Author Archives: privacynewshighlights

16-30 September 2012

 

Biometrics

US – Voice Verification Technology Prevents Impersonators from Obtaining Voiceprints

Computer users have learned to preserve their privacy by safeguarding passwords, but with the rise of voice authentication systems, they also need to protect unique voice characteristics. Researchers at Carnegie Mellon University’s Language Technologies Institute (LTI) say that is possible with a system they developed that converts a user’s voiceprint into something akin to passwords. The system would enable people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone. This reduces the risk that a fraudster will obtain the person’s voice biometric data, which could subsequently be used to access bank, health care or other personal accounts. “When you use a speaker authentication system, you’re placing a lot of faith in the system,” said Bhiksha Raj, an associate professor of language technologies. “It’s not just that your voiceprint might be stolen from the system and used to impersonate you elsewhere. Your voice also carries a lot of information—your gender, your emotional state, your ethnicity. To preserve privacy, we need systems that can identify you without actually hearing your voice or even keeping an encrypted record of your voice.” [Source]

CA – Quebec Sets Rules For Biometric Identification Systems

In Quebec, employers need to comply with the requirements set in the Act to Establish a Legal Framework for Information Technology, which the Quebec Commission on Information Access strictly monitors. Under the act, both physiological biometry and behavioral biometry are available to employers. Usually, employers choose physiological biometry, which deals with fingerprints to record employee attendance. Kronos Touch ID Technology is used often because it does not store fingerprint images. All it requires is for the employee to enter his or her personal ID code and place his or her finger on a screen.

Biometric identification systems based on mathematical representation technology are acceptable to the Quebec Commission on Information Access as it does not store images, thus it does not infringe on the rights of an individual to privacy. The Act Respecting the Protection of Personal Information in the Private Sector is strict when it comes to employers using biometrics in Quebec. There are nine conditions summarized in its guidelines entitled “Biometrics in Quebec: Application Principles, Making an Informed Choice.” The approach first prompts employers to explore alternative choices other than biometrics. If employers do choose biometrics, they need to secure the consent of each individual or employee to be subjected to biometrics. This gives employees the option whether to give their consent or not, and employees can withhold their consent without providing any justification. Employers need to conduct information sessions so as to acquaint and make the employees understand the “ins and outs” of the biometric identification system and its necessity to be employed in the workplace. Furthermore, employers have to consult with legal counsel to make sure that human rights issues are assessed properly and that necessary legal requirements and reporting obligations to Commission are obliged with. [Source]

EU – Facebook Suspends Use of Facial Recognition Tool in EU

Facebook has suspended the use of its facial recognition tool in Europe. The feature suggests users who could be tagged in photographs posted to the site. Facebook says that the feature has been turned off for new EU users and that “templates for existing users will be deleted by 15 October.” The decision was made in response to recommendations from the Irish Data Protection Commissioner. In addition, Germany has demanded that Facebook disable the service and destroy its associated database. [BBC] [ComputerWorld] [InformationWeek] [v3.uk] [ArsTechnica] See also: [US: To lawbreakers’ angst, mug shot websites spreading]

WW – Airport Iris-Scanning May Be Wave of Future

Iris-scanning technology is being rolled out in select airports. Technology similar to AOptix’s InSight Duo iris scanner may become a standard security check at airports and border crossings around the globe, the report states, making the security experience more efficient. A company whitepaper states, “In an InSight-based eGate, a traveler would pass through border control by first scanning his biometric passport on the eGate and then authenticating his biometric record with InSight.” Privacy concerns loom, however, as researchers recently were able to reverse engineer iris code back into an iris image. Privacy expert Woodrow Hartzog said, “A significant enough breach could render an entire verification system unreliable.” [Ars Technica]

Canada

CA – Alberta Privacy Commissioner Issues Report on Privacy Breaches

Alberta’s new Privacy Commissioner, Jill Clayton, has released a report on the first two years of mandatory privacy breach reporting in Alberta (the “Breach Report”). As of the end of April 2012, 151 breach reports had been received by the Privacy Commissioner. Of these reports, 63 cases (42%) involved a real risk of significant harm. In the remainder of the matters, this threshold was not reached, PIPA was determined not to apply, or the matter was still under review. The Breach Report shows that a majority of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices: 22 breaches were caused by human error. These incidents included inappropriate disposal of personal information, emails sent to the wrong individuals (or viewable to all individuals in a mass email), faxes sent to the wrong person or to an unsecure fax, loss of files and portable memory sticks, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong individual.

-          18 breaches were caused by theft. These breaches were primarily due to office and car break-ins resulting in the loss of computer devices, although in a few cases paper documents were also stolen.

-          14 breaches were caused by electronic system compromises. These breaches were typically found to occur as a result of targeted attacks by external hackers seeking to extract large amounts of data. In one incident, 50 million individuals were affected.

-          9 breaches were caused by a failure to adequately control access to electronic or paper files. One case in particular involved files that were accessible to the public via the Internet.

Where a real risk of significant harm was found, the Breach Report indicates that most of the personal information breached was considered to be of high sensitivity, such as social insurance numbers, drivers’ license numbers, or credit card numbers. The Breach Report also indicates that the following circumstances were likely to lead to a real risk of significant harm:

-          where information was apparently stolen for nefarious purposes;

-          where recipients could not be determined;

-          where electronic devices containing personal information had no encryption and no audit capability, making access possible and unknown; and

-          where a large number of individuals were affected and where there was a likelihood that the personal information could be used for a nefarious purpose (such as “phishing” for more personal information).

The Breach Report also offers some commentary on when reporting is not required. Where no real risk of significant harm was found, the personal information involved was typically of low sensitivity. Even where sensitive information was breached, reporting was not required where the organization used strong encryption methods or auditing capability, thus making access to the information highly unlikely. Typically, reporting was not required where recipients were few and known to the organization, or where the information was returned or confirmed destroyed in a relatively short time frame. The Breach Report offers further guidance on prevention of privacy breaches. In addition to measures intended to protect against specific risks to personal information, organizations should implement the following basic steps: [Source]

CA – Newfoundland Passes Amendments to Privacy and ATIP Laws

Despite a four-day, record-breaking, filibuster in mid-June, the provincial Conservative party of Newfoundland and Labrador passed a bill that will radically reduce public access to government information in the province. Bill 29 has drawn widespread criticism from legal experts, opposition politicians and working journalists alike, who have called the bill regressive and draconian. “It’s more of a piece of legislation that sets rules on how not to release things,” Russell Wangersky, an editor and columnist with The Telegram in St. John’s. The amendment to the province’s Access To Information and Protection of Privacy Act (ATIPPA) has the potential to drastically reduce the need of the Newfoundland government to respond to, well, anything, really. Requests that Cabinet determines are “vexatious, frivolous [or] trivial” can now be disregarded. The definition of “Cabinet confidences” has also been expanded to include documents that have been prepared for Cabinet, but which Cabinet doesn’t need to have ever seen or used. Bill 29 took its cue from a review of the ATIPPA, released in January of 2011, undertaken by career NL bureaucrat John R. Cummings, Q.C. Among other high-ranking governmental positions, Cummings has been Newfoundland’s Deputy Minister of Justice, Deputy Attorney General and Secretary to the Cabinet. The new law subsequently implemented 16 of the review’s 33 recommendations. Cummings’ review was supposed to rely heavily on a public consultation process, but Wangersky sees it differently. “The review [to] our Access to Information Privacy Act…was overseen by a former civil servant who had a number of years’ experience turning down Access to Information requests,” says Wangersky. “[Cummings] heard primarily from civil servants and government departments and came up with modifications to the Act that substantially restrict the release of documents and put more and more of a control over what can be released into the hands of Cabinet.” [Source]

CA – Kenney’s Emails Targeting Gay Community Raises Privacy Concerns

For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees, the message raised one important question: How did he know I’m gay? The bulk email sent from Kenney’s MP’s office to thousands was titled “LGBT (lesbian, gay, bisexual and transgender) Refugees in Iran” and began with the salutation, “Friend.” Among the recipients was Meredith Richmond of Peterborough, Ont., who, to her knowledge, had never had any contact with Kenney’s office before. She had no idea how Kenney got her personal Gmail address and seemed to know about her sexual orientation. “It felt really targeted at me,” she said. “I’m not a supporter of the Conservatives.” While Richmond had never directly emailed Kenney’s office, she was one of nearly 10,000 people who electronically signed a 2011 online petition supporting a gay artist from Nicaragua, who was then facing deportation. Toronto community organizer and former NDP candidate Michael Erickson posted the petition on the website change.org. Whenever someone “signed” the petition, the site automatically sent a form letter by email to Kenney’s office with the signatory’s reply email address. It appears those thousands of messages were harvested by the email program in Kenney’s office and saved for later use. [Source] [Elections watchdog mulls regulation of parties’ voter databanks] and [Political Parties Operate Outside Canada’s Privacy Laws] andalso: [MB: Bateman apologizes for 1,500 leaked email addresses]

CA – Toronto Real Estate Board Seeks to Bar Public from Tribunal Hearing

The Toronto Real Estate Board is sticking so vociferously to its claims that Multiple Listing Service information routinely handed out by its own agents is such a violation of privacy in the wrong hands, it tried to have the public removed from a Competition Tribunal hearing. In the face of objections from the Competition Commissioner’s legal counsel and media covering the hearing, Tribunal chair Justice Sandra Simpson agreed that no one would be barred from the hearing. But she asked that MLS data on a handful of homes for sale as of Sept. 17 be edited to remove a number of details before being entered into the public record. That included virtual tour photos of the interior of the homes, the names of the homeowners, mortgage and commission information that is more often than not on MLS listings that traditional “bricks-and-mortar” realtors give out to clients. [Source]

CA – Teen’s Identity in Facebook Privacy Case to be Kept Confidential

A Nova Scotia teenager who wants to sue the people she alleges bullied her on Facebook will be able to keep her name private but won’t be able to get a partial publication ban on the trial, the Supreme Court of Canada has ruled. The case involved a 15-year-old teen known only as “A.B.” who learned in 2010 that a fake profile of her had been set up on Facebook. It included a photo of her and a slightly modified version of her name. The fake profile discussed her physical appearance and allegedly included “scandalous sexual commentary of a private and intimate nature,” according to the court documents. She wanted to launch a civil suit and wanted the court to compel Internet provider Bragg Communications to disclose the identity of the people behind the IP address where the alleged defamation came from. But A.B. also wanted a partial publication ban on the case, to keep the details of the alleged defamation under wraps and her full name kept confidential. This week, the Supreme Court agreed that the teen’s identity should be kept confidential, saying the court has a duty to protect her because of her age. [Source]

Consumer

CA – Canadians Trust That Organizations Won’t Share Their Information” Poll

In asking Canadians what information they’re willing to share with organizations – via consumer loyalty programs, for instance – pollsters found a considerable chunk of the population agreeable to divulging everything from sexual orientation (40%) to health details (31%) to political and religious affiliations (30% and 41%, respectively). “There’s an inherent trust that organizations are going to act reasonably with your information,” says Bryan Pearson, author of The Loyalty Leap: Turning Customer Information into Customer Intimacy. Fully 48% of Canadians say they always or often read the privacy policies of companies Canadians trust that organizations won’t share their information with whom they deal – a surprisingly high figure, Mr. Pearson said. The nationally representative survey, released Tuesday, is considered to be accurate 95% of the time, with a margin of plus or minus three percentage points. It was conducted online throughout June. [The National Post]

US – U.S. Consumers Reveal Surprising Privacy Findings

Research findings LoyaltyOne released this week show that when it comes to privacy, U.S. consumers are still protecting some of their personal information as much as they do their social security number. Of the 1,000 U.S. consumers responding to an online survey, 50% said they’d be willing to give a trusted company their religious affiliation, 49% their political affiliation, 49% their sexual orientation, 36% health information, 26% mental health information, 24% browsing history and 15% for both smart phone location and number of sexual partners. Last on the list is their social security number at 11%. Several of the 2012 questions followed up on a 2011 survey and were structured to measure changes in U.S. consumer sentiments over the past year. For brands intent on deepening their customer relationships, the results signal a concerning trend — trust may be eroding. Some key year-to-year results: 78% of U.S. respondents said they do not feel they receive any benefit at all from sharing information, up from 74% in 2011 Less than half feel that companies use their personal data to better serve the consumer, an 11% slip from 2011 62% said they would share more personal data if it meant receiving relevant product and service offers, down from 66% in 2011. “Consumers are disappointed. For years they’ve provided their valuable information and they’re not realizing something of suitable worth in return,” Pearson said. “If businesses don’t act quickly to demonstrate they have the consumer’s best interest at heart, they risk an erosion of the business-to-consumer relationship.” [Source]

WW – Think Tank: Business Would Benefit by Upping Consumer Data Control

Policy think tank Demos has said businesses would benefit if they granted consumers more control over how their personal data is used. Consumers are suffering a “crisis of confidence” when it comes to information sharing, Demos said. Businesses could overcome this if they have “open, transparent and clear information-sharing relationships with customers” and allow consumers to make an “informed choice” about the ways their personal information is used. “Regulators and businesses need to find a flexible, dynamic framework, which recognizes the diversity of views on the issue, and consider how people can customize and negotiate their relationship with organizations so that it is and feels mutually beneficial.” [Out-Law.com] [DEMOS Report]

Electronic Records

US – HHS, VA Demonstrate PHI eTransfer

The U.S. Department of Health and Human Services and the Veterans’ Administration have demonstrated how sensitive patient data can be transferred electronically while maintaining confidentiality. Developed as part of the Data Segmentation for Privacy Initiative (DS4P), the demonstration showed how a patient could consent to a transfer and how data would be tagged according to sensitivity, requiring further authorization from the patient prior to additional disclosure. Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts said, “This project helps demonstrate that with proper standards in place, existing privacy laws and policies can be implemented appropriately in an electronic environment.” [FierceEMR]

EU Developments

EU – Reding: Data Protection Directive Overhaul Could Save 2.3 Billion in Costs

EU Justice Commissioner Viviane Reding says an overhaul of EU data protection rules could save as much as €2.3 billion in administrative costs. Reding has said a single set of data rules for the EU and a one-stop-shop for data protection will make Europe a more attractive place to do business. The proposed legislation will also provide better access to personal data, Reding and Irish Data Protection Commissioner Billy Hawkes wrote in a recent piece for the Irish Examiner. Ireland will play a key role in shaping the new rules, Reding says, as it is home to many firms handling personal data. [Bloomberg] See [Letter to European Parliament re: European Commission General Data Protection Regulation - US Consumer Organizations] and also: [Article 29 Data Protection Working Party - Opinion 07/2012 on the Level of Protection of Personal Data in the Principality of Monaco - Working Paper 198]

EU – EC Releases Cloud Strategy; ICO Releases Guidelines

The European Commission (EC) has released a new strategy for “unleashing the potential of cloud computing in Europe.” Among the “key actions” in the strategy are “Cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility,” EU-wide certification schemes and a European Cloud Partnership with member states. EC Vice President Viviane Reding said the strategy “will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe,” adding, “That means swift adoption of the new data protection framework…”

UK – ICO Issues ‘Viable and Realistic’ Cloud Computing Guide

The Information Commissioner’s Office (ICO) released, on 27 September 2012, a cloud computing guide, recommending, among others, that cloud customers create a clear record about the categories of data they intend to move to the cloud and warns that using cloud services ‘may give rise to more personal data collected…for example, the usage statistics or transaction histories of users may be recorded’. [Source] Information Commissioner’s Office publishes guidelines on the responsible use of cloud computing. [Source] See also: [European Data Protection Supervisor - Formal Comments on DG MARKT’s Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries]

UK – ICO Releases Google Data Protection Audit Report

The Information Commissioner’s Office (“ICO”) followed-up on a consensual audit and found that the organisation remained at a level of “reasonable assurance”; areas where the organisation improved included introducing privacy as a key theme for internal audit reviews (privacy risk is actively considered in the scoping of audits), the use of Privacy Design Documents in user-facing products (these documents are granular to the different types of products, to ensure the relevant privacy issues are addressed by an appropriate working group), and advanced, mandatory training covering privacy (building on the experience gained through the Privacy Design Document process). The organisation still needs to do more regarding historical projects lacking a Privacy Design Document (a risk-based approach was adopted to roll out Privacy Design Documents, but procedures need to ensure that the right projects are being escalated for review). [Source]

EU – Irish Data Protection Commissioner Released Report of Facebook Re-Audit

A re-audit finds that a social networking website responded to recommendations in a satisfactory way, addressing third party applications (creating an App Centre that standardised the user experience with respect to privacy and creating an audience selector, allowing users to choose who can view their activity with respect to apps), tagging of photos (users have tools to pre-approve tags, un-tag photos, block users who are harassing them with unwanted tags, and remove the record of a deleted tag), privacy and data use policy (new users are met by a “welcome dashboard” that gives a tour of the greatest areas of privacy risk and are given a privacy prompt 30 days after joining, to provide information and choice once they have a working knowledge of the site), and retention (users can delete posts, friend requests, tags and messages on a per-item basis and social plug-in data is deleted for users after 60 days, and non-users within 10 days). Issues that remain on-going include compliance management (all significant changes to the use of personal data are to be approved in a manner set out by the board of directors that takes full account of European data protection requirements), third party apps (a tool to check whether apps’ privacy policy links are live still needs to become operational), cookies (the exact form of consent needed to comply with the cookie law is still being debated among industry and regulatory authorities), and advertising (although the site does not allow targeted advertising based on sensitive categories, advertisers can still use words and terms that are sensitive in nature to filter their ad campaigns). [Source] See also: [UK Information Commissioner’s Office - Submission to the Joint Committee - Pre-Legislative Scrutiny on the Draft Communications Data Bill] and [UK: BBC issues extraordinary apology after airing private conversation with the Queen]

EU – EDPS Calls for Harmonized “Illegal Consent” Definition

European Data Protection Supervisor (EDPS) Peter Hustinx has said the European Commission (EC) should define the term “illegal content” in order to provide clarity on content host responsibilities for removal of such information. Comments by the EDPS come after an EC consultation on reforming rules governing the removal of illegal material posted online. Examples of what the EC considered illegal include content infringing on intellectual property rights, inciting hate, relating to terrorism or invading privacy. Hustinx said he “is of the view that there is a need for a more pan-European harmonized definition of the notion of illegal content for which notice-and-action procedures would be applicable.” [Out-Law.com]

Facts & Stats

US – 94 Million Exposed: The Government’s Epic Fail on Privacy

94 million is the number of Americans’ files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. This number — which was just revealed in the latest report from tech security firm Rapid7 — is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. [Source]

Finance

WW – PCI SSC Issues App Best Practice Guidelines

The Payment Card Industry Security Standards Council (PCI SSC) has issued best practice guidelines for developers and manufacturers to provide direction in securing mobile device payment processes. The recommendations include isolating sensitive functions and data in trusted environments; using secure code best practices; minimizing third-party access; developing remote payment-disabling functions, and creating suspicious activity monitoring tools. The guidelines also look at ways to prevent the interception of account data in transit. “We have a brand new group of developers that aren’t aware of their responsibility,” said PCI SSC’s chief technology officer. “They are designing good code but don’t know all it’s being used for.” [SC Magazine] [Press Release]

FOI

CA – BC Not So Free With Information: Report

The British Columbia government responds to nearly a quarter of all requests under freedom-of-information laws by insisting it has no records to offer, according to statistics compiled by a group that argues the dramatic increase in such cases raises serious questions about public accountability. The BC Freedom of Information and Privacy Association filed a complaint this week with the province’s information and privacy commissioner, suggesting the trend is either a sign the province isn’t releasing all the information it could or, worse, a symptom of a government that avoids keeping records to skirt the law. The group compiled statistics, available on the provincial government’s website, that indicate the number of such cases has increased sharply in the past decade. In 2002-2003, there were no cases in which the government could not find any records to satisfy a request; today, that scenario accounts for 23% of all requests. [Source] See also: [City of Victoria seeks to limit requests for information] [Saskatchewan Gov’t will look into Workers Compensation Board concerns of Privacy Commissioner] and [NL: Privacy-breach penalties should be enforced, says commissioner] 

US – DND Tightens the Screws on Release of Information

Members of the Canadian military have been told to tighten the screws and withhold information, even though it may not be sensitive or a threat to national security. The unusual directive, known as a CANFORGEN, was written last year by the country’s deputy top commander in response to a media story on financial uncertainty facing National Defence. The story was deemed to have contained “information that was not meant for wider or public consumption,” but the data had not been given the designation of either secret or protected. That prompted Vice-Admiral Bruce Donaldson, the vice-chief of defence staff, to instruct those handling information to give everything that passes over their desks – or is posted on the internal department system – a second glance with an eye to keeping it hidden. “Information that is not sensitive to the national interest, and therefore not classified, should also be examined to see if it is sensitive to other than the national interest, and therefore requires an appropriate designation of either Protected A, B, or C,” said the directive, obtained by The Canadian Press under the Access to Information Act. The directive goes beyond reviewing information to protect privacy. “Sensitivity to other than the national interest is not limited to information that is personally sensitive, but also includes, for example, information that is sensitive to the organization, administration, finances or other internal functioning of the department, its relationship to outside organizations, or other government business operations.” [Source]

CA – Commissioner Urges Public Institutions to Join Global Open Data Movement

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is calling on public institutions to take advantage of emerging technologies to make data available to the public, academics, researchers, and industry, for use in new and unanticipated ways. As long as personally identifiable information is protected from such disclosure, the open data movement bodes very well for introducing greater transparency to government institutions. The global movement towards Open Data makes vast amounts of machine-readable data freely available by way of portals, metadata, and search tools. It is one of the truest embodiments of Commissioner Cavoukian’s concept of Access by Design, by which public institutions proactively release information as part of an automatic process, fostering more transparency and accountability in government. [Source]

Genetics

US – Court to Examine Legality of Warrantless DNA Samples

The U.S. Supreme Court has decided to reexamine the constitutional privacy of an individual’s blood chemistry. In Missouri v. McNeely, the court will decide whether police can take a DNA sample from a criminal suspect without a judge’s approval, the report states. In Schmerber v. California in 1966, the court ruled that police could take a DNA sample without a warrant in an emergency case, such as drunk driving. In McNeely, the court will analyze that ruling after a police officer ordered a DNA sample from a drunk driving suspect, considering it an emergency as his blood-alcohol level would drop over time. [National Constitution Center] See also: [Do Patients Have A Right To Access Their Clinical Sequence Data? - Alison Hall, Senior Policy Adviser, PHG Foundation]

US – ACLU Asks Court to Stop DNA Collections on Felony Arrests

Through California’s DNA database of close to two million samples, more than 10,000 criminal suspects have been identified in the last five years. But the American Civil Liberties Union (ACLU) will argue to the Ninth U.S. Circuit Court of Appeals that the state’s genetic data collection efforts have become “unconstitutionally aggressive…at the expense of civil liberties,” the report states. California’s Proposition 69 allows police to take a DNA sample of every suspect arrested on felony charges. The ACLU says the practice “comes too early in the criminal justice process,” and samples should be taken only from those convicted. [The Washington Post]

Health / Medical

US – Medicare Bills Rise as Records Turn Electronic

“When the federal government began providing billions of dollars in incentives to push hospitals and physicians to use electronic medical and billing records, the goal was not only to improve efficiency and patient safety, but also to reduce health care costs. But, in reality, the move to electronic health records may be contributing to billions of dollars in higher costs for Medicare, private insurers and patients by making it easier for hospitals and physicians to bill more for their services, whether or not they provide additional care.” [New York Times]

Horror Stories

US – Breach Affects 100,000 IEEE Members

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin. [Help Net Security] See also: [Health Agency Notifies 2,500 Clients of Breach]

CA – BC Health Ministry Fires Fifth Worker for Alleged Breach

A fifth employee of British Columbia’s Health Ministry has been fired over an alleged privacy breach. The worker had been one of three who had been suspended, but according to the report, the 30-year government employee in charge of data access, research and stewardship has now been released. BC Health Minister Margaret MacDiarmid has said the issues in the ongoing investigation relate to inappropriate conduct, data management and “contracting-out allegations,” the report states. “It’s been incredibly complex and it continues to be,” MacDiarmid added. [The Victoria Times Colonist] [NextGov] [Vancouver Sun] [Vancouver Sun] See also: [US: Former Howard University Hospital Employee Sentenced For Selling Personal Information About 40 Patients] and [Newfoundland’s Eastern Health says computer software will track privacy breaches]

US – Provider Settles HIPAA Case for $1.5 Million

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., (MEEI) has agreed to settle with the U.S. Department of Health and Human Services (HHS) for $1.5 million for potential violations of the HIPAA Security Rule. The HHS Office for Civil Rights conducted an investigation after MEEI reported that an unencrypted personal laptop containing sensitive health data was stolen. The investigation found MEEI “failed to take necessary steps to comply with certain requirements of the Security Rule.” In addition to the fine, MEEI will now review, revise and maintain policies and procedures to comply with the rule and will undergo independent compliance assessments for three years. Meanwhile, Lahey Clinic Hospital has alerted patients of a breach. [Source] See also: [UK: Stolen Laptop Contained Children’s Data] and [Hospital Employee Sentenced to Six Months for Selling Data]

US – AvMed Ruling May Open the Door for Liability Cases

The recent AvMed data breach case may open the door for plaintiffs to prove they are victims of identity theft as a result of a data breach. The 11th U.S. Circuit Court of Appeals ruled earlier this month that plaintiffs in Curry v. AvMed sufficiently alleged liability against the health plan provider for the data breach affecting 1.2 million customers that led to identity theft and financial losses for some. “When a company doesn’t live up to the obligation that it’s supposed to…that person has a cause of action for that money he paid toward the protection of his personal information,” said the lawyer representing the plaintiffs. [SC Magazine]

US – Report: Most Breaches Due to Employee Error

Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31% said theft or loss was the cause of data breaches, and 39 percent said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56% of respondents said they were aware of their organization’s security policies. [COMPUTERWORLD]

Identity Issues

U.S. – State Dept. Admits Passport Form Was Illegal, But Still Wants It Approved

“Early last year, the State Department proposed a new “Biographical Questionnaire” for passport applicants, which would have required anyone selected to receive the new long-form DS-5513 to answer bizarre and intrusive personal trivia questions about everything from whether you were circumcised (and if so, with what accompanying religious rituals) to the dates of all of your mother’s pre- and post-natal medical appointments, your parents’ addresses one year before you were born, every address at which you have ever resided, and your lifetime employment history including the names and phone numbers of each of your supervisors at every job you have ever held.” [Papers Please]

US – Court Rules in Favor of Plaintiffs’ ID Theft Case

The 11th Circuit Court has ruled in a 2-1 opinion that the plaintiffs in a class-action lawsuit sufficiently alleged liability against a health plan provider for a data breach involving identity theft. Two laptops containing unencrypted sensitive information— including Social Security numbers—on 1.2 million AvMed customers were stolen in 2009. In Curry v. AvMed, Inc., the plaintiffs said they carefully avoided sharing their sensitive information digitally but still became victims of identity theft and suffered financial losses. The ruling “gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims,” the report states. [Information Law Group] See Curry v. AvMed, Inc., No. 11-13694, 2012 WL 2012 WL 3833035, — F.3d —- (11th Cir. Sep. 5, 2012).

Intellectual Property

EU – French Government Levies First Piracy Fine

The French government has imposed its first fine under the country’s new anti-piracy law. Alain Prevost was fined 150 euros (US $197) for downloading two songs, even though his wife has admitted that she was the person who had downloaded the files. The fine was levied against Prevost because he paid for the Internet connection over which the songs were downloaded. After receiving two warnings about the downloaded songs from Hadopi, the agency that seeks out Internet copyright violators, Prevost terminated his ISP account. He and his wife are divorcing, and he had written to Hadopi, telling them to contact her about the downloaded songs. Their replies were sent to an email address that he no longer had access to. [BBC] See also: [Dutch Court Says Links to Photos Constitute Copyright Violation | Source]

Internet / WWW

WW – Project Founder: Data Subjects Should Take Some Profit

The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?” [The Sydney Morning Herald]

US – CSA Launches Big Data Working Group

The Cloud Security Alliance (CSA) has initiated a Big Data Working Group to develop best practices for privacy and security solutions, particularly in government, healthcare and e-commerce sectors. The CSA’s charter document notes “traditional security mechanisms, which are tailored to securing small-scale static—as opposed to streaming—data are inadequate” for Big Data. In addition to developing Big Data security and privacy best practices, the group aims to help industry and government adopt best practices; create coordination efforts between organizations to develop standards; speed up efforts to research privacy and security solutions, and draft research proposals for joint government and industry funding, the report states. [Integration Developer News]

WW – Tech Companies Form Lobbying Group Aimed at Protecting Internet Freedom

Several big technology companies have joined forces to form a lobbying group to protect Internet freedom. The Internet Association was founded in large part to counteract efforts by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) to influence legislation; both the RIAA and the MPAA lobbied hard for the Stop Online Piracy Act (SOPA), and effort that was ultimately unsuccessful. The Internet Association counts Amazon, Google, and Facebook among its members. [WIRED]

WW – Last of the IPv4 Addresses to be Allocated in Europe

RIPE, the organization that gives out IP addresses in Europe, is down to its last batch of IPv4 addresses. Companies may only make one more request for these addresses, and if the request is granted, they will receive 1,024 IPv4 addresses. All applications must describe how the organization is implementing the new IPv6 address scheme. Until this final batch, RIPE was giving out about four million IPv4 addresses every 10 days. [v3] [RIPE.net] [BBC] [InfoWorld] See also: [Majority of US Government Agencies Will Not Meet IPv6 Deadline | Source]

Law Enforcement

CA – Police Checks Routinely Violate Privacy, Report Says

A new report by the Canadian Civil Liberties Association says many Canadians, especially in Alberta, are having their privacy rights violated because police are releasing non-criminal information in routine police checks. “The status quo is unacceptable,” the report concludes. “There is an urgent need for greater fairness and clarity in the police background check process.” In the past decade, more and more organizations across Canada are requiring police checks before hiring employees or accepting volunteers. In Alberta alone, the report estimates that police run about 160,000 background checks every year. The information released contained not only information about convictions, but also about charges or contact with police which were either withdrawn or did not involve criminal activity. This includes cases involving mental health issues or where individuals were merely contacted as witnesses to crimes. “Disclosing this kind of sensitive information may undermine the presumption of innocence,” the report says. “Employers who receive negative record checks may not fully understand the distinctions between different types of police information, creating significant risk that non-conviction records will be misconstrued as a clear indication of criminal conduct.” The 50-page report calls for standards that would prohibit the release of information other than convictions, except in rare circumstances. It also says non-conviction records should be reviewed regularly and destroyed where warranted. It also says individuals should have a right to be notified on the information in their file and be able to appeal it before an independent adjudicator. While there are laws governing the release of certain information, such as under the Privacy Act and the Youth Criminal Justice Act, the report says there are no set standards for what police services can or can’t collect and release in police checks. It calls the situation across Canada “a patchwork” of policies that may violate Canada’s Charter of Rights and Freedoms. The report says the problem is particularly acute in Alberta, where it says there is too much discretion is left to individuals in police services as to what information can and should be retained and released. The report points to Ontario as an example of good practices. There, the province’s Privacy Commissioner issued an Order regarding the handling of information collected by police. [Source] [Press Release] [Report: Presumption of Guilt? The Disclosure of Non-Conviction Records in Police Background Checks]

Mobile Privacy

US – Proposed Privacy Act Makes Mobile Tracking Harder

US lawmakers have introduced a new bill that will make it tougher for companies or anyone else to track mobile users without consent. The Mobile Device Privacy Act simply makes it illegal for companies to monitor device users without their express consent. The bill was introduced by Rep. Edward Markey (D-Mass.), who is co-chair of the Bi-Partisan Congressional Privacy Caucus. The legislation is a result of concern over last year’s Carrier IQ controversy, which centered on a piece of software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems, with an eye to improving service. The software, which Sprint and others quickly disabled after the flak started, was meant to be a diagnostic tool but has the capability to be used for ill: Android developer Trevor Eckhart posted a video showing how the software logs text messages, web searches and other activities without the mobile user’s knowledge or permission – promptly setting off big privacy alarm bells. “Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information,” Markey said. “This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to such transmission.” The law requires anyone performing data collection, even with consumers’ opt-in permission, to inform the US FTC and the FCC of their tracking activities. The agencies would be given enforcement power as well. Also, the legislation would require that any tracking software contained on the device at purchase or included in software updates be disclosed upfront, giving consumers the right to refuse tracking. This disclosure must include what types of information is collected, who it is transmitted to and how it will be used.[Source]

WW – Funding Among Reasons for App Security Breaches

A recent survey has found that the majority of companies questioned experienced at least one web application security incident since last year. In the Forrester study, which questioned 240 North American and EU companies, 18% reported a breach had cost their organization $500,000 or more and indicated the incident had a negative impact on their brand. Among the reasons for the security failures were an inability to secure additional funding for technology and processes, a lack of tools for application security and pressure to quickly deliver new products and services. SQL injection was the leading cause of breaches at organizations that had experienced five to 10 incidents since 2011. [Network World] See also: [Over half of Android devices have unpatched vulnerabilities, report says] and [McAfee: New malware is proliferating]

WW – PCI Council Issues Best Practice Guidance for Mobile Apps

The Payment Card Industry Security Standards Council (PCI SSC) has released best practice guidance for mobile app developers and device manufacturers. It said that the main focus of the guidelines is to provide direction on securing mobile device payment processes and the payment environment itself by educating developers in the emerging mobile app market. Key recommendations of the report include isolating sensitive functions and data in trusted environments, implementing secure coding best practices and eliminating unnecessary third-party access and privilege escalation. Developing ways to remotely disable payment functions, in addition to creating tools for mobile apps to monitor and report suspicious activity were also among the recommendations. The guidelines focus on ways to prevent account data from being intercepted while sent or received on mobile devices or from being compromised while being processed or stored on them. [Source] [Press Release] [Guidance: PCI Mobile Payment Acceptance Security Guidelines]

Offshore

UK – ICO Issues Outsourcing Guide for Small and Medium-Sized Businesses

Summary: Where a data processor is used to process data on the data controller’s behalf, the data controller must ensure that suitable security arrangements are in place to comply with the seventh data protection principle (the processor must provide sufficient guarantees in respect of the technical and organisational security measures, and the controller must take reasonable steps to ensure compliance with those measures); if the data processor is located outside the EEA, they must comply with the eighth data protection principle (organisations that transfer personal data to a data processor in a third country will remain subject to the ICO’s powers of enforcement, and continue to be responsible for protecting the data subjects in relation to the overseas processing of their personal data by the data processor). Model contract clauses offer adequate safeguards for the protection of the rights and freedoms for international transfers of data (the clauses are in a standard form which may not be amended, however they may be incorporated in their entirety into a data processing service agreement with an overseas data processor). Before using a non-EEA based data processor, an organisation should consider whether there is any particular legislation in place in the country or territory where the chosen processor is located which might adversely affect the rights of the data subjects whose data is to be transferred. [Source]

Online Privacy

CA – Commissioner: Websites Inappropriately Sharing Users’ Personal Information

A report by Canada’s Office of the Privacy Commissioner says some leading Canadian websites are inappropriately sharing users’ personal information with third parties. Privacy Commissioner Jennifer Stoddart investigated 25 shopping, travel and media sites and found information—including names, e-mail addresses and postal codes—was being collected without consent. Stoddart has written to 11 of the sites, seeking explanations on how changes will be made to comply with Canadian privacy law, the report states. “Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law—and respecting the privacy rights of people who use their sites,” Stoddart said. [Canadian Press] See also: [Experts call for Privacy Commissioner to reveal data leaking Web sites]

US – FTC Supports W3C’s Do-Not-Track Guidelines

The Federal Trade Commission (FTC) says it supports the World Wide Web Consortium’s (W3C) efforts to develop voluntary guidelines for a do-not-track system. “The commission has repeatedly and forcefully called for industry—not government—to implement a do-not-track mechanism that would allow consumers to decide whether to have their online activity…collected,” said FTC Chairman Jon Leibowitz in a letter to Congress. Leibowitz was responding to an inquiry by nine Republican lawmakers on whether the FTC was “empowered to work with an international organization like the W3C,” the report states. Meanwhile, a Georgia man is currently working on an online registry with features similar to the W3C’s do-not-track. [MediaPost] [Do-Not-Track Talks Reach a Stalemate]

US –Policy Limits Hotmail Passwords to 16 Characters

It has recently been revealed that unbeknownst to most Hotmail users, their account passwords have been limited to 16 characters, regardless of whether or not they have chosen longer passwords. A security researcher recently received an error message when he typed in his 30-character Hotmail password; he had never before received the message, and was able to access his account by entering just the first 16 characters of the password. Kaspersky Lab’s Costin Raiu wrote that “To pull off this trick with older passwords, Microsoft has two choices: Store fill plaintext passwords in their [database and] compare the first 16 [characters] only, or calculate the hash only on the first 16 [and] ignore the rest. A Microsoft representative has acknowledged that “16 characters has been the limit for years now,” and noted that “uniqueness is more important than length.” [Source] [See also: [Mobile PCI Standards Released]

US – Twitter Gives Court Protester’s Posts

After months of fighting a subpoena, Twitter has given a U.S. judge the online posts of Occupy Wall Street protester Malcolm Harris. The tweets, which were handed over to Manhattan Criminal Court Judge Matthew Sciarrino, will remain under seal while a request for a stay by Harris is heard in a higher court, the report states. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union have filed an amicus brief supporting Twitter’s appeal. EFF’s Marcia Hofmann called it a “canary-in-a-coal-mine case,” adding “companies will look at this case and say it’s not a good idea to push back against governments we think are overreaching.” [Reuters] [Ars Technica] [CNET] [WIRED]

US – Google Adds Support for ‘Do Not Track’ Within Chrome

The development team behind Google Chrome has added the ‘Do Not Track’ privacy setting in the most recent Canary version of the Web browser. The privacy option will be available to all Chrome users before the end of the year after passing through the development and beta phases. While Google did agree to launch support for the ‘Do Not Track’ initiative earlier this year, the Chrome development team has been extremely slow in adding the feature to the browser. Alternatively, Mozilla added support for the feature in Firefox during early 2011 and Apple added the ‘Do Not Track’ privacy setting to Safari 6. In addition, Microsoft took the feature a step further and enabled the ‘Do Not Track’ function within Internet Explorer 10 without requiring the user to turn it on. [Source] [Source] [Source] [Source]

WW – Wikipedia Releases Search Data to Public But Pulls It After Privacy Concerns

Wikipedia announced they have decided to give away their search data to the public for free. Shortly after they announced this, they decided to “temporarily taken down this data to make additional improvements to the anonymization protocol related to the search queries.” [Source]

US – Confusion Over Facebook Wall Posts Leads to Privacy Scare

Facebook representatives have said recent reports that private messages were appearing on users’ timelines were false. According to Facebook, “A number of users raised concerns after what they mistakenly believed to be private messages appeared on their Timeline,” adding that an investigation revealed “that the messages were older wall posts that had always been visible on the users’ profile pages.” In response, France’s data protection authority—the CNIL—has been asked to investigate the issue. Meanwhile, the Electronic Privacy Information Center plans to ask the Federal Trade Commission to investigate the new Facebook-Datalogix deal and whether it contravenes a recent settlement. [The Wall Street Journal]

Other Jurisdictions

AU – Parliamentary Report Recommends Privacy Amendment Bill

A tabled parliamentary report recommends the House of Representatives pass the Privacy Amendment Bill 2012. The bill would clarify the role and strengthen the powers of the privacy commissioner, address credit reporting arrangements and protect personal information. According to a statement, “The committee has examined the bill to ensure that an appropriate balance between privacy protection and the convenient flow of data has been achieved.” Attorney-General Nicola Roxon said, “Both consumers and governments have a role to play to protect privacy,” adding, “In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families.” [COMPUTERWORLD]

AU – Parliamentary Committee Endorses Fines for Breaches

A parliamentary committee has recommended passing a bill that would allow for fines of up to $1.1 million for severe or repeated privacy breaches. The suggested penalties were contained in a report tabled in the Lower House. A Senate committee is examining the bill as well and will report to Parliament this month. The bill responds to the Australian Law Reform Commission’s 2008 report, which aims to update privacy laws given technological advances. Privacy Commissioner Timothy Pilgrim says the fines would incentivize better data protection. Should the bill become law, the committee advises that the attorney general should conduct a review 12 months after implementation. [The Australian]

AU – Coalition Seeks ‘Softer’ Privacy Law

A spokesman for shadow attorney-general George Brandis said that Liberal senators would recommend softening parts of the bill around company liability for privacy breaches following a strong backlash from the industry, particularly the internet sector. If passed in their current form, the new laws would give the Federal Privacy Commissioner the ability to seek court ordered fines against companies and large organisations of up to $1.1m in cases of severe or repeated privacy breaches. Senator Brandis’s spokesman said the coalition would recommend changes to the laws that would limit company liability in cases where they can demonstrate that they’ve taken “all reasonable precautions” to prevent privacy breaches. The recommendations were only one of about half a dozen that the senators were expected to include in a parliamentary report expected to be tabled in the upper house yesterday following a short delay last week. The senators are also expected to make recommendations to make it easier for social networking companies to share information about their members with third parties and for all companies to transfer data about Australian customers. Federal Privacy Commissioner Timothy Pilgrim declined to comment for this report. [Source] SEE ALSO: [Office of the Australian Information Commissioner - Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation] and [Australian Security Intelligence Organisation – Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation [ Baker & McKenzie Review]

NZ – Commissioner Seeks Data Broker Enforcement Powers

New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.” [Otago Daily Times] See also: [NZ Prime Minister Requests Inquiry Into Allegations of Unlawful Interception of Communications in Megaupload Case] and [Office of the Privacy Commissioner, New Zealand - Proposed Amendment No 7 to Credit Reporting Privacy Code 2004 - Information Paper] and [EU: Commission to decide on New Zealand’s adequacy in October]

Privacy (US)

US – Supreme Court to Hear Driver’s License Case

The U.S. Supreme Court will hear a case involving whether lawyers can legally obtain personal data gleaned from driver’s license records to recruit individuals for lawsuits. The appeal comes from three South Carolina residents who were solicited by lawyers to join a lawsuit against car dealers, the report states. The justices will determine whether the lawyers’ actions contravened federal privacy law pertaining to the protection of driver’s license records. The federal law does have a lawsuit exception. [Associated Press]

US – Apple Shareholders File Proposal on Privacy and Data Security

Investors in Apple Inc. have filed a shareholder proposal asking the company to publish a report explaining how its Board of Directors is overseeing privacy and data security risks. The proposal, which is intended for consideration by Apple shareholders at the company’s 2013 annual meeting, states that “Unauthorized collection, disclosure, or misuse of personal information can cause great harm to individuals and society – including discrimination, identity theft, financial loss, loss of business or employment opportunities, humiliation, reputational damage, questionable government surveillance or physical harm,” the proposal states. The shareholders assert that “Apple’s Board has a fiduciary and social responsibility to protect company assets which include the personal information of a variety of stakeholders.” In seeking a report, the shareholders state that “investors need to understand more fully how the Board is overseeing” concerns about privacy and data security. The shareholder proposal at Apple was developed in consultation with the Open Media and Information Companies Initiative – or Open MIC – a non-profit organization that works with shareholders and companies to foster more open and responsible media policies and practices. A copy of the Apple proposal is available here. [Source]

US – Exploring Privacy’s Top Thinkers and Practitioners

At the annual Privacy Law Scholars Conference held earlier this year, information privacy law scholars and other top thinkers met with practitioners from industry, advocacy and government to hash out privacy’s toughest and most pressing challenges. Law scholar Daniel Solove discusses the strong conduit that is forming between privacy scholarship and practice, and in three such examples, papers delving into Big Data, hiring discrimination in a Web 2.0 world and operationalizing Privacy by Design are explored. [IAPP Privacy Advisor]

US – Groups Ask FTC to Investigate Facebook Tracking Partnership

Facebook’s in-store tracking partnership with Datalogix aims to show advertisers whether their ads lead to sales. Facebook says the data collection doesn’t violate any FTC regulations because of an opt-out link on Datalogix’s website. The Electronic Privacy Information Center and the Center for Digital Democracy have asked the FTC to look into the partnership. Ryan Calo of the Center for Internet and Society says the opt-out link’s location isn’t best practices, and it’s unlikely that Facebook consulted the FTC before unveiling the initiative. “That opt-out option isn’t easy to find nor is it on the Facebook website,” he said. [The Atlantic Wire] [US – Facebook Now Knows What You’re Buying at Drug Stores]

US – Appeals Court Approves Facebook Beacon Settlement

In a split decision, a US federal appeals court has approved a US $9.5 million settlement in a class action lawsuit brought against Facebook over its Beacon program, which kept track of and posted information about what users purchased from Blockbuster, Overstock, and other sites. The lawsuit alleged that Beacon violated federal wiretap and video rental privacy laws. Under the terms of the settlement, Facebook admits to no wrongdoing, but does agree to put money in a so-called digital trust fund, which would provide grants to organizations studying online privacy issues. Some of those being represented by the lawsuit maintained that the award was too small and that Facebook should not have a seat on the board of the digital trust fund. In a separate case involving Facebook’s “Sponsored Stories” feature, a US District Court judge in San Francisco rejected a settlement that would have had Facebook pay US $10 million to charity and US $10 million to cover attorneys’ costs. He is the judge who approved the Beacon settlement. [Source] OTHER NEWS: [Privacy Advisor: FTC ramping up data privacy enforcement actions] and [FTC - In the Matter of Apogee One Enterprises - Complaint and Stipulated Final Judgement and Order] and [FCC – Enforcement Advisory – Political Campaigns And Promoters Are Reminded Of Restrictions On Autodialed and Prerecorded Calls

Security

US – Report: Mobile Device Theft Tops Risk List

A new report has revealed that the top healthcare privacy risk is the theft of mobile devices. Of the reported breach cases, 52% involved the theft of portable devices such as laptops, smartphones and tablets. Kaufman Rossin Director of Information Security and Compliance Jorge Rey—a co-author of the report—said there was a drop in reported breaches, indicating more organizations are complying with HIPAA, but the rise in mobile device theft “was concerning because physical security is usually your easiest area of risk to address.” [American Medical News] SEE ALSO: Analysis of Apple’s disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn’t break it. [Source]

UK – Body Scanners Removed by Manchester Airport

A UK airport is scrapping passenger body scanners after a three-year trial period ended without a decision from the European Commission. The airport will replace the body scanners with “privacy friendly” scanners. Manchester Airport Group Chief Operating Officer Andrew Harrison expressed frustration “that Brussels has allowed this successful trial to end,” adding, “Our security surveys and those run by the Department for Transport show passengers regularly rate their experience at Manchester as one of the best security processes in the UK, if not Europe. There’s no doubt that body scanners play a big part in these results.” [BBC News]

US – NIST Issues Risk Assessments Guidance

The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment. Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government. The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other. [Source] [Full announcement on the CSRC News/Announcement page] [NIST Public Business Affairs Office media release] [SP 800-30 Revision 1] [CSRC Special Publications] S [Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization is available for public comment]

AU – Privacy Commissioner: Citizens Concerned About Smart Meter Data

Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes. [The Age]

US – Meeting Scheduled to Establish Voluntary Smart Grid Code of Conduct

In response to workshops on smart grid privacy, a task force will develop a voluntary code of conduct for utilities and third parties providing consumer energy use services. The White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation for the Global Digital Economy,” in February. The blueprint contains an outline for a multi-stakeholder process to develop a voluntary code in order to promote consumer confidence. As such, an initial multi-stakeholder meeting will take place December 6 in Washington, DC, and aims to develop the process and a timeline as well as to establish priorities. [Smartgrid.gov]

WW – Risk Report Finds “Sharp Increase” in Browser Exploits

Results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.” [InfoSecurity]

Surveillance

US – Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says

Seven rent-to-own companies and a software maker are settling charges with the FTC alleging they spied on consumers using rented computers. Without consumers’ knowledge or consent, the companies captured screenshots of confidential and personal information, logged keystrokes and in some cases took webcam pictures. The proposed settlement bans the companies from using monitoring software and from using deceptive methods to gather information about consumers. It also forbids the companies from using geolocation tracking without consumer notice and consent and from “providing others with the means to commit illegal acts,” among other provisions. [WIRED] [Settlement] [Commentary: Web Cam Spying Settlement Indicates Need for Stronger Privacy Laws] [FTC Wrist Slaps PC Rental Firms For Spying]

US – Report Indicates “Massive Spike” in Tracking

Documents indicate a jump in law enforcement is “real-time surveillance targeting social networks and e-mail providers 80% from 2010 to 2011.” The documents, obtained through a Freedom of Information Act suit by the American Civil Liberties Union (ACLU), also indicate “a massive spike in ‘non-content’ surveillance by federal law enforcement over the last two years, jumping 60 percent from 23,535 cases in 2009 to 37,616 in 2011.” The report suggests “police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social network users communicate with, what Internet addresses they’re connecting from” and other interactions. [Source]

US – Survey: More Than a Third of Public Fears Police Use of Drones

More than a third of Americans worry their privacy will suffer if drones like those used to spy on U.S. enemies overseas become the latest police tool for tracking suspected criminals at home, according to an Associated Press-National Constitution Center poll. Congress has directed the Federal Aviation Administration to come up with safety regulations that will clear the way for routine domestic use of unmanned aircraft within the next three years. The government is under pressure from a wide range of interests to open U.S. skies to drones. But privacy advocates caution that drones equipped with powerful cameras, including the latest infrared cameras that can “see” through walls, listening devices and other information-gathering technology raise the specter of a surveillance society in which the activities of ordinary citizens are monitored and recorded by the authorities. Nearly half the public, 44%, supports allowing police forces inside the U.S. to use drones to assist police work, but a significant minority – 36% – say they “strongly oppose” or “somewhat oppose” police use of drones, according to a survey last month. When asked if they were concerned that police departments’ use of drones for surveillance might cause them to lose privacy, 35% of respondents said they were “extremely concerned” or “very concerned.” An almost identical share, 36%, said they were “not too concerned” or “not concerned at all.” [Associated Press]

US – GAO Report on Drones Cites Growing Privacy Concerns

A Government Accountability Office (GAO) report has said there are growing concerns about privacy and civil liberties as unmanned aircraft systems (UAS) are introduced to the public airspace. The GAO reported, “Concerns include the potential for increased amounts of government surveillance using technologies placed on UAS, the collection and use of such data and potential violations of constitutional Fourth Amendment protections against unreasonable search and seizure.” The GAO report also revealed that no federal agency “has been statutorily designated with specific responsibility to regulate privacy matters relating to UAS for the entire federal government.” [Security Management]

Telecom / TV

US – Tech Companies Form Alliance To Lobby Washington

Major Internet companies have formed a lobbying group to address regulatory and political issues in Washington, DC. Google, Yahoo, LinkedIn, Amazon, eBay and Facebook are among those comprising The Internet Association. The group will lobby on privacy and cybersecurity issues, among others. The group’s president said it’s the Internet’s “decentralized and open model that has unleashed unprecedented entrepreneurialism. Policymakers must understand that the preservation of that freedom is essential to the vitality of the Internet itself and the resulting economic prosperity.” [Reuters] SEE ALSO: [Commission nationale de l’informatique et des libertés, France - Connected TV: What Challenges for the Protection of Privacy?]

US Government Programs

US – New York to Expand Access to DMV Information by Law Enforcement Agencies

Governor Andrew M. Cuomo has announced a new data sharing initiative that will give law enforcement agencies greater and instantaneous access to information housed by the Department of Motor Vehicles (DMV) through a secure internet portal. This information includes photos of all 16 million New York State drivers and non-drivers, vehicle registrations, drivers’ lifetime driving histories, as well as real-time notifications of traffic violations and other changes to a driver’s record.[Source]

US – White House Draft of Executive Order on Cybersecurity “Close to Completion”

US Department of Homeland Security (DHS) Secretary Janet Napolitano says that the White House’s executive order on cybersecurity is “close to completion,” but added that to ensure the safety of US networks, lawmakers will have to pass cybersecurity legislation as well. There are issues that an executive order cannot address: it cannot provide liability protection as incentives for employing cybersecurity measures and it cannot change penalties for cybercrimes. The president has not yet reviewed the draft document. [NextGov] See also: [Senator Sends Letters to Fortune 500 CEOs Asking About Cybersecurity Efforts] and [State Dept. Legal Adviser Says Cyberattacks Subject to Int’l Laws of War] and [FERC Establishes Cybersecurity Office]

US Legislation

US – Groups Disagree on Proposed COPPA Changes

Privacy advocates are urging the Federal Trade Commission (FTC) to discard a proposal by the Walt Disney Company that would change how organizations meet COPPA obligations. The company wants the FTC to alter its definition of websites “directed at children” and has proposed a “family-friendly” classification. The Center for Digital Democracy has said “children’s privacy would receive much less protection as a result” of the changes. Meanwhile, in its comments to the FTC, the Interactive Advertising Bureau has said new behavioral advertising limits “would restrict children’s access to online resources by undermining the prevailing business model.” [NationalJournal]

US – Senator Introduces Bill Requiring Warrant for E-Mail History

After more than 25 years since the passage of the Electronic Communications Privacy Act (ECPA), Sen. Patrick Leahy is hoping to get the out-of-date privacy law up to speed by introducing a new bill in the Senate Judiciary Committee. The key component of this new bill is that law enforcement officials would no longer have the ease of freely being able to read people’s personal e-mail and online communication — they’d need a warrant first. As the law now stands, police are allowed to get individual’s private correspondence by simply asking e-mail providers for the person’s message history.[Source] See also: [US: Judge preserves privacy of climate scientist’s e-mails]

US – Bill Would Require Police to Obtain Warrants for E-mail, Location Data

A new bill would require police to acquire warrants before accessing U.S. citizens’ e-mail or tracking their cell phones. Introduced by Rep. Zoe Lofgren (D-CA), the bill would require a search warrant for law enforcement access to cloud data or location information, the report states. The bill is backed by Digital Due Process, which comprises companies including Amazon.com, Apple, Google, Twitter and Microsoft. It’s anticipated that the U.S. Justice Department will combat the effort; it has previously warned that such protocols would hinder “the government’s ability to obtain important information in investigations of serious crimes,” the report states. [CNET News]

US – CA Signs Two Social Media Privacy Bills Into Law

California Gov. Jerry Brown has signed two social media privacy bills, making it illegal for businesses and universities to ask for access to people’s social media and e-mail accounts. Brown said, “The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts.” Assembly Bill 1844 prevents employers from requiring user names or passwords from employees or job applicants, and Senate Bill 1349 prevents public and private universities from requiring students to disclose their user names and passwords. [Mercury News]

US – Senate Panel Delays Privacy Law Rehash

The Senate Judiciary Committee will likely wait until after the presidential elections to overhaul the Video Privacy Protection Act and the Electronic Communications Privacy Act (ECPA). Judiciary Chairman Patrick Leahy (D-VT) said panel members told him “they want further discussion” of the reforms. Earlier this week, several law enforcement groups wrote the committee saying, “Any effort to revise ECPA should involve detailed and careful consideration of the consequences of proposed changes on the ability of law enforcement investigators to conduct their work efficiently and effectively on behalf of American citizens.” [NationalJournal] SEE ALSO: [ Connecticut’s new data-breach hotline goes live Oct. 1] and [New Jersey Senate, No. 1898 - An Act Prohibiting a Requirement to Provide Information to Access an Account on a Social Networking Website by an Employee - State of New Jersey 215th Legislature] and [Departing CA Senator Simitian Hopes Others Pick Up the Privacy Torch]

Workplace Privacy

US – Managing Risks in Implementing Bring Your Own Device Programs

Companies must deal with the following issues in the context of implementing a corporate bring your own device (“BYOD”) strategy – hardware and software standards (determine what the technical minimum requirements a device must meet in order to be released for productive use in the company’s IT-system environment), rights on ownership and licenses (in order to put the device into productive use, it is very likely that the company must dispose of all rights needed to use the device with the existing IT-system environment), access and control rights (for the purpose of having legal certainty, the company must establish clear rules to determine under what circumstances it may access the employees’ devices or monitor their use), transfer rights (the fact that company data resides on the device impacts the employees’ ability to transfer the device to third parties, e.g., in case of maintenance or repair), and data protection compliance (there must be a comprehensive data protection concept in place which spans reasonable technical and organization measures to protect confidentiality of the data, and provides adequate notification of the individuals whose data are processed). [Source: Matthias Scholz, Baker and McKenzie]

EU – EU Proposal Would Complicate Workplace Evidence Gathering

If the EU adopts its new data protection proposal, companies could have a difficult time conducting internal investigations that rely on collecting documents and e-mail from employees. EU regulations already make it difficult for lawyers to gather information—including data stored on company computers and servers, the report states. But the new proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes,” said DLA Piper’s Jim Halpert. He added that under current law, lawyers can gather information if given voluntary employee consent. But under the EU’s proposal, that consent, “even if freely given,” would be deemed “invalid.” [Corporate Counsel]

US – California Governor OKs Web Privacy Bill

California Gov. Jerry Brown has signed privacy bills making it illegal for employers and colleges to demand ac-cess to social media accounts. Brown announced Thursday that he signed the bill that prohibits employers from demanding usernames and passwords from employees and job applicants. The companion bill makes it illegal for colleges and universities to demand social media user-names and passwords from students. [Source] See also: [US: Lawyer’s Facebook photo causes mistrial in Miami-Dade murder case] See also: [OIPC SK - Investigation Report F-2012-003 - Saskatchewan Workers’ Compensation Board] and [OIPC SK - Investigation Report F-2012-002 - Saskatchewan Workers’ Compensation Board] and [OIPC SK - Investigation Report F-2012-005 - Saskatchewan Worker’s Compensation Board]

 

+++

 

 

01-15 September 2012

 

Biometrics

US – FBI Begins Installation of $1 Billion Face Recognition System Across America

A move by the Federal Bureau of Investigation (FBI) to upgrade its biometric database has a number of privacy and civil liberties groups raising red flags over potential privacy intrusions. The Next Generation Identification program will update the FBI’s fingerprint database and will compile mugshots, DNA data, iris scans and voice recognition to help agents track down suspects. An FBI spokesman said the agency “is tentatively planning to host a meeting of federal law enforcement and national security agencies with privacy and civil liberties groups to discuss various aspects of federal government uses of facial recognition technology later this year.” Sen. Al Franken (D-MN) has expressed privacy concerns about the database. [CNET News] [Source]

US – Alabama First State to Scan Fingerprints of Prison Visitors

The Alabama Department of Corrections has enacted a first-in-the-nation policy requiring visitors at the state’s prisons to have their fingerprint scanned before they are allowed to enter the facilities. No other state prison system in the country has a similar requirement. The change, implemented in August, has its roots in the prison system getting a new computer program, said a spokesman for the Department of Corrections. The move is drawing some criticism. State Departments of Corrections routinely require that visitors be approved, and each visitor undergoes a criminal background check. However, the fingerprint requirement is “extreme” said David Fathi, director of the American Civil Liberties Union’s National Prison Project.” If showing a driver’s license is all that is required to get on an airplane that will fly you near the White House, it should be enough to get you inside a prison to visit someone,” he said. [Source 

WW – Devices Capture Increasing Amounts of Intimate Data

A growing number of products are capable of monitoring intimate biological data—devices like wireless health monitors and, soon, “stretchable electronics” capable of measuring heart rate, brain activity, body temperature and hydration levels. One company will soon pilot a “Digital Health Feedback System” that will capture biometric data using microchips embedded in a pill and using stomach fluids to emit signals to an external sensor. The ways companies may use or share the data collected by such devices is yet to be seen. One company says customers will own the data but requires customers to grant it permission to use data for “product development and the cultivation of its data sets,” the report states. [The New York Times]

 

Canada

CA – Stop Collecting Health Numbers, SaskTel Told

Saskatchewan’s privacy commissioner says SaskTel should stop collecting health card numbers from its customers. Gary Dickson also wants the Crown-owned phone company to stop gathering social insurance numbers and other unique identifiers whenever possible. The recommendations were part of a 58-page report Dickson released this week. [Source] [Source]

CA – Ontario Trial Hinging on Cellphone Search Warrant Raises Privacy Concerns in B.C.

David Eby of the B.C. Civil Liberties Association is concerned about the outcome of a court case in Ontario ruling on whether police can search a suspect’s cellphone without a warrant. A cellphone was found on an Ontario man after he had been arrested on suspicion of armed robbery in July 2009. On the phone were images and text messages that were used against him in his trial. A warrant to examine the phone was only obtained after the police found evidence on the phone. The cellphone information was ruled admissible as evidence but that decision has gone to the Ontario Court of Appeal for a ruling on whether it was a violation of Charter of Rights and Freedoms. Police can search a bag or briefcase when they arrest someone. They need a warrant to get into your house or the trunk of your car. But a phone can carry a lot more vital information these days than a briefcase. “The issue that the courts are grappling with now is the realities of new technologies,” said Eby. He believes police should get a warrant before accessing all that information. [Source 

CA – Growing Number of Stolen ID Cards Used to Obtain Passports: RCMP Report

Criminals are increasingly using stolen social insurance numbers and doctored birth certificates to obtain legitimate driver’s licences and passports, an internal RCMP report says. And by leveraging pilfered or forged identity markers into higher-value IDs, criminals can sidestep tough anti-counterfeiting features built into government-issued identity documents, including a pending upgrade of passports with biometric chips. “Identities are being overtaken, altered or created, facilitating a number of other crimes, including many variations of fraud, typically for financial gain or to conceal a true identity,” says the March 2011 report prepared by the RCMP’s criminal intelligence division. It points to a rising use of “breeder” documents — identity records such as social insurance numbers, birth or citizenship certificates — that are stolen, tampered with or falsified, then used to sign up for credit cards or valid forms of identity. The report suggests Ottawa’s recent move to stop issuing SIN cards, instead sending the information in a letter, may not hinder identity thieves who skim someone’s mail or pick through their garbage looking for the nine-digit number. The report says the failure of governments to cross-check the authenticity of personal documents used in applications allows fraudsters to stitch together a “synthetic” identity, often combining a stolen social insurance number or altered birth certificate with a made-up name and date of birth.That means a social insurance number can be successfully paired with an entirely different name on a government application form, since the two are not routinely checked for a match, it says. And online applications make it easier for criminals to avoid face-to-face interactions when committing identity fraud, the report notes. [Source 

CA – Privacy Goes Missing With Alberta’s New Missing Persons Act: Critics

A new law that came into effect this month giving Alberta police easier access to personal records when investigating missing persons cases is being touted as a potential lifesaver by the provincial government. But critics say that however well-intentioned the Missing Persons Act is, it presents real dangers to privacy and, possibly, personal safety. The legislation, introduced more than a year ago, allows police in a missing person case to seek an order from a justice of the peace to search personal information, such as cellphone and computer records, employment, education and health files, closed circuit television records and financial histories. In emergency situations, police can also make a written demand for information without going to the courts. Justice Minister Jonathan Denis said Friday the law’s major impact is that police can now access information even if there is no reason to think a crime has been committed. Denis said the legislation is the first of its kind in Canada. But Liberal MLA Laurie Blakeman said she’s horrified by how much personal information the government is allowing police to collect under the law. [Source 

CA – Commissioner Urges Orgs to Make Privacy Part of Their Corporate Culture

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, says it is not enough for organizations to have a privacy policy in place – they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations. A new paper, released today by the Commissioner at a meeting of the Privacy Section of the Canadian Bar Association, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization. Paper: A Policy is Not Enough: It Must be Reflected in Concrete Practices [Source: Office of the Information & Privacy Commissioner of Ontario]

 

Cloud Privacy 

HK – Cloud Security Alliance Presents Privacy Level Agreement Initiative

The Cloud Security Alliance (CSA) has announced the launch of launched a Privacy Level Agreement (PLA) Working Group in the EU and a partnership with the Hong Kong Applied Science and Technology Research Institute (ASTRI) to advance cloud computing security and build capabilities that will accelerate the development of the cloud ecosystem in Hong Kong. The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities. The group will work to define compliance baselines for data protection legislation and establish best practices for defining a standard for communicating the level of privacy measures such as data protection and data security that it agrees to maintain while hosting third-party data. [Source]

 

E-Government 

CA – BC: Coquitlam Rejects Plan to Publish Voters’ Names

Coun. Terry O’Neill’s plan to improve voter turnout was flatly rejected at a council meeting in Coquitlam this week. Introduced in July, O’Neill’s motion sought to publicize the names of those who vote in a civic election, a move he hoped would improve “abysmally low” voter turnout in recent years. But the key stumbling block among his council colleagues was the issue of privacy, and the motion was defeated 8-1. O’Neill was the lone councillor to vote in favour of the motion. “No idea is perfect,” he said. “But I think this is a good idea and it’s a good start.” O’Neill got the idea after reading an Atlantic magazine article entitled, “The Ideas Report.” The report cited a U.S. study that suggests “people are more likely to follow social norms when their behaviour is observed by others” – in other words, if their names are published, they are more likely to vote. Under current provincial legislation, municipalities are mandated to produce voter lists for eight weeks after an election, a point O’Neill used to counter claims his motion would undermine privacy concerns. He also argued publishing the names of those who vote in local newspapers would instill a sense of pride, while also exerting pressure on those who choose not to vote. Coun. Selina Robinson, however, said that tactic encouraged a form of public shaming rather than public engagement. [Source]

 

Electronic Records

US – New Texas Privacy Law Adds More Hassle, Expense

Texas physicians and certain other professionals who use electronic health records must comply with a new state privacy law beginning this month that imposes more stringent requirements than HIPAA. HB300, an omnibus health information technology privacy and security bill, covers meaningful use of electronic health records, the physician quality and reporting system, e-prescribing, translator availability, drug plan authorizations, and increased documentation and certification requirements. The changes begin with a broadened definition of “covered entities,” to include almost anyone who handles protected health information. This may include business associates, healthcare payers, government units, schools, healthcare facilities, providers, researchers and physicians. Covered entities are allowed to transmit protected health information for treatment, payment, health plan operations and insurance functions, and patients must be informed — through prominently displayed notices in public areas — that this disclosure may occur for authorized purposes. Other uses will require patient authorization. Patient requests for their electronic health records must be fulfilled within 15 business days of a written query, just as physicians have been required to do for paper records under state law. Health care workers also face stricter training requirements regarding privacy issues, and penalties for violations will be ramped up significantly under the new law.[Source 

US – ONC Shelves Voluntary “Rules of the Road” Draft Regs

The Office of the National Coordinator (ONC) for Health Information Technology has stepped away from plans to set voluntary “rules of the road” for health information exchanges—including guidelines for privacy and security. In a blog post about the shelving of a Nationwide Health Information Exchange Governance Rule, ONC head Farzad Mostashari wrote, “Based on what we heard and our analysis of alternatives, we’ve decided not to continue with the formal rulemaking process at this time and instead implement an approach that provides a means for defining and implementing nationwide trusted exchange with higher agility, and lower likelihood of regret.” [GovInfoSecurity]

 

Encryption 

UK – UK Limits Spyware That May Have Targeted Dissidents

The British government has imposed export controls on U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, following reports that the systems may have been used to target political dissidents. The U.K. Secretary of State for Business Innovation and Skills informed the company that existing export restrictions apply to FinSpy, requiring Gamma to obtain a license to sell the system outside the European Union, according to an Aug. 8 letter the government sent to lawyers for London-based Privacy International, which is pressing for such restrictions. [Source]

 

EU Developments

US – Privacy, Consumer Groups Back EU’s Proposed Privacy Rules

22 U.S. privacy and consumer groups have voiced support for a tough online privacy proposal being considered by the European Union, even though some U.S. businesses and government officials have described the proposal as too regulatory. The proposal “provides important new protections for the privacy and security of consumers,” the groups wrote in a letter sent to members of the European Parliament. “We believe that the promotion of stronger privacy standards in Europe will benefit consumers around the globe, as businesses improve their privacy practices and security standards.” The privacy and consumer groups, including Consumers Union, Privacy Rights Now, the Electronic Privacy Information Center and Public Citizen, called for the E.U. to strengthen the privacy protections in the proposal. The E.U. should limit the number of compliance exceptions in the proposed General Data Protection Regulation, promote greater transparency in data practices and strengthen the public’s right to data portability, the groups said. The proposal should also limit the scope of information online businesses can collect through “legitimate interests,” the groups said. [Source]

EU – Privacy Czar: Civil Rights at Stake in Asylum Database Proposal

European Commission proposals that would give the police access to a new EU-wide fingerprint database for asylum seekers – Eurodac – is a “serious intrusion” into the rights of a vulnerable group, the European Data Protection Supervisor (EDPS) says. The EDPS said that under Commission proposals, law enforcement authorities would have access to Eurodac data. While the EDPS understands that the availability of a database with fingerprints could be a useful additional tool in combating crime, EDPS views the Commission’s amendment “a serious intrusion into the rights of a vulnerable group of people in need of protection.” The EDPS said the access might not be really necessary. “Just because the data has already been collected, it should not be used for another purpose which may have a far-reaching negative impact on the lives of individuals,” said EDPS supervisor Peter Hustinx. “To intrude upon the privacy of individuals and risk stigmatising them requires strong justification and the Commission has simply not provided sufficient reason why asylum seekers should be singled out for such treatment,” he added. [Source]

UK – ICO: Cookie Compliance Deadline Set for Some

Information Commissioner’s Office (ICO) Group Manager for Business and Industry Dave Evans said Businesses should now “know they have to respond to the law,” said Evans. The comments come after one web software firm taunted the ICO about cookie compliance. For noncompliant businesses, Evans said, “It might be a law they wish didn’t exist, but the simple fact is that it is here to stay,” adding, “for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline.” [Out-law.com] [Privacy watchdog to issue massive fines for cookie law breaches]

UK – Web Software Firm Taunts UK Data Regulator Over Cookies

A software firm has challenged the UK’s Information Commissioner’s Office to punish it over its use of web cookies. Derby-based Silktide said it created http://nocookielaw.com to highlight the “ineffective” rules put in place in May to clamp down on websites using “tracking” cookies which log user data. The site says: “Dear ICO, sue us. Send in a team of balaclava-clad ninjas in black hawk helicopters to tickle us to death with feather dusters.” The ICO has defended its role. “We welcome any opportunity to help us draw attention to this matter, as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations,” a spokesman said. [Source]

UK – Parliamentary Committee Hears Evidence on Proposed Framework

The UK Parliament’s Justice Select Committee has held its first evidence session on the EU’s proposed data protection framework. The Association of Chief Police Officers, the Federation of Small Businesses and the Information Commissioner’s Office were among those who provided their opinions. While many said the regulation brings welcome changes, “the overwhelming response was to criticize the overly-engineered text” of both the regulation and the Data Protection Directive, the report states, and a key “tension in the regulation exists between the drive toward harmonization and the consequent prescriptive practices and procedures that the commission’s version of harmonization requires.” [Source]

UK – British Funeral Director Puts QR Codes on Grave Stones

Visitors to graveyards in the UK may soon be able to learn much more about the people buried there, with the introduction of quick response (QR) codes on headstones. Chester Pearce in Poole is the first funeral director to offer families the option of interactive gravestones with embedded QR codes. The £300 QR codes are etched on to small granite or metal squares before being embedded or glued on to the gravestones. When scanned using a smartphone or tablet, the code launches a personalised web page dedicated to the deceased, complete with pictures, videos and contributions from family and friends. The QR codes can also be put on memorials and tribute plaques on benches. [Source]

EU – Working Party Releases Meeting Agenda

The Article 29 Working Party has released a draft agenda ahead of its next meeting. The meeting will take place September 25 and 26 in Brussels. It will discuss “the draft application form and cooperation procedure for Binding Corporate Rules (BCR) for processors,” the draft opinion on purpose limitation and “developments on the draft data protection regulation and directive.” [Source]

EU – Uruguay Declared Adequate by EU

The European Union has confirmed that Uruguay has achieved adequacy for personal data protection, according to the website of the nation’s data protection authority. “It is a recognition to the work of the regulatory unit and control of personal data,” the website states, “and a confidence in Uruguay as a country capable of assuming the challenge of taking care of the adequate controls that are required in the use and treatment of the personal data that has been provided.” [Source]

 

Facts & Stats

US – 94 Million Records Affected by Government Breaches, Sheriff Announces Breach

The government sector reported 268 incidents of data breaches from January 2009 to May 2012, reports Help Net Security. The breaches exposed a combined total of more than 94 million records. According to research by Rapid7, the number of PII records exposed from 2010 to 2011 increased by almost 170 percent. The leading causes of such losses were unintended disclosure, loss and theft of portable devices, physical loss and hacking, the report states. Meanwhile, a Maine sheriff’s office is warning approximately 180 people who were recently arrested to monitor their personal accounts after their Social Security numbers were inadvertently made public last week for “a fairly limited period of time.” [Help Net Security] 

WW – Data Breaches are Down but Hackers Are More Selective: Symantec

The latest data breach figures from Symantec present a ‘good news, bad news’ scenario. Symantec’s August 2012 Intelligence Report compares the number of breaches for the first eight months of this year with the same period of 2011. There were an average of 14 data breaches per month so far in 2012, down from 16.5 from January to August of 2011. And the average number of identities stolen during those incidents was cut in half from 2011 to 2012 during the months of January to August. Sounds like good news. But the bad news is that, as Symantec cautions, hackers may just be getting smarter and more strategic. And although hackers are still to blame for most of the breaches (40%) the rest of us can bear some responsibility too: 21% of breaches result from data being made public accidentally and 19% are due to theft or loss. [Source]

 

Finance

CH – Banks to Notify Employees of Data Transfers

In the wake of concerns surrounding the transfer of bank data to other countries, Swiss banks have agreed to inform employees before data is sent to foreign tax investigators. Data Protection Commissioner Hanspeter Thür said five banks have “signed on to notify employees after Thür threatened to ask the Federal Administrative Court to force banks to protect employee data,” the report states, noting Thür met with bank officials to promote “a transparent process for employees” and that he has “doubts data handovers to the U.S. are legal.” [World Radio Switzerland]

AR – Argentina Government Tracking All Credit Card Purchases

The Argentina government has begun mandating banks to report credit card purchases to national tax authorities and is adding a 15% surcharge on purchases made outside the country using Argentinian bank-issued credit cards,. The changes are an effort to combat tax evasion and close off ways for people to convert pesos to U.S. dollars at the official rate—which is lower than the black market rate. The author states this is an example of how a “cashless society… has actually advanced the cause of financial repression,” adding, they are “important lessons in why a cashless society should not strip everyone of their transactional and financial privacy.” [Forbes] 

US – Bank Fraud Ringleader Sentenced

The leader of a bank fraud and identity theft scheme in Pennsylvania that targeted top-tier financial institutions and their customers has been sentenced to more than eight years in prison for his crimes. Although that sentence is steeper than in many similar ID theft cases, one legal expert says the case merited an even harsher sentence. [Source]

 

Health / Medical 

CA – Manitoba Ombudsman Wants Tougher Penalties for Snooping by Health Workers

Manitoba’s acting ombudsman says penalties for nosiness should be strengthened now that technology is making it easier for health-care workers to snoop into the private information of patients they have a grudge against. “In the old days, three people had access to your record — your doctor, his or her nurse and his or her receptionist. Now, you can have thousands of people with access to your records,” Mel Holley said. Holley has concluded an investigation into a case last year in which a worker at CancerCare Manitoba, the province’s prime centre for cancer treatment, got into the electronic patient files of a neighbour’s child who was undergoing treatment. The worker, whom Holley did not identify, did not need to see the child’s file for any work-related purpose, but did so because of a personal conflict with the youngster’s mother. [Source]

 

Horror Stories 

US – App Company Admits to Being the Source of Apple UDID leak

A Florida-based app publishing company called BlueToad has claimed it was the source of the Apple UDID leak, contradicting claims from Anonymous that it hacked them from an FBI laptop. Speaking to NBC News, BlueToad CEO Paul DeHart said data released by Anonymous closely matched data held on one of the company’s databases. DeHart believes Blue Toad was hacked several weeks ago. He apologised to those whose data was stolen, adding that an investigation is underway into the exact circumstances. Earlier this month Anonymous leaked one million UDIDs out of about 12 million it claimed to posses. It said it had hacked the data from a laptop belonging to an FBI agent as it wanted to publicly expose the monitoring and tracking by US government agencies such as the FBI. However the FBI was quick to deny it was the source of the data, saying in a statement that it could find, “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” Apple also denied handing over the information to the FBI. It is also phasing out the use of UDIDs, partly. There has been no response yet from the usual Twitter accounts connected to Anonymous. However one thing is clear: the dates do not match up. Anonymous said the information was hacked back in March but BlueToad believes its data breach occurred within the last two weeks. DeHart admitted that it is possible the data had been shared by whoever stolen it from BlueToad and found its way onto an FBI laptop. Web pages have been set up to check whether IDs have been compromised and Apple users can look up an UDID using a confidential partial search at http://pastehtml.com/udid [Source] [FBI Disputes Claims of Hackers' Apple Data Breach] [Alleged FBI Hack: Much Ado about Nothing?] [Hacker group claims FBI tracking Apple users] 

US – Officials Alert Patients: Breached Data May Have Been Sold

University of Miami officials are warning patients affected by a July breach that two university employees may have sold their data. The employees accessed information including names, dates of birth, insurance policy numbers, partial Social Security numbers and some clinical information. In some cases, Social Security numbers may have been viewed in full. The university is providing two years of identity protection services, the report states. “We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data,” university officials wrote in a letter. [Healthcare IT News] [Miami hospital data breach due to employee offense] 

CA – B.C. Health Ministry Suspends Workers Over Privacy Breach

Seven employees have been suspended without pay from the B.C. Ministry of Health over allegations of inappropriate access to medical information. The employees in question worked in the area of research and evidence development, which awards drug research contracts on behalf of the ministry. Government has also terminated agreements with two research contractors until after the investigation is complete. It is believed both government workers and research contractors had inappropriate access to health data. It is not clear what information, if any, has been compromised. Both the RCMP and B.C.’s Office of the Information and Privacy Commissioner have been notified about the allegations. [Source] See also: [NL: Eastern Health announces more privacy breaches] Update: [BC: McInnes: Alleged data breach a body blow to health research expansion] and [Alaska's Health and Social Services CSO Offers Lessons Learned from a Breach] 

US – Judge Consolidates Four Breach Class Actions

A U.S. District Court Judge yesterday consolidated four proposed class-action lawsuits against LinkedIn Corp. The suits were filed in California’s Northern District in response to a June security breach and claimed $5 million in damages after hackers stole 6.5 million user passwords from the site and posted them online, the report states. The suits claim that although LinkedIn’s privacy policy says it will protect user data with “industry standards and technology,” the company used “a weak encryption format that failed to comply with basic industry standards…without implementing other crucial security measures.” [The Recorder] 

US – Judge Throws Out Consumer Complaint

A federal judge has dismissed a consumer lawsuit against 17 tech companies. U.S. District Court Judge Sam Sparks found the consumers’ written complaint is “too unwieldy” for the lawsuit to proceed, the report states. The suit was filed against the tech companies for allegedly collecting or storing users’ address books without their consent, the report states. Complaints are required to make allegations in a “short and plain statement.” Sparks said the consumers’ complaint was not “written with an eye toward this court’s busy docket” and is instead aimed at the “court of public opinion.” The consumers have until September 12 to amend the complaint. [MediaPost]

 

Identity Issues 

CA – Tighter Air Security Rules Leads To New Canadian Passports With Electronic Chip

Starting next spring, Canadian passports will be valid for up to 10 years. But it will also feature a new electronic chip on which vast amounts of data can be stored. Not that it will, insists Passport Canada. But it could – including personal commercial information like cars you’ve rented, hotel reservations made or your frequent flyer programs. Eleven years after 9/11, the new passport is part of a global tightening of air travel security that is the subject of a three-day conference starting this week at Montreal’s International Civil Aviation Organization (ICAO). [Source]

WW – Research Paper Reexamines Reidentification

Columbia University’s Daniel Barth-Jones has released a paper reexamining Latanya Sweeney’s 1997 analysis of reidentification vulnerabilities. With a “profound impact on the development of de-identification provisions” within HIPAA, Sweeney’s study has been “frequently cited as an example” of the “astonishing ease” with which medical data can be reidentified. According to Barth-Jones, this reexamination “exposes an important systemic barrier to accurate reidentification known as ‘the myth of the perfect population register.’” The author provides “recommendations for enhancements to existing HIPAA de-identification policy” and commentary on “balancing the competing goals of protection patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.” [Source] 

US – University Decides Sex Tracking Smartphone App May Not Be Such a Great Idea

Earlier this summer, researchers from Indiana University and the Kinsey Institute launched the ultimate app for the TMI crowd: the Kinsey Reporter, which “crowdsources sexual behavior.” It works how you would expect it to work. The app acts as a digital Dr. Alfred Kinsey — the pioneering sex researcher, a.k.a. Liam Neeson — for those willing to spill their sexual secrets, asking them for reports on their flirting, kissing, cuddling, self-loving time, fetishes, use of birth control, and all other aspects of body-rubbing activity. The app managed to attract a national pool of willing guinea pigs in just over three months time, judging from this recent report: The researchers’ pitch was to share your sexy times for science to allow them to get better insight into “issues that have been challenging to study until now.” (Thanks to those pesky Peeping Tom laws.) The app assured users that all reports would be anonymous, tied solely to the participants’ geolocation, which would be tagged when they uploaded their reports. Then it would be used for research and to generate nifty reports. Though originally released in May, the app got media attention just this week after the university issued a press release. Those reports, of course, involved the word “creepy.” A few hours after the release was issued, the University’s general counsel got wind of the app’s existence, apparently for the first time, and made the decision to disable the Kinsey Reporter app and an accompanying website for further study after concerns were voiced concerns about potential privacy issues and data protection. [Source]

 

Intellectual Property 

US – Federal Appeals Court Restores Initial US $222,000 Verdict in Filesharing Case

The 8th US Circuit Court of Appeals in Missouri has reinstated the original verdict against Jammie Thomas-Rasset, the Minnesota woman who since 2006 has been challenging an illegal file-sharing lawsuit brought by the Recording Industry Association of America (RIAA). Thomas-Rasset was initially ordered to pay US $222,000 for illegally downloading and sharing 24 songs through Kazaa. The RIAA says it found more than 1,700 songs on Thomas-Rasset’s computer but for the court case, it focused on just 24. After the first trial, the judge declared a mistrial after he decided that he had given the jury inaccurate instructions. The subsequent trial also found Thomas-Rasset guilty and the jury gave a verdict of US $1.92 million, which the judge reduced to UD $54,000.  The companies went to third trial on damages, which awarded the RIAA US $1.5 million, but that was reduced to US $54,000 as well. The appeals court ruled that the US $222,000 verdict should stand. Thomas-Rasset’s lawyer says his client plans to appeal to the US Supreme Court. The RIAA no longer pursues action against individual file-sharers; instead, it is focused on working with service providers to help identify and punish those who persist in illegal downloading. [WIRED] [Ars Technica] [BBC] [Opinion]

 

Law Enforcement 

WW – Infrared-Camera Algorithm Could Scan for Drunks in Public

Computer scientists have published a paper detailing how two algorithms could be used in conjunction with thermal imaging to scan for inebriated people in public places. The paper, published in the International Journal of Electronic Security and Digital Forensics, details two different algorithms that focus on data gathered from a subject’s face — alcohol causes blood-vessel dilation at the skin’s surface, so by using this principle as a starting point the two began to compare data gathered from thermal-imaging scans. One algorithm compares a database of these facial scans of drunk and sober individuals against pixel values from different sites on a subject’s face. A similar method has been used in the past to detect infections, such as SARS, at airports — though a study carried out at the time of the 2003 outbreak warned, “although the use of infrared instruments to measure body surface temperatures has many advantages, there are human, environmental, and equipment variables that can affect the accuracy of collected data.” A second algorithm is used to map out the different areas of the face. The pair found that, when inebriated, an individual’s nose tends to become warmer while their forehead remains far cooler. To use this information against the database with the first algorithm, a second algorithm was necessary to identify and differentiate between features. The system could, the paper argues, be used to avoid embarrassing and unfounded reproaches by police officers and officials, who generally make assumptions based on behaviour and appearances alone. [Source] See also: [New Mexico: Eddy County Sheriff’s office uses tech to fight child porn]

 

Location 

US – Feds: No Constitutional Protections for Location Data

Wired reports on court arguments made by the Obama administration claiming there is “no expectation of privacy” in cellphone location data, meaning law enforcement should not need to obtain a warrant to track a suspect’s movements. Citing a 1976 Supreme Court case, the administration said data such as bank records gleaned from cellphone providers are “third-party records.” The arguments come as the government prepares for a retrial in the United States v. Jones case. The administration’s court filing states, “When a cellphone user transmits a signal to a cell tower for his call to be connected, he thereby assumes the risk that the cellphone provider will create its own internal record.” [Source]

US – FTC Issues Guidance to Promote Secure Mobile Apps

The Federal Trade Commission has just published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are eight general guidelines that all app developers should consider. The FTIC guidelines are:

  1. Tell the truth about what the app can do.
  2. Disclose key information clearly and conspicuously..
  3. Build privacy considerations in from the start.
  4. Offer choices that are easy to find and easy to use.
  5. Honor privacy promises.
  6. Protect children’s privacy.
  7. Collect sensitive information only with consent.
  8. Keep user data secure. .

Berger says the FTC has no plans to ask Congress to give it more authority to deal specifically with mobile-app privacy matters, but is asking lawmakers to enact legislation to require businesses to assure the online privacy of consumers through its privacy framework. [Source]

Mobile Privacy 

US – Mobile Users Avoid, Uninstall Apps Over Privacy Concerns: Pew Report

About six in 10 mobile phone users said they have decided against downloading certain apps over privacy concerns, a new survey finds. And in many cases, they have uninstalled apps that collected too much personal information about them. According to the survey on mobile privacy released this month by the Pew Internet & American Life Project, users made those decisions when they learned how much personal information they would share by using the apps. The findings, in a survey of 2,254 adults, show that “many cell phone users take steps to manage, control or protect the personal data on their mobile devices,” according to the report’s authors. Among the findings:

—  88% of adults said they own some sort of a mobile phone, and 43% of that group downloaded applications to their phone. That’s up from 31% in 2011.

— 30% of smartphone owners said they turned off their phone’s location tracking feature because they were worried about people or companies accessing this information. That compares with just 7% for those with regular, basic cellphones.

— 41% of all cellphone owners said they backed up data on their phone, such as photos or contacts.

— Men were more likely than women to delete an app because of privacy concerns. But there was no gender difference among people who decided not to install apps in the first place due to privacy concerns.

— Those with BlackBerrys were the most likely to say they’ve lost their phone or had it stolen: 45% compared with 30% of iPhone owners and 36% of Android owners. In all, nearly one-third of all mobile phone owners said they have had their phone lost or stolen.

— People who have had their phone lost or stolen were no more likely to back up the information on their phones afterward. . [Source] 

US – Smartphone Apps Track Users Even When Shut Down

Some smartphone apps collect and transmit sensitive information stored on a phone, including location, contacts, and Web browsing histories, even when the apps are not being used by the phone’s owner, according to two researchers at the Massachusetts Institute of Technology. The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game, for example. Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting. And WhatsApp, a popular text-messaging program, scans the user’s address book when it is seemingly idle. What is not known is whether apps that run on Apple Inc.’s iPhone and iPad tablet computer collect information in similar ways. The researchers only tested 36 apps written for the Android operating system, which is “open source” software. There are logical reasons for some apps to collect such data, researchers said. Rovio Entertainment Ltd., the maker of Angry Birds, makes money from the free version of the game by displaying ads on the screen. It uses location data from the phone to point players to local advertisers. But researchers questioned the need to keep tracking user locations even when the game is shut down. And there is no apparent reason a video game like Bowman needs to know about the player’s Web-surfing habits. The developers of Angry Birds and Bowman did not respond to requests for comment. WhatsApp cited its privacy policy, which says its app scans address books for phone numbers only to see if any of the user’s friends are also WhatsApp users. According to the policy statement, WhatsApp does not copy names, addresses, or e-mail­ addresses from the phone’s address book. The researchers have applied for a patent on their research, which they hope to turn into a rating system to help consumers quickly understand privacy policies for thousands of apps. They used the results of their tests to calculate an “intrusiveness score” for each app, rating the amounts of personal data it collects while in use and when idle. But they can test only a handful of the more than half a million Android apps, so they hope to develop a separate app that would “crowdsource” the process. Owners of Android phones could install the app, use it to test other apps, then publish the results on a website. Consumers could check an app’s intrusiveness score before deciding whether to install it. [Source 

US – NTIA Cancels Mobile App Privacy Meeting to Allow for Fact Gathering

The National Telecommunications and Information Administration (NTIA) has cancelled its September 19 stakeholder meeting to allow stakeholders to meet with app developers for informal briefings first. One such briefing will occur September 19. At the NTIA’s August 29 meeting, the second of a series of three, participants said they needed more information on the mobile app sphere before making decisions. As a result, such briefings have been scheduled for September 13, 14, 19 and 28. The NTIA meetings aim to establish a code of conduct framework, called for under the Obama administration’s Privacy Bill of Rights. [Broadcasting & Cable reports] 

US – Justice Dept. Says Counterterrorism Apps Pose Privacy and Security Concerns

The US Department of Justice (DOJ) is discouraging people from reporting suspicious activity through smartphone apps due to privacy concerns. Normally, information about potential threats reported by citizens is sent to regional analysis centers. Some of those centers are now allowing the reports to come to them through iPhone, iPad and other mobile device apps. The WVa app was introduced in February. The devices have the advantage of sending location information and pictures quickly, but there is concern that the apps could be misused and that they might flood emergency centers with unverified information. [NextGov] [WV]

 

Offshore 

WW – Study Says Data Privacy #1 Obstacle in Multinational Probes

Data privacy is the biggest challenge for lawyers and accountants conducting multinational investigations or cross-border litigation, according to a study released this month. The study found that 54% of those questioned said that data privacy was the greatest obstacle when handling these types of investigations or engagements. The study, published by business advisory firm FTI Consulting Inc., surveyed 114 legal and accounting professionals who have handled e-discovery matters for either multinational investigations or cross-border litigation. Respondents also said that multinational investigations were costly enterprises with 48% reporting they had spent more than $500,000 on such matters, and, most thought things would only get tougher with 76% predicting an increase in data privacy requirements in the coming years. [The Wall Street Journal 

CY – Cayman Islands: Proposed New Privacy Law Open for Comment

The Cayman public now has two months to examine and review critical draft legislation regulating the collection and use of personal data by all businesses, organisations and government entities. The new bill also deals with the individual right of people to access their own personal information and have more control over how it is used. The draft Data Protection Bill 2012 aims to provide legal protection of individual rights without being overly-bureaucratic, officials said this week, as the long awaited proposed law was published for public review. David Archbold, of the Information and Communications Technology Authority, said the bill will have tangible benefits for the Cayman Islands and be an effective tool to advance the right to privacy. “The scope of the draft Bill is quite broad, with exemptions in the public interest or for the protection of other rights and freedoms,” government officials said. The 69 page draft Data Protection Bill 2012 and the accompanying consultation papers are available at http://www.dataprotection.ky [Source]

Online Privacy

WW – Apache Web Software Overrides IE10 Do-Not-Track Setting

Apache has announced it will override Microsoft’s default do-not-track (DNT) setting. One of the authors of the DNT standard, Roy Fielding, wrote a patch for Apache that will disable Microsoft’s DNT setting. As a result, web servers using Apache software—the most commonly used software to house websites—will ignore IE10 DNT settings, the report states. Fielding said, “The only reason DNT exists is to express a non-default option,” adding, “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.” [CNET News] [PCMag] [Microsoft: DNT Default Not an Antidote to Advertising]

WW – Study: File Sharers Heavily Monitored

A study conducted by researchers at the University of Birmingham in the UK reveals that nearly all files shared via torrent sites are monitored by large Internet service companies that are possibly acting on behalf of copyright enforcers. In their study, the researchers noticed that IP addresses of file sharers were being tracked by several monitors acting as file sharers, the report states. One of the researchers said, “In the EU, there are quite strong data protection laws, and people who store personal data have to fulfill a lot of criteria, and this could definitely be looked on as personal data about the people being monitored.” [CBC News] 

US – Big Data: Which Websites Respect Your Privacy Rights the Least?

One lawyer’s has published analysis of how 25 major websites handle customer data. Andrew Nichol’s ClickWrapped.com evaluates sites on four categories, including how user data is used and when it can be disclosed. The evaluations are based on a 100-point scale, and points can be gained based on whether the site’s policy is consumer-friendly. [TIME 

US – Judge: Twitter Must Produce Posts or Face Fines

A judge has ruled that Twitter must disclose an Occupy Wall Street protester’s tweets or face a fine. New York State Supreme Court Judge Matthew A. Sciarrino Jr. has said the company must either turn over the posts or provide its earning statements from the previous two quarters so the judge can assess a fine. “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily,” Sciarrino said. In an exclusive for The Privacy Advisor, Mathew Schwartz asks, “Can service providers be held liable for what their users post, tweet or upload, including what others may deem to be offensive communications?” [Bloomberg]

 

Other Jurisdictions 

AU – Data Retention Laws Risky, Canberra told

The government was warned early this year that proposed new data retention laws would put Australians at higher risk of privacy breaches. The controversial proposal, which could see internet companies store up to two years’ worth of data on subscribers and users, is part of a package of legislative changes to overhaul the telecommunications interceptions regime currently before a joint parliamentary intelligence and security committee. It has come to light that last December privacy consultants Information Integrity Solutions (IIS) advised Attorney-General cola Roxon that some internet companies subject to the new laws may not have the capability to adequately protect the data. Some may also struggle to understand their obligations to protect it under the proposed laws, it warned. In a report obtained under Freedom of Information, IIS advised the government to limit the data retention period to a maximum of six months in order to mitigate the risk of privacy breaches. Under the current proposal before the committee, the legislation anticipates retaining the data for up to two years. [Source] See also: [Ukraine: New Liability For Company Officials]                                   

SA – Personal Information Bill Referred Back to Parliament

The Protection of Personal Information Bill has been referred back to Parliament for a second reading and further debate. A portfolio committee on justice and constitutional development ruled unanimously in favor of the bill, which would provide a regulatory framework for the ways in which personal data may be processed. The bill is “expected to have a significant impact on the manner in which private and public bodies process personal or identifying information as it aims to protect the free flow of information” and information access while protecting privacy, the report states. One expert advised organizations to look at the bill’s various requirements and consider steps toward compliance. [Business Report 

IS – Israeli Court Upholds DPA’s Authority to Issue Market Instructions

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

  •  outsourcing data processing operations;
  • requirements for user authentication when providing remote access to personal data;
  • employee screening and employment recruitment agencies; and
  • allocation of responsibility for databases between health insurers and primary health care providers

In addition, ILITA issued a draft instruction concerning the collection of data from minors; draft guidance concerning privacy in the workplace; and, perhaps most importantly, draft data security regulations which are intended to replace the currently applicable regulations that date back to 1986 (the Privacy Protection Regulations (Conditions for Data Storage and Security and Public Sector Data Sharing), 1986).

 

Privacy (US) 

US – FTC Finalizes Myspace Settlement

The Federal Trade Commission (FTC) has finalized a settlement reached in May with Myspace. The settlement requires the company to develop a data privacy program and undergo privacy audits for two decades, the report states. The FTC found that Myspace violated its privacy policy by sharing users’ personal information with third parties without first obtaining their consent. [The Hill] 

US – Next President, Congress Face Privacy Challenges: Report

Among the top technology hurdles facing the next U.S. president and Congress is consumer privacy, according to a new report. With the FTC constrained in its regulatory power and given the nation’s “patchwork of inconsistent, sector-specific laws protecting certain categories of sensitive data…the opportunity for abuse of consumer privacy is growing every day,” the report states. Advances in technology including the increasing use of facial recognition, license plate scanners and drones all present privacy challenges. In the meantime, “Congress has been dragging its feet on a baseline consumer privacy law for over a decade.” [ABC News] 

US – Domestic Surveillance During Divorce Results In Federal Privacy Lawsuits

Dan Horn reports on a case of domestic surveillance that is noteworthy for the issues it raises. If you have a right to install surveillance systems – including audio recording and monitoring online activity – in your own home and on your own devices, what rights do your spouse and visitors to your home have with respect to their privacy? Although a Cincinnati couple’s divorce is finalized, the surveillance uncovered during their divorce proceedings resulted in two federal court lawsuits involving friends and relatives, the husband’s defense attorney, and a company that manufactures the computer monitoring software. One of those suing is a man whose e-mail communications with the wife were recorded without his knowledge or consent. [Source 

US – Obama Nominates Joshua Wright to FTC

President Obama yesterday announced the nomination of George Mason University School of Law Prof. Joshua Right to the Federal Trade Commission (FTC). If confirmed, Wright will replace Commissioner J. Thomas Rosch. Wright served as the scholar-in-residence at the FTC’s Bureau of Competition from 2007 to 2008. Wright’s academic work has focused on antitrust law, economics, consumer protection, intellectual property and contracts, the report states. The post will now require Senate confirmation. [The Hill]

 

Privacy Enhancing Technologies (PETs) 

WW – Cloudnymous Launches Cloud-Based Privacy Cloak

Startup Cloudnymous has launched a new cloud-based anonymous VPN service which lets users access any restricted or censored website. As customer data is spread evenly across the cloud, even if a server is brought down, customer data cannot easily be retrieved. The cloud-based VPN service offers “true” anonymity and protection of the user’s data through strong encryption protocols, according to the firm — and may be of particular interest to those trying to circumvent location-based restrictions online. “Cloudnymous is perfect for U.S. visitors who want to watch Hulu or listen Pandora overseas, to Asian users wanting to open public sites restricted by local laws and simply for those who want to keep privacy while surfing the Internet”, said the company. The service is based on a ‘pay per use’ system. There are no contracts; instead, users can pay $0.15 for daily paid servers, $4.95 for monthly paid servers and $0.15 per GB for traffic paid servers. Users can choose the point where the traffic “originates” from — for example, an American or European address, which would in theory circumvent blocks on services including Facebook, Skype and Pandora. According to Cloudnymous, the only logs kept on traffic flow are connection start and end times, and the amount of traffic. Names or addresses are not required to sign up — and all website, VPN traffic and internal communication is encrypted. [Source]

 

Security

UK – GCHQ Chooses Top 20 Security Controls for Businesses

The UK’s GCHQ is introducing a new program to help British businesses protect their computer systems from attacks. The program is called Cyber Security for Business and was launched on Wednesday, September 5. This marks the first time that intelligence services in the UK will be working directly with private sector organizations to help better their cybersecurity stance. GCHQ has created a guide titled Top 20 Critical Controls for Effective Cyber Defence, which is aimed at helping organizations reduce the risk of cyberthreats and prevent or deter most attacks. GCHQ director Iain Lobban says the approach will “make the bad guys’ job harder and won’t cost a fortune.” [v3] [Telegraph] [The Independent] [The Register] [SCMagazine] 

WW – Cyber Security Budgets Grow While IT Budgets Stagnate

Security budgets appear to be comparatively safeguarded, growing 8% to $60 billion in 2012, reaching $86bn by 2016.  At the same time IT budgets are relatively flat, according to Gartner. [SecurityWeek] [The Register]

 

Smart Cards 

UK – Researchers Find Flaw in Chip-and-PIN

Researchers at Cambridge University say that criminals have been exploiting certain flaws in the chip-and-pin system meant to prevent payment card fraud at ATMs and point-of-sale terminals. Chip-and-PIN, also known as EMV, relies in an embedded chip that encodes card information; payment cards are authenticated by ATMs or payment devices computing several pieces of data, including an “unpredictable number.” But the researchers have found that certain ATMs and payment terminals use incremental numbers rather than random ones. The research was prompted by a rash of reported thefts from European bank card users; the banks refused to refund their losses because they maintained that EMV made the type of fraud they were talking about impossible. The researchers suspected that the thieves had devised a way to predict the “unpredictable” numbers. [Krebs] [Research Paper]

 

Surveillance

US – Gov’t Report Questions How Privacy Applies to Drones

A report released by the Congressional Research Service last week questions government use of drones for surveillance. The Federal Aviation Administration anticipates 30,000 commercial and government drones flying U.S. skies within the next 20 years. The Supreme Court has ruled police may gather surveillance by flying planes and helicopters over homes because the areas are in public view. But the researchers say courts could decide drones are more privacy invasive; their ability to hover and remain in the air longer “may sway a court’s determination of whether certain types of warrantless drone surveillance are compatible with the Fourth Amendment,” the report states. Several lawmakers have introduced drone bills. [The Hill] [CRS Report: Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses] [Congress report warns: drones will track faces from the sky]

 

US Government Programs 

White House Circulating Draft Cybersecurity Executive Order

A draft executive order on cybersecurity is being circulated by the Obama administration. The draft has been sent to various federal agencies for feedback and would formulate a voluntary system for firms operating critical infrastructure to adhere to government-backed cybersecurity best practices and standards, the report states. The executive order builds off part of Sen. Joe Lieberman’s (I-CT) cybersecurity legislation from earlier this year. According to the report, the order is also subject to change, and it is not yet clear if it will get final approval from the president. [The Hill] [White House draft cyber order promotes voluntary critical infrastructure protections] 

US – ‘Zombies Are Coming!’ U.S. Homeland Security Department Warns

Tongue firmly in cheek, the government urged citizens to prepare for a zombie apocalypse, part of a public health campaign to encourage better preparation for genuine disasters and emergencies. The theory: If you’re prepared for a zombie attack, the same preparations will help you during a hurricane, pandemic, earthquake or terrorist attack. The federal Centers for Disease Control and Prevention last year first launched a zombie apocalypse social media campaign for the same purposes. Among the government’s recommendations were having an emergency evacuation plan and a change of clothes, plus keeping on hand fresh water, extra medications and emergency flashlights. A few suggestions tracked closely with some of the 33 rules for dealing with zombies popularized in the 2009 movie Zombieland, which included “always carry a change of underwear” and “when in doubt, know your way out.” [Source]

 

US Legislation

US – House Approves Reauthorization of FISA Amendments Act

The US House of Representatives has voted to reauthorize the 2008 FISA Amendments Act, a law that “allows a secret national security court to approve the interception of communications in and out of the US among groups of people of interest to intelligence agencies.” While the law requires that any data collected “incidentally” are subject to rules that hides the individual’s identity and limits the use of the information, one congressman observed, “the enforcement of this provision is itself shrouded in secrecy, making the potential for abuse substantial and any remedy unlikely.” And Cato Institute analyst Julian Sanchez notes that the breadth of power that FISA allows is similar to the “general warrants” used by agents of the crown in the colonial era, prompting the adoption of the Fourth Amendment rights against unlawful search and seizure. The bill now goes to the Senate. [Washington Post] [WIRED] [Ars Technica] [NextGov] [The Washington Post]  

US – Markey Introduces Mobile Device Privacy Act

A new bill has been proposed by Rep. Ed Markey (D-MA) to “require mobile phone makers, network providers and application developers to disclose to customers any monitoring software installed on their mobile devices.” The Mobile Device Privacy Act, which Markey introduced this week, would also require permission from customers before their mobile devices could be monitored. “Apps very commonly access our sensitive information—our location, our photos, web browsing, history. Apps often do this without prior notice and even when the app isn’t actively being used,” Markey said, adding reports of such tracking have created a “significant societal issue that has to be discussed.” Software and technology groups, meanwhile, are saying legislation is not the answer, the report states. [IDG News] 

US – Senate Judiciary Geared to Revamp ECPA, VPPA

The Senate Judiciary Committee has said it will work on an update of the Video Privacy Protection Act and attach provisions to amend portions of the Electronic Communications Privacy Act. Judiciary Committee Chairman Patrick Leahy (D-VT) said in a statement, “When Congress first enacted these laws almost three decades ago, e-mail was still a novelty and most Americans viewed movies at home on VHS tapes rented at their local video store,” adding, “The explosion of cloud computing, social networking sites, video streaming and other new technologies in the years since require that Congress take action to bring our privacy laws into the digital age.” [NationalJournal]

US – FTC Extends Comment Deadline for COPPA Reforms

The Federal Trade Commission has extended to Sept. 24 the deadline to comment on proposed modifications to the Children’s Online Privacy Protection Rule, which gives parents control over what information Web sites and online services may collect from children under 12. Go to: https://ftcpublic comments

 

Workplace Privacy

IS – Draft Guidance Issued on Personal Data Protection in the Workplace

The data protection authority in Israel (ILITA) has provided draft guidance on privacy in the workplace (April 2012). Summary: Employers’ increasing collection of employee personal information throughout employment requires the application of information privacy principles in the workplace; informed consent, specified purpose, proportionality, transparency, purpose limitation, confidentiality and security, obligations related to outsourcing, and access and correction. [Source] 

US – Plaintiff Has to Turn Over Emotional Social Media Content In Employment Lawsuit

“Plaintiff sued her former employer for discrimination and emotional distress. In discovery, defendant employer sought from plaintiff all of her social media content that revealed her “emotion, feeling, or mental state,” or related to “events that could be reasonably expected to produce a significant emotion, feeling, or mental state.”“ The case is Robinson v. Jones Lang LaSalle Americas, Inc., 2012 WL 3763545 (D.Or. August 29, 2012), and the outcome is no surprise at this point. If you make a claim in court, expect the defendant’s lawyers to seek your social media content in discovery. Read more on InternetCases [Source]

 

+++

 

21-31 August 2012

Electronic Records

AU – OAIC Seeks Public Comment on PCEHR Enforcement

The Office of the Australian Information Commissioner (OAIC) is seeking public comment on how it should enforce personally controlled electronic health record (PCEHR) privacy regulations. Together with a set of enforcement guidelines, the OAIC has released a consultation paper. The guidelines detail the OAIC’s enforcement and investigative powers under the PCEHR and Privacy Acts and outline the penalties, enforceable undertakings and injunctions that can be applied in breach cases, the report states. The OAIC is asking if the draft guidelines are acceptable and provide enough clarity. The deadline for public comment is September 18. [ZDNet]

US – Hackers Claim File Containing iOS Device IDs is Evidence of FBI Tracking Project

Hackers have posted a document to Pastebin that they claim contains unique identification codes for one million iOS devices that were obtained when the laptop of an FBI agent was compromised earlier this year. The attackers claim to have obtained a file that contains Unique Device Identifiers (UDIDs), usernames, and push notification tokens for 12 million devices. They also claim that the file contains some names and associated mobile phone numbers. The attackers are suggesting that the presence of such a document indicates that the FBI may be tracking iOS devices. [ZDNet] [The Register]

Encryption

WW – Report Calculates Costs Savings from Use of Full Disk Encryption

“Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from 4 to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device. ‘After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.’” [Source] [Source]

EU Developments

UK – ICO Defends Cookie Compliance Initiatives

The Information Commissioner’s Office (ICO) has defended its record against claims it has not investigated cookie compliance failures. An earlier report stated the ICO received 320 violation claims without investigating one. The ICO said the report was “dramatically wide of the mark,” adding, “So far, 45 (websites) have been analyzed, of which 27 have clearly taken action to increase the visibility of the information about cookies.” The ICO also said, “A progress update, including a list of all the websites contacted, will be published on our website in November…” [SC Magazine]

UK – Retailers Could Be Forced to Release Customer Data

UK ministers have announced they may require supermarkets and online retailers “to release sensitive personal data they hold about customers.” Companies could be required by law “to provide electronic copies of ‘historic transaction data’ when individuals request it,” the report states, which would mean shoppers receive “records of their purchases and spending habits.” While consumers currently have the right to request such information under the Data Protection Act, “the details are rarely in electronic form, and the process is awkward and slow,” the report states, noting, “The new rules would make access far quicker and easier.” [London Evening Standard]

Google

US – Advocacy Group Challenges FTC Settlements

Nonprofit advocacy group Consumer Watchdog “is dialing up its criticism of the proposed privacy settlement between the FTC and Google,” filing a motion in U.S. District Court seeking friend-of-the-court status and a hearing. Consumer Watchdog questioned the proposed $22.5 million settlement when it was first announced because it allows Google to deny “any violation of the FTC order, any and all liability for the claims set forth in the complaint and all material allegations of the complaint save for those regarding jurisdiction and venue,” the report states. [IDG]

US – Consumer Group, Resort Challenge FTC Settlement

The U.S. District Court of Northern California has granted Consumer Watchdog the right to challenge the legal logic behind the proposed FTC settlement with Google. The advocacy group has questioned how the FTC can charge a company with a violation while also allowing no admission of guilt. A Google representative noted, “We are confident there is no basis for this challenge,” while a Consumer Watchdog spokesman said, “The settlement is particularly the start of a very slippery slope,” adding, “It’s very important the FTC get called on this.” Meanwhile, Wyndham Hotel & Resorts LLC is challenging the FTC’s allegations that it failed to adequately secure consumer data. [POLITICO]

WW – Google to Set up Privacy Red Team

In what appears to be a response to recent high profile privacy issues involving Google and some of its services, the company is in the process of setting up a Privacy Red Team. In a job post for the role of a Data Privacy Engineer Google says the purpose of the team will be to “independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today”. Google has come under fire in a number of jurisdictions for how it has infringed on the privacy of its users. Recently Google was ordered by the US Federal Trade Commission to pay a $22.5 million fine for having misrepresented to users of Apple’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads. While in Europe Google has come under fire from various Data Protection agencies for not deleting Wi-Fi data it gathered as part of its StreetView program from unsecured wireless networks. A ThreatPost report states the move by Google “to look critically at engineering and other decisions in the company’s products and services that could involve user privacy risks is perhaps a unique one.”[ZDNet] [The Register] [Net-Security] [PCMag] [InformationWeek] see also: [Why the FTC May Investigate Google and What to Do If It Happens] see also: [Paying Lip Service to Privacy: Attorney Details Steps for Organizations to Fill Privacy Gaps]

Health / Medical

US – Network Exposure and Healthcare Privacy Breaches

Under Federal law requiring disclosure, the HHS reports on data breaches of over 500 records. Since 2009 HHS has documented 435 PHI breaches impacting 20,066,249 individual records. Why are healthcare systems vulnerable to patient privacy breaches? A key vulnerability is system complexity. EHR systems store patient electronic health records and transported data insider healthcare organizations and between healthcare business units and in and out of HIEs. These systems are big and complex. In addition, the HIE and EHR IT vendors are highly fragmented, competing in typical American free market economy fashion with no vendor-neutral standards for patient privacy enforcement. Lack of vendor neutral standards leads to the implementation of proprietary interfaces between systems for electronic healthcare data transfer and exchange. Every interface developed by a healthcare systems integrator is potential attacker entry point. Risks are compounded by:

  • High porousness of the healthcare enterprise network: A porous healthcare provider network invites attackers in and trusted insiders to take good stuff out using pen drives, tablets, DropBox and Gmail.
  • Low level of ethics of top executives: Executives should be taking leadership positions in security and HIPAA compliance as an example to the rest of the employees and as proof that they believe that good security is key to protecting customers. When a top executive doesn’t let internal risk management guidelines get in the way of his personal goals, it sets the stage for additional fraud at lower echelons and fosters an environment where it’s OK to take company documents, just as long as you don’t get caught.
  • Minimal network monitoring: Organizations with minimal network monitoring are living a life of ignorance that is bliss. If there is a porous network and lack of security and compliance leadership, then even if there is a fraud event, violation of company policy in regards to fraud, online gambling or sexual harassment in the workplace; it will not be detected. Security and fraud violations that are not detected cannot be used for corrective action and future deterrence. [Source]

US – ONC to Revise Model Privacy Notice for PHRs

The Office of the National Coordinator for Health IT is calling for comments and recommendations to inform its revision of the model privacy notice for personal health records. The current model privacy notice is applicable through September 30, the report states. FierceEMR

US – HIMSS Issues Recommendations for “Medical Banking”

The Health Information and Management Systems Society has issued a set of recommendations to guide financial institutions managing revenue for healthcare organizations. Released as a whitepaper , the guidelines aim to help financial institutions involved in “medical banking” to comply with HITECH’s added security and privacy requirements. Recommendations include selecting a privacy officer, updating workforce training and considering data privacy and security accreditation or certification by an independent third party. The paper states, “As customers of financial institutions, healthcare providers and payers need assurances that financial institutions can safeguard protected health information with appropriate technology systems, infrastructure and procedures for risk management and incident management.” [Source]

US – EHR Stage 2 Final Rules Call for Encryption

This week saw the release of the two final rules for Stage 2 of the HITECH Act’s electronic health record (EHR) incentive program. The Department of Health and Human Services rules, which address meaningful use and software certification, are scheduled to be published in the Federal Register on September 4. The meaningful use rule includes requirements for risk assessment analysis addressing encryption of data stored in certified EHR technology, while the software certification rule requires EHR software “be designed to encrypt, by default, electronic health information stored locally on end-user devices,” the report states. A recent whitepaper, meanwhile, cautions against securing personal health information on portable devices. [GovInfoSecurity] [Meaningful Use Rule] [Software Certification Rule]

US – Experts “Mostly Pleased” with HITECH Stage 2 Provisions

Privacy and security experts are “mostly pleased” with the provisions included in Stage 2 of the HITECH electronic health record (EHR) incentive program. One provision requires EHR software be designed to encrypt medical records stored on devices by default, which Rebecca Herold says “will ultimately improve protection of patient information.” Two other provisions—receiving mixed reviews from the experts—include a risk assessment rule mandating security updates, but not specifically encryption, and a patient access rule requiring that five percent of discharged patients access their EHRs within a specified time period—down from 10% in the proposed rule. [Source]

Horror Stories

UK – Data Breaches in UK up More than Tenfold in Five Years

The UK Information Commissioner’s Office (ICO) says that over the past five years, data security breaches in the UK have increased more than 1,000 percent. The figure is slightly higher for local government breaches, and slightly lower for National Health Service (NHS) breaches. The dramatic increase may be attributable in part to organizations reporting more breaches than they have in the past because of increased awareness and legal requirements to keep personal data safe. Telecommunications is the only sector that showed a decline in the number of breaches reported over the given period of time. [BBC] [v3.co.uk]

AU – Cyber Thieves Steal Half a Million Australian Credit Card Numbers

A cyberattack has resulted in the theft of 500,000 credit card numbers in Australia. The incident occurred at an unnamed business in Australia and appears to be the work of hackers located in Eastern Europe. They allegedly placed keystroke loggers on point-of-sale (POS) terminals and remotely downloaded the information. The unnamed company was using default passwords on the POS terminals and stored transaction data unsecured. The thieves appear to have used an unsecured Microsoft Remote Desktop Protocol (RDP) to harvest the data. The people behind the attack are believed to be the same ones that conducted a similar attack in the US on Subway sandwich restaurants. Police are investigating the incident. [WIRED] See also: [Class-Action Filed Against Eastern Health] and [When Cybercrime Isn’t Treated as a Crime: Why Not Report Credit-Card Account Theft to Local Cops?]

US – Thumb Drive Prompts Notifications, Feds Arrest Former ER Worker

A cancer center in Texas is notifying 2,200 patients that a missing thumb drive contained their personal details. CMIO reports that it’s the third breach this year for the University of Texas MD Anderson Cancer Center in Houston. Meanwhile, federal officials have arrested a Florida man for selling the medical records of patients of Florida hospitals. Dale Munroe, who worked in the emergency room at Florida Hospital Celebration before he was fired last year, is accused of accessing and selling the records of more than 700,000 patients, according to the report. [Source]

US – Hackers Publish Stolen Data; Breaches Hit Two Orgs

A hacker collective calling itself Team GhostShell has allegedly accessed and published one million records taken from banks, government agencies and other firms and is warning of further leaks. A security expert said it is “a pretty significant breach.” In a separate incident, a Cancer Care Group laptop containing personal information of approximately 55,000 individuals was stolen from an employee in July. Meanwhile, the University of Rhode Island has disabled a server after it was discovered that the personal information of more than 1,000 faculty and staff was publicly available. [CNET News]

UK – UK Information Commissioner Investigating Tesco Website Security

The UK Information Commissioner’s Office (ICO) is investigating Tesco for alleged inadequate security practices. The retail company allegedly stores its website login and password data unhashed and unsalted. Some of the site’s pages do not use HTTPS, and the company emails users’ passwords in plaintext. Some have noted that it is unusual for the ICO to become involved when a breach has not occurred. [SCMagazine] [BBC] [ComputerWeekly]

Identity Issues

WW – Dropbox Implements Two-Factor Authentication

Dropbox has implemented two-factor authentication for Windows, Mac, and Linux users. Earlier this summer, the company said it would take steps to better protect customers’ data after hackers managed to hijack an employee’s account, access some customer email addresses, and send them spam advertising gambling sites. Dropbox attributed the attack to an employee who used the same password for his work account as for another account elsewhere, which had been compromised earlier. Dropbox will now provide users with one-time security codes, either sent to their phones in a text message, or generated with a mobile authenticator app. Users say the plan still has some problems that need to be worked out. [Krebs] [InformationWeek] [The Register] See also: [Do authenticaton questions really protect you?]

Law Enforcement

US – License Plates Scanned at Border, Data Shared With Car Insurance Group

As public scrutiny continues to mount against the use of license plate readers (LPRs) across the country, the Electronic Privacy Information Center (EPIC) has now released government documents showing that such data, which includes precise GPS location, date, and timestamps, in addition to the plate in question, are shared with an auto insurance umbrella organization. The documents, published this week as the result of a Freedom of Information Act (FOIA) request, include a six-page memorandum of understanding (MOU) from 2005 between the National Insurance Crime Bureau (NICB) and the United States Customs and Border Protection (CBP) agency. The NICB is a nonprofit organization funded by hundreds of American auto insurance corporations around the country, which “partners with insurers and law enforcement agencies to facilitate the identification, detection, and prosecution of insurance criminals.” The revelation has certainly raised some eyebrows, but the NICB now says that while insurance companies are members of the organization, they do not automatically gain access to the LPR data. Roger Morris, the NICB’s chief communications officer, clarified by e-mail that only authorized “Special Investigations Units” personnel from NICB member companies have access to such data “for theft prevention activities.” Every 24 hours, the NICB receives an electronic data transfer from all border stations, providing LPR details on all cars that have crossed in and out of the country. Mainly, the NICB says it’s looking for cars that have been (possibly fraudulently) reported stolen, but were spotted at a border. Morris added that the CPB’s LPR data—”roughly 15 million reads a month”—is kept for 12 months. That means the CBP makes approximately 500,000 LPR reads at the borders every single day, and passes that data along to the NICB. The MOU also allows the NICB to sub-contract management of this data to a “data processing service,” and requires that any misuse of the LPR data be reported to the NICB, and then reported on to the CBP. “In short, US Customs is granting a private company access to what it admits is ‘highly sensitive commercial, financial, and proprietary information,’ and then further allowing the private company to outsource the management of that ‘highly sensitive’ data to yet another private company,” wrote the ACLU Massachusetts. “The only auditing and accountability mechanisms required are self-policing and self-reporting. These documents reveal a growing problem that extends far beyond the management of license plate data. The government is increasingly collecting vast quantities of information about ordinary people accused of no crime, and increasingly it is relying on private contractors to manage, sort, and analyze this data looking for crime or even ‘pre-crime’ trends. The sharing of our license plate data with private companies should be viewed as but one troubling example of this much larger problem.” [Source]

US – Dealer uses MPLS License Plate Data in Car Repo

A South St. Paul car dealer used data stored by Minneapolis police license plate scanners to repossess a car, likely the first time the records have been used by a business in Minnesota. The data’s value for a repo man illustrates just one of the potential applications of Minneapolis’ massive database chronicling patterns of vehicles on its streets. Some privacy advocates fear that data could eventually be used for more sinister purposes. Minneapolis deploys 10 license plate readers, eight of them mounted on police cars and traffic enforcement vehicles, that scan thousands of license plates each day and store their locations – 4.9 million so far in 2012. Their primary use is to help police on patrol identify wanted vehicles in real time. [Source]

US – 6 Years of Spying on NY Muslims Didn’t Generate a Single Terror Lead: NYPD

In more than six years of spying on Muslim neighbourhoods, eavesdropping on conversations and cataloguing mosques, a secret unit of the NYPD never generated a lead or triggered a terrorism investigation, the department acknowledged in court testimony. The demographics unit is at the heart of a police spying program, built with help from the CIA, which assembled databases on where Muslims lived, shopped, worked and prayed. Police infiltrated Muslim student groups, put informants in mosques, monitored sermons and catalogued every Muslim in New York who adopted new, Americanized surnames. Police hoped the unit would serve as an early warning system for terrorism. And if police ever got a tip about, say, an Afghan terrorist in the city, they would know where he was likely to rent a room, buy groceries and watch sports. But in a June 28 deposition as part of a long-standing federal civil rights case, Assistant Chief Thomas Galati said none of the conversations the officers overheard ever led to a case. [The National Post]

Location

US – Location Privacy Act Passed in California

California state legislators have passed a new bill requiring law enforcement agencies to obtain a warrant before collecting any GPS or location data from cell phones or smart phones. The Location Privacy Bill 2012, which was sponsored by the EFF and the ACLU, has now been passed on to California Governor Jerry Brown for signing into law. In a statement the EFF said it “urge[s] Governor Brown to have California take the lead on this issue and sign SB 1434,” and that it “strikes a sensible balance between keeping the public safe and preserving our privacy.” Brown vetoed a similar initiative in 2011, however. Earlier this week, California passed a bill protecting students from having to provide access to their social media accounts. [ZDNet] [ArsTechnica]

US – Missouri Tracking Law Challenged in Court

A new cellphone tracking law recently passed in Missouri is being challenged in court on assertions that it conflicts with federal law. Missouri’s law makes it easier for police to track users’ cellphone locations in cases of emergency. According to a lawsuit filed Monday, the law should be overturned under the supremacy clause of the U.S. Constitution. The suit seeks a restraining order or injunction and class-action status, the report states. The attorney who filed the suit said, “If I take my cellphone to California, I have more rights. If I use my cellphone in Missouri, I have less rights. So really it comes down to a privacy issue.” [Associated Press]

Offshore

IN – India Pushes Sites to Remove ‘Inflammatory’ Content

India pressed social media websites including Facebook and Twitter on to remove “inflammatory” content it said helped spread rumors that caused an exodus of migrants from some cities. The government said in a statement it had already blocked access to 245 web pages it said contained doctored videos and images, and the telecommunications secretary, R Chandrashekhar, threatened legal action against the websites if they did not fully comply with the requests to take down the offending pages. [Reuters]

Online Privacy

US – Advocates Ask FTC to Investigate; FTC Extends COPPA Deadline

A group of advocacy organizations has asked the Federal Trade Commission (FTC) to investigate several viral campaigns aimed at children. The Center for Democracy & Technology—along with 16 advocacy groups—has sent a letter to the FTC with five complaints about the campaigns alleging they violate COPPA. “Such tell-a-friend campaigns, a powerful form of word-of-mouth marketing traditionally directed at teens and adults, are inherently unfair and deceptive when aimed at children,” the complaint states, noting, “The practices also violate existing privacy laws for children.” Meanwhile, the FTC announced it is extending the deadline for public comment on proposed modifications to COPPA. [ZDNet]

US – Child Advocates Ask FTC to Investigate Viral Marketing Aimed at Kids

A coalition of nearly 20 children’s advocacy, health and public interest groups focused on children’s health and privacy have asked the US Federal Trade Commission (FTC) to investigate online viral advertising programs that exploit commercial appeal to children. The groups say that the “tell-a-friend” features used by McDonald’s, General Mills, Turner Broadcasting and other companies violates the Children’s Online Privacy Protection Act (COPPA), which became law in 2000, because the actions are taken without adequate parental notification and without parental consent. Georgetown law professor and legal counsel for the Center for Digital Democracy said that the FTC should put an end to the “commercial exploitation of children.” [WIRED] [CNET] [MSNBC] [New York Times]

US – Judge Rejects Facebook Sponsored Stories Proposed Lawsuit Settlement

A US District Court judge in California has rejected the proposed settlement of a lawsuit brought against Facebook over its Sponsored Stories feature. The lawsuit was filed by five Facebook users and is seeking class action status on behalf of as many as 100 million users; it alleges that Facebook violated users’ rights by using their images in Sponsored Stories. The settlement would allow adults to limit how their images are used in Sponsored Stories; minors would be able to opt out altogether. The settlement would have Facebook change its Statement of Rights and Responsibilities and provide users with more information about how their names and pictures are used with Sponsored Stories. The settlement would also give users more control over their data. The proposed settlement would have Facebook pay US $10 million to Internet privacy organizations and to pay attorney’s fees of up to US $10 million. Judge Richard Seeborg said he had “serious concerns” about the settlement, asking why Facebook should not be asked to pay US $100 million, because it seemed as though the legal team was making money on the case, but the users they were representing were not receiving much in return. [WIRED] [ComputerWorld] See also: [Facebook cleanses pages of fraudulent “Likes”]

EU – Consumer Group Tells Facebook to Fix App Centre

The Federation of German Consumer Organizations “believes Facebook is violating privacy laws with its new app center and has set a deadline for the social network…to fix it or potentially face legal action.” The group contends the app center gives third-party applications users’ information without their knowledge. “It will consider legal action against Facebook if the site fails to fix the problem by September 4,” the report states, noting the deadline follows plans by Hamburg’s data protection commissioner to “reopen his investigation into Facebook’s policies on tagging photos, retaining and deleting data and the level of control users have over their information.” [Reuters]

US – Twitter Appeals Court Decision

Twitter has filed an appeal with the New York State Supreme Court to overrule a lower court order for the company to disclose an Occupy Wall Street protester’s tweets. The American Civil Liberties Union has filed a brief in support of the company, saying, “We are hopeful that Twitter’s appeal will overturn the criminal court’s dangerous decision and reaffirm that we retain our constitutional rights to speech and privacy online as well as offline.” [The Hill] [Twitter and your privacy] [Expert: Case Shows “Privacy Is Big Business”]

WW – Your Old Tweets Resurface with Twitter’s Data Reseller Partners

Twitter has announced its Certified Partners Program. There are currently 12 partners in the program, and they specialize in one of three categories: engagement, analytics, and data resellers. Twitter says that the certifications will “make it easier for businesses to find the right tools.” Three of the 12 partner companies–Topsy, DataSift, and Gnip–are data resellers, which means they provide access to all publicly available tweet content over several years (what Twitter calls the “Firehose”). Before data resellers like these existed, your old tweets–even public ones–would become buried as you continued to pile new ones on top of them. They’d be inaccessible after 30 days. Now, companies like DataSift have unlocked this previously inaccessible archive of every Tweet ever made in the past several years. The company collects about 250 million tweets every day, analyzing the things people talk about, the words they use, their geographic location, and even whether their tone seems negative or positive. Aside from leaving Twitter altogether, there are two ways to protect yourself from Twitter’s data resellers. 1. Go back and delete old tweets: Unlike when you’re looking for someone else’s Tweets, you can always see your own without any expiration date. DataSift is required to regularly update its files to remove Tweets that have since been deleted. 2. Set your tweets to private by protecting them: Protected tweets aren’t part of Twitter’s public stream and data resellers can’t collect them. You’ll know that a user’s Tweets are protected when you see a little lock icon next to their avatar. [Source] [Comment from PogoWasRight] See also: [DIGITAL WILL: How to share your data after death]

US – Social Media Privacy for College Athletes? California Senate Says Yes

California’s Senate has unanimously approved legislation to bar colleges and universities from requiring students to provide administrators with access to their social media usernames and passwords. Governor Jerry Brown now must sign or veto the bill by Sept. 30. California is not the first state to pass legislation protecting social media privacy for students. In March, Maryland’s Senate passed a bill to prevent public colleges and universities in the state from requiring students including athletes to provide access to their social accounts. [Source]

Other Jurisdictions

PH – Data Privacy Law Signed

President Benigno Aquino has signed the Data Privacy Act 2012. The bill is also known as “An Act Protecting Individual Information in Information and Communication Systems in the Government and the Private Sector.” The bill is based on the European Directive and requires data security standards by business process outsourcers. The president did not veto any of the bill’s provisions, the report states. Some lawmakers have said the law will spur investment in the Philippines. [ABS-CBN News] [GovInfoSecurity] [Philippines: BPO companies more bullish after signing of data privacy law] see also: [Rwanda: Proposed Communications Intercept Law - Is Our Privacy Adequately Protected?]

CN – Cabinet OKs Draft Data Protection Bill Changes

China’s Executive Yuan has approved draft legislation that seeks to make improvements on a 2010 amendment to the Personal Data Protection Act. The proposed changes would require data collectors to inform consumers prior to processing such data. The bill will go before the Legislature Yuan for final approval, the report states. [The China Post]

AU – ACC Report Issued, Commissioner Urges Culture Change

An independent report on New Zealand’s Accident Compensation Corportation (ACC) has revealed that a data breach was due to “human error” but also “systemic weaknesses within ACC’s culture, systems and processes.” Commissioned by New Zealand Privacy Commissioner Marie Shroff, the Independent Review of ACC’s Privacy and Security Information was undertaken by KPMG and former Australian Privacy Commissioner Malcolm Crompton. Shroff said the ACC “has elements of privacy protection and security” in place, but they “are not up to the standard expected” of such an organization, adding, a “culture change” will be necessary, starting “right at the top.” Meanwhile, State Services Commissioner Iain Rennie urged vigilance by public servants processing personal data. [Press Release] [Report]

Privacy (US)

US – Magistrate Says Video Privacy Law Applies to Digital Content

A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users’ viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores not video streaming services. Beeler wrote that, despite Hulu’s assertion that the VPPA does not specifically cover digital distribution, “Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects that argument.” [WIRED]

US – Administrative Subpoenas Raise Questions

Administrative subpoenas, which carry the signature of a federal official but not that of a judge, require telecommunications companies, Internet service providers, banks, bookstores, hospitals, and utility companies in the US to “turn over” customer records if the US Drug Enforcement Administration (DEA) or agents from other government departments believe the information is relevant to an investigation. The DEA obtained the power through a piece of 1970 legislation; that agency is believed to be one of the major users of administrative subpoenas. A DEA spokesperson said that the agency does not keep a database of the administrative subpoenas it issues. There are reportedly more than 300 US statutes that allow federal officials to bypass Fourth Amendment protections by issuing these subpoenas; government agencies are not obligated to disclose the frequency with which they use administrative subpoenas. Administrative subpoenas can be issued not only for drug investigations, but also for hazardous waste disposal, atomic energy, child exploitation, medical insurance fraud, student loans, and other investigations. [WIRED]

US – 2012 Republican Convention: GOP adopts Internet freedom plank

Part of the platform the Republican party adopted included language to protect Internet freedom, something that lawmakers and interest groups on both sides of the aisle have been calling for in recent months. The Republican plank is focused on removing regulation around technology businesses, as well as language that would protect personal data online from the government. The platform language also says that the party will “resist any effort” to move Internet governance away from its current multi-stakeholder model in favor of international or “intergovernmental” organizations. There has been some discussion of handing more control of the Web to the United Nations, as reported in May. The proposal is being championed by China, Russia and some Arab states but has gathered vocal critics from technology companies such as Google, Microsoft, Verizon and Cisco, who say such a plan would create financial risks to their businesses. The GOP platform also specifically criticized the Federal Communications Commission, saying that the agency’s net neutrality rule and other regulations show the Obama administration is “frozen in the past.” The platform proposes that the federal government inventory its spectrum to discover how much of it could be auctioned to the public. [Source]

US – Privacy Worries Surround UN Internet Regs

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.” [Privacy worries surround UN Internet regulations]

US – Sens. Call on Obama to Issue Cybersecurity Order

At least two senators have called on the Obama administration to issue an Executive Order on cybersecurity after Congress failed to pass legislation on the issue. In an open letter to the White House, Sen. Diane Feinstein (D-CA) wrote, “our critical infrastructure, our financial hubs and our ability to defend the nation are at risk; we must take action to address these vulnerabilities as soon as possible.” Feinstein did note that the administration does not have power to offer legal certainty or protection to firms that share cybersecurity data with the government, the report states. Meanwhile, some experts say impending cybersecurity initiatives further prompt the need for the Privacy and Civil Liberties Oversight Board. [Hogan Lovells’ Chronicle of Data Protection]

US – SEC Cyber-Disclosure Guidance Becoming Standard

The Securities and Exchange Commission (SEC) cyber-disclosure guidance has “become de facto rules for at least six companies” including Google and Amazon. According to letters sent by the SEC, the companies were asked to, in future filings, disclose to investors if systems had undergone a cyberattack. Companies have expressed concerns that such admissions can hurt reputations, provide competitors with important information or give rise to consumer litigation, the report states. In its deliberations on cybersecurity legislation, Congress has assessed ways to encourage firms to disclose data breaches, including a voluntary reporting system. [Bloomberg]

US – CA PUC Approves Gas Meter Privacy Protections

The California Public Utilities Commission has unanimously agreed to new rules governing the protection and use of consumers’ data captured from gas meters. Two commissioners described the protections as being balanced, enabling both consumer protections and the “responsible use of consumer information,” according to the report. The rules allow covered entities certain rights around the collection, use and disclosure of the data. [Solid State Technology] [US – As Smart Grid Grows, Privacy Concerns Proliferate]

Privacy Enhancing Technologies (PETs)

WW – Researchers Hack Brainwaves to Reveal PIN Numbers, Other Personal Data

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets. “The correct answer was found by the first guess in 20% of the cases for the experiment with the PIN, the debit cards, people, and the ATM machine,” write the researchers. “The location was exactly guessed for 30% of users, month of birth for almost 60% and the bank based on the ATM machines for almost 30%.” To detect the first digit of the PIN, researchers presented the subjects with numbers from 0 to 9, flashing on the screen in random order, one by one. Each number was repeated 16 times, over a total duration of 90 seconds. The subjects’ brainwaves were monitored for telltale peaks that would rat them out. The EEG headsets, made by companies such as Emotiv Systems and NeuroSky, have become increasingly popular for gaming and other applications. [Source]

RFID

TX – Rebellion Erupts Over School’s Student-Chipping Plan

A rebellion is developing in Texas against a plan by a school district in San Antonio that would monitor the exact location and activities of all students at all times through RFID chips they are being ordered to wear. School district officials did not respond to a request for comment, but the developing furor comes only days after a coalition of civil rights and privacy organizations publicly stated their opposition to “spychipping” the students. A “position paper” from groups including the American Civil Liberties Union, Electronic Frontier Foundation, Big Brother Watch, Citizens’ Council for Health Freedom, Constitutional Alliance, Freedom Force International, Friends of Privacy USA, the Identity Project and Privacy Activism said no students should be subjected to the “chipping” program “unless there is sufficient evidence of its safety and effectiveness.” “Children should never be used as test subjects for technology, no matter what their socio-economic status. If schools choose to move forward without complete information and are willing to accept the associated liability, they should have provisions in place to adhere to the principles of fair information practices and respect individuals’ rights to opt out based on their conscientious and religious objections,” the statement said. The paper said RFID tracking is dehumanizing, since it can “monitor how long a student or teacher spends in a bathroom stall.” The plans also violate free speech and association, since the presence of a tracking device “could dissuade individuals from exercising their rights to freedom of thought, speech and association. For example, students might avoid seeking counsel when they know their RFID tags will document their presence at locations like counselor and School Resource Officer offices.” It argued that the technology also violates religious freedom and could be subject to unauthorized use. “While RFID systems may be developed for use in a school, the RFID tags may be read covertly anywhere by anyone with the right reading device. Since RFID reading devices work by silent, invisible radio waves and the reading devices can be hidden, unauthorized or covert uses can be nearly impossible to detect,” the report said. “A student’s location could be monitored from a distance by a jealous girlfriend or boyfriend, stalker, or pedophile.” [Source]

Security

US – Data Security Now a Main Concern for US Boardrooms: Survey

An annual survey of 11,000 public company directors and 2,000 general counsels shows that for the first time data security is now a prime concern for US boards. The survey, conducted by advisory firms Corporate Board Member and FTI Consulting, shows that over half (55%) of general counsels surveyed rate data security as a major concern while 48% of the directors surveyed felt the same. A similar survey in 2008 found that only 25% of directors and 23% of general counsel noted data security as a high area of concern, which reflects a doubling of this concern in four years. TK Kerstetter, President, Corporate Board Member said about the results “While a number of companies are taking steps to become more educated on IT risks, the fact is that not enough are taking the appropriate actions to fully prepare their organization.” He went on to say “I think it is going to take several well-publicized security breaches before a majority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.” [ComputerWorldUK] [Yahoo!]

Surveillance

WW – Researchers Find Spyware Being Used by Police in Countries Around the World

Researchers have found evidence suggesting that governments in several countries around the world are using spyware sold by UK company Gamma International. The spyware, known as FinSpy, can monitor calls and report back about calls and GPS location; record Skype sessions on PCs; log keystrokes; and take control of cameras and microphones. The researchers found the spyware while investigating email attachments sent to Bahraini activists. FinSpy can infect PCs and “a broad range of smartphones.” Research conducted elsewhere found FinSpy command-and-control servers in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, UAE, as well as one in the US running on Amazon cloud systems. Shortly after the research was published, several of those servers were shut down. [The Register] [Source] [Software Meant to Fight Crime Is Used to Spy on Dissidents]

UK – Surveillance Device Uses Wi-Fi to See Through Walls

Researchers in England have created a prototype surveillance device that can be used to spy on people inside buildings and behind walls by tracking the frequency changes as Wi-Fi signals generated by wireless routers and access points bounce off people as they move around. The device, which is about the size of a suitcase and has two antennae and a signal processing unit, works as a “passive radar system” that can “see” through walls, according to PopSci.com. It was able to successfully determine the location, speed, and direction of a person behind a one-foot-thick brick wall, but cannot detect people standing or sitting still, the article said. The U.K. Ministry of Defence is looking into whether the device — designed by Karl Woodbridge and Kevin Chetty of the University of College London — can be used in “urban warfare” for scanning buildings, PopSci reported. The paper on the research, “Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances,” appeared in the April issue of iGeoscience and Remote Sensing, IEEE Transactions. [Source]

Telecom / TV

AU – Telstra Charges Crime Victims for Privacy

Consumer advocates have called for Australia’s largest telecommunications provider to stop charging victims of crime to keep their addresses out of the public phone directory. Both Choice and the Australian Communications Consumer Action Network have criticised Telstra for charging a monthly fee for silent home phone numbers, even though the Australian Law Review Commission recommended the law be changed to stop carriers charging for the service. Despite the recommendation, the law has not been changed and Telstra charges users $2.93 monthly to keep numbers out of the White Pages. ACCAN spokeswoman Elise Davidson said the ongoing fee was an “unfair practice” that affected the country’s most at-risk telephone users. [Source]

AU – Tax Office Wants Access to Real-Time Data

The Australian Tax Office (ATO) is asking for changes to the nation’s phone-tapping laws so investigators can intercept data in real time. The office has access to stored communications such as voice mail, e-mail and SMS messages under the Telecommunications (Interception and Access) Act 1979, the report states. “Access to real-time telecommunications data would enable our investigators to quickly identify those involved in suspected fraud, establish an association between two or more people, prove that two or more people have communicated at a particular time and by what means or show that a person was at a location at a particular time,” said the ATO. [iTnews]

US Government Programs

US – White House Considering Establishing Cyberthreat Information Sharing Program

A draft document circulating in the White House suggests that the President may be considering a new program that would protect government and private industry computer networks that are part of the country’s critical infrastructure from cyberattacks. The program would call for the government to establish a continuous threat collection and information dissemination system. The program is being considered in lieu of legislation, as lawmakers have been unable to come to any agreement on a cybersecurity bill. The draft “is not close to being done,” according to a White House spokesperson. The document indicates that the program would aim for “a near-real-time common operating picture” for critical infrastructure threats and establish “strong cooperation” between government and private sector entities. [Business Week]

US – Interior Dept. Seeking Cloud Tool Capable of Wiping Mobile Devices Remotely

The US Department of the Interior has issued a request for information (RFI) seeking a tool that would allow the agency to remotely update, monitor, shut down, or wipe employees’ mobile devices, even when they are overseas. The product sought would have to work on Apple, Android, BlackBerry and Windows mobile devices; the agency prefers cloud-based tools. Just one compromised device could infect other portions of the department’s computer systems. A 2011 study from the Government Accountability Office (GAO) noted that the Interior Department had not put in place “effective controls to prevent, limit, and detect unauthorized access to its systems” nor had it “manage[d] the configuration of network devices to prevent unauthorized access and ensure system integrity.” The RFI wants tools that can determine when a mobile device is being compromised. The Interior Department is seeking to have proposals submitted by September 7, 2012. [FCW] [NextGov] [FBO]

US Legislation

US – Bills to Watch

In California, Assembly Member Fuentes’ bill (A 2055) continues its progress through the California Senate and is now on the consent calendar. The Bill contemplates allowing a search warrant to be issued when the information to be received from the use of a tracking device constitutes evidence that tends to show: a felony has been committed or is being committed; that a particular person has committed a felony or is committing a felony; or will assist in locating an individual that has committed or is committing a felony. As proposed, the bill requires that a search warrant identify the person or property to be tracked and limits the time that the device may be used to a specified number of days. The bill also requires execution of the warrant within 10 days.

Likewise, Senator Leland Yee’s Social Media Privacy Act (S 1349) has progressed to the Assembly’s consent calendar. The bill would prohibit a postsecondary educational institution from requiring, or from formally requesting in writing that a student or prospective student disclose the user name and account password for a personal social media account, or provide the institution with access to any content of that account.

In Michigan, Sen. Richard Jones introduced a bill (S 1228) that would create a Do Not Call list for political calls. “Robo calls are disruptive, and they always seem to come at dinnertime or in the middle of a ball game” said Jones “If a candidate or volunteer wants to contact a voter directly, this measure will not prevent them from doing so. This legislation simply gives citizens a choice whether or not they want to receive automated phone calls.”

In New York, two bills previously reported as awaiting signature have now been enacted. A 8992 prohibits non-governmental entities from requiring individuals to provide their social security number, unless for one of several designated purposes. And A 10569 prohibits telemarketers – regardless of where they are located – from delivering pre-recorded messages by telephone without the consent of the recipient. In addition, this measure will require outbound, pre-recorded sales calls to provide the recipient with a key-press or interactive voice response to be placed on the “do not call” list, as well as immediately disconnect the call. In the event of a voicemail, outbound sales calls will also have to deliver a message with a toll free number for recipients to call to have their names removed from the call list.

In the United States Senate, Senator Johanns of Nebraska introduced a bill (S 3467), which would enact a moratorium on aerial surveillance conducted by the Administrator of the Environmental Protection Agency. The EPA currently uses these flights to determine compliance with the Clean Water Act.

Workplace Privacy

CH – Former Swiss Bank Employee Arrested in Connection with Customer Data Leak

An employee at a private Swiss bank has been arrested for allegedly stealing data from the institution. An internal investigation turned up evidence of data abuse and an alleged perpetrator was identified. The suspect is a Zurich-based employee of the Julius Baer bank; he has been fired and was subsequently arrested. The bank has contacted customers in Germany who may have been affected by the incident. The stolen data were found on a CD that is now in the possession of German tax investigators. A German magazine recently reported that tax investigators raided the homes of several Julius Baer clients in Germany in connection with allegations of untaxed funds being held in Swiss bank accounts. [Bloomberg] [Swissinfo]

CH – Data Disclosure Angers Swiss Bank Employees

Employees at several Swiss-based banks have expressed disapproval over the disclosure of their personal information to U.S. authorities investigating American tax evaders, The Wall Street Journal reports. In some cases, employees were not told of the handover or were told but not allowed to review the data. The Swiss government, in order to avoid an indictment of its banks, allowed banks to share data of thousands of employees with the U.S. Department of Justice. A Zurich University professor said, “The Swiss should offer whatever help is required for the U.S. to track down tax dodgers, but they should make clear that they will do so within the country’s legal framework.” [Wall Street Journal]

+++

Privacy News Highlights: 01-20 August 2012

Biometrics

US – FBI to Provide Facial Recognition to Law Enforcement

A FBI initiative will provide law enforcement agencies free facial recognition software. The new software will help agencies match suspects to the FBI’s biometric database of 12 million mug shots. In his annual report to Congress, Office of the Director of National Intelligence Information Sharing Environment Program Manager Kshemendra Paul wrote, “Later this summer, the FBI will deploy the Universal Face Workstation software, a free-of-charge client application that will provide users with the tools for conducting and managing facial/photo searches with a minimal resource investment.” [NextGov] See also: [US – Senator Franken: Facial recognition may need regulating]

WW – Biometric Recognition Systems Becoming Ubiquitous

Naomi Wolf reports on the growing use of biometric identifying systems in the public space. Wolf writes that she witnessed the installation of facial recognition cameras in several Manhattan public venues, allegedly allowing “police to watch video that is tagged to individuals, in real time.” Last week, New York City officials unveiled a system that “links existing police databases with live video feeds, including cameras using vehicle license plate recognition software,” she writes, adding, “In the name of ‘national security,’ the capacity is being built to identify, track and document any citizen constantly and continuously.” [The Guardian]

WW – Consumer ID Cameras Introduced, Raise Concerns

A U.S.-based company is rolling out facial recognition services for businesses wanting to offer more specified deals to customers. Facedeal users opt in to the service by uploading photos of their faces via Facebook, allowing the service to track users’ shopping habits at businesses using the technology. The creation of a database comprised of faces has raised red flags for Ontario Information and Privacy Commissioner Ann Cavoukian. In addition to data security concerns, she warned, “You don’t know where the information is going to end up, and I always say, beware of unintended consequences.” [The Ottawa Citizen] [Source]

Canada

CA – ‘Unprecedented’ Breach of Privacy at Elections Ontario

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recent investigation into the Elections Ontario breach, which lost the information of over 2.4 million voters from the 2011 general election, should be a summer must-read for every bureaucrat coast to coast. The 30 page-plus admonishment of election officials is unnerving, considering the missing information is a “goldmine” for identity thieves. Cavoukian called it an “unprecedented privacy breech” and lambasted Elections Ontario for failing to implement privacy safeguards in any meaningful way. In other words, they ignored their own policies. [Source] [Investigation Report]

CA – Feds’ Collection, Transfer of Online Data Cause for Concern: Privacy Watchdog

Canada’s privacy watchdog is raising red flags over the way the government handles data from people who visit their web sites. Newly-released documents suggest Privacy Commissioner Jennifer Stoddart was caught off guard when she learned last year that departments and agencies were independently collecting and storing data from people who visited their sites and, in some cases, transferring that information across borders to third parties such as Google. Stoddart’s four-page letter to Clement sent last year meticulously lays out her concerns about the privacy risks of web analytics — the practice of collecting and analyzing data from computers that visit a particular site, in an effort to determine how users interact with it. Coordinating and collecting the data that comes from web traffic can be time-consuming and laborious, which has prompted more than 40 government departments to rely on Google Analytics. Uncertainty concerning how information is treated once it leaves the government’s hands prompted Stoddart to ask that Clement place a moratorium on transferring Canadians’ data to third parties “particularly those located outside of Canada, until the privacy implications of such practices are fully addressed.” One of Stoddart’s main concerns stems from the fact that Treasury Board has neither assessed the privacy impacts of web analytics nor set up government-wide guidelines. Because of that, each federal department and agency is free to decide how it collects data, how the data is stored, and whether that information is transferred. Although a moratorium was not issued, the minister asked that the government develop minimum requirements to help inform departments on the safest ways to set up web analytics to diminish privacy concerns, a spokesman for Clement wrote. [Source] See also: [Canadian spy agency disciplines employees over security policy breaches]

CA – BC First responder Protection Law Clashes with Privacy Rights

The B.C. Information and Privacy Commissioner is slamming a law aimed at ensuring that provincial first responders have more peace of mind for their health and safety. Elizabeth Denham says the Emergency Intervention Disclosure Act, has a “serious impact on the privacy rights of individuals.” Bill 39, which was passed in May, allows police officers, firefighters and paramedics to seek court orders to access someone else’s medical records if the first responder has come into contact with bodily fluids. Denham says that the bill will not be useful, as there are “very few instances where emergency responders contract communicable diseases.” “Government should only contemplate a privacy intrusion of this nature where there is a significant demonstrated need,” she wrote in a letter to Margaret MacDiarmid, minister of labour, citizens’ services and open government. “Any initiative that limits (an individual’s right to control their bodily integrity) must strike a balance between the reasonableness of restricting an individual’s liberties with the commensurate need to infringe them. I do not see such a balance within Bill 39.”[Source]

CA – Conviction for a Privacy Breach: Councillor Skakun and Breaches of FOIPPA

The BC Supreme Court has affirmed the conviction of Prince George Councillor Brian Skakun in a prosecution for breaches of the Freedom of Information and Protection of Privacy Act (FOIPPA). This case has implications for public employees and officials with respect to the handling and disclosure of personal information. Councillor Skakun was convicted on May 24, 2011 because he released a City investigation report into interpersonal workplace conflict involving civilian staff working in the City’s RCMP detachment. Councillor Skakun appealed his Provincial Court conviction to the Supreme Court on a number of grounds, including bias by the Judge and that he was not afforded due diligence or whistleblower defences. Councillor Skakun also argued that the trial Judge was wrong in applying the FOIPPA prohibitions since he was not an officer of the City in accordance with FOIPPA. On appeal, the Judge restated a number of reasons why a Councillor is an official of the City. The Court relied on the language in the Local Government Act describing Councillors as municipal public officers. The Court affirmed that public bodies may only release personal information about individuals in its possession or control through the processes set forth in FOIPPA. In this case, the Court confirmed that none of the processes specified in FOIPPA for the release of personal information were followed. This included the fact that the head of the public body, who in this case was the City Manager, was not asked to review the report to determine what, if anything, could be the subject of lawful disclosure. The Court concluded that nothing in FOIPPA authorizes the release of personal information by a Councillor acting alone as an officer of the municipality. [Source]

Consumer

US – E-Scores Help E-Commerce, Raise Concerns

The growing use of e-scores—the digital valuations of a consumer’s purchasing potential—is becoming an important component to predictive consumer analytics but has federal regulators and consumer advocates worried it could put certain consumers at a financial disadvantage. Some advocates believe the practice creates a two-tiered system that can deny low-value consumers various opportunities. Neustar CPO Becky Burr, said the system helps companies locate and communicate with their markets. “They want to allocate their marketing money efficiently, and consumers want messages that are relevant,” she said, adding, the scores are predictions about consumer groups, not individuals. [The New York Times] See also: [NYT: Shopper Alert: Price May Drop for You Alone]

WW – Getting Customers to Share Personal Data

Customers are willing to share personal information with companies in exchange for perks like free Internet and mobile services. And the more valuable the benefits, the more information customers are willing to share, according to a recent report from PwC, “Consumer Privacy: What Are Consumers Willing to Share?“ Consumers want to be in control of the information they share, which means companies who want to build good relationships have to give them granular control of what and how they share data. And the more transparent a company can be, the more trusted it will be, the survey finds. Targeting various age groups with different perks and making sure information sharing is explicit and done with permission can also help build relationships with customers. Having strong security practices in place is a must for companies that want consumers to share data: 61% of the respondents said they would stop using a company’s online services after a breach. [Source]

US – Mobile Data Privacy Laws Misunderstood by Users

Smartphone users’ understanding of privacy laws may not be accurate, according to a recent survey by law researchers from the University of California at Berkeley. The survey considered data from 1,200 users telephoned on either a landline or a mobile phone and sought to gain insight on perceptions about privacy as it relates to data stored on mobile devices. Researchers found that over 80% of users surveyed believed that their mobile phone was as private at their personal computer. Further, 70% of users would not want their cell phone provider to use location-based data to target ads to them, nor would they wish for social networking apps to use their contact lists. [Source] See also: [Commission nationale de l’informatique et des libertés, France - Smartphones and Privacy: Towards a New Vision of Data Protection?]

E-Government

ON – Ontario Withholding ‘Sensitive’ Statistics on Abortion in the Province

The Ontario government says it recently restricted public access to records of abortion services because the data is “highly sensitive.” The change has prompted criticism from some anti-abortion groups, saying the public’s ability to request abortion data was important because statistics currently released by government entities are “shoddy.” B.C. has had a similar clause in its Freedom of Information act since 2001, restricting the disclosure of information relating to abortion services. The change came after several clinics and hospitals in the province were targeted by anti-abortion groups, as well as violence against North American abortion providers, and was intended to protect the providers. But in recent years, as provinces change the way they report abortion data, the quality of the statistics around the procedure have declined. The recent Ontario change came as part of Bill 122, aimed at greater financial accountability for the broader public sector, exempting “records relating to the provision of abortion services” from the Freedom of Information and Privacy Protection Act. This clause, which came into effect along with Bill 122 in January this year, prevents the public from requesting information from Ontario institutions related to the procedure. [Source]

US – GAO: Update Federal Privacy Law to Address Changing Technology Landscape

Technological developments such as federal agencies’ use of Web 2.0 and data-mining technologies have rendered some of the provisions of federal legislation inadequate to protect all personally identifiable information (“PII”) collected, used, and maintained by the federal government; the 3 major areas of concerns are applying privacy protections consistently to all federal collection and use of personal information (“PI”) (e.g., the Privacy Act’s protections only apply to PI when it is considered part of a “system of records” as defined by the act, but agencies routinely access such information in ways that may not fall under this definition), ensuring that use of PII is limited to a stated purpose (e.g. current law imposes only modest requirements for describing the purposes for collecting PI and how it will be used, which could allow for unnecessarily broad ranges of PII use), and establishing effective mechanisms for informing the public about privacy protections (e.g. concerns have been raised as to whether the mandatory provision of notices by agencies in the Federal Register is an effective way of informing the public). Recommendations include setting specific limits on the use of information within agencies and requiring agencies to establish formal agreements with external government entities before sharing PII, revising the system-of-records definition to cover all PII collected, used and maintained systematically by the federal government, and setting requirements to ensure that purpose, collection, and use limitations are better addressed in the content of privacy notices and revising the Privacy Act to require that all notices be published on a standard website. [Source]

E-Mail

US – Gliph’s Cutting-Edge Cloaked Email™ Protects Email Privacy

Gliph, a one-of-a-kind mobile and web app, today announced the availability of Cloaked Email, a new and innovative method for protecting the privacy of users’ email addresses. Cloaked Email allows users to both send and receive email using their normal email client, while keeping their real email address a secret. Email sent to the cloaked address is smoothly forwarded to users’ real email addresses. When the user replies, their real email address is automatically replaced with the cloak address. This design is perfect for situations like Craigslist communications and transactions, where users often prefer to keep their real identity under wraps. In addition to general privacy protection, Cloaked Email offers Gliph users a new layer of protection against potential data breaches. By registering for a website or newsletter using a Cloaked Email address instead of a real one, Gliph users can limit their exposure to breach or attack. Gliph is available for free on the App Store (https://gli.ph/iphone); the Android Marketplace (https://gli.ph/android); and as a mobile web app (https://gli.ph/m). For more information, visit http://blog.gli.ph. [Source] See also: [US: Surge in spam text messages puts privacy at risk] and also: [Canadian Update - Current Status of the New Anti-Spam Law]

Electronic Records

US – Researchers Developing Patient-Controlled Exchange System

A prototype health information exchange technology allows patients and providers to exchange digital information across unaffiliated healthcare organizations. Developed by Wake Forest School of Medicine’s Department of Biomedical Engineering, the pilot system provides patients with an access key that can be shared with providers at the patient’s discretion. Privacy advocate Deborah Peel applauded the pilot system, saying, “The majority of current (health IT) systems and data exchanges violate medical ethics and patients’ long-standing right to control PHI…Bravo to the Wake Forest research team for finally building effective electronic patient consent tools.” [Modern Healthcare] SEE ALSO: [Cornell: New technique to share personal data while protecting privacy]

Encryption

US – NIST to Release Draft of New Government Encryption Standard Guidelines

The US National Institute of Standards and Technology (NIST) plans to release a draft regarding a new government encryption standard. Currently, NIST’s standard requires that government agencies support Transport Layer Security (TLS) 1.0 encryption; the update will require TLS 1.1 and 1.2. This means that “some agencies … will need to … acquire new web server products to support” the new versions of TLS. The lag time between a release for public review and finalization of a standard is usually about six months. NIST’s draft document for public comment is expected to be released next month. [Source]

WW – RIM Denies India’s Claims That it Has Encryption Keys for Enterprise Customers

BlackBerry parent company Research in Motion (RIM) is refuting India’s claims that the company has provided the Indian government with encryption keys that allows it to access communications between BlackBerry enterprise customers. RIM has reiterated that it “cannot access information encrypted through BlackBerry Enterprise Server as [it] is not ever in possession of the encryption keys.” History supports RIM’s assertions. The company has in the past refused to relinquish customer data and has refused law enforcement requests to build back doors into its products. What is likely is that India now has a Blackberry Enterprise Server (BES) located there for consumers who don’t connect to a corporate BES.[v3.uk] [The Register]

CN – Chinese Gov’t Proposes Healthcare Privacy Draft Regulation

China’s Ministry of Health has proposed a draft regulation requiring health departments to protect and secure patient privacy. The regulation would amend the Tuberculosis (TB) Prevention and Control Regulation and is now open for public comment. The draft says, “Health departments can obtain information from units or people and inspect related venues out of the need for TB prevention and treatment” but should also maintain patient privacy. Entities that leak private information will be disciplined or prosecuted, the report states. [Xinhua]

EU Developments

EU – German DPA Reopens Investigation into Facebook Facial Recognition

Hamburg Data Protection Officer Johannes Caspar has reopened an investigation into Facebook’s facial recognition practices, saying the company is illegally amassing a photo database without users’ consent. Caspar said, “We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data.” Caspar’s office wants Facebook to destroy its database of faces collected in Germany and alter its website to obtain express consent, the report states. Facebook said, “We believe that the photo tag suggest feature…is fully compliant with EU data protection laws.” [The New York Times]

UK – ICO Issues Guidance for SMBs

The Information Commissioner’s Office (ICO) has issued guidance on the top five areas of improvement recommended for small- and medium-size businesses. Among the suggestions, staff training and communication with customers are the most important. The office suggests organizations tell people how their data is being used; ensure proper staff training; use strong passwords; encrypt portable devices, and only retain data for as long as necessary. The ICO recommends charities and third parties conduct data protection checkups given that they often handle sensitive information. The office also offers advisory visits to organizations seeking advice on data protection improvements. [SC Magazine] [Always-on encryption justified, say analysts] See also: [ICO, UK - A Guide to ICO Advisory Visits]

UK – ICO “Not Ready” for Cookie Investigations

The Information Commissioner’s Office (ICO) has said it is “not ready” to investigate any cookie consent rule complaints because staff is not yet in place for such a task. Since the ICO unveiled its online submission tool, 320 websites have been reported. “At present the information has not yet been analyzed as the team which will have responsibility for this is not in place yet,” the ICO said. Meanwhile, according to a new study, fines issued by the ICO have totaled £1.8 million in the last year, up from £431,000 in the previous 12 months. [PCPro] See also: [DLA Piper: How the EU has Implemented the New Law on Cookies – July 2012]

UK – ICO Fines Health Trust £175,000

The Information Commissioner’s Office (ICO) has fined a health trust £175,000 for inadvertently publishing the sensitive personal information of approximately 1,000 staff members on its website in April 2011. Torbay Care Trust released a spreadsheet that contained staff members’ sexual orientations and religious beliefs in addition to names, birth dates, salaries and National Insurance numbers. Describing the incident as “serious” and “extremely troubling,” the ICO’s investigation revealed that the organization has poor privacy guidance for staff. The ICO said the trust is “taking action to keep its employees’ details secure.” The Independent | ICO source and see also: UK ICO investigating Tesco Website Security | Source]

EU – Member States Concerned About Proposed EU Regulation

A leaked file from the Council of Ministers contains concerns by the UK government about proposed EU data protection reforms. “We are of the view,” the file states, “that the proposed general regulation should be a directive in order to provide greater member state flexibility to implement the measures—a regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice.” The leaked document was published by civil liberties organization Statewatch and contains the opinions of 20 European states on the proposed reform. [Out-Law.com]

EU – Committee: Too Many Exceptions and Restrictions in EC Proposals

The European Economic and Social Committee has said search engines, social networks and some cloud computing services should be brought within the scope of forthcoming European data protection reforms. The committee said the European Commission’s proposals need to be “more in line with the needs and expectations of the public” and it is concerned about the number of exceptions and restrictions within the commission’s proposals. “The proposal could have gone further in increasing the protection offered by certain rights,” the committee said in a report, adding that the rules should be “applied more systematically to certain fields of economic and social activity.” Out-Law.com

Facts & Stats

WW – IXMaps: Mapping Canadian Privacy Risks in the Internet Cloud

Most Canadians don’t realize how much of our ‘domestic’ Internet traffic goes outside the country before getting to its destination, as a new website shows in dramatic and graphic fashion. IXMaps is a Canadian developed website and interactive tool that lets you know where your data goes. It tracks the packets that make up our e-mails, website requests and other data transmissions. “What IXmaps does is show what’s inside the Internet,” explained Professor Andrew Clement of the Faculty of Information at the University of Toronto; he’s also project manager at IXMaps. “I was surprised to see so much ‘boomerang’ traffic,” Clement said, referring to transmissions that start and end in Canada, but end up travelling to the U.S., where they can be subject to laws and regulations that are not Canadian in origin or application. The Office of the Privacy Commissioner of Canada is funding IXMaps. The team will receive support for its ‘Mapping Canadian Privacy Risks in the Internet Cloud’ project, and to conduct an information session about Internet routing and cloud computing, and its privacy implications for all Canadians. [Source]

Filtering

WW – Google Changes Search Results to Favor Legal Downloading Sites Over Pirates

Google is altering the way it displays search results to ensure that sites offering legitimate downloads of digital content appear before sites offering pirated content. Google revised algorithm will consider the volume of “valid copyright removal notices” a site has received. Google says it has received copyright removal notices for more than 4.3 million URLs in the last 30 days. [BBC] [Money.com] [Washington Post]

SK – South Korea Censoring the Net

“A government critic who called the president a curse word on his Twitter account found it blocked. An activist whose Twitter posting likened officials to pirates for approving a controversial naval base was accused by the navy of criminal defamation. And a judge who wrote that the president (“His Highness”) was out to “screw” Internet users who challenged his authority was fired in what was widely seen as retaliation. [New York Times]

Finance

IR – Top Banks to Be Audited: Privacy Commissioner

The Office of the Data Protection Commissioner (DPC) will audit Ireland’s top banks in the coming months. The announcement comes after the DPC discovered that AIB “supplied inaccurate personal data” to the Irish Credit Bureau (ICB) in breach of data protection law and resulting in the denial of credit to individuals. AIB has confirmed the incorrect reporting of missed loan repayments to the ICB over a six-year period. One MEP said the DPC “has performed excellently in this case; however, we need to strengthen and reinforce the office to ensure that it can effectively monitor companies, investigate breaches and protect individuals.” [Irish Times]

WW – Mobile Payment Systems on the Rise: Report

Starbucks’ has partnered with technology startup Square, which will allow customers to pay for things with a smartphone. But “any company offering mobile payments faces a big challenge: convincing people that paying with a phone is safer and more convenient than using cash or a credit card,” the report states. Some have said the convenience “may present a compromise on user privacy.” [The New York Times] See also: [Remote Payments Plan May Compromise Privacy]

Health / Medical

AU – E-Health Reforms Expand Commissioner’s Powers

Australia is rolling out new privacy safeguards in the Personally Controlled Electronic Health Records program. Under the reforms, which expand upon existing obligations under Australia’s Privacy Act 1988, Australian Privacy Commissioner Timothy Pilgrim may seek civil penalties and enforce undertakings by organizations that fail to protect patient records. Healthcare providers are now obligated to refrain from collecting more patient information than is necessary and to ensure staff are appropriately trained in data protection. The reforms expand Pilgrim’s powers and allow consumers to make decisions about who sees their records and what information is shared with third parties. [FutureGov] See also: [Australian Privacy Foundation slams privacy amendments saying ‘Once-in-a-generation’ opportunity to improve credit reporting and data off-shoring protections lost]

US – Study: Consumers Concerned About EHRs

A new survey has found that patients have strong concerns about privacy and security when it comes to switching from paper to digital medical records. The Harris Interactive study on behalf of Xerox indicates 40% of those surveyed believe electronic health records (EHRs) will help doctors deliver better care, but only 26% said they want their records to be digital, and 9% said the idea “frightens them.” Privacy is a “common concern” about EHRs, said Xerox’s chief innovation officer for healthcare. “There is definitely a need for better information systems and interfaces.” [InformationWeek] See also: [Nunavut government passes half-way point in digitizing health records] See also: [County Jail Nurses Unhappy With Electronic Health Record System]

WW – Comparing Each Nation’s Privacy Enforcement Strategies

A new report analyzes the healthcare breach enforcement strategies of the UK and the U.S. In the UK, emphasis relies on “publicizing frequent financial penalties” while the U.S. focus has centered on the announcement of less frequent “resolution agreements.” This year, the UK has handed out 11 fines totaling £1.4 million—approximately $2.2 million—and the U.S. has issued three resolution agreements totaling $3.3 million. “The jury is out on which nation’s approach will be more successful in reducing the number of breaches over the long haul,” the report states. [GovInfoSecurity] See also: [SASK: Health privacy law needs teeth] See also: [CA – All Privacy Breaches should be Made Public: NDP]

US – Study: Patient-Controlled Sharing Best for Privacy

A new scientific study by the Journal of the American Medical Informatics Association “validates the workability of a digital medical-imaging sharing system controlled by patients, not providers.” While images are now shared with patients via a hand-carried CD, digital sharing networks challenge patient privacy, the report states. But the Patient Controlled Access-key Registry (PCARE) allows patients to control the access keys. The same PCARE framework can be used for electronic health records, the study states, adding that such a framework protects patient privacy with “minimal burden on patients, providers and infrastructure.” [FierceHealthIT]

Horror Stories

US – Data Breaches Up 19%; Public-Sector Breach Numbers Rise: GAO

Hospitals in Connecticut and Ohio have reported breaches of protected health information, while a Tennessee school district is notifying 9,200 students and employees that their personal data was compromised in a breach involving nine of the system’s databases. Meanwhile, Federal Times reports that the Government Accountability Office’s information security director told a Senate subcommittee this week that the number of federal data breaches rose 19% between 2010 and 2011.[Source]

US – Hackers Encrypt Medical Records and Demand Ransom

A medical facility in northern Illinois has acknowledged that hackers broke into its computer network and encrypted data, demanding a ransom to be paid for revealing the password to decrypt the data. The Surgeons of Lake County instead turned off the compromised server and contacted authorities. This is not the first time that health data have been held for ransom. Prescription drug benefits management company Express Scripts was the target of cyber criminals who took the data and demanded payment if the company did not want the stolen information made public. [Source] http://www.bloomberg.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom.html

US – Breaches Hit Health Orgs, EPA; Costly for LinkedIn

In three separate incidents, Palm Beach County Health Department (PBCHD), Stanford’s medical school and the Environmental Protection Agency (EPA) have announced personal data breaches. A PBCHD employee was fired for illegally accessing patient records to allegedly create a list for identity theft. Stanford School of Medicine officials have warned 2,500 patients their personal health data may have been breached after the theft of a computer, and the EPA confirmed that approximately 8,000 individuals’ Social Security numbers and bank routing numbers may have been exposed. Meanwhile, LinkedIn said that a breach earlier this year has already cost the company at least $1 million [SC Magazine] See also: [CBC News: Woman Sues Western Health for Breach] and Apria Healthcare is offering 11,000 patients free credit monitoring] and [CNET News: Gamers Urged to Change Passwords After Breach] and [The Boston Globe: Retailer, Healthcare Company Offer Credit Monitoring Following Breaches] and [UK: Confidential children’s data leaked on the net] and [ONT: Police Officer guilty of misusing police data] and [NATO Employee Charged With Stealing Secret Data

US – Yahoo Sued After Disclosure User Names, Passwords Stolen

A New Hampshire man has sued Yahoo for negligence after hackers accessed and disclosed as many as 450,000 users’ names and passwords. Allan v. Yahoo has been filed in a San Jose, CA, federal court and seeks an order mandating the company compensate some of the users for account fraud and for failing to have adequate security measures in place at the time of the event, the report states. The hacker group responsible said it did not perform the attack for malicious reasons but to provide businesses with a wake-up call to better secure personal data. [Source]

US – VA Improves Security, Other Breaches Persist

Improvements in data protection at the Veterans Affairs Department are due to the use of encryption. The department now encrypts all of its information operations laptops following a 2006 data breach involving the theft of a laptop containing data on millions of veterans. Additionally, the department’s chief information officer now oversees its IT operations, and privacy and security policies and procedures as well as employee training have been put in place. Meanwhile, COMPUTERWORLD reports that in the last three years, about 21 million patients’ medical records have been exposed in data security breaches large enough to require reporting to the federal government. GovernmentHealthIT

WW – Dropbox Customer eMail Breach Explained

Dropbox has confirmed a security breach that exposed customer data. Last month, Dropbox users in Europe reported receiving spam email advertising online casinos. The customer data were contained in a document that was stolen from the Dropbox account of one of the company’s employees. The intruder managed to gain access to the account because of a different attack on another website; the account holder used the same password for both accounts. Dropbox says it plans to introduce two-factor authentication in the coming weeks, but did not offer any specific information. [Heise Online] [SC Magazine]

Identity Issues

SE – Government Gets Go-Ahead for Blacklist Database

The Swedish Data Inspection Board will allow the government to start a registry of blacklisted sports supporters. The board says there are a number of issues that need to be addressed before the registry moves forward, including exactly what information would be kept on blacklisted individuals and the way innocent individuals would be affected by proposed measures such as increased surveillance. The board also says an in-depth analysis of what information would be available to sports associations and event organizers is necessary. “There’s always a risk that information kept in these types of sensitive registers will fall into the wrong hands,” said the board’s director general. [The Local]

US – Amazon, Apple Address Security Loopholes

Following the identity hacking of a Wired reporter, Amazon and Apple have altered security authentication protocols. The assailants allegedly accessed the reporter’s Amazon account by calling the company and using his name, e-mail address and mailing address and then used the last four digits of the user’s credit card to access his Apple account. In response, the companies are not allowing customers to call in and change account settings. An Apple representative said, “When we resume over-the-phone password resets, customers will be required to provide even stronger identity verification to reset their password.” [Wired]

EU – ENISA Calls for End User, Service Provider Collaboration

The European Network and Information Security Agency has called for collaboration between service providers and end users to protect online identities. The agency said this week that in the first half of 2012, millions of citizens’ personal data was exposed due to data breaches, often affecting multiple sites at once. The agency published guidelines for online service providers on passwords, authentication systems and data breach notifications—which it believes will contribute to better data protection in the long term. ComputerWeekly

Internet / WWW

WW – Google to Include Gmail Content in Web Searches

Google has announced plans to roll out a new feature to a million Gmail users who sign up for it, and after accepting feedback, hopes to give all accountholders the ability to opt in to the feature that would allow contents of users’ Gmail correspondences to be included in their Google searches. The feature is a response to a more people-centered Internet driven by the prevalence of information sharing on social networks, the report states, and may bring with it privacy concerns. To alleviate these concerns, Google will show Gmail communications in a collapsed format that users have to open in order to see details. [Associated Press]

Law Enforcement

US – Federal Appeals Court Says Utilities Must Provide Customer Data to Authorities

The 9th US Circuit Court of Appeals has unanimously ruled that utility companies must provide authorities with customer records upon request if drug agents believe the information is relevant to an investigation. The Comprehensive Drug Abuse Prevention and Control Act of 1970 allows law enforcement authorities to demand data with an administrative subpoena, which does not require judicial oversight. The case in question involves demands from the Drug Enforcement Agency for account information about three customers of Fairbanks, Alaska’s Golden Valley Electric Association. [WIRED]

US – Federal Court Says Case Challenging Warrantless Wiretapping May Not Continue

The 9th US Circuit Court of Appeals has ruled that the plaintiff in a case brought against the government challenging the warrantless wiretapping program may not proceed. The court ruled unanimously that the organization, a Muslim charity, could not bring a lawsuit against the government, but could, if it wished, bring a lawsuit against individual government officials. A lower court had ruled that two attorneys working with the al-Haramain Islamic Foundation were spied on without warrants and awarded them more than US $20,000 each and US $2.5 million in legal fees. [WIRED] [ArsTechnica]

Location

UK – Cellphones Are Now Able to Predict Location; Invasion of Privacy?

Soon, companies and law enforcement agencies will be able to predict your location in 24 hours A group of scientists from the University of Birmingham have developed an algorithm that predicts where mobile phone users will be in 24 hours. Using mobile tracking data for your phone and the mobile devices of the people in your address book, the algorithm is able to predict your future location and is accurate up to 65 feet. The program has helped the group of scientists win this year’s Nokia Mobile Data Challenge. Although tech-savvy criminals can turn off the GPS and tracking data, the algorithm uses data from cell phone towers, which “no one can hide from.” “Predictive Tracking” also extends to advertisers and companies. Even though the authors hope that the law enforcement will be able to use this prevent crimes, he feels that it would make more sense for advertisers to use. [Source]

AU – Privacy Commissioner Wants Payload Data Deleted

The Australian Privacy Commissioner has called on Google to destroy data collected from open WiFi networks. The commissioner sent a letter to Google’s Australian head of public policy and government affairs ordering its immediate destruction, the report states. “I do not require Google to retain the additional payload data, and unless there is lawful purpose for its retention, Google should immediately destroy the data,” Pilgrim wrote. “Further, I also request that Google undertakes an audit to ensure that no other disks containing this data exist and to advise me once this audit is completed.” Commissioners from the UK, France and other jurisdictions have made similar requests. iTnews see also: [Datatilsynet, Norway - Notice of Decision on Violation Charge - Google Street View WIFI Data, Payload]

US – EPIC: Voters Should Be Wary of 2012 Election Apps

A mobile app created by the Obama campaign shows a map with lists of the first and last names of nearby voters. The app is meant to help campaign volunteers canvass for potential voters and send the data back to the campaign. EPIC has released a report, “Smartphones and the 2012 Election,” focusing on the potential risks to voters who download election-related apps to their smartphones and tablets. The report contends that these apps promote greater citizen participation in e-democracy, but also may contain malware, disseminate false information – or, as was recently reported of an Obama campaign app, compromise voter privacy by making voters’ personal and locational information widely available. A recent study by the University of Pennsylvania’s Annenberg School for Communication revealed that voters are ambivalent about “personalized” political advertising, a practice likely to increase with the number of election and political apps available for download. EPIC’s report also examines the role of federal and state regulation in protecting voters and providing guidance to campaigns, and recommends actions that voters, election administrators, and campaigns can take to better protect voter privacy. The Washington Post See also: [Election Day impersonation, an impetus for voter ID laws, a rarity, data show] [EPIC: Paper on ‘Smartphones and the 2012 Election’] [U. Penn. Annenberg School: Study on “Tailored” Voter Ads]

Offshore

WW – The Cloud and Its Privacy Risks

Privacy in the cloud “may be an illusion,” and businesses relying on the cloud should be aware of its privacy risks. Laws in the U.S., EU and elsewhere allow government agencies access to cloud data, and Mutual Legal Assistance Treaties facilitate cooperation across borders, allowing law enforcement to request data in any country that is a part of such a treaty. The report points to a recent whitepaper that concludes “it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities.” TECHNEWSWORLD See also: on May 23, 2012, international law firm Hogan Lovells published a white paper entitled A Global Reality: Government Access to Data in the Cloud: On the fundamental question of governmental access to data in the Cloud, we conclude … that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities. Government’s ability to access data in the Cloud extends across borders. And it is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies.” See also: [ECPA Reform Would Require Warrant for Cloud Data

WW – Apple and Amazon Amend Security Practices After Journalist Suffers Hack

Apple and Amazon have changed their security policies after a hacker was able to exploit weaknesses in the systems to gain access to a journalist’s accounts and wipe several of his devices. Apple said earlier this week that users will temporarily be unable to reset AppleID passwords over the phone, and will instead have to use the iForgot online system. Amazon said that the exploited weakness was closed, but declined to offer details about what that weakness was and what was done to correct it. [Money.com] [ArsTechnica] [Mat Honan details the Amazon and Apple security flaws that let hackers wipe his MacBook from the Cloud]

Online Privacy

US – Judge Rejects Facebook Settlement

A judge has rejected Facebook’s settlement offer in a lawsuit over the company’s “Sponsored Stories” features and its lack of an opt-out provision. Judge Richard G. Seeborg of U.S. District Court in San Francisco, who earlier this month voiced concerns about the proposed settlement and its plan to pay $10 million to charity but nothing to class members, rejected the settlement, saying there are “sufficient questions regarding the proposed settlement” and asking for clarification on remediation for those affected and the size of the legal fee payment. [The New York Times]

US – FTC and Facebook Reach Settlement Over Privacy Practices

The US Federal Trade Commission (FTC) and Facebook have agreed to the terms of a settlement regarding the social networking site’s privacy practices. The settlement requires Facebook to obtain users’ “express consent” prior to sharing their information beyond the limitations in users’ privacy settings. Facebook must also provide users with “clear and prominent notice” whenever their data are shared. Failure to comply will cost Facebook US $16,000 in civil penalties for each violation. The FTC alleged that Facebook told users they could make their data private, but then allowed the information to be shared and made public. In the settlement, Facebook denies the allegations and admits no guilt. Morrison & Foerester LLP Partner D. Reed Freeman said that the FTC “has been accepting settlements with express denials of liability for decades without any adverse consequences. This policy has helped encourage companies to enter into settlements because any follow-on litigation would still bear the burden of proving liability on their theories. Requiring an admission of guilt will lower the settlement rate, increase the litigation rate and draw precious commission resources from investigating and bringing new cases to proving up old ones in court.” [The New York Times] [CNET] [ComputerWorld]

US – Court: Police Did Not Violate Law in Viewing Facebook Profile

FourthAmendment.com reports on a case involving a search warrant for all of a defendant’s Facebook content. In United States v. Meregildon, the defendant argued the government’s method of collecting evidence to obtain the warrant violated the Fourth Amendment. An online friend of the defendant’s reported him to the police on suspicion of gang activity and gave them access to the defendant’s Facebook profile. The court ruled the defendant had no reasonable expectation of privacy in his Facebook postings that others could see. The “friends” he shared his information with were free to do with that information what they wanted, the court said. [FourthAmendment.com]

WW – The Rising Market of Personal Data Control

The emerging personal data control market is “the asset class of the twenty-first century,” consumers should view their personal information like “money in a bank,” the report states. According to Forrester Research, the business of personal data management is already worth billions and could grow within the next two years. More than $2 billion is spent annually in the U.S. harvesting consumer data from third parties. One expert says “cyber vaults”—cloud-based “hubs” that act as personal data safes and managers—could store financial, health and other personal information and ensure correct elements of a user’s data are provided to websites, potentially replacing traditional computers. CNN

UK – Advocate: Gambling Industry “Ignores” Privacy Laws

The founder of Privacy International, Simon Davies, said the online gaming industry is failing to adequately protect its customers’ personal data and violates the UK’s Data Protection Act (DPA). After analyzing the industry for two years, Davies says many online sites collect vast amounts of personal information, including passport and credit card scans, driver’s licenses and utility bills. “All the available evidence indicates that this information is stored permanently,” Davies has said, adding that this constitutes a violation of the third and fifth principles of the DPA, the report states. computing.co.uk

WW – Creepy Exploitation of Unknowingly Public Photos on Photobucket

Inspired by the “hackers” who were able to access Wired writer Mat Honan’s online accounts and fully wipe his MacBook, BuzzFeed’s Katie Notopoulos took a look at “fusking,” the not-actually-hacking technique of finding private – and often nude – pictures on Photobucket by exploiting its privacy settings.” [Gawker] [ www.reddit.com/r/photobucketplunder ]

Other Jurisdictions

JA – Info Regulator, Data Protection Law on the Way

Jamaica forthcoming Data Protection Act “will regulate the use of personal information filed on Jamaicans.” Ministry of Science, Technology, Energy and Mining Minister of State Hon. Julian Robinson told the government recently that there is “a need for a more uniformed, robust and clear mandate to protect privacy and personal information.” The law will regulate data collection, processing, storage, use and disclosure of information about Jamaicans. Robinson added that a position will be established for a single information and communication technology regulator within the next couple of years. [Jamaica Observer]

HU – Hungarian DPA Issues First Fine

The Hungarian Data Protection Authority has imposed a fine of €35,700 on an online real estate marketplace for unauthorized data processing. The fine is significant in that it is the first maximum fine imposed under Hungary’s new Privacy Act, which took effect January 1. The company controlled websites that offered users free trial periods but later invoiced them high fees and transferred customer data to third parties without consent or notification. In this exclusive for The Privacy Advisor, Bird & Bird’s Bálint Halász discusses the details and implications of the case.

HK – New Ordinance Will Change Privacy Landscape

Following Hong Kong’s Personal Data (Privacy) (Amendment) Ordinance (PDPAO) publication in the Government Gazette this month, DLA Piper analyzes the key amendments that will be implemented in several phases, starting October 1. Key amendments of the PDPAO include the regulation of the use of personal data for direct marketing; regulation of third-party processors; new powers for the data protection authority to assist in civil actions and to verify data user returns’ accuracy, and new rules against unauthorized personal data disclosure and repeated violations of an enforcement notice. Provisions related to direct marketing and new regulatory powers are slated to go into effect in 2013. [Source]

BR – Brazil to Vote on Internet Bill of Rights

Brazil’s Marco Civil da Internet—a proposed “bill of rights” for Internet users—is expected to come to a vote before Congress on August 8. The bill “establishes a clear set of rights and responsibilities for users, sets strong net neutrality principles and shields Internet intermediaries from liability for illegal content posted by users,” the report states. The Bureau of Legislative Affairs of the Brazilian Ministry of Justice began collaborating with Rio de Janeiro Law School on the creation of the Marco Civil da Internet in 2009. Global Voices

Privacy (US)

US – Google Agrees to $22.5 Million Settlement; FTC Settles with HireRight

Google has agreed to pay a US $22.5 million fine for misrepresenting its activity when it monitored the activity of web surfers who were using the Safari browser and had selected “do not track” privacy setting. The fine was imposed as part of a settlement with the US Federal Trade Commission (FTC). The settlement requires that Google disable all cookies it has placed on the computers of Safari users who had selected the do not track preference. The FTC has also settled with an employment background screening company for $2.6 million on charges it violated the Fair Credit Reporting Act. The FTC says HireRight Solutions failed “to use reasonable procedures to assure the maximum possible accuracy of information it provided,” failed to give consumers copies of their reports and failed to resolve consumer disputes. The FTC also alleges HireRight failed to ensure the information reflected updates to criminal records and “in numerous cases, even included the records of the wrong person,” leading to consumers being denied job opportunities.[FTC Press Release] [Record-Setting Settlement Stirs Debate] [Source]

US – TSA Petition Closes 2,500 Signatures Short, Other Efforts Move Forward

The White House has pulled a petition on Transportation Security Administration (TSA) airport screening procedures from its “We the People” website, the Cato Institute’s Jim Harper, who initiated the petition, said it expired on schedule and was short “by about 2,500 signatures, or 10% of the 25,000 needed.” Harper added that other “parts of the effort to require the TSA to follow the law are moving forward. The DC Circuit Court of Appeals recently instructed the TSA to answer legal filings calling for it to go forward with the process for public review of its rules.” [EPIC]

US – The Political Struggles of the PCLOB

About the Privacy and Civil Liberties Oversight Board (PCLOB),”it’s probably fair to say that few governmental bodies have had a more troubled childhood than this one.” Chief among the concerns, the report states, is that, “because of the objection of unnamed senators,” the Senate has yet to confirm David Medine as PCLOB chairman. Alan Charles Raul, a Washington lawyer who previously served as vice chairman of PCLOB during the Bush administration, said that he is “not aware of any reason why the committee would not have confirmed” Medine. Raul believes that Medine “would make an excellent choice for chairman” and, in a letter to Congress last April, wrote “in strong support” of Medine’s nomination. With new cybersecurity initiatives being considered by the White House and Congress, Raul said “it is imperative that (PCLOB) become operational once again.” [The New York Times] [Senate Confirms Four to Oversight Board]

US – Court Reinstates Driver’s Privacy Class-Action Suit

A federal appeals court has decided to reinstate a class-action suit involving private data on parking tickets. The 7th U.S. Circuit Court of Appeals has decided against Chicago’s Palatine Village Police Department, ruling that putting too much personal information on parking citations violates U.S. law. The information on the department’s parking citations includes the vehicle owner’s name, address, driver’s license number, date of birth, sex, height and weight, the report states, and is usually left under a windshield wiper blade. One motorist filed suit in 2012, but a federal judge then denied the claim, citing a law enforcement exception in the Driver’s Privacy Protection Act. [Wired] [Illinois: Appeals Court Upholds Parking Ticket Privacy] See also: [AU: Privacy commissioner’s letter to Myki: please explain security flaw]

US – Court: ZIP Code Ruling Applies Retroactively

A U.S. District Court has upheld that the California Supreme Court’s ruling in Pineda v. Williams Sonoma that ZIP codes are personal information applies retroactively. Retail stores in California frequently ask for ZIP codes during purchase transactions, but Jessica Pineda filed suit after a 2008 visit to a Williams Sonoma store in California where a cashier asked for her ZIP code without telling her how the information would be used. The U.S. District Court has ruled that the decision applies retrospectively to a class-action lawsuit filed against OfficeMax. [The Privacy Advisor]

US – DOC Reports on First NTIA Stakeholder Meeting

The Department of Commerce National Telecommunications and Information Administration (NTIA) Director of Privacy Initiatives John Verdi reports on progress toward implementing the Obama administration’s Consumer Privacy Bill of Rights. The first stakeholder meeting drew hundreds of participants and raised “constructive suggestions regarding what elements might be included in the code,” Verdi writes, adding that the NTIA’s role will not be to weigh in on issues but to guide a transparent and consensus-based process. The NTIA will hold the next two stakeholder meetings August 22 and August 29 and has posted discussion lists from the last meeting. In the meantime, stakeholders have created a public mailing list to discuss the process. [Source]

US – Court Orders TSA to Open Body Scanner Comment Period

A federal court has ordered the Transportation Security Administration (TSA) to explain why it has not offered a public comment period for the installation of body scanners in U.S. airports. The U.S. Circuit Court of Appeals for the District of Columbia gave the order after the third request by the Electronic Privacy Information Center (EPIC). The three-judge appellate court originally ruled the agency violated the Administrative Procedures Act by not initiating a 90-day public comment period. EPIC Executive Director Marc Rotenberg said the “order indicated that we have meritorious arguments.” The agency has until August 30 to respond. Wired

US – COPPA Modifications Play Catch-Up with Technology

The FTC has proposed modifications to the Children’s Online Privacy Protection Act Rule, which would “dictate that both the operator of a website that is directed at children and any third-party advertising network or application” would be responsible for complying. An FTC spokeswoman said the change would “close an apparent or possible loophole in the rule,” which was enacted four years before Facebook and the third-party apps it hosts. The proposal would also apply to a website that attracts both children and adults, requiring it ask a user’s age and then apply privacy protections to those under the age of 13. The New York Times

US – DHS CPO Departs to Initiate Privacy Practice

U.S. Department of Homeland Security (DHS) Chief Privacy Officer (CPO) Mary Ellen Callahan has left the DHS to start a new privacy and information governance practice at the Jenner & Block LLP law firm. The DHS privacy office more than doubled and conducted upwards of 200 privacy impact assessments while Callahan served as CPO. Her last day in office was August 1, and Deputy Chief Privacy Officer Jonathan Cantor will fill the role until a new CPO is appointed, a DHS spokeswoman said. The Wall Street Journal

US – State’s Supreme Court Upholds Opt-Out Fee Program

Maine’s Supreme Court has upheld the state’s public utilities commission (PUC) decision to allow Central Maine Power (CMP) to charge a fee to customers wishing to opt out of the company’s smart meter program. CMP was one of the first utilities in the U.S. to face legal opposition to smart meter implementation after customers challenged the program in early 2011, alleging CMP’s smart meter installations violated their Fourth Amendment privacy rights. The PUC ruled the fee would be permitted, and, despite the customers’ challenge to the decision, Maine’s Supreme Court upheld the decision on July 12, stating the utility’s opt-out provision negated any privacy concerns. Info Law Group

US – Court: License Plate Decal Doesn’t Violate Privacy

New Jersey’s Supreme Court has found that requiring young drivers to affix a red decal to their license plates is not an invasion of privacy. The court ruled 6-0 that the law mandating the decal does not violate the Driver’s Privacy Protection Act, which forbids the disclosure of information about a driver except that they are under 21 and hold a learner’s permit, examination permit or probationary license, the report states. Young drivers “have no reasonable expectation of privacy in their age group, because a driver’s age group can generally be determined by his or her physical appearance, which is routinely exposed to public view,” the court said. The Star Ledger

Privacy Enhancing Technologies (PETs)

WW – IE10 Users Can Change DNT Default on First Run

Microsoft Windows 8 users will be able to change the default setting for the do not track (DNT) feature in Internet Explorer 10 (IE10) when the operating system is first run. Early this year, Microsoft said that the DNT feature would be turned on by default in IE10. When Windows 8 is first run, users will have the option of allowing the Express Settings, which accepts all default Microsoft settings, or they can choose Customize, which will give then the opportunity to turn off the DNT setting if they wish. Windows 8 users who select the Express Settings will also see a notice telling them that DNT will be on by default in IE10. [ComputerWorld] [Ars Technica]

US – Scholars Present Technology-Centered Privacy Approach

Two legal scholars have released an article that proposes “a technology-centered approach to measuring and protecting Fourth Amendment interests in quantitative privacy.” Scholars David C. Gray and Danielle Keats Citron note that “technology can permit government to know us in unprecedented and totalizing ways at great cost to personal development and democratic institutions,” adding, “these concerns about panoptic surveillance lie at the heart of the Fourth Amendment as well.” Instead of “case-by-case assessments of information mosaics,” they argue that government access to “broad programs of continuous and indiscriminate monitoring should be subject to the same Fourth Amendment limitations applied to physical searches.” [Source]

WW – Burner Delivers Instant Privacy to the Phone

Have you ever given someone your phone number and wish you hadn’t? Now there’s an app for that: Burner, created by Ad Hoc Labs and launching publicly today on the iOS platform, issues disposable phone numbers at the touch of a button. Burner is available in the iTunes App Store for $1.99. Burner is ideal for dating, buying and selling online, posting via social media, and many more use cases. Simply give the number to anyone you like, keep it active for as long as you like, then burn it when you’re through. [Source]

Security

WW – Survey: Data Security Tops Firms’ Concerns

A new report has found that, “for the first time, data security was earmarked by the largest percentage of responding directors—48%—and general counsel—55%—as an issue of concern.” The Corporate Board Member (CBM) and FTI Consulting report surveyed 11,000 public company directors and nearly 2,000 general counsels in U.S.-based firms. One-third of the lawyers said their companies were “not effective at managing cyber risk,” while almost half of the directors said their companies had no formal response plan in place. CBM’s president said the discrepancy between the two is a “cause for concern.” [Source]

WW – PwC Whitepaper Discusses Importance, Pitfalls of Internal Audits

A PricewaterhouseCoopers whitepaper discusses internal audits’ ability to bolster security and prevent network breaches. The whitepaper outlines how internal audits “have become a key pillar of security strategies in the age of data breaches” and how companies can makes audits more effective. Believing adequate security measures already exist, for example, can sometimes undermine an audit’s purpose, the report states. “Internal audit departments need strong governance, which leads to respect, credibility and visibility,” said PricewaterhouseCoopers’ Carolyn Holcomb, who says senior management need to become more aware of the risks and concerns associated with security and privacy, and board-level support for audits is very important. [eWeek] See alswo: [WikiLeaks endures a lengthy DDoS attack]

Surveillance

WW – Police Chiefs Sign Drone Codes of Conduct

The International Association of Chiefs of Police (IACP) has adopted codes of conduct for the use of unmanned aerial vehicles (UAVs). The recommended guidelines provide that captured images will be open for public viewing and will not be stored if there is no evidence of a crime or ongoing investigation. The codes recommend obtaining a warrant in cases where flights may intrude on an individual’s reasonable expectation of privacy, the report states. The IACP said, “Privacy concerns are an issue that must be dealt with effectively if a law enforcement agency expects the public to support the use of UAV by their police.” [The Washington Times] See also: Lawmaker Releases Draft Drone Privacy Bill

CA – Privacy and Drones: IPC Issues Report on Unmanned Aerial Vehicles

By: Ann Cavoukian, Ph.D., Information & Privacy Commissioner: Unmanned Aerial Vehicles (UAV) present unique challenges due to their ability to use a variety of sensors to gather information from unique vantage points, often for long periods and on a continuous basis. The prospect of having our every move monitored, and possibly recorded, raises profound civil liberty and privacy concerns. At the same time, there are many desirable benefits associated with these technologies. The aim of this paper is to provide a background for general privacy readers, as well as for potential users or regulators of UAV activities, as they relate to the collection, use, and disclosure of personal information. Full report Source

Telecom / TV

AU – Australia Delays Internet Surveillance Plan

The Australian government has tabled an initiative that would have stored the web history of Australians for up to two years. Attorney-General Nicola Roxon has referred a discussion paper on the expanded governmental surveillance powers to a parliamentary committee, which will stall the plans until after the next election. Roxon recently said she’s not yet convinced the data protection proposals have merit. Supporters of the reforms are concerned with the delay, with one security official saying the reforms “are urgently needed to deal with a rapidly evolving security environment.” [The Sydney Morning Herald] See also: [AU: Privacy threat worries charities]

US – Rise in License-Plate Scanners Prompts Debate

Growing use of automated license plate readers (ALPRs) by law enforcement is raising concerns about privacy, security and whether license plates constitute personally identifiable information. ALPRs integrate cameras and optical character recognition software with a license plate database. The American Civil Liberties Union has released a report on the privacy and security implications of ALPRs. An ACLU representative said, “It’s not an exaggeration to say that in 10 years there will be ALPRs just about everywhere, making detailed records of every driver’s every movement and storing it for who knows how long.” [InformationWeek] See also: [Ontario Privacy Commissioner questions Waterloo license-plate recognition parking plan] and [BC: Police policy on license-plate cameras lacks detail, critics say]

US Government Programs

US – GPS Tracking: No Expectation of Privacy, Court Rules

A federal appeals court has ruled that authorities do not need a probable-cause warrant to track a suspect’s every move via GPS signals from a suspect’s mobile phone. The 6th U.S. Circuit Court of Appeals upheld a 20-year term for a drug courier that the authorities tracked via his mobile phone pinging cell towers. In the majority opinion, U.S. Court of Appeals for the Sixth Circuit Judge John M. Rogers wrote, “There is no Fourth Amendment violation because (the defendant) did not have a reasonable expectation of privacy” in the data emitted from his phone. The decision, a big boost for the government’s surveillance powers, comes as prosecutors are shifting their focus to warrantless cell-tower location tracking of suspects in the wake of a Supreme Court ruling in January sharply limiting the use of GPS vehicle trackers. The Supreme Court found law enforcement should acquire probable-cause warrants from judges to affix GPS devices to vehicles and monitor their every move. The court of appeals ruling comes a month after a congressional inquiry found that law enforcement made 1.3 million requests for cellphone data last year alone while seeking out subscriber information like text messages, location data and calling records. [The Wall Street Journal] [Source] [WIRED] [CNET] [US: Appeals Court OKs Warrantless, Real-Time Mobile Phone Tracking] See also: [Manitoba: Police use of infrared cameras prompts privacy concerns]

US – ACLU Sues DOJ for FBI Memos on GPS Tracking Guidelines

The American Civil Liberties Union (ACLU) is suing the US Justice Department (DOJ); the documents filed in US District Court in New York seek the release memos regarding the FBI’s use of GPS technology. The information is being sought in the wake of a Supreme Court decision that said placing a GPS tracking device on a suspect’s vehicle is equivalent to a search under the Fourth Amendment. The memos being sought are the FBI’s guidelines to agents regarding the use of the GPS devices to track suspects. [NextGov] [ACLU Complaint] [WIRED] [ArsTechnica] ACLU documents:

US – Privacy Assessment Discloses TSA Gathering Data on Airline Passengers

DHS has unveiled the details of 15 separate “privacy impact assessments” of some of the department’s management systems and databases which its privacy office issued between March and May of 2012, including one that reveals that TSA’s Secure Flight program has begun gathering frequent flyer status codes about the airlines that run the frequent flier programs. Such frequent flyer data is collected from aircraft operators “in conjunction with risk-based security rules,” explains a notice published in the Federal Register on August 2. In other summaries of its recently-approved privacy impact assessments (PIAs), DHS disclosed that:

  • The U.S. Secret Service’s criminal investigation division has established a new “Field Investigative Reporting System” that contains PII gathered during investigations involving counterfeiting, electronic crimes and other matters.
  • The DHS Directorate for Management has created an “Email Secure Gateway” (EMSG) which is used by all of the department’s email users. “EMSG handles email traffic in, out, and between DHS, its components, and the Internet, and provides a directory of users’ official contact information,” much of which is considered PII.
  • ICE has created a new database, known as the “Enforcement Integrated Database,” which maintains personal information about individuals involved in investigations, arrests, bookings, detentions and removals from the U.S. conducted by ICE. This database takes advantage of “technology which helps ICE prioritize aliens for immigration enforcement action based on criminal history” and enables ICE to “conduct risk classification assessments of aliens arrested under immigration laws.” [Source]

US Legislation

US – Rep. Markey Releases Cellphone Privacy Proposal

Rep. Ed Markey (D-MA) has released a discussion draft of legislation that would limit the number of requests by law enforcement for private cellphone data. The Wireless Surveillance Act of 2012 would require law enforcement officials to provide regular request disclosures and to acquire warrants prior to using geolocation tracking as well as stipulate data retention limits on personal information held by carriers. The proposal comes after Markey’s inquiry of nine wireless providers earlier this year. “With searches and seizures now happening in cyberspace,” Markey said, “this legislation will update the Fourth Amendment for the 21st century.” [The Hill] See also: [Lone Senator (Ron Wyden (D-OR) is Fighting Widespread And Illegal Government Surveillance of US Citizens] and See also: [California Community Mulls Driving Tax Amid Privacy Concerns] and [Invasion of Privacy: Arizona State Wants to Track Student Eating Habits Using ID Cards to Prevent College Drop Outs]

US – NY Gov. Signs Laws to Protect New Yorkers’ SSNs

New York Gov. Andrew Cuomo has signed a series of bills aimed at protecting New Yorkers’ privacy and personal information. The new laws, effective later this year, prevent inmates from having access to individuals’ Social Security numbers and limit instances where entities may request the numbers. The governor said, “New Yorkers deserve the strongest protections possible,” and the bills “will ensure that New Yorkers’ personal information is kept private.” [WKBW]

US – Magistrate Says Video Privacy Law Applies to Digital Content

A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users’ viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores not video streaming services. Beeler wrote that, despite Hulu’s assertion that the VPPA does not specifically cover digital distribution, “Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects that argument.” University of Minnesota law professor William McGeveran said, “Congress was really clear about wanting the interpretation to be technology neutral.” [WIRED] [MediaPost]

IN – Court Issues Guidelines on Children in the Media

The Delhi High Court has issued new guidelines on the broadcast of news about children after a complaint was lodged when an injured child was shown on TV. The guidelines state that the media “shall ensure that a child’s identity is not revealed in any manner, including but not limited to disclosure of personal information, photograph, school or locality and information of the family including their residential or official address.” The rules aim to protect children’s privacy “so that he or she may not be exposed to anxiety, distress, trauma or social stigma in the future,” the report states. [Deutsche Welle]

US – NJ Gov. Signs Emergency Responders Privacy Bill

New Jersey Gov. Chris Christie has signed into law a bill that aims to protect the privacy of accident victims by prohibiting emergency responders from photographing or disclosing such photographs. Assemblyman Craig Coughlin said S199/A789 is “not an injunction on our first responders…but the callous few who violate the privacy of the people they are charged with protecting.” Coughlin added, “In an era where photos and videos can live in perpetuity online, no family should ever have to worry about distressing images of their loved ones being displayed without their consent.” [NJTODAY]

US – Illinois Law Prohibits Employers from Asking for Social Media Passwords

Illinois became the third state to pass a law prohibiting employers from requiring employees or job applicants to provide access to their social media accounts when Illinois Gov. Pat Quinn signed the bill this month. Maryland and Delaware have passed similar laws. In addition, California is considering a similar bill, and Michigan and New Jersey have their own versions in the works. In total, at least 15 states have introduced social media legislation in some form, according to the attorney who advised the Illinois bill’s sponsor. [The Wall Street Journal] See also:: [US: Judges Get Michael Lefkow and Donna Humphrey Judicial Privacy Improvement Act of 2012 Privacy Law in Illinois]

US – Cybersecurity Bill Dies in Senate

The cybersecurity bill introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) has died in the Senate. The legislation failed to garner enough support in a cloture vote. The legislation, according to the report, “reflects a confluence of concerns over civil liberties and national security.” The one measure that survived would allow private businesses and government agencies to share data about cybersecurity threats. [The New York Times] See also: [White House Considering Executive Order on Cybersecurity in the wake of the failure of cybersecurity legislation in the US Senate | Source | Source | Source]

US – House Democrats Propose ECPA Reforms to Require Warrants

Members of the House Judiciary Committee yesterday introduced legislation aimed at updating and clarifying the Electronic Communications Privacy Act (ECPA). Submitted by Reps. John Conyers (D-MI) and Jerrold Nadler (D-NY), the bill would require law enforcement to obtain warrants for electronic communications and would set clear standards and notice obligations for when government authorities can access such data. Business Software Alliance President and CEO Robert Holleyman supports reform of ECPA, saying, “Any country that wants to succeed in the cloud needs clear and consistent rules to protect users’ privacy while enabling the free flow of data and commerce.” [NationalJournal]

Workplace Privacy

US – Federal Worker Monitoring Raises Privacy Concerns

Many federal agencies monitor workers’ activities online. The WikiLeaks scandal and other unauthorized disclosures have prompted the government to collect larger, timely and detailed profiles of federal employees. The increased use of monitoring worries some privacy advocates, the report states, because of potential abuse, particularly related to whistle-blowing and the monitoring of personal e-mails. A 2010 incident with Food and Drug Administration scientists has been cited as one such example. A Defense Department representative said, “Nobody’s reading e-mails here…There has to be probable cause.” [The Washington Post]

AU – Privacy Foundation Provides Policy Statement on Substance Abuse Testing

Substance abuse testing must not be imposed unless pre-conditions have been fulfilled, including the following – a privacy impact assessment (“PIA”) has been undertaken (in advance of any commitment being made to impose testing) and has included consultation with representatives of and advocates for the categories of affected people, justification has been exposed in advance and subjected to examination, the privacy intrusions are proportionate to the need, and all privacy intrusions that are found to be justified are the subject of mitigating measures to reduce their negative impacts. Where substance abuse testing is imposed, explicit and clear information must be given to employees in relation to the following matters – the specific purposes for which it is being imposed, the circumstances under which it will be imposed, the procedures involved in extracting the sample and the data from the sample, the employer’s responsibilities, the employee’s rights, the uses to which the resultant samples and data may be put, and any disclosures that the resultant samples and data may be subject to. [Source]

+++

01-30 September 2011

Biometrics

US – Sen. Rockefeller Requests FTC Report on Facial Recognition Technology

Senator John D. Rockefeller IV (D-WV) has sent a letter to the FTC, requesting that the Commission submit a report summarizing the use of facial recognition technology and recommend potential legislative solutions to protect privacy. Rockefeller’s letter specifically cited mobile applications such as SceneTap, which “tracks the male/female ratio and age mix of the crowd [in bars]” and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC’s complaint regarding Facebook’s use of facial recognition technology is still pending before the FTC. [Sen. J. Rockefeller Letter to FTC (Oct. 12, 2011)] See also: [EPIC Complaint Re: Facebook Facial Recognition (June 10, 2011)] and [EPIC: In re Facebook] and [EPIC: Facial Recognition] as well as [Forbes: Kraft To Use Facial Recognition Technology To Give You Macaroni Recipes]

US – FTC to Hold Workshop on Facial Recognition Security, Privacy Issues

The FTC said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security. The agency said the workshop will look at many topics including:

  • What are the current and future uses of facial recognition technology?
  • How can consumers benefit from the technology?
  • What are the privacy and security concerns surrounding the adoption of the technology; for example, have consumers consented to the collection and use of their images?
  • Are there special considerations for the use of this technology on or by children and teens?
  • What legal protections currently exist for consumers regarding the use of the technology, both in the United States and internationally?
  • What consumer protections should be provided?

The workshop will take place in Washington, DC on Dec. 8, 2011 is free and open to the public. [Source]

EU – Facial Recognition Cameras to be Installed on Rotterdam Trams

Rotterdam’s public transport company RET is planning to use facial recognition technology to make sure people who have been banned from using the city’s trams don’t sneak on anyway. RET is planning to install cameras in every compartment on the tram 2 route to test the system. In theory, the cameras will scan the faces of everyone entering the tram. If someone who has been banned gets on, the driver will be given a signal. RET denies there are privacy concerns because no names will be attached to the recorded images. [Source] See also: [Scanning 2.4 Billion Eyes, India Tries to Connect Poor to Growth]

US – Palm Scans: School Cafeterias Go High Tech

A new palm reader for Pinellas County middle and high schoolers cannot predict the future. But this high-tech scanning system will make the lunch line move faster. Pinellas County Schools are the first in the nation to use a palm scanning system, which is manufactured by Fujitsu. The new palm-scanning program, piloted at Boca Ciega High School, cost the district $105,000. It replaces a finger scan system used in county middle and high schools since 2005. The palm scan system connects with the district’s lunchroom software. Gone is the need for a lunch card or ID number to pay for meals. The scanner photographs and stores each person’s unique palm vein. [Source] See also: [AU: Finger scanners to keep tabs on librarians]

 

Canada

CA – Industry Canada Proposes Amendments to PIPEDA

A bill that would amend PIPEDA has been reintroduced, focusing on empowering consumers by furthering protection for children online (requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information online), and allowing organizations to release personal information in certain circumstances (protect victims of financial abuse, locate missing persons and identify injured, ill or deceased individuals), and requiring notification of security breaches (to the Privacy Commissioner of Canada, as well as affected individuals where there is a real risk of significant harm). Rules for business would also be streamlined by providing exceptions to the consent requirements for the collection, use and disclosure of information needed to manage employment relationships, produced for work purposes, used for due diligence in business transactions, or disclosed for private sector investigations or fraud prevention. To aid law enforcement, organizations may collaborate with security agencies in the absence of a warrant, subpoena or order, and may be prohibited from notifying the individual about the disclosure of his or her personal information. [Press Release and Backgrounder] See also: [Federal Court slaps law firm for publishing a Privacy Commissioner finding that identified the complainant]

CA – Mandatory Data Breach Reporting Proposed

Proposed changes to Canadian privacy laws would force companies to report breaches of personal information to the privacy commissioner and affected individuals. The change was among proposed amendments to PIPEDA introduced late this month by Industry Minister Christian Paradis in the House of Commons. Organizations would be required to report breaches of personal information to Privacy Commissioner Jennifer Stoddart where there is a risk of “significant harm” such as identity theft, fraud or risk to a person’s reputation. In that way, the government said, those affected could take steps to mitigate the damage that might arise from the breach. Other proposed changes to the law introduce exceptions to rules for handling personal information:

  • They would clarify that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order. They would also prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.
  • They would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.
  • Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.
  • Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.

In addition, the rules concerning consent to disclosure of personal information would require organizations to consider the ability of their target audience, such as children, to understand the consequences of sharing their information. [Source] See also: [AU – Data breach laws to follow privacy paper] and: [Video contest lets youth express ideas about privacy]

CA – Alberta Court Declares Portions of Provincial Privacy Law Unconstitutional

The Alberta Courts have once again issued a stunning decision regarding privacy laws in that province. In this case, United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), 2011 ABQB 415 (CanLII), the Alberta Court of Queen’s Bench has determined that portions of the Personal Information Protection Act (Alberta) (“PIPA”) are unconstitutional. This particular case is a judicial review of a decision of the Office of the Information and Privacy Commissioner that held a trade union violated PIPA by videotaping at a picket line. PIPA allows the collection, use and disclosure of personal information that is “publicly available”, which is very narrowly defined in the Act and its regulations. In addition, it does not apply to information that is collected for journalistic purposes “and for no other purpose”. On a bare reading of the Act, information from a public protest or picket line does not fit within the definition of “publicly available”. In addition, the information collected by the union was collected for journalistic purposes, among others, which meant that exception was not available. The Court found that PIPA violates freedom of expression under Section 2(b) of the Charter and these provisions cannot be justified by Section 1 of the Charter. [Source]

US – U.S. Border Deal Could Compromise Canadian Privacy: Report

The anticipated trade and security agreement with the U.S. carries no guarantee of a reduction of red tape at the border for Canadian business and is more likely to violate national privacy laws, suggests a new report from the Rideau Institute, which offers a scathing rebuke of a new cross-border agreement with the U.S., expected to be announced within weeks, that the federal government says will increase perimeter security and ease trade with our neighbours to the south. Canada is being asked to compromise the civil rights of millions of Canadians without any guarantee the Americans will hold up their side of the bargain, says the report, written by Gar Pardy, a former senior diplomat to Washington. Pardy recommends Canada create a “single authority” to oversee the various security agencies that share information with the U.S. and ensure privacy laws aren’t violated. Pardy also recommends the privacy commissioner review and monitor all information sharing agreements with the United States and report annually to Parliament. Pardy also calls on the federal government to update the 28-year-old Privacy Act. The report also disputes that information sharing between security agencies on both sides of the border has made either country safer. Pardy argues that the lack of terrorist attacks since Sept. 11, 2001, is “less an indication of the effectiveness of security measures than it is of the ineffectiveness of terrorist organizations to reach beyond their traditional areas of operations.” [Source] See also: [Canadians with mental illnesses denied U.S. entry]

CA – Commissioner Urges Teenagers to Protect Privacy

Privacy Commissioner Jennifer Stoddart is encouraging teenagers to consider the consequences before posting personal data online so that they can “take advantage of all of the benefits that the online world has to offer–without having any regrets later.” Stoddart has released “Protecting Your Online Rep“ to help educate high school students about how to protect their privacy and is planning to release similar packages for younger students later this year. “Think twice about every piece of information before you post it on the Internet,” Stoddart said, “because once it’s up there it can be impossible to take down.” [Toronto Star]

CA – Federal Privacy Commissioner Releases Lawyer Guidance

The Office of the Privacy Commissioner (OPC) has created a handbook for lawyers explaining how the Personal Information Protection and Electronic Documents Act applies to law practice in the private sector. “While lawyers may be familiar with privacy laws in general, they may benefit from some concrete guidance on how to apply the laws to their own practice,” said the OPC’s general counsel, adding, “Canadian lawyers have a leadership opportunity to serve as exemplars of ethical and respectful conduct on behalf of their profession and the clients they serve.” [Source] See also: [CA – No Online Monitoring in Crime Bill] See also: [9/11 brought lasting changes to Ottawa security] and [Did the terrorists take U.S. Freedom?]

CA – Ontario Privacy Commissioner Releases Whitepaper

Ontario’s Information and Privacy Commissioner has released a whitepaper for regulators, decision-makers and policy-makers. “Privacy by Design in Law, Policy and Practice“ aims to “help support the wide implementation of the principles of Privacy by Design,” the paper states. It encourages companies to “go beyond mere legal compliance with notice, choice, access, security and enforcement requirements” and, instead, design their own approaches to risk management within regulatory frameworks. [Source]

CA – Manitoba Pawn Shop Handed 16 Tickets

A West End pawn shop is facing $80,000 in fines after it refused to comply with a city order to shut down. Last week, the city ordered A & C Pawn to close for 30 days after it repeatedly failed to comply with a city bylaw that requires them to take photographs of all pawned items and the people who sell them. The Sargent Avenue shop owner appealed the order and his lawyer argued the bylaw is a breach of privacy rights. City officials dismissed the appeal and suspended the pawn shop’s business licence. It’s the first time Winnipeg has suspended a business’s licence to operate. This week, however, pawn shop staff said A & C has no immediate plans to shut down. The store was open Monday to Thursday. [Source]

 

Consumer

US – Poll: OK to Trade Some Freedoms to Fight Terrorism

The same Americans who are increasingly splashing their personal lives across Facebook and Twitter trace a meandering path when asked where the government should draw the line between protecting civil liberties and pursuing terrorism. 10 years after the 9/11 attacks led to amped-up government surveillance efforts, two-thirds of Americans say it’s fitting to sacrifice some privacy and freedoms in the fight against terrorism, according to a poll by The Associated Press-NORC Center for Public Affairs Research. A slim majority — 54% — say that if they had to choose between preserving their rights and freedoms and protecting people from terrorists, they’d come down on the side of civil liberties. The public is particularly protective of the privacy of U.S. citizens, voicing sharp opposition to government surveillance of Americans’ emails and phone calls. Two-thirds of those surveyed believe the resulting policies are a mish-mash created in reaction to events as they occur rather than clearly planned. The poll found that about half of those surveyed felt that they have indeed lost some of their own personal freedoms to fight terrorism. Was it worth it? Close to half of those who thought they’d lost freedoms doubted it was necessary. While 47% of Americans support allowing the government to read emails sent between people outside the United States without a warrant, just 30% supported similar monitoring of emails sent between people inside the country. And while nearly half supported government eavesdropping on phone calls between people outside the country without a warrant, only a quarter favored such surveillance of calls inside the U.S. More results:

  • 71% favor surveillance cameras in public places to watch for suspicious activity.
  • 58% favor random searches involving full-body scans or pat-downs of airplane passengers.
  • 55% favor government analysis of financial transactions processed by U.S. banks without a warrant.
  • 47% favor requiring all people in the U.S. to carry a national ID card and provide it to authorities upon demand.
  • 35% favor racial or ethnic profiling to decide who should get tougher screening at airports. [Source]

NZ – Confusion Over Reality TV Privacy Issues: Report

Reality television viewers and the people who unwittingly appear in local reality shows are confused about privacy issues, new research has found. The Real Deal report, commissioned by the Broadcasting Standards Authority (BSA), focused on three local reality shows where people had been “caught up” in filming rather than agreeing upfront to take part. Both viewers and participants were found to be confused over privacy issues such as the right to film in public places, whether or not consent was needed before footage was broadcast, the conditions under which people’s faces should be pixellated, and the use of hidden cameras. BSA chief executive Dominic Sheehan said the report’s key recommendation was that the public would be well served by clear, accessible information about rights to privacy, filming and broadcast. [Source] See also: [Here’s Looking at You Kid - Proximity Marketing and Customer Tracking Embedded in Advertising] See also: [CA – Poster shaming for public peeing]

 

E-Government

CA – Complaint Lodged Against PEI Liberal Party

A woman has lodged a complaint with the Prince Edward Island (PEI) privacy commissioner after e-mails she sent to a cabinet minister were released to the media by the Liberal Party. The woman claims she thought the two e-mails–in which she alleges corruption in the immigration nominee program–would be kept confidential, but the Liberal Party denies any reasonable expectation of privacy. PEI Privacy Commissioner Maria MacDonald said, after initial examination, she doesn’t see any relevant exemptions in the law allowing for the release of the e-mails, but the Liberal Party is not a public agency and therefore not covered by the privacy law. MacDonald will not confirm whether her office is investigating the complaint. [Source] See also: [B.C. Government Employee Resigns After Email Security Breach] and [Tory candidate Ted Morton investigated by Alberta privacy commissioner]

SK – South Korea: Help Wanted: Busybodies With Cameras

With his debts mounting and his wages barely enough to cover the interest, Im Hyun-seok decided he needed a new job. The mild-mannered former English tutor joined South Korea’s growing ranks of camera-toting bounty hunters. Known here sarcastically as paparazzi, people like Mr. Im stalk their prey and capture them on film. But it is not celebrities, politicians or even hardened criminals they pursue. Rather, they roam cities secretly videotaping fellow citizens breaking the law, deliver the evidence to government officials and collect the rewards. The opportunities are everywhere: a factory releasing industrial waste into a river, a building owner keeping an emergency exit locked, doctors and lawyers not providing receipts for payment so that they can underreport their taxable income. Mr. Im’s pet target is people who burn garbage at construction sites, a violation of environmental laws. “I’m making three times what I made as an English tutor,” said Mr. Im, who began his new line of work around seven years ago and says he makes about $85,000 a year. The outsourcing of law enforcement has also been something of a boon for local governments. They say that they can save money on hiring officers, and that the fines imposed on offenders generally outstrip the rewards paid to informers. [The New York Times] See also: [Atlanta Police Including Private Surveillance Cameras in Monitoring Center] and also: [AU – Audit for hidden CCTV cameras after backpacker’s pole dance goes viral]

UK – Twitter and Facebook is a Two-Way Street, Says Information Commissioner

Public sector organisations that use Twitter and Facebook cannot complain when citizens use the same social media to ask for information. That was the message from Information Commissioner Christopher Graham in a speech marking ‘International Right to Know Day 2011’ and posted, social media style, on, of course, YouTube. Graham recently made it clear that public sector organisations must be prepared to receive and respond to requests under the Freedom of Information Act (FoI). [Source] See also: [UK – Britain Juggles Right to Know With Privacy Concerns] and [Ex-P.E.I. gov’t worker files complaint over leaked emails]

UK – Intelligence Community Gets Social

Digital media is mostly about entertainment for some, while for others, the value lies in being able to spread messages to a large audience. But, as many news organizations are discovering, Web 2.0 technologies are as good for listening as they are for broadcasting. The notion of social media as a trend-monitoring tool is spreading — and now U.S. spy agencies are jumping on board. Intelligence Advanced Research Projects Activity (IARPA), the intelligence community’s research arm, says it hopes to use data gathered from social media to predict political unrest and natural disasters. While the proposal may rankle privacy critics, it’s just the latest example of the way intelligence officials are turning to the social Web to collect policy-relevant information. [Source]

CA – Council Pushes for Online Voting in B.C

Nanaimo council members will push for online voting when representatives from B.C. communities meet later this month to discuss provincial policy issues. Three communities have aggressively lobbied for online voting. Coquitlam, North Vancouver City and Fort St. John have all urged the Union of B.C. Municipalities to take the issue to the provincial government. Minister of Communities Ida Chong said the B.C. Elections Act has to change to allow Internet voting. Privacy concerns remain the largest fear against the new format, whether it be at the local, provincial or federal level. Some communities in other provinces have successfully adopted online voting, but larger scale elections are much more difficult, according to industry experts. Three major municipalities have used these systems, according to Elections Canada. Ontario’s Markham and Peterborough as well as Nova Scotia’s Halifax have used Internet voting in several elections. The majority of Canadian voters would use Internet voting, according to a survey conducted by Elections Canada after the 2008 federal election. About 54% said they would likely vote online, while 69% of youth voters (between 18 and 25) said they vote online. [Source]

CA – Ontario CIO Wants to Team With Feds on Joint Data Centres

Speaking at this year’s gathering of Ontario IT workers, David Nicholl expressed a desire for vendors to build Canadian-based data centres. The IT leader also expressed an interest in working with Ottawa a lot more closely For Ontario’s IT chief, the lack of Canadian-built data centres is the only thing standing in the way of increased provincial adoption of cloud services. [Source]

 

E-Mail

US – Spammer Banned From Sending Unsolicited Texts

The FTC has settled with an operator who allegedly sent millions of illegal text messages to consumers. Operator Phil Flora is banned from sending any unsolicited text messages or “making false or misleading claims about any good or service” after he sent a “mind-boggling” number of spam text messages to consumers for mortgage services and claimed he was affiliated with a government agency, according to the FTC complaint filed in February. Flora’s actions violated the FTC Act and the CAN-SPAM Act, the FTC charged, ordering Flora to pay $58,946. [FTC Press Release] [Complaint] [Settlement Order] See also: [Open this malware or I’ll sue you] and also: [US: Lobbyists exposed by email slip up]

 

Electronic Records

CA – Health Canada Research Project Taps CANARIE for Network

The Canadian Network for the Advancement of Research, Industry and Education will be the foundation for a new venture into patient-orientated research in Canada. While Ottawa, Ont.-based CANARIE may not be the only FiOS infrastructure out there for high data yield research, there are a few reasons why it’s being used by 89 universities and 60 hospitals in Canada. It comes down to the nature of the work being done and the fact that it’s a closed network. Health Canada unveiled a new plan recently to promote and fund more patient-based research. This strategy will allow for more medical research to be conducted on health issues most important to Canadians while also developing strategies and solutions that better address the way we live. [Source]

US – National Doctor Database Goes Dark Over Privacy Concerns

There was no national tracking of malpractice or disciplinary actions by hospitals, licensing boards or professional societies. That changed after Congress established the National Practitioner Data Bank in 1986: a clearinghouse for hospitals, professional societies and state regulators to check doctors’ credentials. It went online in 1990. The data bank was set up to be confidential. But a “public-use” file, scrubbed clean of identifying information, has been released each quarter by the federal Health Resources & Services Administration. That database was removed Sept. 1 so that the government could make sure people can’t use it to find specific information about individual doctors. Recently, reporters with newspapers in Kansas City and Duluth, Minn. did. [Source] See also: [Florida: Picking up a prescription could cost you some privacy]

 

Encryption

WW – DigiNotar Certificates Blocked Following Breach

The number of certificates issued as a result of a security breach at Dutch certificate authority DigiNotar is growing; the latest official estimate has the figure at 531. The breach had prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser. The most recent version of Google’s Chrome browser also places DigiNotar certificates on a permanent block list. There is evidence that the stolen certificates were being used to spy on people in Iran. The sites for which fraudulent certificates were issued include MI6, the CIA, Microsoft, Facebook and Twitter. Microsoft said that the forged certificate cannot be used to force malware through Windows Update. Internet Storm Center| Source | Source | Source | Source | Source | Source] [DigiNotar Barred From Issuing Qualified Certificates; Existing Signatures Invalidated | Source | Source] [Microsoft Updates Patch That Blocks DigiNotar Certificates | Source | Source | Source] and [GlobalSign to Resume Issuing New SSL Certificates | Source | Source | Source] and [Certificate Hacker Claims He Can Issue Fake Microsoft Updates] and [Apple Updates OS X Trusted Root List to Exclude DigiNotar | Source | Source] and [Mozilla Demands Certificate Authorities Ensure Security | Source | Source] and [Microsoft Joins Mozilla and Google in Blocking DigiNotar Certificates | Source | Source | Source] and [Belgian Certificate Authority Investigating Attack Claims | Source] and, finally: [DNS Attack Affects Prominent Websites] and [Google contacts Iranian users to secure Gmail accounts: A rogue SSL certificate could have compromised about 300,000 users in Iran] and [Dutch government says it cannot guarantee safety of its websites after hacker attack] and finally, [The Economist: Internet security: Duly notarised]

WW – Researchers Demonstrate Flaw in Browser Security Protocol

A pair of researchers has cracked a ubiquitous browser encryption protocol. Thai Duong and Juliano Rizzo have found a vulnerability in versions 1.0 and earlier of transport layer security (TLS), the technology that used to enable secure sockets layer (SSL). The vulnerability also exists in SSL version 3. The flaw can be exploited to decrypt information flowing between a web server and a user’s browser. The researchers plan to demonstrate their findings with a tool they call BEAST (browser exploit against SSL/TLS) at a conference in Argentina. Opera has already released a patch for the flaw, and Google has added a fix to its most recent developer version of Chrome. [Source] [Source] [Source] [Source]

SA – South Africa Joins the Call for BlackBerry Messaging Keys

South Africa has joined the call for access to the BlackBerry Messaging service, quoting the usual security concerns and pointing out that the UK plans much the same thing. “There is evidence that criminals are now using BBM to plan and execute crime,” the deputy comms minister told his audience at a London conference on African telecommunications: “We want to review BBM like in the UK and Saudi Arabia.” It seems that RIM has already shared that key with India, Saudi Arabia probably has a copy too and one can be certain that the UK and US governments wouldn’t be without a copy. [Source]

PK – Pakistani Directive Requires ISPs to Block Encrypted Communications

According to a memo from the Pakistan Telecommunication Authority, Internet service providers (ISPs) in that country are required to block encrypted communications that are sent over virtual private networks (VPNs). The memo, leaked by a Pakistani ISP, served as a reminder of the policy and notice that the “directive has not been followed in true letter and spirit.” The policy’s stated intent is to prevent militants from communications over channels that cannot be monitored. Entities can apply for special exemptions. [Source | Source | Source]

 

EU Developments

EU – Privacy Directive Reform Publication Likely Delayed

The European Commission’s publication of the EU Data Protection Directive (95/46/EC) reform will likely be delayed beyond the expected November deadline. Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, said that “this is a comprehensive reform” and the timing for publication will be “within 20 weeks.” [IAPP Europe Data Protection Digest] [Source]

EU – EU Council Reaches Agreement with Australia on PNR Data

The EU has endorsed a deal allowing Australian authorities to keep the personal information of passengers flying between Europe and Australia for five-and-a-half years. Australian officials will be able to store data such as names, credit card numbers, phone numbers and addresses as part of efforts to fight crime and terrorism under the deal backed by EU interior ministers. The agreement is expected to be signed by the end of September, the 27-nation EU said in a statement. It must then be approved by the European Parliament. Euro MPs, concerned about the privacy of EU citizens, demanded new negotiations on the use of passenger information with the United States, Canada and Australia. While the Australian deal is finalised, talks with the Americans and Canadians are ongoing. Negotiations with the United States are more controversial, with EU MPs already voicing criticism in May over a preliminary agreement that would allow US authorities to store personal data for 15 years. [Source] [Source] See also:

EU – Facebook Rebuked by EU Privacy Platform; Patriot Act a ‘Distraction’?

The European Parliament’s Privacy Platform met to discuss a wide range of transatlantic data protection matters, which have yet to be resolved. With representatives from Facebook, along with Microsoft’s former privacy chief, privacy groups and advocates met from across Europe to discuss the ongoing negotiations between Europe and the United States on data transfer rules. Facebook spokesperson Richard Allan said Facebook operates under Safe Harbor rules, and that “all European users are with Facebook Ireland and protected under data protection laws”. However, Facebook Ireland, where European’s data is stored, has a relationship with Facebook Inc. based in the United States, to allow “data processing in the United States”. The discussion was interrupted by former Microsoft privacy chief Caspar Bowden, who claimed that Facebook was not as open as it said it was. Bowden described how a subject access request – a Europe-wide information gathering tool, designed to be used by end-users and ordinary citizens to see what data a company, public or private, has on them – was flat-out denied by Facebook. Sophie in ‘t Veld, Dutch MEP and vice-chair of the European Parliament’s civil liberties and justice committee, had asked the European Commission, Europe’s upper house, for clarification in questions regarding data jurisdiction put forward last week. Bowden pointed out that “the Patriot Act has become a distraction” against the “real threat to European data”.[Source] See also: [European companies ‘need confidence’ over Patriot Act concerns] and [EDPS - Opinion on the Proposal for a Regulation of the European Parliament and of the Council on European Statistics on Safety from Crime]

EU – Pro-Hacker Party Wins Parliament Seats in Berlin Elections

Issues of Internet freedom and political transparency are coming to the fore as a political party with philosophical ties to hacker collectives like Anonymous wins seats in the German capital’s recent elections. The Pirate Party of Germany, or Piratenpartei Deutschland, recently took 8.9% of the vote in Berlin’s elections on Sunday. All 15 candidates won seats in the city-state’s parliament in their first election, surpassing expectations for what many supposed was a fringe, one-issue party. Some German political commentators downplay the success of the Pirate Party as a “protest vote” for underrepresented blocks of voters in Berlin, and many noted the markedly different style of the party members, remarking on the pirates’ casual dress of t-shirts and jeans at official ceremonies and their post-victory celebrations infused with alcohol, marijuana and nightclubbing. But the Pirate Party’s emergence marks the rise of issues related to technology, politics and freedom in the European political agenda, highlighting their growing relevance in a changing electorate. “They are absolutely not a joke party,” said Christoph Bieber, professor of political science at the University of Duisburg-Essen. “In the Internet, they had really found an underexploited theme that the other political parties are not dealing with.” [Source] See also: [Former North Vancouver Mountie sues RCMP over pot raids]

EU – CNIL Elects New Chair

The board of France’s data protection authority–CNIL–has elected Isabelle Falque-Pierrotin as its new chair, Hunton & Williams’ Privacy and Information Security Law Blog reports. The move comes after the resignation of Alex Türk, which became official on September 21. Prior to becoming a member of CNIL in 2004 and Deputy Chair in February 2009, Falque-Pierrotin worked for the Organisation for Economic Cooperation and Development and was chair of the French Internet Rights Forum. [Source] [CNIL Press Release]

 

Filtering

UK – UK Police May Get Authority to Shut Down Domains Without Court Order

Law enforcement authorities in the UK may gain the power to suspend Internet domain names without a court order if they suspect the domains are being used for illegal purposes. A proposed rule would allow police the expanded authority when “the urgent suspension of the domain name is necessary to prevent serious and immediate consumer harm.” Prior to the takedown, police would have to file a declaration with Nominet, which manages the .uk registry, that the action is “proportionate, necessary and urgent,” but would not need to get court approval. [Source]

 

Finance

WW – Firms Scrambling Ahead of PCI DSS Audits

Firms are struggling to maintain compliance with PCI DSS standards. That’s based on the “2011 Verizon Payment Card Industry Compliance Report,” which looked at more than 100 PCI DSS assessments conducted by Verizon’s PCI Qualified Security Assessors in 2010, based on compliance with 12 PCI DSS standards. The report found 21% of organizations were fully compliant, and when compliance is achieved, it’s not maintained through the next assessment period. Organizations are meeting about 80% of requirements, a Verizon spokesman said, adding, “We’re seeing lots of scrambling to get things in order for the assessor, and that’s not the intent of PCI DSS at all.” [SearchSecurity.com] [Source]

CA – RBC on the Hook for Damages After Employee Breaches Client’s Privacy

The Royal Bank of Canada (RBC) must pay monetary damages to a client for the disclosure by one of its employees of the client’s account information, the Federal Court of Canada has ruled. The client, Nicole Landry, was going through divorce proceedings. As part of the proceedings, Landry’s husband’s lawyer sent a subpoena to RBC ordering a bank employee to attend court with information on Landry’s accounts. The employee also faxed account statements to the husband’s lawyer without Landry’s consent. This was a violation of RBC’s own policies, which required the consent of an account holder before releasing information. The faxing of the documents directly to the husband’s lawyer was also a violation of PIPEDA, as it was outside the scope of the subpoena, which requested the documents for court records. The disclosure of Landry’s account information exposed the fact that she had been concealing the existence of a personal bank account, contrary to her legal obligation to reveal all her assets in the divorce proceedings. Landry sued RBC, claiming its disclosure of information contrary to its policies and PIPEDA had caused her personal harm and humiliation. The court found most of the humiliation and personal harm Landry suffered came from the release of the divorce settlement and her own secretive conduct. However, in recognition of the bank’s breach of her privacy, it awarded Landry a token amount of $4,500 in damages. She had asked for $100,000 in her claim. [Source] See also: [UK: Cashier spied on sex attack victim’s bank records]

 

FOI

[Economist: WikiLeaks: Swept up and away - The release of all the leaked embassy cables marks both the end of WikiLeaks and the beginning of an era] and also: [CBC execs to fight info commissioner: The CBC’s average time for responding to access-to-information requests last year was five months]

 

Genetics

NZ – Newborn Blood Sample “Guthrie” Cards to Be Kept Indefinitely

Cards containing the blood spots from heel prick tests on newborn babies will be kept indefinitely, with greater protections on access to the cards. “The Ministry of Health is moving to enhance and protect privacy relating to the cards. The blood spot cards are collected from every newborn as part of an important screening programme that identifies and then treats babies born with serious metabolic disorders. They have been collected since the late 1960s. Parents can choose whether the card is retained in indefinite storage. The protections around use of the cards for research include:

  • Individual written consent required for research on samples collected before June 2011
  • For cards collected after June 2011, parents are informed about what the cards may be used for before they agree to long term storage
  • Any proposal for research using the cards must have ethics committee approval. [Source] See also: [Connecticutt DNA Sampling Law Goes Into Effect Oct. 1]

 

Health / Medical

UK – Privacy Watchdog Rebukes Health Trust Over Lost Data

An NHS trust has been reprimanded by the Information Commissioner after the personal details of 1.6m patients were lost when a filing cabinet was accidentally sent to landfill. containing a CD holding the addresses, dates of birth, NHS number and GP practice details of patients. A spokesman for the ICO said: “This case highlights that clear policies and procedures should be put in place to support staff when handling personal information as part of an office move.” The Information Commissioner opted against serving a formal enforcement notice against the PCT as he noted it had taken substantial measures to improve its data protection procedures and had made attempts – in the event, futile – to retrieve the cabinet once it was discovered missing. [Source]

US – Federal IT Strategic Plan Needs More, Some Say

GovInfoSecurity reports that some experts say the Federal Health IT Strategic Plan “doesn’t go far enough in spelling out specific action steps and priorities.” Following a public comment period, the Department of Health and Human Services’ Office of the National Coordinator for Health IT issued the final version of the plan earlier this month. One expert says the plan “incorporates all the right areas of focus with respect to privacy and security but misses the chance to address some important issues that will be critical to healthcare’s future success in addressing data security,” including giving Health Insurance Portability and Accountability Act enforcement sharper teeth. [Source] See also: [Pharmacy kiosks launched: Markham company bringing technology to region]

AU – E-Health Violations to Result in Fines

Australia’s government will fine health practitioners $66,000 for breaches of electronic health records. Draft legislation includes penalties of $13,200 for each instance of a record being either breached or accessed without authorization. It also states that healthcare practitioners can only upload patient data if consent is obtained and that Australians will have access to their own data. Exceptions to patient records access rules include “to prevent a serious threat to an individual’s life, health or safety” or to public health and safety. Health Minister Nicola Roxon said the Personally Controlled Electronic Health Record system will be more secure and private than paper-based records. [iTNews] [Draft legislation]

US – Survey: Industry Lacks Data Security

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers’ Health Research Institute, nearly 74% are planning to expand the use of electronic health records, but only 47% are addressing related privacy and security implications. One of the report’s contributors, Jim Koenig, CIPP, said, “health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step…That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it’s only natural that advancements in privacy and security should come along.” [Source] See also: [Nurse fired after breach of privacy at hospital]

US – Health Breaches Rise, AGs Slow to Act

Only two state attorneys general have used the powers given to them by Congress to enforce the Health Insurance Portability and Accountability Act (HIPAA). Since the government bestowed enforcement powers to attorney generals in 2009 through the economic stimulus package, former Connecticut AG Richard Blumenthal and Vermont AG William Sorrell are the only ones to have taken action. Some experts say that high rates of HIPAA compliance, limited budget resources and AG’s choosing to prosecute under state rather than federal laws may be contributing to the lack of action. Meanwhile, Health and Human Services reports that patient data breaches more than doubled from 2009 to 2010. [Source] See also [Senator Introduces Data Protection Legislation | Source]

US – HHS Unveils Personal Health Record Privacy Notice

The Department of Health and Human Services (HHS) has unveiled an easy-to-read, standardized template to help consumers to learn more about the privacy and security policies and data practices of personal health record (PHR) products. With the goal of helping PHR companies build greater trust among consumers, the PHR model privacy notice is similar to nutrition labels on foods, in that it simplifies complex information to improve transparency and consumer understanding, HHS officials said. The PHR model privacy notice was launched at the first-ever HHS Consumer Health IT Summit, held Sept. 12 at the Department of Health and Human Services in Washington, D.C. The summit brought consumers, providers, and the public and private sectors together to discuss how best to empower consumers to be partners in their health and care through health IT. The FTC worked closely with HHS on the development of the template and will enforce it for entities under their jurisdiction. PHR vendors Microsoft, Dossia, and NoMoreClipboard have all agreed to use the notice on their websites. [Source] See also: [IPC recognizes “Right to Know Week 2011” with educational outreach at Ontario hospitals] and [Commissioner Urges Hospitals to be Proactive with the Release of Public Information]

 

Horror Stories

US – Data Breach Affects 4.9M Active, Retired Military Personnel

Sensitive data including SSNs, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently. The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families. The breach affects all those who received care at the military’s San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities. As is often typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low “since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.” [Source] See also [NS: Commissioner is investigating release of 1,500 confidential patient files] and [Investigation launched after medical records found on Calgary street] and [Colorado Nurse Faces 51 Counts for Records Theft] and [Auction Win: Storage Space and Medical Records] and [50,000 Patient Records Lost in System Crash] and [Vending Machine Company Point-of-Sale Breach Affects 40,000 | Source | Source] and [Security Breach Exposes Stanford University Hospital ER Patient Data | US: Medical data breach probed]

US – Former Employee Ordered to Pay $1.2 Million in Restitution for Data Breach

A former employee of Countrywide Home Loan was sentenced to prison and ordered to pay restitution in connection with a large-scale data breach at Countrywide, now Bank of America. The judge also imposed restrictions with regard to Rebollo’s future access to consumer information. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena where he had access to computer databases, many of which contained sensitive consumer information maintained in private Countrywide databases. Rebollo admitted that he saved the reports to personally owned flash drives and distributed financial information and contact information pertaining to approximately 2.5 million individuals. Rebollo further admitted that, in at least 50,000 instances, the individuals’ Social Security numbers were disclosed. [Source]

AU – Privacy of Patients Breached by Professional Services Review

PATIENT privacy has been compromised in the federal government’s bid to control health spending, with a key agency found to have illegally merged data from Medicare and the Pharmaceutical Benefits Scheme. In a case likely to fuel privacy concerns over planned electronic health records, the embattled Professional Services Review has been ordered to add computer system and practice changes to a growing list of reforms. The PSR investigates alleged doctor rorts, but a wave of legal challenges has this year forced 39 potential cases to be abandoned and left about 50 completed cases at risk of collapse. The government, which is preparing an appeal to the High Court, has ordered an independent review and a parliamentary committee is also examining the PSR. Privacy Commissioner Timothy Pilgrim said that after a 14-month investigation the PSR was found to have breached the Privacy Act with regard to its handling of patient information. “I found that PBS and MBS (Medicare Benefits Schedule) claims information were being stored in the same database and this was in contravention of PSR’s obligations under the privacy guidelines for Medicare benefits and Pharmaceutical benefits programs,” Mr Pilgrim said. [Source]

 

Identity Issues

US – Twitter Study Tracks When We Are

However grumpy when they wake up, and whether they stumble to their feet in Mumbai, Mexico City or Minnetonka, Minn., people tend to brighten by breakfast time and feel their mood taper gradually to a low in the late afternoon, before rallying again near bedtime, a large-scale study of posts on the social media site Twitter found. Drawing on messages posted by more than two million people in 84 countries, researchers discovered that the emotional tone of people’s messages follows a similar pattern not only through the day but also through the week and the changing seasons. The new analysis suggests that our moods are driven in part by a shared underlying biological rhythm that transcends culture and environment. The report, by sociologists at Cornell University and appearing in the journal Science, is the first cross-cultural study of daily mood rhythms within the average person, using such text analysis. Previous studies have also mined the mountains of data pouring into social media sites, chat rooms, blogs and elsewhere on the Internet, but looked at collective moods over time, in different time zones or during holidays. [The New York Times] See also: [Mobile Authentication] and [Defamatory Blog Postings: Anonymity and the Law] and also: [NYT: Senator Rick Santorum: Dealing With an Identity Hijacked on the Online Highway]

 

Intellectual Property

CA – UBC Tries to Protect Student Privacy on Plagiarism Checking Website

Students in the social sciences should be familiar with the plagiarism-checking website, Turnitin. But few may be aware that UBC required a review of Turnitin’s privacy policy earlier this year. UBC has maintained a contract with Turnitin, a California-based online tool, since 2001. It’s meant to aid instructors in detecting copied phrases or misquoted texts that could constitute a breach in academic integrity. Students can also use it to pick out and correct originality errors in their papers before submitting it to their instructors. But returning students may have observed that the convenient link to Turnitin through WebCT Vista has been disconnected. It was discovered around mid-March this year that Turnitin had been saving student information on American servers, going against BC’s Freedom of Information and Protection of Privacy Act (FIPPA), which states that personal information in university control must only be stored in Canada. The Vista connection was disabled and UBC entered negotiations with Turnitin. Marianne Schroeder, senior manager of Teaching and Learning Technologies at UBC, explained that in 2006, Turnitin agreed to move their servers to Canada in order to renew their contract with UBC. The recent discovery in March of this year was a complete surprise. Schroeder said UBC took immediate action. UBC first requested that Turnitin stop backing up data to the US, in order to comply with FIPPA. However, the request was rejected. The second option was to design a connection between UBC’s Vista and Turnitin’s website, so that information identifying a student would be removed before a paper was submitted to Turnitin. Again, Turnitin was unwilling to invest in the option. While Turnitin is still being used by the university, the Vista connection remains disabled. New accounts and passwords must be created by visiting Turnitin’s website, as opposed to the simpler access through Vista. As extra precaution, students are instructed to register under a pseudonym and remove any personal information from their papers. The added complications are inevitable in order for UBC to be compliant with FIPPA and protect students’ privacy. [Source] See also: [U of M prof to testify for arbitrator] and also: [Fasken: FIPPA and Ontario Hospitals: Delegation of Authority]

US – Appeals Court Reinstates Hefty Filesharing Verdict Against Joel Tenenbaum

The 1st US Circuit Court of appeals has reinstated a US $675,000 illegal filesharing verdict against Joel Tenenbaum. A jury in the original case awarded the large verdict, but the judge in the case found the amount “unconstitutionally excessive” and reduced it to US $67,500. The verdict was for making 30 songs available over a peer-to-peer filesharing network. The Appeals Court said that US District Judge Nancy Gertner should have reduced the verdict under “remittitur.” The plaintiffs could accept the remittitur or receive a new trial. The Appeal Court noted that their decision was procedurally appropriate, but added that, “This case raises concerns about application of the Copyright Act which Congress may wish to examine.” [WIRED] [ArsTechnica]

CA – Internet Customer Names Sought for Hurt Locker Suits

The court order was requested by Voltage Pictures LLC, which owns the copyright for The Hurt Locker. Three Canadian internet service providers have until the end of Monday, Sept. 12, to hand over the names of customers suspected to have illegally shared The Hurt Locker movie online. “What makes this a particularly noteworthy case is it’s the first big peer-to-peer copyright litigation in Canada in a number of years,” said Michael Geist, a law professor at the University of Ottawa who holds a Canada Research Chair in internet and e-commerce law. Geist said under existing Canadian copyright law, defendants could be liable for up to $20,000 in damages.[Source]

CA – Government to Reintroduce Bill C-32 “In Exactly the Same Form”

Canadian Heritage Minister James Moore has told the Canadian Press that the government plans to reintroduce Bill C-32 in “exactly the same form” as the legislation that died on the order paper with the election call earlier this year. Moore suggested that the government plans to pick up where it left off with the same bill and a legislative committee that will not call groups that appeared during the last round of hearings. That suggests the bill will be on the fast track as the committee heard from dozens of groups on Bill C-32 over several months in late 2010 and early 2011. Moore was also asked about the Wikileaks cables and the revelations of Canada caving to U.S. pressure on digital lock rules. He argued that elements of the bill run contrary to what the U.S. prefers. While that is true with respect to ISP liability, that issue is seen as secondary by the U.S., which is far more focused on digital locks. On digital locks, Bill C-32 was precisely what the U.S. was looking for and contrary to what the government heard during its national copyright consultation. [Source]

 

Internet / WWW

EU – EU to Legislate on Cloud Security

The European Union will introduce new data protection laws on cloud computing in November. The Binding Safe Processor Rules will ask EU cloud providers to agree to be legally liable for any data breaches or losses, the report states, acting as a cloud provider accreditation service. Eduardo Ustaran of Field Fisher Waterhouse said service providers can use the accreditation as a selling point for their security models, while those who don’t have it may be seen as unsafe. Field Fisher Waterhouse’s Stewart Room described the rules as a “bridge” for cloud adoption in light of concerns about liabilities. [Source]

EU – Civil Liberties Groups Slam EU Data Retention as Unnecessary

More than 30 civil liberties organizations have signed and submitted a letter to the European Commission voicing opposition to the blanket retention of telecommunications data required under the EU Data Retention Directive. In the letter to Home Affairs Commissioner Cecilia Malmström, the groups argue that the retention of data is disproportionate and “therefore illegal” under the Charter of Fundamental Rights and the European Convention on Human Rights, the report states. The groups also query whether the practice has a “demonstrable, statistically significant impact on the prevalence or the investigation of serious crime in a given member state…” [PCWorld] See also: [German Crime Stats Deal Blow to EU’s Data Retention Laws]

US – FCC “Open Internet” Rule Published

The Federal Communications Commission (FCC) has published its “open Internet” order in The Federal Register. The order aims to balance consumer and content provider interests with those of Web access providers, and one access provider has pledged to take the FCC to court over it. The rules, adopted last December, go into effect on November 20 and stop ISPs from blocking legal content such as applications that require a lot of bandwidth. An FCC spokesman said the rules will increase certainty and predictability, but some public interest groups are saying the FCC succumbed to industry pressure and the rules don’t go far enough. [Reuters] See also: [FCC’s Net Neutrality Rules Will Face Legal Challenges | Source] See also: [Hewlett-Packard shows hazard of sharing LinkedIn profiles]

 

Law Enforcement

US – Supreme Court Hears Oral Argument in Strip Search Case

The US Supreme Court heard oral arguments October 12 in Florence v. Board of Chosen Freeholders of the County of Burlington. At issue is whether the Fourth Amendment permits a jail to conduct a suspicionless strip-search of every suspect, even those arrested for minor traffic offenses. The Petitioner, Albert Florence, was arrested based on an inaccurate police record of his previously resolved traffic fine. Florence was held for six days and subject to multiple strip searches before he was eventually brought before a judge and released. EPIC successfully argued before the Third Circuit in a related case, Doe v. Luzerne, that an individual has a reasonable expectation of privacy in remaining free from the government’s recording of nude images. EPIC also filed a “Friend of the Court” brief in Herring v. US, a related case involving a Fourth Amendment challenge to an arrest and search based on incorrect information in a government database. [SCOTUSblog: Florence v. Board of Chosen Freeholders] and also: [EPIC: Doe v. Luzerne County] [EPIC: Herring v. U.S.]

AU – Social Media Could Render Covert Policing ‘Impossible’

Facebook has proven to be one of the biggest dangers in keeping undercover police officers safe due to applications such as facial recognition and photo tagging, according to Australian researchers. Mick Keelty, a former Australian Federal Police (AFP) commissioner, told the audience at Security 2011 in Sydney that because of the convergence of a number of technologies including biometrics, undercover policing may be “impossible” in the future. He explained that were safety risks associated with undercover policing if people could be identified online. Keelty is currently undertaking research into the policy implications of social networking for covert operations by police and security agencies. The results found that 90% of female officers were using social media compared with 81% of males. The most popular site was Facebook, followed by Twitter. 47% of those surveyed used social networking sites daily while another 24% used them weekly. All respondents aged 26 years or younger had uploaded photos of themselves onto the internet. Of the people surveyed, 85% had their photos uploaded on to the internet by another person. Keelty said that until recently this has been a real problem because Facebook refused to remove photographs, but because of competition from Google+ it had started to remove photos at people’s request. Alarmingly, 42% of respondents said it would be possible to identify their relationship with other people, including family and friends. The results of the survey would be used to inform future policy guidelines within both state and federal police agencies. [Source]

CA – Marijuana Grow-Op Sites Listed by RCMP

The RCMP is now publishing online the addresses of homes where marijuana grow-ops and other drug production operations were found. The new page on the RCMP’s website is part of a stepped up effort by the Mounties to target marijuana grow-ops and the organized crime gangs behind them. The Marijuana Grow Initiative was launched this week and the RCMP says it complements its National Anti-Drug Strategy. Split up by province, the website lists the addresses where search warrants were executed and lists how many marijuana plants were discovered and when. The database also covers clandestine drug labs that were found in homes. The page also includes links to the websites of local police services in Ottawa, London and Winnipeg. They also list addresses in their cities where search warrants were executed. RCMP Commissioner William Elliott said publishing the addresses is part of the deterrence and awareness elements of the new strategy. [Source]

NZ – NZ Police Storing Info of 500,000 Innocent Motorists

Figures released to 3 News show police are storing almost half a million photos of innocent motorists’ number plates and cars. The database is being kept as part of a trial of new surveillance technology. But privacy advocates are alarmed and say there is no need to keep such records of the innocent. Cameras equipped to vans have been snapping away in Auckland and Wellington since April last year, feeding images of cars and number plates into a police database. The technology, called automated number plate recognition, can take up to 3000 photos an hour. The database holds the details of 419,631 motorists, including the date, time and location of the picture. But only 4,492 vehicles are classified as “vehicles of interest”. A spokesperson for the Privacy Commissioner says such technology has to be used carefully and even police need to remember it is never 100% accurate. [Source] See also: [CA – Automated Technology helps OPP check every license plate] and [POLICE BEAT: Vehicle owners should guard those plates]

US – Privacy Laws May Prevent Seattle Police from Wearing Body Cameras

Seattle City Counci lmember Bruce Harrell is spearheading a pilot program that could put small cameras on officers by the end of 2012. However, Bob Scales who work at the Seattle City Attorney’s Office, said a few issues under current Washington State privacy laws may stand in the way. During a city council meeting on September 8, Scales said, “Under the Washington state Privacy Act, it is unlawful to make an audio recording of a private conversation except as authorized by the Act.” In 2000, the state legislature made allowances for the video, but not audio to be recorded on dash cams of some patrol cars. The body camera would record both video and audio, so some argue that provisions have not been made for that under the current law. Scales added, “Because there are no exemptions for the body-worn camera, the officers would have to do a two-part analysis every time they would decide to make a recording. They would need to do an assessment over whether the conversations they were recording were private or not.” “Right now, our legal counsel tells us that there needs to be a similar legislative fix.” [Source] See also: [Ontario - Secret school cameras angers staff] and [Ottawa woman plans webcam childbirth] and [US: ‘Granny cams’ are catching on as a tool to deter elder abuse] and [Calgary City eyes cameras to nab dumpers] and [‘Up-skirt’ photos snapped at CNE air show: police]

 

Location

WW – Google Will Allow Users to Opt-Out of Wi-Fi Access Point Registry

Google says it plans to allow Wi-Fi access point owners to opt-out of the company’s data collection program. Google uses the Wi-Fi hotspots to pinpoint mobile phone users’ locations. The same vehicles that drive around neighborhoods gathering images for Google Street View have been collecting wireless access point information as well. The decision to allow users to opt out of participation was prompted by requests from European data protection authorities. [CNET] [ZDNet] [The Register]

US – Microsoft Facing Lawsuit Over Windows Phone 7 Location Data Collection

A complaint filed in district court in Seattle alleges that Microsoft’s Windows Phone 7 tracks users’ locations without permission. The complaint alleges that Microsoft is attempting to map the locations of cell towers, wireless routers, mobile phones and computers to support its location-based advertising service, and that the company is using the Windows Phone camera application to gather the information. The first time users open the camera application, they are asked for permission to log their location. Users’ responses are ignored when the application is opened subsequently. [Source]

SE – Sweden: Teachers Use GPS to Track Children

Daycare centres in Sweden have started using GPS systems and other electronic tracking devices to keep tabs on children during excursions – a practice that has raised ethical and practical questions. Some parents are worried day care centres will use the technology to replace staff. Others wonder whether getting children used to being under surveillance could affect their idea of privacy when they grow older. Monica Blank-Hedqvist, the principal of a daycare centre in the city of Borlange, said yesterday her staff had been using such devices during supervised walks in the forest. A spokesman for Sweden’s Data Inspection Board said the authority may investigate the matter. “It could be quite harmless, or it could affect aspects of privacy,” Erik Janzon said. “It depends on what kind of information you feed into the system and the purpose of the use.’ [Source] See also: [US: GPS Surveillance Does Not Invade Spouse’s Privacy, Court Finds] and [Jealous on your boyfriend? Spy him on his mobile]

 

Offshore

US – Bank of America Sued Over Privacy Violations Due to Overseas Outsourcing

A new lawsuit was filed in the District of Columbia against Bank of America Corporation; the nations largest bank holding company. The suit alleges that B of A has been outsourcing certain functions to overseas companies and that as a result has given access to the personal financial records of American citizens to foreign nationals. If the allegation is correct, it would appear that B of A has violated the Right to Financial Privacy Act – a federal law – and could have exposed millions of account holders in such a way that they can easily become victims of financial crimes. Just as importantly, those same account holders may also be targeted for government snooping; no search warrant required.The suit is known as STEIN et al v. BANK OF AMERICA CORPORATION et al. [Source]

PH – Philippines Senate Introduces Data Protection Legislation

New legislation has been introduced in the Senate that would enact a data protection bill. The Data Privacy Act was sponsored by Sen. Edgardo J. Angara and supported by information technology and business process outsourcing industry representatives. The present version of the bill follows the information privacy principles laid out in the Asia-Pacific Economic Cooperation Privacy Framework, including harm prevention notice and data collection limits. Angara said, “Our Data Privacy Act will act as another layer of legal protection…This is a clear signal to potential investors that the Philippines is seriously committed to safeguarding information.” [Source] See also: [Applications of China’s New Personal Information Protection Standards - Henry L.T. Chen, MWE China Law Offices and Rohan Massey and Heather Egan Sussman, McDermott Will & Emery]

 

Online Privacy

WW – Facebook Introduces Timeline

At the annual f8 conference, Facebook showed off new features that it plans to roll out within the next few weeks to select users. One of the new features that Facebook introduced was Timeline. Timeline is a completely reformed profile that resembles a WordPress blog with a header that spans across the page with a photo of your choosing. Under the header is your information along with statuses, locations you have visited, photos, and other activities. They related the new profile to that of a scrapbook, somewhere where you will be able to keep the memories of your past and look back on them whenever you choose. The changes for the new Timeline profile will be rolled out periodically to Facebook’s users over the next couple of weeks as the small tweaks and bugs are worked out. [Source] See also: [The Economist: Facebook: Sharing it all on Open Graph] See also: [German Federal Ministry of the Interior - Press Release: Federal Interior Minister and Facebook To Communicate Better Protection For Users] and [Datatilsynet, Norway - Facebook’s Response to Questions from the Data Inspectorate of Norway] and [How to disappear without a trace online: Internet Suicide Machine]

WW – Facebook to ‘Automate’ Data Requests

The Austrian-based organisation Europe v Facebook said that Facebook was working on an automated system in response to a campaign, in which the group had urged people to request the personal data it holds on them. Europe v Facebook says the current system, in which users can wait up to 30 days to get the data, contravenes European privacy law. It is possible for users to download most of their own data from the site, but that only covers the information that they themselves have uploaded. It does not include information that other people have put up, which Facebook has linked to the user in question. “A Facebook representative has now told the group that, after receiving a massive amount of access requests following the campaign of Europe v Facebook in German-speaking countries, Facebook is now working on a system to automatically process access requests,” the campaigners said in a statement. [Source] See also: [Logging out of Facebook is not enough] and [Privacy Journal: Two-Faced Digital Execs Are Saying Privacy is Essential for Me, but Not for You]

EU – DPC Opens Investigation; Data Use Concerns Persist

Following an advocacy group’s logging of more than 20 complaints, Ireland’s Data Protection Commission “will examine all of Facebook’s activities outside the U.S. and Canada” with a goal of publishing its findings by the end of the year. Privacy advocates are concerned that the social network is not adequately informing users of the potential for information “it will collect from new entertainment and media applications” to be used in advertising. One advocate said, “If the ad were to publish facts about you without your knowledge…it would cross into extremely creepy territory,” while Facebook stressed its features “only work if people explicitly opt in to them.” [siliconrepublic]

US – Groups Ask FTC to Investigate Facebook

The Electronic Privacy Information Center and 10 other privacy and civil rights advocacy groups have asked the FTC to investigate Facebook’s use of cookies and recent changes to its site. The request follows an Australian technologist’s discovery earlier this week that the site tracked users even after they’d logged out. Facebook has since reportedly made changes addressing the concerns. The groups have also raised concerns about Facebook’s new “Timeline” feature, writing in a letter to the FTC that it is a “treasure trove of personal information” that could “provide a tempting target for stalkers, government agents or employers.” [The Washington Post] UPDATE: [Technologist Says Site Fixed Cookie Problem: Facebook fixes cookie behavior after logging out]

WW – Spotify Introduces New Privacy Features

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world’s largest social network. The music service had “quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail” and “defaulted to sharing all a user’s listening habits,” the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to “hundreds of complaints,” Spotify’s CEO has announced a new “private listening” mode, noting, “we value feedback and will make changes based on it.” [Financial Times]

WW – Amazon’s Silk Browser Raises Privacy, Security Eyebrows

Amazon rolled out its new line of Kindle tablets, adding the seven-inch $199 color Android Fire, the $99 keyboard-free 4GB Touch model and a $79 2GB non-touchscreen version to its ranks. Yet the Amazon product causing the most stir was not an e-reader or tablet, but Amazon Silk, the company’s new mobile web platform powered by Amazon’s incredibly extensive web services platform. Unlike traditional browsers, housing of the Silk subsystems is split between one’s device and the Amazon computing cloud. Instead of multiple requests from remote servers, Silk would benefit from a drastically simplified asset retrieval process. Webpage requests are routed to Amazon’s servers in the cloud and are loaded there, taking advantage of Amazon’s high-speed connection, then streamed back to the device as a completed page. The user wait time that accumulates as a result of the back-and-forth dialogue between the mobile device and the servers from which it is requesting content would be reduced from 100 milliseconds per exchange to 5 milliseconds. Yet, with the introduction of a native cloud-based browser comes questions of privacy. Browsing will be done on the cloud, but so will shopping, bill-paying and banking. Because target websites will only see Amazon’s IP address and not the user’s, surfing will essentially be anonymous from the customer’s point of view. This is unlikely to assuage the concerns of customers who are equally concerned about Amazon’s access to their data as they are about that of third-party sites. [Source] [Source] See also: [Mozilla issues The Do Not Track Field Guide]

US – 4.9 Million Health Records Lost

Three healthcare providers have suffered recent data breaches. A Pentagon contractor’s website alerts of a data breach affecting as many as 4.9 million patients. Science Applications International says the lost information—stored on backup computer tapes from electronic health records—included SSNs, addresses, phone numbers and other private health information of patients who received care from San Antonio military facilities since 1992. The Veterans Affairs Illiana Health Care System in Illinois has notified patients of a potential data breach involving 518 veterans. Meanwhile, two Minnesota healthcare facilities report that a stolen laptop contained personal information including Social Security numbers on more than 14,000 patients. [Source] See also: [IPC Paper: Safeguarding Personal Health Information When Using Mobile Devices for Research Purposes]

 

Other Jurisdictions

AU – Australian Privacy Commissioner: Sony Did Not Breach Privacy Act

Privacy Commissioner Timothy Pilgrim has cleared Sony Computer Entertainment Australia of wrongdoing in the hacks earlier this year that exposed the personal information of 77 million customers. Pilgrim today published his investigation report, which found no breach of the Privacy Act because there was no evidence that Sony “intentionally disclosed” data and the company “took reasonable steps to protect its customers’ personal information.” However, Pilgrim said he “would have liked to have seen Sony act more swiftly to let its customers know about this incident.” Last week, U.S. officials arrested a man in connection with the Sony hackings. [The Sydney Morning Herald] See also: [Man Arrested in Sony Hacking] and [Former U.S. official to head cybersecurity at Sony] and [Sony’s New TOS Agreement Limits Users to Binding Arbitration | Source | Source | Updated TOS]

AU – Minister: Breach Notification Laws Possible

A discussion paper for Australia’s proposed federal privacy reforms, announced last week, could introduce a statutory cause of actions for victims of privacy invasions. A spokesperson for Home Affairs Minister Brendan O’Conner says that “proposals for mandatory breach notification rules (would be) considered by the government once foundational reforms to the Privacy Act have been progressed.” O’Conner’s department has said that it would consider breach notification laws if there is sufficient evidence that the loss of personal information within business is increasing and information security is lacking. The Australia Law Reform Commission recommended breach notification laws in 2008, and they have remained under consideration since. [SC Magazine]

SG – Singapore Launches Consultations on New Consumer Privacy Law

Singapore will have a new consumer privacy law starting from next year that will protect the data of consumers in an age of information explosion. The new legal framework may allow consumers to “do something” about unwelcome calls and text messages. Singapore currently has no overarching consumer privacy law but only specific regulations requiring the protection of consumer information in banking, telecommunications and healthcare. Under the proposed framework going into public consultations, all telemarketers will have to check against names in a “ Do Not Call” registry that allows consumers to opt out of all unsolicited calls or text messages. If an individual puts his name on the registry and still receives an unsolicited call, he can make a complaint to a new Data Protection Commission. The commission will be given the power to investigate such complaints and fine offending parties. The maximum fine will be a hefty 1 million Singapore dollars (813,008 U.S. dollars). It is not clear, however, if a service provider like a bank can still call its customers for telemarketing purposes if they put their names on the registry. The Ministry of Information, Communications and the Arts said such issues will be addressed in a second round of consultations. [Source] [Ministry of Information, Communications and the Arts:- Public Consultation: Proposed Consumer Data Protection Regime for Singapore] See also: [Thailand: Too many caveats kill privacy in bill on personal data] and [Personal Data Protection Authority of Ukraine - Law of Ukraine on Protection of Personal Data] and [Angola Passes Personal Data Protection Law - Hunton & Williams LLP]

 

Privacy (US)

US – Real-Life ‘Minority Report’? EPIC Obtains Gov’t Documents

EPIC has obtained, via a Freedom of Information Act request, documents from the Department of Homeland Security about a secretive “pre-crime” detection program. Under the “Future Attribute Screening Technology” (FAST) program, the DHS will collect and retain a set of “physiological and behavioral signals” from individuals at large-scale venues. According to a 2008 Privacy Impact Assessment prepared by the agency, the DHS intends to monitor and collect data including “video images, audio recordings, cardiovascular signals, pheromones, electrodermal activity, and respiratory measurements,” in order to attempt to determine perceived “mal-intent.” EPIC filed the FOIA request after news sources reported that Homeland Security tested the FAST Project in a public location in early 2011. DHS acknowledged the test but has refused to disclose the test results. Similarly, the agency has refused to provide the test’s location or duration, stating only that testing occurred in the “northeast” and in a “large venue that is a suitable substitute for an operational setting,” although not an airport. According to the documents obtained by EPIC, Homeland Security is considering the use of the device at conventions and sporting events. The documents corroborate that a field test was conducted on the public, as well as on DHS employee volunteers. DHS, however, failed to comply with federal law when the agency neglected to do a privacy impact assessment regarding the public testing. [EPIC: FAST Project] [EPIC: FOIA’d Documents FAST Privacy Threshold Analysis] [Declan McCullagh, CNet: Article on FAST Technology (Oct. 7, 2011)] and [Department of Homeland Security: FAST Project]

US – Appeals Court: ECPA Protects Noncitizens

The Ninth Circuit Federal Appeals Court has ruled that foreign citizens are protected by the Electronic Communications Privacy Act, or ECPA . The court’s decision in Suzlon Energy v. Microsoft Corp. reaffirms that ECPA protects consumer data without regard to nationality, by forbidding companies in most circumstances from disclosing communications data with third parties. Suzlon involves a civil suit in which Microsoft refused to disclose data from the Hotmail email account of Rajagopalan Sridhar, an Indian citizen. Indian company Suzlon Energy claimed that Sridhar, an employee, had committed fraud. [Ninth Circuit Court: Suzlon Energy v. Microsoft Corp. (Oct. 3, 2011)] [EPIC: Wiretapping and Electronic Surveillance]

US – California Law Forbidding Warrantless Cell Phone Searches in Effect

A California law took effect this week that requires law enforcement officers to obtain a search warrant before seizing and searching a suspect’s cell phone. The law unanimously passed the California Assembly, overturning a California Supreme Court decision last January that allowed police to search the cell phones of assailants. The law applies not only to cell phones but also to all “portable electronic devices…capable of creating, receiving, accessing or storing electronic data or communications.” Attorney Hanni Fakhoury of the Electronic Frontier Foundation said the law sends a strong message to other courts and U.S. legislatures–as well the U.S. Supreme Court. [Source]

US – Court Upholds Order for DOJ to Hand Over Warrantless Cell Phone Tracking Info

The American Civil Liberties Union (ACLU) has called a recent ruling from the US Court of Appeals for the DC Circuit “a significant victory in the fight against warrantless tracking of Americans by their government.” The court ordered the US Justice Department to surrender names and case docket numbers of cases in which it “accessed cell phone location data without a warrant.” The court’s order upholds a lower court ruling. [Source][Source] [Source] See also: [Israel: Police Arrest 22 in Phone Tapping Case]

US – Judge Approves Bookseller Deal

A New York bankruptcy judge has approved a deal that will make way for Barnes & Noble to purchase a defunct bookseller’s customer list. Judge Martin Glenn approved the deal on Monday. It will give Barnes & Noble access to details on 48 million former Borders’ customers. The deal was halted late last week due to privacy concerns related to Borders’ privacy policy. Under new data protection provisions in the deal, customers will be notified that Barnes & Noble will take possession of their personal information, and they will have 15 days to opt out of the transfer. [paidContent]

US – FTC Proposes New Children’s Online Privacy Rule

The FTC announced it is seeking comment on revisions to the Children’s Online Privacy Protection Act that would extend it to cover evolving technologies such as web and mobile platforms for children under the age of 13. The proposed changes would require operators to post notice and obtain parental consent before collecting information from children, offer a larger variety of ways to obtain that consent, and provide proof that they are capable of adequately protecting children’s personal information. It would also extend the definition of personal information to include geolocation information and information gathered from technologies such as cookies that track young users online for advertising purposes. Written comments on the proposal must be submitted to the FTC by Nov. 28. [Source] See also: [UK Information Commissioner’s Office: Data privacy ‘should be taught in schools’ | The Guide to Privacy and Electronic Communications] and UK ICO: Call for jail option for data privacy breaches] and [European Commission - Communication From The Commission To The European Parliament, The Council, The European Economic and Social Committee and the Committee of the Regions - Protecting Children in the Digital World]

US – Facebook Continues D.C. Hiring Spree With White House, Privacy Expert Hires

Facebook announced new hires for its Washington policy and lobbying office, drawing high-profile figures from the White House and a privacy expert as the social networking site continues to grow — and come under scrutiny for its security and privacy practices. The hirings have created a politically connected team in Washington, with inroads in both parties and years of experience on the Hill and in the White House. Louisa Terrell, special assistant to President Obama for legislative affairs, will join the Silicon Valley-based firm in October as director of public policy. She helped the White House craft legislative strategy in the Senate. She is coming back to the tech world, having worked for Yahoo’s public policy office before joining the administration. Privacy expert Erin Egan, partner and co-chair of Covington & Burling’s global privacy and data security practice, will join Facebook in mid-October. She will be senior policy adviser and director of privacy. As Facebook comes under the microscope in Europe, where countries largely abide by their own privacy rules, the company has hired Erika Mann to lead its Brussels office and serve as the lead spokeswoman for E.U. institutions. Mann most recently represented trade group Computer and Communications Industry Association (CCIA) in Europe as well as being on the board of ICANN. She was a member of the European Parliament from 1994 to 2009, representing the state of Lower Saxony in Germany. The hires add to a slew of politically connected policy veterans joining the company. Faceboook’s chief operating officer, Sheryl Sandberg has worked at the Treasury Department and was a mentee of former Treasury Security and Obama Economic Adviser Lawrence Summers. Last week, Facebook named Erskine Bowles, former chief of staff to president Bill Clinton, to its board. In June, it hired former Clinton White House spokesman Joe Lockhart to head its communications team. In May, Facebook nabbed Republicans Joel Kaplan, a former aide to President George W. Bush, to head its Washington office. In June 2010, Obama White House staffer Marne Levine was hired to work on policy issues based in Washington. And in September 2008, Ted Ulloyt, a former counsel to President George W. Bush, was named vice president and general counsel. [Source]

US – DHS Off the Hook for Airport Screening Snafu

A man who was allegedly arrested after he stripped down in airport security to reveal the Fourth Amendment written on his chest cannot sue the government for violating his constitutional rights, a federal judge ruled. On Dec. 30, 2010, Aaron Tobey entered the security checkpoint area at Richmond International Airport before boarding a flight to Wisconsin for his grandfather’s funeral. A transportation security officer directed Tobey to take a body scan. Before entering the scanning unit, however, Tobey allegedly stripped down to his running shorts to reveal the text of the Fourth Amendment written in black marker on his chest. The officer, referred to in court documents through the pseudonym, Rebecca Smith, had explained that clothing removal was unnecessary. She radioed for help when Tobey got undressed. In a federal lawsuit, Tobey said he was handcuffed and questioned at the on-site police station for 1 1/2 hours. The officers also allegedly discarded Tobey’s belongings and gave him a summons for disorderly conduct, but did not prosecute the charge. Tobey said one officer advised him “that the police would make sure” he had “a permanent criminal record as a result of his actions.” Tobey boarded his flight after going back through the security checkpoint. U.S. District Judge Henry Hudson agreed to dismiss the claims in a 35-page decision states. [Source] See also: [US: ‘Don’t ask, don’t tell’ ends in quiet, personal ways]

 

Privacy Enhancing Technologies (PETs)

UK – Product Designer Gives Patients Privacy in Hospital

The inventor of the “KwickScreen” retractable room divider has pipped six other industrial designers to become the UK winner of the James Dyson award. Londoner Michael Korn, 30, has taken the “lean manufacturing” theory he learnt at Cambridge University’s Institute of Manufacturing and applied it to two of the most common causes of patient frustration in NHS hospitals: unnecessary spread of infection and lack of privacy. Mr Korn said his screens worked well for hospitals because of the “severe shortage of slide screen, isolation facilities, and for dignity screens” and because most infections were not airborne and the screens, manufactured in Corby, are easy to clean. [Source] See also: [Wall Street Journal: Rise of the CPO and PIAs] and [New Technologies and Tips for Protecting Data]

 

RFID

EU – Product Tagging Increasing

It’s not only a computer that can be connected to the Web now, it’s your smartphone, your car, your home and even your jeans. Retailers are increasingly tracking products with radio frequency identification tags (RFID), interconnectivity that could allow for monitoring of virtually anything at any time. Privacy advocates have raised concerns that RFID tags could read more data than intended, such as a consumer’s RFID-tagged passport or driver’s license, and could lead to cases of identity theft. European Data Protection Supervisor Peter Hustinx has warned that with any tracking devices, “there’s privacy relevance” and uses must be compliant with the new European Commission Framework, signed by the commission this year. [BBC News]

 

Security

US – NIST Seeks Feedback on Risk Assessment Guide

The National Institute for Standards and Technology (NIST) is seeking comments on its “Guide for Conducting Risk Assessments.” The guidance aims to help agencies assess risk within their IT systems and strengthen federal cybersecurity. NIST describes assessment as one of four steps in agencies’ general security risk management strategy, the report states, noting risk assessment helps thwart incidents before they can occur. A federal IT official testified to Congress this week that risk mitigation is a key feature to the government’s future security measures, especially when it comes to cloud computing. [Source]

US – US Agencies Must Now Submit Cyber Security Reports Monthly

Starting in October, US government agencies will be required to move from annual to monthly cyber security reports to maintain compliance with new Federal Information Security Management Act (FISMA) rules. The new mandates for FISMA compliance include sending monthly feeds to the CyberScope compliance tool, which aims to reduce the expense associated with FISMA compliance and provide more current and pertinent information. [Source]

AU – Shopping Center “Find My Car” Tool

A shopping center in Sydney, Australia has removed a “Find My Car” feature from its iPhone app after learning that the information was accessible in unencrypted form over the Internet. Cameras at the Westfield Shopping Centre photographed cars’ license plates and indexed the vehicles’ locations. The feature of the application was designed to help people who had forgotten where they parked their cars. A blogger found that the information logged by the shopping center systems was available on the Internet and that people could use the application as a tool to track other’s whereabouts. The feature is not functional at the moment, and will remain unavailable until the privacy issue is addressed. [The Australian] [The Register] See also: [ENISA Issues Report - Appstore Security: 5 Lines of Defence Against Malware] and  [US: Court Approves Lawsuit Against Toyota Over Cyberstalking Ad Stunt]

UK – Heathrow Airport to Trial New ‘Privacy-Friendly’ Body Scanners

Body scanners, which show a ‘naked’ image of passengers to security staff, have long been a controversial addition to airport departures. Which could be why Heathrow is trialling ‘privacy-friendly’ body scanners that replace invasive images of the human torso with a cartoon-like figure. Instead of using X-ray beams, the new technology uses millimetre-wave scanners, which bounce electromagnetic waves off a passenger’s body. Anyone who sets off a metal detector in Terminal 4 will be taken to a passenger-screening area and shown the scanner’s image on screen. Suspicious packages or items will be depicted as a yellow box on the computer-generated outline of the passenger’s body. The new body scanners are already in use in some American airports. [Source]

UK – Data Protection Fears Undermine IT Recycling

Data protection concerns are preventing many UK companies from disposing of their working computers by sending them for reuse, a new survey from charity Computer Aid International has revealed. In a survey of 100 senior IT decision makers in UK companies with more than 1,000 employees, researchers found that just 14% of companies send all their working computers for reuse. The remainder sent their equipment to be dismantled and recycled or to lanfill. Legislation around e-waste recommends reuse as the preferred disposal method. Of the companies that did not opt for reuse, 63% cited data protection concerns, 53% blamed cost, while 24% said that contractual obligations to a leasing company prevented them from choosing reuse. However, 83% of these respondents said that they wanted to reuse working equipment if data protection and cost issues were addressed. Of those recycling IT equipment, 28% of companies recycled all of their IT, and 41% recycling more than half. The survey found that companies dispose an average of 542 computers a year, with companies replacing their base units (one third of respondents) and monitors (20%) every three years. [Source]

 

Smart Cards

AU – Australian Passports Now Offer 3 Gender Options

Australian passports will now have three gender options – male, female and indeterminate – under new guidelines to remove discrimination against transgender and intersex people, the government said. Intersex people, who are biologically not entirely male or female, will be able to list their gender on passports as “X.” Transgender people, whose perception of their own sex is at odds with their biology, will be able to pick whether they are male or female if their choice is supported by a doctor’s statement. Transgender people cannot pick “X.” Previously, gender was a choice of only male or female, and people were not allowed to change their gender on their passport without having had a sex-change operation. The U.S. dropped the surgery prerequisite for transgender people’s passports last year. Any country that complies with the International Civil Aviation Organization’s specifications for machine-readable passports can choose to introduce a gender “X.” [Source] See also: [The future of passports]

 

Surveillance

US – OnStar Reverses Privacy Changes After Public Outcry About Privacy

GM’s subsidiary OnStar has reneged on highly controversial privacy changes it announced last week after enormous resistance and threats of a congressional investigation. On September 21, OnStar announced several changes to its terms of service. The company stated it would now track the position, speed, diagnostic error codes, seatbelt usage data, and crash information of all vehicles, even if drivers didn’t have an active subscription. The company also reserved the right to sell the GPS data it gathered, though it claimed no personal information would be attached. A GM spokesperson justified the change by claiming it made it easier for customers to re-enroll in the service and gave GM a way to contact people in the event of a recall or consumer hazard. Phone numbers, mailing addresses, and email information evidently weren’t good enough. GM customers could opt out of the tracking, but had to specifically choose to do so. The announcement sparked a wave of protests, multiple letters to the company from Congressmen, and calls for an investigation into whether or not the service’s new terms were a violation of one’s right to privacy. GM has since backed down. [Source] [Source] [OnStar Tracks Your Car Even When You Cancel Service] [GM OnStar cars will upload all data unless owners opt out] [Charles Schumer] See also: [Senators Coons, Franken to OnStar: Tracking, Sharing Customers’ Location Without Consent is a Serious Violation of Privacy - Press Release]

US – DOJ Document Reveals Cell Phone Data Retention Periods

Wired is reporting on the retention periods of major cellular service providers after the American Civil Liberties Union of North Carolina obtained a Department of Justice document intended for law enforcement through a Freedom of Information Act request. The document reveals carriers’ retention terms for text messages and cell-site data. “This brings cellular retention practices out of the shadows so we can have a rational discussion about how the law needs to be changed when it comes to the privacy of our records,” said Kevin Bankston of the Electronic Frontier Foundation. [Source]

US – Lawsuit Challenging Warrantless Wiretapping May Proceed

The 2nd US Circuit Court of Appeals has ruled that a lawsuit challenging the constitutionality of a federal law that allows warrantless wiretapping may proceed. The plaintiffs, a coalition of groups and attorneys concerned with civil liberties, are challenging the 2008 Foreign Intelligence Surveillance Act (FISA). The government maintains that the plaintiffs lack the necessary legal standing to bring the suit. [WIRED] [US Courts] See also: [AB: RCMP warn of fake wireless network]

US – Report: Location-Based Tracking Should Require Warrants

A report from the Constitution Project’s Liberty and Security Committee says that law enforcement agents should have to obtain warrants based on probable cause before using location-based tracking. The report also urges legislators to amend the Electronic Communications and Privacy Act (ECPA) to require probable cause warrants before cell phone location data can be accessed. [Source]

EU – Researchers: TV Habits Determinable with Smart Meters

A Münster University of Applied Sciences study found that, by analyzing patterns in electricity consumption transmitted by a household smart meter, researchers could figure out what program was playing on a television. Previously, it was thought that smart meter data could only be used to distinguish between appliances, but because of the frequency of the data transfers–every two seconds–this finer analysis is possible, the report states. According to the research team, the discovery means tighter regulations on this data are needed. [The H Security]

 

Telecom / TV

US – Federal Judge Dismisses Privacy Complaints Against Apple

A California judge has dismissed an app-related privacy lawsuit against Apple, arguing that the plaintiffs failed to prove that Apple and its products caused them any harm. The individuals suing Apple have the right to appeal, the judge said, but they need to seriously bulk up their suit if they want to prevail. Back in December, California resident Jonathan Lalo accused Apple of producing devices that allow ad networks to track a user’s app activity. His suit also named Pandora, Paper Toss app maker Backflip Studios, The Weather Channel, and Dictionary.com. A second lawsuit was filed by Dustin Freeman several weeks later, and the cases were eventually combined. The suits cited a Wall Street Journal study published last year that examined 101 apps and found that iPhone apps distributed more personal data without the users’ permission than Android apps. [Source] [Source] [Why the Apple UDID had to Die] See also: [Japan: Smartphone app draws heat for invading user’s privacy]

WW – Researcher: Smartphone IDs Not Secure

The Wall Street Journal reports on the use of smartphones’ unique ID numbers as a way for criminals to access users’ social networks. While the IDs do not contain user information in and of themselves, the report notes that “app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social networking data,” effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. “Mobile security is not limited to a singular app or games overall–it’s an issue that the entire mobile ecosystem needs to address,” Cortesi said. [Source]

 

US Government Programs

US – Lawmakers Want “Supercookie” Investigation

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have called for an investigation into the use of “supercookies” by websites. In a letter to the FTC, the co-chairmen of the House Bipartisan Privacy Caucus said the technology could violate the FTC’s “unfair and deceptive acts of practices” rule, adding, “We believe this new business practice raises serious privacy concerns and is unacceptable…the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for misuse of personal information and provides another way for consumers to be tracked online.” [The Washington Post]

US – Congressional Watchdog: DHS Data Mining Programs Pose Risk to Privacy

The Government Accountability Office (GAO) has performed a detailed evaluation of data mining practices at the Department of Homeland Security. According to the GAO’s report, privacy protections and transparency are vital to data mining operations; however, the report states that Homeland Security’s practices did not “adequately ensure the protection of privacy-related information.” in 2009, EPIC called for an investigation of the DHS Privacy Office and maintained that the agency’s Chief Privacy Officer was not complying with the statutory requirements necessary to protect privacy. [GAO: Report on DHS Data Mining Practices (Sept. 2011)] and [EPIC Letter to Congress Re: DHS Chief Privacy Officer (Oct. 23, 2009)] and [DHS Privacy Office] and [EPIC: DHS Chief Privacy Officer and Privacy]

US – DHS Privacy Office Outlines Progress

During the past year, the Department of Homeland Security (DHS) Privacy Office expanded the breadth of its privacy and FOIA-related initiatives throughout the department, the federal community and with international partners, according to an annual report issued by DHS’s Chief Privacy and Freedom of Information Act Officer, Mary Ellen Callahan. According to the report, The DHS Privacy Office 2011 Annual Report, the Privacy Office made significant progress on a number of fronts. The office last year approved and published 68 Privacy Impact Assessments (PIAs) and 20 System of Records Notices (SORNs), on Department programs, systems, and initiatives. The report noted the development of a DHS “Privacy Policy and Compliance” management directive that reinforced department privacy policy based on Fair Information Practice Principles (FIPPs) and detailing privacy-related responsibilities of all DHS employees, and issuance of the new privacy policy guidance memorandum, Roles & Responsibilities for Shared IT Services, signed by the Chief Privacy Officer, the Chief Information Officer, the Assistant Secretary for Policy and the Director of Records. Another achievement of the Privacy Office, the report said, was the “launching [of] a new intranet site featuring the office’s privacy and FOIA training resources, distribution of a two-page factsheet detailing best practices for safeguarding Sensitive Personally Identifiable Information (PII), developing a new online Culture of Privacy Awareness annual mandatory training course, and providing guidance to components developing component-specific privacy training.” During the past year, the report said, DHS investigated, mitigated and closed 88% of reported privacy incidents and reviewed all new DHS information sharing agreements involving PII being shared outside of DHS, and ensured application of the FIPPs to protect PII and comply with DHS policy. [Source] See also: [US: Flight passenger ‘humiliated’ by hairdo security check for weapons]

US – IG Deems DHS Financial, Operational Data at Risk

The inability of DHS to implement appropriate IT and application controls has placed at risk the confidentiality, integrity and availability of DHS’s financial and operational data, according to an audit conducted for the department’s inspector general. Auditors from KPMG released its findings to the DHS IG in April, but the inspector general didn’t provide a public version, which was redacted, until this past week. According to the report, the most significant weaknesses included:

  • Excessive unauthorized access to key DHS financial applications.
  • Configuration management controls that are not fully defined, followed or effective.
  • Security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures.
  • Contingency planning that lacked current, tested contingency plans developed to protect DHS resources and financial applications.
  • Lack of proper segregation of duties for roles and responsibilities within financial systems

Nearly two-thirds of the 161 weaknesses discovered in the fiscal year 2010 audit were identified but not remediated from an FY 2009 audit. “Disagreements with management’s self assessment occurred almost entirely at the Federal Emergency Management Agency,” the IG audit said. “Collectively,” the IG report said, “the IT control deficiencies limited DHS’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’s financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants and GAO.” [Source]

 

US Legislation 

US – Data Breach Bills Move in House, Senate Panel

The Senate Judiciary Committee has narrowly approved three bills that would require organizations to secure personal data and notify customers if their data is compromised. When addressing Sen. Diane Feinstein’s (D-CA) bill, Sen. Chuck Grassley (R-IA) said, “we may end up with more burdensome regulations…and consumers still going unprotected because the over-notifications will be ignored.” Sen. Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2011, would make data breach notification a national standard and data breach concealment a crime. Meanwhile, Rep. Mary Bono Mack’s (R-CA) SAFE Data Act was approved by a House subcommittee and will move to the full committee for approval. Bono Mack said, “Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes.” [Bloomberg] [NextGov] [Source] See also: [Pennsylvania State Senate Passes Breach Notification Legislation]

 

Workplace Privacy 

US – Fired NY State Employee Sues for GPS Tracking Without Consent

Managing employees in the field has always been a challenge. How do you know if employees are where they say they are? What if a customer calls to complain that a driver never showed up, but he swears he did. What is a manager to do? This is where GPS tracking can offer huge benefits. But is it OK to monitor an employee with a GPS tracking device without their knowledge or consent? How far can the state government go in monitoring a mobile employee? This question will be addressed by a mid-level appeals court in New York very soon in about 6 weeks. The lawsuit was filed by the New York Civil Liberties Union (NYCLU) against the state Labor Department, on behalf of a fired state worker whose personal vehicle was being monitored with a GPS tracking device, without his knowledge or consent. NYCLU believes the surveillance, which was done without a court warrant, violated state constitution protections against unreasonable search and seizure, and violated Mr. Cunningham’s privacy rights. The NYCLU says the GPS tracking went beyond what would normally be termed Cunningham’s work hours, since the device was on for 24 hours a day, seven days a week. They even tracked him on a multi-day family vacation. Mr. Cunningham became aware of the surveillance only a year after it was conducted when the state charged him with misconduct, citing evidence from the GPS tracking to show that he had claimed pay for hours he hadn’t worked. He was fired from his management job last year. [Source] See also: [US: Prison Sentence for Insider Crimes] See also: [Employee mobiles a vector for stealing data

US – Unemployed May Face Drug Test

The governor of South Carolina wants to drug test people who are unemployed before she gives them any unemployment benefits. Governor Nikki Haley says, “I love the idea of drug testing because I think it brings accountability to the process.” Victoria Middleton with the ACLU-SC said, “the organization believes that this kind of sweeping, suspicionless mandatory drug testing is discriminatory, an invasion of privacy and a waste of our limited state funds.” [Source] See also: [US: Mandatory drug tests invade student privacy]

+++

 

01-31 August 2011

Biometrics

US – Scientists Warn Face Recognition Searches Pose ‘Ominous’ Privacy Risks

Computer based facial recognition will pose a serious threat to people’s privacy in the near future, according to Alessandro Acquisti at Carnegie Mellon University, who undertook the work with partial funding from the U.S. Army, and after conducting experiments using nothing more than a webcam enabled PC and access to Facebook. Presenting the results at the Black Hat computer security conference in Las Vegas, Acquisti said: ‘Facial visual searches may become as common as today’s text-based searches.’ In collaboration with fellow researchers Ralph Gross and Fred Stutzman, the team set up a computer, webcam and facial recognition software at the university. Using willing participants, the team asked random participants to peer into the camera and have their faces scanned. Using a database of 5,000 publically available student Facebook profile pictures, the recognition software was able to correctly guess the face in 31% of cases – most in under 3 seconds. The team also created software for the iPhone that scanned sites such as facebook to come up with a positive match and corresponding vital statistics of the subject. According to Acquisti widespread facial recognition poses an ‘ominous risks for privacy’ as publicly available databases could allow anyone to bring up a persons real name and other information using only a quick face shot. According to website CNET, the university researchers also compared 277,978 Facebook profiles against 6,000 profiles from an on-line dating. The team were able to match 1 in 10 of the site’s members with their real names. [Source] See also: [Will Privacy Concerns Spawn the Faceless Book?] [Bruce Schneier: Developments in Facial Recognition] and [Mug-Shot Industry Will Dig Up Your Past, Charge You to Bury It Again]

EU – Germany Asks Facebook to Disable Facial Recognition

The head of the German data protection authority has asked Facebook to disable its facial recognition feature over concerns that it violates European Union privacy laws. Johannes Caspar, head of the Hamburg Data Protection Authority, sent Facebook a letter, in which he argued that facial recognition amounts to unauthorised data collection on individuals. Caspar has given Facebook two weeks to respond. This is far from the first time Facebook’s facial recognition feature has been criticised – the feature was introduced in December, and it’s been constantly attacked since. Pushback against the feature increased in June after security firm Sophos warned Facebook’s users that the site had expanded its use of the facial recognition feature. This prompted Facebook to apologise for how it had handled the rollout. The European Union’s advisory board – the Article 29 Working Party – is also looking into Facebook’s facial recognition and whether it’s a violation of EU law. Investigations at the member-state level are underway in Ireland, the United Kingdom, and, now, Germany. [Source] and see also: [Manhunt is no way to deal with a social ill]

CA – Fotobounce Hypes Alternative Facial Recognition Option

In wake of Facebook Inc.’s decision to avoid launching its new facial recognition technology in Canada, one Toronto area firm is encouraging businesses and consumers to consider the risks associated with posting photos to a public Web site. Oakville, Ont.-based Applied Recognition Inc., which launched its Fotobounce Viewer app for Android last week, said users may be tiring of the typical model for online photo storage sites. The company is pushing its new mobile app and its integration with the existing Windows and Mac-based Fotobounce desktop software which allows users to organize their photos and share them across an encrypted, photo sharing network. The company, which refers to the technology as “Skype for photos,” also gives users the option to upload their sorted photos to Facebook, Flickr or Twitter. One of Fotobounce’s flagship features, however, is its face detection engine. The first time a user uploads photos to Fotobounce, the system automatically clusters similar unidentified faces together in groups. Users will then be asked to confirm the matches, individually or en masse, and assign a name to each cluster. Despite the similar functionality, Ganong envisions Fotobounce as a complimentary service to Facebook and other photo sharing networks. “We give users face recognition, but it remains on the desktop,” he said. “What they choose to share online only contains name tags or key words for the people in the photos. It’s a secure way of implementing face recognition without the associated risks.” Fotobounce said it currently has 150,000 users, but hopes to reach its target of 1 million users within the next 12 months. [Source]

CA – Facebook Sleuths Still Trying to Finger Vancouver Rioters

The online rage and name-calling that flooded Facebook after the June 15 Stanley Cup riot has now subsided. Still, a handful of Facebookers continue to pore over dozens of hours of footage to try to identify the perpetrators of last month’s mayhem. They post their findings to the Facebook Vancouver Riot Pics group, which has more than 101,100 “Likes.” One of the core members estimates that close to 300 rioters have been identified on the group’s page. So far 37 people have turned themselves in to police and, while no one has been formally charged, up to 1,700 potential suspects have been flagged by police for more than 202 separate incidents. [Source]

Canada

CA – Air Passenger Observation Plan Post 9-11 Raises Red Flag for Privacy Watchdog

Canada’s privacy czar is concerned about the potential unfairness of a plan to scrutinize the flying public’s behaviour at the airport. The federal government announced last year it would develop a passenger-behaviour observation program to detect terrorists. Officers of the Canadian Air Transport Security Authority would be on the lookout for suspicious actions at air terminals, such as a traveller wearing a heavy coat on a hot day, or sweating profusely. Privacy Commissioner Jennifer Stoddart says she’s not convinced the techniques will actually help screening officers zero in on genuine threats. “There is a huge possibility for arbitrary judgments to come into play,” Stoddart said in an interview. “This kind of initiative that doesn’t have a clear scientific basis is extremely worrisome.” [Source] See also: [European Data Protection Supervisor - Opinion on the Proposal for a Council Decision on the Conclusion of an Agreement between the EU and Australia on the Processing and Transfer of Passenger Name Record ("PNR") Data by Air Carriers to the Australian Customs and Border Protection Service]

CA – Federal Court Awards Minimal Damages Under PIPEDA

The Federal Court has recently released its second decision in which damages have been awarded for a breach under PIPEDA. Once again, the degree of damages are very low considering the costs associated with seeking redress before the Federal Court, but this very likely turns on the unique facts of the case. In Landry v. Royal Bank of Canada, 2011 FC 687 (CanLII), the applicant was embroiled in what appears to be a bitter divorce and was hiding certain bank accounts from her spouse. Her bank was served with a subpoena to produce records. It appears that the bank did not follow its prescribed procedures (which would have avoided the entire mess) and ultimately faxed the applicant’s bank records to counsel for her spouse. The applicant complained to the Office of the Privacy Commissioner of Canada, who found her complaint to be “well-founded and resolved”. The applicant started an application in the Federal Court, seeking at least $75,000 in damages. Neither party looked good appearing in court: the bank had not followed its procedures and tried to cover it up. The applicant was essentially caught trying to hide assets contrary to her legal obligations in connection with the divorce proceeding. In the result, the Court concluded fixing an amount of $4,500 with interest and costs to be paid to the applicant by the respondent. [Source]

CA – Electronic Search Powers Need Scrutiny, Experts Say

A group of experts in internet and privacy law want the government to study provisions they say could drastically affect Canadians’ privacy rights. The provisions were included in three lawful access technical surveillance bills from the last parliamentary session, but are expected to be rolled into the omnibus crime bill the Conservatives plan to table this fall. The Conservative election platform promised to reintroduce the electronic surveillance provisions, which critics call warrantless online spying, as part of the omnibus crime bill. The provisions would give law enforcement agencies more power to take information from ISPs and other private companies without a warrant, according to Open Media, a consumer watchdog group. Open Media is asking that the provisions be properly examined by MPs and senators in committee before the bill gets passed. The Conservatives have promised to pass the omnibus bill within 100 days of Parliament’s post-election return, which was June 2. Open Media worries that won’t be enough time when combined with all the other bills expected to be rolled together. “The overarching concern is its an erosion of civil liberties and online privacy with no real justification for it.” The legislation proposed in the last session would allow police to get some information without a warrant and other information with something like a court order, but with a lower standard of proof, Israel said.The group is also worried about a lack of oversight for the new powers. [Source] See also: [Letter to the Prime Minister re: Omnibus Crime Bill]

CA – Alberta Privacy Commissioner: Fines for Companies that Lose PII

With reports of privacy breaches mounting, Alberta’s privacy commissioner says it’s time the government consider slapping fines on companies that lose customer information. In the past 16 months, more than 90 breach reports have been received by the Office of the Information and Privacy Commissioner. In May 2010, under the Personal Information Protection Act, it became mandatory for companies to report privacy breaches. Currently, there are no penalties for non-compliance. Information and privacy commissioner of Alberta, Frank Work said the amendment gave his office a wake-up call. “It has proven to us how serious and how wide scale the problem is … It’s now hit home. I do think now the time has come for the government to seriously consider amending the legislation to provide for penalties.” He said monetary fines would be the most effective solution. [Source] [Privacy breaches overwhelm Alberta watchdog]

CA – Canada-U.S. Border Talks Raise Privacy Concern

Privacy and information sharing are a concern for Canadians who wrote to the government about border talks with the U.S., according to a report released by Foreign Affairs Minister John Baird. Canada and the U.S. are in negotiations over ways to integrate border security and ease trade access, though many of the details aren’t public yet. Two reports released this week summarize public consultations on the perimeter security talks. One is on implementing the agreement and the other on aligning regulations between the two countries. Business and trade groups were concerned about streamlining and speeding up approval for goods and wanted to align screening procedures for travellers between the two countries, the perimeter agreement report says They also want expanded pre-clearance programs. Individual Canadians were more concerned about maintaining privacy rights. The report says they voiced concerns about information sharing with the U.S. government. [Source] [Harper and Obama to meet in early fall on border deal]

CA – DPA Releases PIPEDA Guidance for Lawyers

The Office of the Privacy Commissioner of Canada (OPC) has announced the release of a handbook to help lawyers become more familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Launched at the Canadian Bar Association Canadian Legal Conference and Expo 2011, PIPEDA and Your Practice—A Privacy Handbook for Lawyers provides best practices for personal information management, use, collection, disclosure and response. “While lawyers may be familiar with privacy laws in general,” says an OPC spokeswoman, “they may benefit from some concrete guidance on how to apply the laws to their own practice.” [Source]

CA – Critics Decry Outsourcing of Visa Processing

The federal government is working to create a global network of visa processing offices, many of which are now privately run-a move that critics say raises concerns over information security, privacy and oversight. The government is set to almost double the number of countries in which it outsources the operation of visa application centres, from 20 to 35. Citizenship and Immigration Canada says it wants to continue to expand its use of these centres globally, although a spokesperson says no final decisions have been made yet. Some centres could also collect and transmit biometric information, such as fingerprints, in the future. The handbook is available on the Privacy Commissioner’s website: http://PIPEDAhandbookforlawyers.priv.gc.ca [Source]

CA – Ontario Government’s First CIO Mark Vale Passes Away

Dr. Mark Vale, who died last Friday at St. Michael’s Hospital in Toronto, is best remembered for having led the development and implementation of standards for managing government information assets in the Ontario government. Not only did his work lead to improved access of government data, but he also helped secure sensitive information held within Ontario Public Service. Toronto-born Vale, a 25-year veteran of the information technology industry, was named chief information and privacy officer for the Ontario government in July 2006. At the time he accepted the job, he was president of Toronto-based Information Management & Economics, Inc., an organization that helps government bodies and companies across Canada become more efficient by better managing information.[Source]

Consumer

CA – OPC Releases Survey Findings on Consumer Views, Practices

A survey of 2,000 Canadians has revealed that many technology users fail to take basic steps to protect their personal information. The 2011 Canadians and Privacy Survey, which was commissioned by the Office of the Privacy Commissioner, revealed that the majority of respondents do not use password locks or device settings to protect their personal data. “Canadians are recognizing that their personal information is not safe in this new digital environment unless they take concrete measures to protect it,” said Privacy Commissioner Jennifer Stoddart. “Unfortunately…too few are taking even the most basic precautions, such as setting passwords on their mobile devices.” The survey also measured Canadians’ attitudes about privacy as it relates to social networking, national security and other areas. [Source[

CA – Canadian Youth Increasingly Aware of Online Privacy

Social media sites like Facebook have become a ubiquitous presence in the lives of young people and many parents may worry that their children are giving away too much information. “From the perspective of youth, the main concern is overexposure or embarrassment, which is to say that people are concerned that what they post online will be seen by unintended audiences,” said Matthew Johnson, director of education at the Media Awareness Network, a non-profit organization that promotes digital literacy among Canadians. Often, this unintended audience includes parents and authority figures, but the content can also be distributed to a wider audience for malicious reasons. Young people are generally aware of the risks of posting information online, Johnson said. [Source]

E-Government

CA – Caseloads and Privacy Laws Impede Social Workers

While police continue their investigation into the murder of 14-month-old Elizabeth Velasquez, social workers in the province are speaking out about child protection caseloads. The little girl was abused and murdered last year, despite pleas from her grandparents for social services to step in. A spokesman for the social workers’ union says child protection workers are juggling too many cases at a time. Privacy laws are getting in the way when are trying to share information. [Source] See also: [Cavoukian: Privacy laws are not to blame – they are designed to serve the public, not act as cover for inconvenience or incompetence] and [Feds mistakenly mail out private info]

US – VA Social Media Policy Adoption: Workers Must Ensure Data Privacy, Security

Department of Veterans Affairs employees must take steps to ensure the privacy and security of personal information that may appear in social media used by the department, according to a new VA social media policy made public Aug. 16. Under the new policy, dated June 28, all department social media must:

  • post a privacy policy on the introductory page;
  • not be used to monitor an individual’s exercise of his or her First Amendment rights;
  • “be restricted to those VA personnel who have a need to know;
  • ensure the confidentiality, integrity, and availability of posted information;
  • not post data protected by HIPAA or the Privacy Act;
  • consider whether a Privacy Act system of records notice is required if social media captures personal information.

VA employees using social media to interact with the public must “draw a clear distinction between their personal views and their professional duties” and not infer that they are communicating the department’s official position unless they are authorized to do so. [Source]

E-Mail

US – Court: Non-Citizen E-Mails Protected Under ECPA

The Ninth Circuit Court has ruled that under the Electronic Communications Privacy Act (ECPA), Microsoft does not have to turn over an Indian citizen’s e-mails. Indian energy company Suzlon Energy, claiming the man defrauded it, has requested copies of all e-mails sent to and from his Web mail account and of written agreements he had with Microsoft. The court ordered Microsoft to hand over the contracts but ruled the e-mails are subject to protection under ECPA, sparking a debate over the intent of the law. Suzlon’s lawyer commented, if by “parking” e-mails in the U.S. criminals could avoid discovery, “every felon in the world would do so.” But Judge Milan Smith remarked, if congress wants to distinguish between a U.S. citizen and noncitizen, “it knows how to do it.” [Courthouse News Service]

CA – Businesses Brace for Tough New Spam Law

Business are combing through their email lists as the date draws nearer for Canada’s tough new anti-spam legislation to come into effect, forever banishing Nigerian princes and Viagra peddlers from consumers’ inboxes. The law, passed last December and expected to come into force in late 2011 or early 2012, will restrict spam by requiring businesses to have explicit permission to send commercial electronic communication, including through email, text messages and social media. There is room in the law for implied consent, but recipients must have the option of opting out. Many email and mobile marketers support the law, saying it aligns with best practices already established by the industry’s legitimate businesses. But they’re not the only ones who will have to comply with the act. All businesses and individuals with an online presence will fall under its regulations. And the penalties for operating outside them are significant, up to $1 million for individuals and $10 million for businesses. [Source] [Source]

US – Google Sued in Massachusetts for Scanning Emails Sent to Gmail Account

A Massachusetts woman filed a class action suit in Mass. state court against Google, alleging that Google violated Massachusetts’ wiretap law by scanning messages she sent from her AOL account to recipients’ Gmail accounts. Massachusetts is one of several states that require all parties to give their consent to the interception or recording of communications (unlike federal law and the laws in a majority of states, which only require consent from one party to the communication).[Source]

US – Spam King Surrenders

Sanford Wallace, a.k.a. “the Spam King,” has surrendered to federal law enforcement agents in California. Wallace has been charged with sending millions of spam messages to Facebook users. He allegedly tricked users into submitting their account login details. An estimated 500,000 Facebook accounts were compromised. Once he had access to compromised accounts, he accessed their friends lists and posted junk messages on their walls. Facebook won a US $711 million judgment against Wallace in 2009. Wallace faces charges of electronic mail fraud, intentional damage to a protected computer and criminal contempt. He has been released after posting US $100,000 bail. [Source] [Source]

Electronic Records

UK – NHS to Axe £7bn Electronic Records? Ministers Ready To Pull The Plug on Fiasco

Ministers are set to announce that plans for an ambitious system that links all parts of the NHS are to be abandoned. Instead of a centralised set-up, local NHS trusts and hospitals will be able to buy computer systems to suit their needs. The decision to axe an important element of the £11 billion NHS IT project comes as MPs launch a scathing report into a system they describe as ‘unworkable’. The £7 billion electronic care records system – a key part of the botched NHS IT project – could be targeted under the new strategy. It follows years of controversy and criticism that the project has missed deadlines and run over budget. [Daily Mail] [The Register] [Report]

TW – Taiwan Readies to Launch Electronic Medical Records Plan

Patients in Taiwan will no longer have to undergo the same medical tests repeatedly, once the nationwide electronic medical records plan kicks off this November, the Department of Health said. “The plan allows doctors from different hospitals to access a patient’s EMR with the patient’s consent,” said Hsu Min-huei, director of the DOH’s Department of Medical Informatics. He added that many hospitals in other countries such as Canada, the U.K and U.S. are already using EMRs. According to Hsu, the plan works under an index mechanism. “Doctors will be able to look up the patient’s name, examination date and item,” he pointed out. “To ensure a patient’s privacy, the system will keep track of which doctors access which files.” Under the plan, doctors can access blood test results, CAT scans, MRIs, outpatient service records, a summary of a patient’s condition and medication prescribed during hospitalization. The plan will be launched at 126 hospitals in Taiwan. “There are 500 hospitals across Taiwan,” Hsu said. “We hope the plan can be implemented in every hospital by the end of 2012.” [Source] See also: [CA – Up-to-Date Health Information for Patients]

EU – NHS Scotland Overhauls Security With New Sign-On System

In one of the most significant security roll-outs in recent NHS history, patient health records at Scotland’s 1,300 GP practices and 97 hospitals are to be secured using Imprivata’s desktop single sign-on (SSO) system, OneSign 4.5, NHS Scotland has announced. At the head of the security features is the ability to access all applications after one sign-on process, backed up by self-service password resets, which overcomes the expensive hassle of calls to a helpdesk. OneSign 4.5 is a way for health workers to authenticate themselves using one of a variety of security technologies such as biometrics or smartcards in a way that fits in with the practicalities of the working environment. The deployment will also include ‘no-click access’, a way for workers to avoid the need to constantly login in during a work day using the keyboard. If workers move away from the screen, the desktop is locked and only unlocked at the moment they return once they have re-authenticated. [Source]

WW – Health Industry Prepares to Mine Patient Data

With the increased use of remote monitoring systems and new digital imaging technology, “tremendous amounts of data” are being generated but not analyzed. A vice president of an analytics company says that “doctors have live data coming out of these devices and equipment, but to date it really hasn’t been analyzed.” According to the report, healthcare suppliers will begin selling equipment and software that can analyze the streaming data. “If there was a national healthcare database in the U.S.,” he says, “the value of that information in terms of mining it to identify trends across population segments is phenomenal.” [The Australian]

EU Developments

EU – French Parliament Publishes Legislation on Cookies and Data Breach Notification

The French Parliament published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC. “Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government.” The legislation “introduces a requirement for consent to be obtained before cookies are placed” and that browser settings or another application can be used to signify consent. “Unlike the UK, consent given through browser settings is valid even if the subscriber does not amend or set the controls.” The legislation also introduces a data breach notification requirement for electronic communication providers. [Source] [Source] See also: [Garante Per La Protezione dei Dati Personali, Italy - Authorisation No 6-2011 for the Processing of Sensitive Data by Private Investigators, June 24, 2011]

EU – Council of Europe Report the Modernisation of Convention 108

The Convention should remain technologically neutral, with general principles set out in specific texts when required; the two converging approaches with regards to data protection law are a desire for greater harmonisation of basic concepts and rules and greater clarity in determining the applicable law. Definitions of the right to data protection and the right to respect for privacy should be clarified (e.g. private life and data protection are two different things and personal data may or may not be private). The concept of data controller is no longer as relevant due to the increasing use of data sharing systems and interconnection. Sensitive data should be linked to their use, rather than simply extending the list; any extension of the list should be preceded by an impact study. Opinions were divided on whether there should be a definition for “sub-contractor”; sub-contractors have to comply with so many obligations in respect of security and respect for privacy that their role becomes hard to identify and the mere distinction between controller of the file and subcontractor no longer reflects the complex relationship which exists between organisations processing personal data. Consent should not be presented as a condition to be met for processing to be legal and fair (e.g. in many cases the person who gives consent does not realise what they are agreeing to); the quality of consent causes a great deal of apprehension (e.g. the problem of determining whether consent is genuinely free). In regards to transborder data flows, there are limits to the extent to which these can or should be controlled in a networking world; adequacy could be assessed on the basis of broad data processing sectors or relate to the particular circumstances of the case and the particular controller. Data protection laws require clarification in the context of cloud computing; where such technologies are concerned, there should be a right to know the physical location and the country where data are kept or where distribution servers are situated. There should be an option not to be tracked (in relation to RFID tags); a right should not be based on a targeted technology, which would contradict the goal of preserving the Convention’s technologically neutral character. There should be a provision for a right to be informed about security breaches, applicable across the board to all sectors. Data protection authorities should be given the right to settle disputes; DPAs’ decisions should be mutually recognised by other states’ parties. [Source]

EU – Crisis-Hit Greece to Loosen Privacy Laws

Greece plans to loosen strict privacy laws to allow surveillance camera footage as evidence in court, following a “dangerous” escalation in violence during anti-government protests amid the financial crisis. The proposed reforms follow warnings from top law enforcement officials that violent protesters are using potentially lethal means against police, including acid, crossbows and firebombs packed with firecrackers and metal shavings. Justice Minister Miltiadis Papaioannou outlined the changes at a parliamentary committee hearing and published them on his website. He warned of a “major escalation” in violence in recent months. He said the reforms also aim at permitting the identification of Internet bloggers who incite violence and make it more difficult for small groups of protesters to block road traffic. Police have long sought the use of camera footage — currently only used to manage traffic — as evidence, arguing that violence during protests has escalated in recent months. If the reforms are passed, police also plan to install cameras in squad cars and motorcycles. [Source]

EU – Google Court Case Results from “Transatlantic Clash”

Spain’s government has ordered Google to halt its indexing of data on certain individuals. Ninety individuals who filed complaints with the Spanish Data Protection Agency will benefit from the order, which is now being considered in court. Google has asserted that the requirement “would have a profound chilling effect on free expression without protecting people’s privacy.” Experts weigh in on the order, the origins of the concept of a “right to be forgotten” and the differing perspectives. “What you really have here is a transatlantic clash,” said a Swiss native and Georgetown University professor. [The New York Times] [No Right To Be Forgotten]

UK – Commission: Privacy Laws Insufficient

A report from the Equality and Human Rights Commission says that UK privacy laws do not do enough to protect citizens. Current privacy laws have failed to prevent breaches and keep pace with advances in technology and increases in the amount of data organizations collect about individuals, the report states. “This needs to change so that any need for personal information has to be clearly justified by the organization that wants it. The law and regulatory framework needs to be simplified and, in the meantime, public authorities need to check what data they have and that it complies with the existing laws,” said Commissioner Geraldine Van Bueren. [The Inquirer] [Charles Raab: Research report 69: Protecting information privacy]

EU – Parliament Resolution on Aviation Security, Focus on Security Scanners

The European Parliament supports the use of security scanners, provided appropriate safeguards are in place, over less demanding methods that do not guarantee a similar level of security – metal detectors are less effective, particularly with regard to non-metallic objects and liquids, and full hand-searches are more likely to cause greater irritation and face greater opposition (however, people should be given an option to refuse use of a security scanner, and submit themselves to alternative screening methods that guarantee the same level of effectiveness). To ensure data protection, only stick figures should be used (to protect passengers’ identities and ensure they cannot be identified through images of any part of their body), data generated by the scanning process must not be used for purposes other than detecting prohibited objects, may only be used for the amount of time necessary for the screening process, and may not be stored (data must be destroyed immediately after each person has passed through the security control). People undergoing checks should receive comprehensive information in advance about the operation of the scanner, conditions in place to protect their rights and the option to refuse to pass through the scanner; security staff should receive special training on using security scanners in a manner that respects passengers’ fundamental rights, personal dignity and data protection. [Source]

EU – Google Given Chance to Settle Belgian Case Over Street View

A federal prosecutor from Belgium has offered Google the opportunity to pay a €150,000 fine to settle claims of illegal data collection practices stemming from its Street View project. The company now has three months to accept the offer or the case could be brought before the country’s federal court, which could declare higher fines or imprisonment. A Google representative said, “We have received an offer of extrajudicial settlement from the Belgian federal prosecutor, and we have to study it carefully.” [Bloomberg]

UK – ICO Gives Google Good Grades, Not a “Rubber Stamp”

After auditing the company’s privacy structure, the Information Commissioner’s Office (ICO) says that Google “has taken reasonable steps to improve its privacy policies” but adds that the audit “is not a rubber stamp.” The company agreed last year to let the ICO conduct the audit in light of its controversial Street View project. The ICO said that “the audit verified that Google made improvements to their internal privacy structure,” but it “needs to ensure its work in this area continues to evolve alongside new products and technologies.” Meanwhile, in a Google blog post, the company announced that it will conduct a privacy impact assessment on any additional Street View activities in New Zealand. [The Guardian] [The Telegraph] [Report]

Facts & Stats

WW – Data Protection Laws Now in 76 National Jurisdictions

In a special report for Privacy Laws & Business, Australian Professor Graham Greenleaf has identified comprehensive data protection legislation in 76 national jurisdictions around the world as of July 30, 2011. His findings are summarized in a table listing the jurisdiction, the name of the law, its dates of enactment and latest amendment, the region, information about European findings of adequacy, status as a Council of Europe member and a ratifier of Convention 108 and its optional protocol, and other international commitments. Countries of some prominence that have flown under the radar of HR Privacy Solutions include Albania, Angola, Bosnia & Herzogovina, Croatia, Kyrgyz Republic, Mauritius, Montenegro, Senegal, and Serbia. India was notably included in the list, by virtue of its new rules under Section 43A of the Information Technology Act 2008. Accompanying the table was a detailed and insightful analysis of trends and time lines revealed by the data set. Professor Greenleaf indicated his intent to make a periodically updated version of the table available on his website.

WW – Google Plus Members Value Their Privacy

According to an analysis from data-mapper Matthew Hurst, new Google+ members may be seeing very little activity from the site’s 20 million users. His analysis shows approximately 48% of Google+ users haven’t posted publicly. Hurst, whose visualization was picked up by The Next Web, showed that there is a tight cluster of public power-users on the network, with the rest of the service’s 20 million or so users chiming in less often. But, as a commenter on Hacker News pointed out, Hurst’s data appears to only contain public data. An earlier report from All Things Digital revealed that approximately two-thirds of the content on Google+ is, in some way, private. [Source]

Filtering

UK – UK Authorities Mull Internet Kill Switch

Amidst widespread calls from MPs, David Cameron has pledged to investigate the possibility of turning off social networks during times of crisis, lumping Britain in with some rather unsavory company. The U.K. has long criticized countries like China, Iran and Libya for censoring the web and clamping down on dissent, which appears incredibly hypocritical to the rest of the world if he then proceeds to do the same thing on his own turf. Opinion pieces in international newspapers have already started popping up with headlines like “what goes around, comes around.” [Source]

UK – Government Will Not Order ISPs to Block Sites Hosting Pirated Content

The UK government has scrapped plans under the Digital Economy Act thatwould allow authorities to request that the court block websites hosting pirated digital content. Internet service providers were unhappy with the provision, and the UK Office of Communications (Ofcom) reviewed the policy and found that the provisions “would not be effective.” The Motion Picture Association recently won an injunction requiring BT toblock a certain site that hosted links to pirated content; the case did not invoke the Digital Economy Act. [Source] [Source] [Source]

Finance

WW – Privacy Concerns Accompany Rise of Paperless Receipts

Consumers may soon have the choice of forgoing a printed receipt at the check-out counter, as an increasing number of retailers cut ties with the tiny slips of paper that have been issued to customers for decades. The paperless receipt is gradually creeping into the Canadian marketplace, as a variety of retailers implement new types of systems that allow customers to retrieve their receipts from email or online websites. However, because shoppers must provide an email to receive a receipt, retailers can learn a lot about a customer’s preferences and buying habits. [Source] [CTV News] and see: [Hotel Guest Files Credit Card Receipt Suit alleging that a Virginia Beach hotel breached privacy law by printing sensitive data on his checkout receipt] and [US: Federal Court OKs Personal Information on Parking Tickets]

US – Judge Rules That Bank is Not Liable for Fraudulent Transactions

A US District Court judge has approved a pending decision recommended by a magistrate stating a commercial bank which protected customers’ accounts with minimal authentication is in compliance with federal online banking security requirements. Patco Construction had sued Ocean Bank following a series of fraudulent funds transfers totaling US $588,000. Part of Patco’s argument rested on Ocean Bank’s allowing the transactions to go through without taking adequate steps to verify their legitimacy. In late May, the magistrate ruled in the bank’s favor, and on August 4, a judge made the ruling official. Patco has not decided whether it will appeal the decision. Similar suits are being tried in various federal district courts, but none qualifies as case law, which requires a ruling from an appellate court. For a decision to set a national precedent, a decision would be required from the US Supreme Court. [Source] [Source]

EU – EDPS Opinion on Credit Agreements Relating to Residential Property

The concept of responsible borrowing entails that consumers should provide relevant, complete and accurate information of their financial situation; the limited number of activities which have relevance under the EU data protection regime are mainly the consultation by creditors and credit intermediaries of the so-called “credit database” with the purpose of assessing the creditworthiness of consumers and releasing of information by the consumers to the creditors or credit intermediaries (suggested modifications to the Proposal – access to the database is permitted if there is clarification of whether only creditors or credit intermediaries who concluded a contract with a consumer, or are required by the consumer to take steps to conclude a contractual relationship with him, can have access to his or her data and if consumers are notified, in advance, that a certain creditor or credit intermediary has the intention to access his or her personal data in the database and the right to exercise all relevant data protection rights). [Source] See also: [EDPS Opinion on the Proposal for a Regulation of the European Parliament and of the Council on Energy Market Integrity and Transparency]

US – Payment Card Industry Tokenization Guidelines Released

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for “developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts,” the report states. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements,” said PCI SSC General Manager Bob Russo. [SC Magazine]

EU – CNIL Authorizes PI for Money Laundering and Terrorist Financing

Financial institutions should meet their legal and regulatory obligations in anti-money laundering and counter terrorist-financing due diligence, by processing personal data according to a risk-based approach, i.e. determining the profile of the business relationship with the client and beneficial owner by considering products purchased, transactions and client characteristics (nationality of the customer cannot be the only criterion for requiring enhanced due diligence). Additional aims of processing include identifying persons subject to additional due diligence measures as politically exposed persons (comparing the customer affairs database against a reliable reference document used to identify PEPs), triggering alerts and reports of suspicious transactions (processing that identifies transactions deemed suspicious as they involve amounts that are likely to finance terrorism or come from an offence punishable by one year imprisonment) and applying measures to freeze assets (operations based on lists of measures to freeze assets are subject to manual review to address any similarities in names). The personal data to be collected must be necessary to assess the risk posed by the client, requested operation or signed contract, and proportionate to the risk classification of the financial institution (e.g. personal data that may be collected include copies of identification documents, occupation, nature and level of income, financial transaction information including currency processed, source and destination of funds, and mandates and powers of any natural persons representing corporations); additional data may be collected directly from the person in cases that are high risk, complex, deal with an unusually large amount of money or have no apparent economic justification or lawful purpose. Within their respective powers for the purposes of fighting money laundering and terrorist financing, recipients of data include data controllers (e.g. staff in customer relations or who make determinations about whether to maintain a business relationship with a politically exposed person), authorities (e.g. financial intelligence unit Tracfin or the Treasury Department) and other financial institutions (e.g. other agencies that intervene for the same client in the same transaction). [Single Authorisation No. AU-003: Decision No. 2011-180 of 16 June 2011, Authorizing Single Processing of Personal Data Related to the Fight Against Money Laundering and Terrorist Financing | Press Release and Backgrounder] and [Individual Rights in the Digital Revolution: Information Report No. 3560 to the French National Assembly - Law Committee and the Committee of Cultural Affairs]

WW – Credit Card Data Compromised

A credit card data breach affecting approximately 92,400 Japanese Citigroup customers. Compromised data includes names, addresses, credit card account numbers, phone numbers, dates of birth and dates accounts were opened. According to the report, an individual employed by a Citigroup subcontractor sold the data to a third party. This is the second breach that has affected the company this year. [InfoSecurity]

FOI

CA – Watchdogs Demand Probe After Mounties Drop Access-to-Information Case

Three watchdog groups are asking Parliament to find out why the RCMP dropped its probe of alleged political interference in the release of government information. Newspapers Canada, the Canadian Taxpayers Federation and the B.C. Freedom of Information and Privacy Association issued a joint letter asking a House of Commons committee to investigate the case of Sebastien Togneri. In 2009, Mr. Togneri, a political aide to then-public works minister Christian Paradis, ordered a document withheld from a Canadian Press reporter who had requested it under the Access to Information Act. The document, an annual report on the government’s giant real-estate portfolio, was then retrieved from the Public Works mailroom shortly before it was to be sent out. Mr. Togneri was later required to appear before the Commons committee on access to information, privacy and ethics, where he acknowledged his order to “unrelease” the document was a “mistake.” And a year-long investigation by the Information Commissioner concluded Mr. Togneri had inappropriately interfered when he had no legal authority to do so.Suzanne Legault recommended the government send the case to the RCMP to examine whether Mr. Togneri’s actions broke Section 67.1 of the Access to Information Act, which provides for jail terms and penalties for interfering with the release of government information. The RCMP was called in, but this month dropped their probe, saying any criminal investigation was “unwarranted.” “The RCMP decision to abandon this investigation is extremely troubling,” John Hinds, president of Newspapers Canada, said in a release. “It appears to leave people most likely to interfere with [Access to Information] requests above the law, and that just cannot stand.”[Source] See also: [Wikileaks crashes in possible cyberattack] and also [Old Mug Shots Fuel Art, and a Debate on Privacy] and [Freedom of what? Sure seems it’s not information]

BR – Brazil’s Long-Awaited Freedom of Information Law is Under Threat.

Brazil’s long-awaited freedom of information law is once again under threat. Senator and disgraced ex-President Fernando Collor, who was impeached in 1992 by the very Senate he now serves, has proposed radical revisions to the freedom of information bill 41/2010. These changes constitute a clear affront to President Dilma Rousseff, who has supported passage of the measure, to the Chamber of Deputies, which approved the bill in 2010, and to the three Senate committees that have already endorsed the measure in 2011. As Chair of the Committee on Foreign Relations and National Defense, Mr. Collor holds a powerful position in the Senate. But the amendments proposed are so retrograde that Collor should hardly be taken seriously. A freedom of information law is viewed to be one of the principal pillars of transparency and social accountability needed to better combat endemic corruption in Brazil. [Source]

NZ – Value of Information Trumps Caution: Government CIO

The emphasis in opening government data is to “push the information out there and enable people to use it in whatever ways they see fit,” rather than being over-cautious in ensuring that the data is exactly right and conveniently packaged, says New Zealand government CIO Brendan Boyle. Boyle was speaking at a symposium on record-keeping organised by the Association of Local Government Information Management (Algim). He identified the factors holding back increased openness with government information and increased centralisation onto all-of-government ICT. [Source] See also: [Office of the Privacy Commissioner, New Zealand - Focusing on Solutions: Working with the Office of the Privacy Commissioner]

Genetics

US – Court Allows Suit by Man Who Wants Genetic Profile Destroyed

A Massachusetts man who voluntarily provided DNA in 2002 to police investigating a murder may pursue a privacy invasion suit seeking return of his genetic profile, a state appeals court has ruled. Keith Amato claims in his class action suit that police promised the sample and data would not be retained if his DNA didn’t match crime scene evidence, according to the opinion. The state eventually returned the DNA sample, but not the genetic profile. Amato sued for breach of contract and under two state laws governing state retention of data and invasion of privacy. The Massachusetts Appeals Court allowed all three causes of action. [Source]

US – Collecting DNA From Arrestees is Unconstitutional, California Court Says

The First District Court of Appeal in San Francisco has overturned a voter-approved proposition that requires adults charged with a felony to provide a DNA sample. The court said Proposition 69 is unconstitutional because the law allows searches of individuals without a warrant, adding it authorizes “the warrantless and suspicionless search of individuals…for evidence of a crime unrelated to that for which they have been arrested.” The court also noted, “The question this case presents, which is increasingly presented to the courts of this state and nation, is the extent to which technology can be permitted to diminish the privacy guaranteed by the Fourth Amendment.” [Wired]

Health / Medical

US – OCR Data Breach List Hits 300, Reveals Top Audit Interests

The Office for Civil Rights (OCR) has logged almost one healthcare breach every other day since it began keeping its online list in February 2010. The OCR notification website lists breaches of health information protected under HIPAA affecting 500 or more individuals and was created as part of the breach notification interim final rule. According to the report, the tally has reached 300 breaches, and of the 420 complaints claiming violations of HIPAA since October 2009, 192 have been closed after “investigation and appropriate corrective action.” The OCR also announced the top areas of interest on its HIPAA privacy and security compliance radar. Its top issue is incident detection and response. It will also focus on reviews of log access; secure wireless networks; management of user access and passwords, and theft or loss of mobile devices, among other requirements. The OCR plans to look at 150 organizations by the end of the year. [HealthLeaders Media] [Source] and [OCR Undecided on BA Inclusion in HIPAA Audits] and [EHRs Raise Liability Fears]

US – Survey: 70% of Healthcare Providers Suffered Privacy Breach in Past 12 Months

Veriphyr, a provider of Identity and Access Intelligence, announced the results of new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70% of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. Insiders were responsible for the majority of breaches, with 35% snooping into medical records of fellow employees and 27% accessing records of friends and relatives. The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches”, summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers. Key findings include:

  • Top breaches in the past 12 months by type: Snooping into medical records of fellow employees (35%); Snooping into records of friends and relatives (27%); Loss /theft of physical records (25%); Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in: 1-3 days (30%); 1 week (12%); 2-4 weeks (17%)
  • Once a breach was detected, it was resolved in: 1-3 days (16%); 1 week (18%); 2-4 weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI. 52% stated they did not have adequate tools for monitoring inappropriate access to PHI. [Source] See also: [Medical records strewn in abandoned Melbourne clinic] and [Ireland: ‘Unauthorized Access’ To Patient Data After Medical Transcription Lapses]

US – Florida’s ‘Drug Tests for Welfare Recipients’ Law Likely Unconstitutional

Back in June, Florida Governor Rick Scott signed into law a bill that, among other things, requires all recipients of cash welfare from the state to undergo mandatory drug testing as a condition of receiving certain forms of state aid. The first round of testing was recently completed, but the legal controversy is just beginning. As one Tampa Bay television station has reported, in the past Federal Courts have generally held that drug testing requirements for public assistance are unconstitutional: In a 1997 ruling from Georgia by the U.S. Supreme Court, Justice Ruth Bader Ginsburg wrote, “The Fourth Amendment precludes suspicionless search… the drug test diminishes personal privacy.” In 2003, a U.S. Circuit Court of Appeals ruling from Michigan backed that up saying, “Michigan law authorizing suspicionless drug testing of welfare recipients was unconstitutional.” [Source] See also: [The social network of infertility: Study examines couples’ privacy preferences]

US – AMA Discusses Prescription Data Selling Practices

American Medical Association (AMA) President Peter Carmel is refuting a New England Journal of Medicine (NEJM) article that insinuates the AMA has financial incentives to support a Supreme Court decision allowing the sale of prescription drug information to pharmaceutical companies. The NEJM article also claims the AMA has not done enough to promote its program allowing doctors to opt out of data mining. But Carmel calls the assertions “unfounded speculation” and outlines ways the AMA has promoted the opt-out program. While the AMA believes physicians should have the right to opt out, the report states, it “prefers its own approach to state laws that might be overly restrictive.” [Information Week]

US – Sexual Health Database Protects Porn Actors’ Privates and Their Privacy

The Free Speech Coalition, a trade association for the adult entertainment industry, has launched an online database that lists pornography performers who are sexually-transmitted disease-free and available for work. The database, called Adult Production Health & Safety Services, is accessible only by producers, performers and their agents. It replaces a database operated by AIM Medical Associates, which was shut down in May after the site was hacked and performers’ private medical information was leaked online. “APHSS.org does not contain any medical records and very minimal information to identify users,” said Joanne Cachapero, membership director for the Free Speech Coalition. “In the unlikely event that the database was hacked or breached, there is not much personally identifying information contained in the database.” Proponents say the new database will safeguard performers’ sexual health as well as their privacy. But critics say it promotes unsafe sex. [Source]

US – Health Data Not Covered in Breach Legislation

The Center for Democracy and Technology’s Harley Geiger writes that the data breach notification bills currently in congress would not protect health data processed by certain commercial services. The HIPAA Privacy Rule requires covered entities to notify individuals when their data is compromised, but with the influx of commercial health IT systems and applications, sensitive health data is increasingly being used by commercial products and services. As a result, neither current data breach draft legislation nor the Privacy Rule would require non-covered entities processing health data to notify individuals of a breach, which “makes it all the more important that the law evolves with technology to provide blanket privacy protection for health information in commercial contexts,” the report states. [Source]

US – AHA Wants HIPAA Access Provision Withdrawn

The American Hospital Association (AHA) says federal regulators need to “significantly alter” the access report provision in their proposed HIPAA disclosures rule. In a letter sent to the Department of Health and Human Services, the AHA says the access report provision–which would allow patients to request a history of who has accessed and disclosed their personal health records—is “misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals.” [HealthLeadersMedia]

Horror Stories

US – Health Data of 300K Californians Available on Unsecured Website

A researcher from a data loss protection company recently discovered that personal medical data for nearly 300,000 Californians were available online in an unsecured format and could be found through Internet searches. Aaron Titus – a researcher from Identity Finder – discovered the information and alerted Southern California Medical-Legal Consultants, the company that was using the data. [Source]

US – Hackers Breach Chocolate Recipe on Hersey Website

Hackers breached the security of a website operated by US confectionery giant Hershey Company and may have made off with customers’ names, birthdates, street and email addresses, and site passwords. In an email sent to customers last week, Hershey said an unauthorized individual accessed the site and changed a baking recipe for one of its products. The company said it found no evidence any other recipes on the website were affected, but it couldn’t rule out the possibility that hackers stole personal data taken when customers create accounts on the site. [Source] [Travelodge UK Admits Data Breach] [University of Wisconsin Malware May Have Exposed Student, Staff Data]

US – Fired Techie Created Virtual Chaos at Pharma Company

Logging in from a Smyrna, Georgia, McDonald’s restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company’s computer infrastructure earlier this year. Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty to computer intrusion charges in connection with the attack on Feb. 3, 2011. He wiped out 15 VMware host systems that were running e-mail, order tracking, financial and other services for the Florham Park, New Jersey, company. “The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,” the U.S. Department of Justice said in court filings. Total cost to Shionogi: US$800,000. [Source] [Purdue University Warns Former Students of Breach]

UK – USB Device Found in Pub Contained Unencrypted Housing Company Data

The UK Information Commissioner’s Office (ICO) has found two organizations in violation of the Data Protection Act after a USB containing unencrypted data was left at a pub. The data storage device contained information about residents of two housing companies and included 800 records with bank account information. The USB was lost by a contractor working for one of the companies, but data from both were on the device. More than 26,000 people were affected. The USB was turned in to police. Both housing companies have agreed to encrypt portable data devices and monitor contractors’ and staff members’ data handling. There were no fines. The ICO imposes financial penalties only when there has been demonstrable damage to those whose data are compromised. [Source] [Source]

US – Citigroup Suffers Another Data Breach

Attackers have reportedly stolen and sold details of more than 92,000 payment cards belonging to Citigroup’s Citi Cards Japan (CCJ) customers. The compromised data include names, dates of birth and account numbers, but not personal code notification numbers (PINs) or CVV security codes. The data breach does not appear to have been the result of an online intrusion. Authorities have been notified and an investigation is underway. Customers have been notified as well and CCJ will re-issue cards as needed. Earlier this year, Citigroup suffered a breach that compromised card information of 360,000 accounts. [Source] [Source] [Source]

Identity Issues

CA – Most Canadians Can Be Uniquely Identified from Date of Birth and Postal Code

There are increasing pressures for health care providers to make individual-level data readily available for research and policy making. But Canadians are more likely to allow the sharing of their personal data if they believe that their privacy is protected. A new report by Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the University of Ottawa and the Children’s Hospital of Eastern Ontario Research Institute, suggests that Canadians can be uniquely identified from their date of birth, postal code, and gender. This means if this triad of data exists in any database, even if it has no names or other identifying information, it would be possible to determine the identity of those individuals. The report is now available in BMC Medical Informatics and Decision Making Journal. [Source]

WW – Google+ Introduces Identity-Verification Badges

Google is adding badges that certify the identity of users of its Google+ social networking site, starting with public figures and with people who have been added by many as contacts. Later on, the verification badges will be available to a bigger scope of users who aren’t famous or broadly popular on the site, Google official Wen-Ai Yu [cq] said in a Google+ post. For now the main goal is to inform users which is the official profile of a singer, actor, politician, public figure or popular Google+ account holder they may want to add to their Google+ Circles to follow their public posts. “When you visit the profile of a celebrity or public figure, you’ll see a verification badge next to their profile name. This will help you easily determine which profiles are owned by real, verified people,” she wrote. Verified Google+ accounts will feature a gray checkmark inside a lighter-gray circle next to the person’s profile name. It’s not clear from Yu’s post how many “followers” a Google+ user needs to have to qualify as someone whose account merits having a verification badge. Other social media sites feature verified accounts, including Twitter, which is used by many public figures to communicate with their fans. [Source] See also: [Judge warns about growing problem of ‘mistrial by Google’]

US – Posing as a Different Facebook User Can Constitute Identity Theft, US Court Rules

A California Court of Appeal ruled that a school pupil had committed identity theft under Californian laws when he obtained a schoolmate’s email password, used it to gain access to her Facebook account, and posted sexually suggestive messages whilst posing as the girl. Wilfully obtaining personal identifying information and using it “for an unlawful purpose” without the person’s consent is illegal under the provisions of California’s Penal Code. [Source]

UK – Council Sued for Unmasking Twitter User

The first Briton to have his Twitter identity forcibly revealed by a court is seeking to sue the council that blew his anonymity and force a judicial review of the case. A review could have implications for whistleblowing websites – and for a council that used public funds to unmask a perceived detractor. [Source] See also: [The War On Anonymity] and [The Re-Identification Risk of Canadians From Longitudinal Demographics - Khaled El Emam, BMC Medical Informatics & Decision Making 2011]

Intellectual Property

US – Future iDevices Could Work With Privacy Glasses

The U.S. Patent & Trademark Office recently published a new patent application from Apple that details the company’s designs for privacy glasses for future iDevices. It happens to a lot of us: We’re sitting at the local coffee shop minding our own business, our eyes fixed firmly onto our iPhone/iPod touch or iPad. Suddenly, you get that feeling that someone is watching you. As you turn around, it’s true: Someone is checking out your iDevice. Unfortunately, depending on what you’re working on, this stranger might have just seen something important. To assist customers in keeping private information just that, Apple is working on a privacy mode that might be included in future iDevices and MacBooks. This mode would match the glasses with specific filters. In other words, unless you have the glasses, you couldn’t see what was on the iDevice screen. [Source]

Internet / WWW

UK – U.K. Police Claim Rioters Using Blackberry Messenger

Ontario’s Research In Motion says it will work with London police after authorities said the company’s BlackBerry Messenger service is helping fuel rioting in the city. Scotland Yard has said it is tracking down any rioters inciting violence using Facebook, Twitter or BlackBerry Messenger (BBM) as the riots raged for a third night. But unlike the often public world of Twitter and Facebook, BBM is heavily encrypted and untraceable to authorities, unless they have access to RIM’s servers. It is a private network in which messages can only be accessed by those with the PIN number of those they are messaging. The service is quite popular with teens for that very reason in places with authoritative governments, such as in the United Arab Emirates or Saudi Arabia. RIM says it will “assist” authorities, prompting privacy concerns from some users, although the company has clashed with governments before on similar privacy issues. [Source] [Source]

IN – Indian Government Demanding Access to Monitor Communications

Blackberry parent company Research in Motion (RIM) is facing yet another deadline from India’s government regarding its failure to comply with requirements to make data sent over its network “intercept-friendly.” Some are guessing that RIM may be forced to set up a server in the country to give the government the ability to intercept communications. RIM’s earlier proposal to provide users’ enterprise server IP addresses and the PINs and IMEI numbers of each Blackberry device used by subscribers was deemed unacceptable by India’s government. The government also wants the department of telecommunications to “ensure effective monitoring of Twitter and Facebook.” [Source] [Source]

WW – Anonymous Says It Will Take Down Facebook On Nov. 5

Hacktivist group Anonymous said that it will target Facebook for a takedown on Nov. 5, aka Guy Fawkes Day. Those claiming to be members of the group uploaded a video to YouTube in mid-July announcing the operation, which was spotted by Rosie Gray of The Village Voice. Why is the group targeting Facebook? The video message is most critical of Facebook’s privacy policies, saying the site does not provide its users with enough choice or transparency. [Source] UPDATE: [Threat To Destroy Site May Be Hoax]

EU – European Companies Avoiding U.S. Cloud Providers

European companies are choosing not to use U.S.-based cloud service providers because of legal obligations the service providers have to the U.S. government under the USA Patriot Act. According to the U.S. legislation, data that is stored, processed or retained by a U.S.-based service provider must be made available for inspection by U.S. authorities without notification to users, which is a violation of the European Data Protection Directive. One European IT chief said, “We would never be able to use a U.S.-based provider of cloud services, even if the data is stored in a data center in the EU,” suggesting that European companies would instead use local service providers. [The Financial Times]

Law Enforcement

EU – Germany: Police Officers Riled By New ID Requirement

Berlin police must now wear personal identification on their uniforms, but many German officers say the requirement puts their lives at risk. Said one: “Even as police officers we live completely openly in our private lives … I’m afraid criminals could track me down. You deal with the same people for years and they start to hate you personally.” Although police officers in other western countries like the United States and Britain have been required to wear numbers or name tags for years, Berlin last month became the first German state to mandate their use among uniformed officers. [Source] [Source] See also: [MPs Urge Gov’t to Consult with ICO on ID-handling Plan]

US – Data From Sheriff Departments Stolen and Posted Online

A group of cyber attackers operating under the umbrella of the Anonymous collective have released a 10GB cache of data taken from US law enforcement agencies’ computer networks. The data exposure appears to be a retaliatory action for the arrests of people who were allegedly involved in earlier cyber attacks. The compromised information includes SSNs, email messages, information about stolen credit cards and informant data. The data appear to have been taken two weeks ago from servers at Brooks-Jeffrey, an Arkansas-based company that hosts sheriff association websites. [Source] [Source] [Source] [Source] See also: [60% of Toronto arrests lead to strip searches]

Location

US – Court: GPS Technology Conflicts with Legislation

Courts around the U.S. are grappling with how to balance law enforcement’s use of GPS data with an individual’s right to privacy. A district judge in Maryland recently denied a warrant requested by federal authorities who were attempting to locate a suspect via his cellphone’s GPS data. The judge said that for some, “this use of location data…would appear chillingly invasive.” Meanwhile, courts in California and Oregon have upheld warrantless GPS searches by authorities, and the U.S. Supreme Court will review a GPS privacy case, The Baltimore Sun reports. “For investigators, the cellphone has become one of the greatest tools available,” says one expert. “But certainly we want to do this the right way and protect people’s right to privacy.” [Source]

CA – Toronto Real Estate Board, Regulators Clash Over Privacy Rights in VOW Policy

The Toronto Real Estate Board says the privacy rights of consumers are at stake in a lawsuit brought against the board by Canadian regulators regarding the operation of virtual office websites (VOWs). Canada’s Competition Bureau filed suit against TREB in May, claiming the board hasn’t allowed brokers to provide consumers with access to detailed multiple listing service (MLS) data through password-protected VOWs like those operated by ZipRealty and Redfin in the U.S. In June, TREB – North America’s largest real estate board at 31,000 members – published a proposed policy that would allow members to operate VOWs. Last month, in an amended complaint, the Competition Bureau said the proposed policy restricted the display of sold and pending listings and the compensation offered to the buyer’s broker through VOWs, and alleged the policy would “entrench and perpetuate the traditional ‘bricks and mortar’ business model for providing real estate brokerage services,” and “constitute a further anti-competitive act” under Canada’s Competition Act. TREB filed a formal response to the amended complaint Friday denying that “TREB’s policies with respect to the use of and access to the TREB MLS constitutes a practice of anti-competitive acts.” The response added that TREB’s policies “have been formulated to safeguard the privacy rights of TREB’s members and TREB’s members’ customers … in their individual listings and to ensure TREB and its members are compliant with their respective statutory obligations.” [Source]

US – Groupon Shares Mobile Location Plans With Congress

Groupon Inc disclosed some details of its plan to offer location-based offers through mobile phones when the largest daily deal company responded to Congressional questions about its privacy policies. Groupon general counsel David Schellhase said the company is developing technology that will track customers’ location, even if they don’t have a Groupon app open on their phones, according to an August 10 letter to the co-chairmen of the House Bi-Partisan Privacy Caucus: Joe Barton, a Texas Republican, and Edward Markey, a Massachusetts Democrat. [Source]

US – LinkedIn Backs Off Ad Scheme Over Privacy Gaffe

LinkedIn has announced that it will no longer pursue its new form of advertising called “social ads,” which shared users’ activities and included their pictures. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company’s changes may have breached Dutch privacy law. The company’s head of marketing solutions told users, however, that “The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network.” [The Wall Street Journal] See also: [Press Release: Dutch Data Protection Authority Maintains Decision to Impose a Penalty on Google]

Offshore

IN – India Exempts Outsourcers from New Privacy Rules

Personal data sent to India by customers outsourcing work to companies in the country will not be covered under new rules governing the collection of such information, the government said, providing relief to India’s large outsourcing industry. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 introduced in April require companies or their intermediaries to take consent in writing from individuals about the use of the sensitive personal information they collect. The new rules would make it difficult for Indian outsourcers to operate if they were required to take written consent from individuals in other countries whose data they collect and process through call centers and business process outsourcing operations. [Source] [India exempts outsourcers from new privacy rules]

CN – Ministry Proposes New Rule for PI

China’s Ministry of Industry and Information Technology (MIIT) is seeking comment on a draft rule regulating the processing of personal information by “Internet Information Service Providers.” defining “Internet Information Services” as “service activities for the provision of information to Internet users over the Internet.” If enacted, the rule’s provisions include requiring Internet Information Service Providers to refrain from collecting personal information (PI) without users’ consent, only collect PI as necessary to provide services, inform Internet users of how and why their PI is collected, not disclose PI to third parties without consent and “immediately take remedial measures” in the event of any breach. [Hunton & Williams Privacy and Information Security Law Blog]

Online Privacy

WW – Facebook Unveils New Settings

Facebook has unveiled new options to help users manage the amount of information they share on the site and with whom. The changes will allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being “tagged” by others in posted photos, or choose to block a user entirely—disabling them from photo tags or other interactions on the site. The company wants to make the sharing options “unmistakably clear,” said a Facebook spokesman. [The Wall Street Journal]

WW – Facebook: “Anonymity on the Internet Has to Go Away”

Facebook’s marketing director Randi Zuckerberg, who also happens to be Facebook co-founder and CEO Mark Zuckerberg’s sister, wants to put an end to online anonymity. She believes that Internet users would act much more responsibly online if they were forced to use their real names at all times. During a Marie Claire round table discussion on cyberbullying and social media, Randi explained how using real names online could help curb bullying and harassment on the web, according to Huffington Post: “I think anonymity on the Internet has to go away… People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.” Zuckerberg was asked several times to name what new features Facebook will offer to better safeguard security on the social networking site. Unsurprisingly, she refused to give specific examples of forthcoming initiatives: “There’s so much more we can do. We’re actively trying to work with partners like Common Sense Media and our safety advisory committee.” Five months ago, Facebook announced new safety resources and tools for reporting issues, in conjunction with a White House summit for preventing bullying. Four months ago, the company rolled them out. [Source] see also: [Datatilsynet, Norway - Social Network Services and Privacy: A Case Study of Facebook | Source | Source]

EU – Schleswig-Holstein Commissioner Orders Site Owners to Deactivate FB Analytics

The Independent Centre for Privacy Protection (ULD)-the privacy regulator for the German state of Schleswig-Holstein-has told website owners in that state to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’ button” from their sites. In a press release, the ULD said that “after a thorough legal and technical analysis,” it concluded that use of such features violates the German Telemedia Act, the Federal Data Protection Act and the Data Protection Act of Schleswig-Holstein. [Source] See also: [The Next Online Privacy Battle: Powerful Supercookies] and [SurfEasy: Browsing privacy for Grandma] and [New Site: Watch Ads, Give Data, Get Prizes]

US – Company Settles Behavioral Targeting Lawsuit

Defunct ad company NebuAd has agreed to a $2.4 million settlement in a class-action privacy lawsuit based on its behavioral targeting practices. The seven Web users who filed the suit will receive $1,000 to $5,000 each. The case stemmed from NebuAd’s partnership with six ISPs to gather data about Web users’ online activities, “including search queries and activity at non-commercial sites,” the report states. The plaintiffs claimed such practices violated federal and state privacy laws. NebuAd’s insurers will reportedly fund the settlement. Lawsuits are pending against the six ISPs NebuAd partnered with before it folded in 2008. [MediaPost News] See also: [Hoofnagle: Users “Outgunned” By Marketers | Paper on SuperCookies]

US – ISP Tracking Spurs Class-Action Suit

Researchers’ have discovered that some Internet service providers (ISPs) have been rerouting users’ online traffic to provide Web search results “that can generate money for firms selected by the ISP as well as the ISP itself.” The practice has resulted in a class-action lawsuit against companies Paxfire and RCN, and Sen. Richard Blumenthal (D-CT) has said he is considering investigating the practice. Referencing past ISP tracking incidents, the report suggests the key issue is “ISPs, in their quest for revenue, are once again interfering with users without their knowledge or consent.” [Source] See also: [Statutory Instrument No. 336 of 2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations - Ireland]

US – Foursquare To Sell Tracking Abilities to Merchants

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track–and therefore better target specials to–their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize “free” services, and Foursquare’s method may end up putting them in the center of the privacy debate. “The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade,” Sherman writes. “Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities.” [Source]

WW – Microsoft Stops Secretly Tracking Users’ Browsing Habits

Microsoft has removed code from its MSN web site that tracked its users’ browsing habits, even if those users intentionally deleted their cookies in order to preserve their privacy. Mike Hintze, associate general counsel, regulatory affairs, Microsoft, announced in a blog that the firm investigated the code once it was brought to its attention by a researcher. “According to researchers, including Jonathan Mayer at Stanford University, ‘supercookies’ are capable of re-creating users’ cookies or other identifiers after people deleted regular cookies. “We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites.” Hintze added that the company removed the code, and reassured users that the information potentially gleaned from the “older code” had not been shared with external organisations. [Source] See also: [‘Related’ Browser Add-On: Handy, But at Cost to Privacy] see also: [Hackers in the bloodstream: Diabetics vulnerable to attack on insulin pumps, sugar monitors]

US – Case Dismissed Against Advertisers, Not Network

A federal judge has dismissed a potential class-action lawsuit against four advertisers that allegedly acted “in concert with the ad network Interclick to use controversial ‘history-sniffing’ techniques for online tracking.” However, the judge “did not entirely dismiss the lawsuit against the ad network,” the report states. Privacy advocates have spoken out against such practices, but a paidContent report suggests the court’s actions indicate they may not be illegal. Scott Kamber, the attorney who filed the case, points out, however, that it can now move forward, saying “the judge has recognized that there is a wrong here that can be remedied.” [MediaPost News]

US – NARC To Begin Self-Regulatory Program Enforcement

The Better Business Bureau’s National Advertising Review Council (NARC) is going to enforce privacy principles for online behavioral targeting. NARC will also reach out to companies that aren’t following the program to ask that they engage. The program requires ad networks using behavioral targeting techniques to notify users about the data collection through a standard icon and allow them to opt out of receiving such ads. NARC says it will name companies that fail to follow the principles. [MediaPost]

UK – Man Reveals Secret Recipe Behind Undeletable Cookies

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode. The “ETag” technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month. [Source] [CEO Defends ETag Intent]

WW – Company Advises Against UDID

Software developers who build programs for Apple’s operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users’ online behavior. A deadline for the change has not been specified, but the company’s website tells developers that the tracking tool “has been superseded and may become unsupported in the future.” The Center for Democracy & Technology’s Justin Brookman said, “I want to see how this all plays out, but at first glance, this is a really good result for consumers.” [The Wall Street Journal]

WW – Flickr’s New ‘Geofence’ Settings Protect Your Geoprivacy

The popular photo sharing website Flickr has introduced a new way to geotag your photos without revealing your location to the entire web. Flickr’s new “Geofence” settings give users more granular control over their geotagged photos. Perhaps the best part of the new Geofence features are how dead simple they are to use – simply draw a circle on a map, choose a geoprivacy setting for that area, and you’re done. Your new fence will apply to any future photo uploads and Flickr will offer to update the privacy settings on any existing images that fall within your new fence. Previously, Flickr limited its geotagging options to a simple yes or no – either you shared location data with everyone or no one. Now you can share location data with only those people you trust. For example, you might leave the geodata for your vacation photos visible to everyone, but limit the location data of photos around your house to only your friends and family. In those cases where there might be overlap between two geofences Flickr will default to the more restrictive of the two. For example, if you draw a circle around your house and limit it to the most restrictive group, “Family,” and then draw a circle around your whole neighborhood and limit that to “Friends,” any areas where the two overlap will still be limited to only the Family group. [Source] SEE ALSO: [The Leaky Nature of Online Privacy]

UK – BBC Sets Out Social Network Picture Use Policy

The BBC will use pictures published on social network sites without rights holders’ consent “where there is a strong public interest” and if there are time constraints on a major story, the corporation has said. BBC social media editor Chris Hamilton outlined the policy after a BBC staff member expressed the wrong views on the use of copyrighted works in response to a viewer complaint. The complaint detailed concerns at the way the BBC credited pictures as being “from Twitter” and said the BBC should “give proper credit to photographers”. “In terms of permission and attribution, we make every effort to contact people who’ve taken photos we want to use in our coverage and ask for their permission before doing so,” Hamilton said in a BBC blog. “However, in exceptional situations, where there is a strong public interest and often time constraints, such as a major news story like the recent Norway attacks or rioting in England, we may use a photo before we’ve cleared it. We don’t make this decision lightly – a senior editor has to judge that there is indeed a strong public interest in making a photo available to a wide audience.” [Source] See also: [Ohio couple can sue company for spying on sex chat] see also: [The New York Times: On Its Own, Europe Backs Web Privacy Fights]

Other Jurisdictions

IN – Indian Gov’t Exempts Outsourcers from Consent Requirements

On August 25, in response to pressure from the $14 billion Indian BPO industry, the government clarified the new rules under Section 43A of the Information Technology Act to exempt outsourcers from the need to obtain the written consent of data subjects of information received from clients outside India. As predicted, this requirement applies only to “bodies corporate” operating within India. Both IT lobby NASSCOM and the Data Security Council of India (DCSI) welcomed the statement issued by the Ministry of Communications & Information Technology (MCIT).

PE – Details Emerge about New DP Law in Peru

An English translation of Peru’s Law for Personal Data Protection, signed into law in July, shows that a data protection authority, the National Authority for Personal Data Protection, will be established and given the ability to levy fines for violations of the law. In addition, a National Register of Personal Data Protection will be developed to record, for a fee, publicly or privately administered databases of personal information, as well as authorizations issued by the Authority pursuant to the law.

AU – Rethink Urged on Australian Cyber Bill

Privacy concerns must be balanced against any proposed increase in powers to crack online criminal networks, a parliamentary inquiry has recommended. A review of the federal government’s cybercrimes bill was tabled in the Senate on Thursday by the chairwoman of the joint select committee on cyber safety, Labor senator Catryna Bilyk. In June, Attorney-General Robert McClelland introduced legislation that amends a range of laws to enable Australia to accede to the Council of Europe Convention on Cybercrime. The Cybercrime Legislation Amendment Bill allows law-enforcement agencies to request the preservation of communications that could be sought under warrant as evidence. It also increases international cooperation between Australian and overseas cybercrime investigators and extends the scope of existing commonwealth computer offences. Senator Bilyk said the committee had tabled a unanimous report with 13 recommendations. [Source]

HU – Hungarian Ombudsman Rules Personal Data in Govt Survey Be Destroyed

Hungary’s data protection ombudsman, Andras Jori, has declared that the personal data collected from a government-issued survey has not been handled correctly, should be deleted from the records and should not be used or processed in the future. In June, Jori established that the questionnaires did not meet the country’s data protection law and ordered the data be erased, but Jori said that the agency in charge of destroying the data has not complied with his instructions, prompting him to ban the database containing the personal information. [Politics.hu] [Source]

SK – South Koreans Sue Apple Over iPhone Privacy

A group of nearly 27,000 South Koreans is suing Apple for $26 million for what they claim are privacy violations from the collection of iPhone user location information. Each person in the suit is seeking $932 in damages, said Kim Hyeong-seok, one of their attorneys. He said they are targeting Apple Inc. and its South Korean unit to “protect privacy” rights. South Korea’s communications regulator earlier this month ordered Apple’s local operation to pay a 3 million won fine for what it said were violations of the country’s location information laws. [Source]

SK – KCC Proposes Plan for Online Data Protection

In light of a recent breach affecting 35 million citizens, the Korea Communications Commission (KCC) has announced a plan that will require website operators to limit the amount of stored personal information of users and to encrypt data that is stored. Under the proposal, websites would be required to encode information such as telephone numbers and e-mail addresses and provide free security software to companies that cannot afford the required security systems upgrade but would not be able to request resident registration numbers from subscribers. The KCC will have a “detailed action plan” by December, the report states. [The Chosun Ilbo]

NZ – New Zealand Privacy Act Strengthened: Law Commission Report Highlights

The Law Commission’s proposals, released last week, to update and strengthen the Privacy Act 1993 contemplate both detailed technical changes and major departures from how data privacy is regulated. This Brief Counsel summarises the key recommendations in the final report of the Commission’s vast four-part review.

  • The Privacy Commissioner as enforcer: The most significant change recommended by the Law Commission is to grant the Privacy Commissioner enforcement powers. Currently the Privacy Commissioner has a facilitative role only in a complaints-driven process.
  • The Law Commission recommends the Privacy Commissioner be empowered to:

- determine access complaints

- issue compliance notices, and

- require agencies to undergo audits of their information privacy procedures in certain circumstances.

  • The Privacy Commissioner would have the power to require an agency to be audited where there is good reason to do so.
  • The Review recommends the Privacy Commissioner be charged with developing protocols for auditing requirements and situations.
  • The Review proposes a threshold for mandatory notification, to the individual concerned and to the Privacy Commissioner, where the breach is serious. Responsibility for determining whether a breach is “serious” would lie with the agency. Criteria for making this decision would include:

- whether or not the information disclosed is particularly sensitive

- who may have access to the information, and

- whether it is reasonably foreseeable that significant harm may result from the breach
and the scale of the breach.

The Review recommends a number of other changes, including:

  • removing the need for a threat to health and safety to be “imminent”
    in order to allow disclosure of personal information
  • creating a new exception to principle 11 to expressly permit an agency
    to report to a public sector law enforcement agency any reasonably held
    suspicion or belief than an offence has or may be committed
  • requiring the Privacy Commissioner, the Ministry of Justice and the Ombudsman
    work together to develop guidance or commentary on the maintenance of the law
    as a ground to refuse or withhold the provision of information, and
  • implementing a new information sharing framework for the sharing of
    personal information between government agencies.

To ensure that inaccurate information is not perpetuated, and to guard against the threat of misuse and a loss of trust in the government, the Law Commission has prepared a ministerial briefing (reproduced as Appendix 1 of the Review) outlining a suggested information sharing framework. With over 120 recommendations, the Commission has plenty more to say than the provisions highlighted above. Other key recommendations include:

-          express provisions clarifying that agencies sending PI offshore remain fully responsible for that information and must take reasonable steps to ensure that the information will be subject to acceptable privacy standards where the information will not be held or processed on the agency’s behalf

-          removing the exemption from the Act for information collected or held in connection with a person’s personal or domestic affairs, where the use or disclosure would be “highly offensive” (the “no posting compromising photos of your ex” prohibition), and

-          asking appropriate industry bodies to consider implementing a legally enforceable Do Not Call register, through the mechanism of the Fair Trading Act or other market regulation (supplementing the commercial electronic message unsubscribe regimes provided for under the Unsolicited Electronic Messages Act). [Source] [The New Zealand Herald]

RU – Russia Amends Federal Data Protection Law

Amendments to Russia’s federal Law on Personal Data, effective July 27, 2011, directly affect Russian companies that record the contact information of people in computer databases (e.g. medical centers, mobile operators, banks, insurance companies, pension and investment funds, hotels and travel agencies), requiring them to ensure data processed is adequate, relevant, and not excessive in relation to the purposes for which they are processed and choose methods to ensure personal data security as approved by the Federal Security Service or Federal Technical and Export Control Service. The amendments give citizens the right to demand compensation for moral damage or damages in case of leakage of personal information. Strict limitations are imposed on the use of electronic means of communication for direct marketing, including requirements to obtain express consent before sending marketing communications by SMS or e-mail (a lack of prior consent is presumed) and cease sending of marketing communications at the notice of the individual, and prohibiting the use of autodial to send SMS and e-mail marketing. [Source] [Source]

Privacy (US)

US – FTC Fines Mobile App Developer Over Children’s Privacy

The FTC has announced a $50,000 settlement with a developer of mobile applications for children. The developer had been charged with violating the Children’s Online Privacy Protection Act by collecting information from children who used the apps without their parent’s permission. The case was the commission’s first to involve mobile applications, or apps. The charges included collecting and storing children’s e-mail addresses and allowing children to post personal information on public message boards. The company, W3 Innovations, which owns Broken Thumbs Apps, created mobile games and apps for children including Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion. According to the commission, the apps were downloaded more than 50,000 times by children under 13. In addition to the $50,000 penalty, the company will be required to delete the personal information it collected. [Source] [Source]

US – Privacy Lawsuit Targets ComScore

Online data tracking service comScore Inc siphons confidential information including passwords, credit card numbers and Social Security numbers from unsuspecting users, according to a lawsuit filed this week. The proposed class action lawsuit, filed on behalf of two plaintiffs who downloaded comScore software, also says comScore scans all files on users’ personal computers and modifies security settings, among other allegations. The lawsuit against comScore, one of the leading companies that measures and analyzes Internet traffic, seeks an injunction against several alleged practices, as well as damages under U.S. electronic communications privacy laws. ComScore collects data from people who get free software and chances to enter sweepstakes in exchange for their participation. It sells that information to more than 1,800 businesses around the world, including Best Buy Co, Facebook, Microsoft Corp and Yahoo Inc, according to comScore’s website. [Source] [ComScore takes users’ credit card numbers: lawsuit]

US – Company Wants Class-Action Dismissed

Consumers who filed a class-action lawsuit against Amazon haven’t sufficiently alleged that they were harmed, the company says. Amazon is asking that the lawsuit—which alleges the company used cookies to track users via a privacy policy that misrepresented its practices—be dismissed. “Plaintiffs assert attenuated theories of liability and harm, recognized by no court or law, based on Amazon’s alleged practices in setting ‘cookies’ on users’ computers,” the company says in court papers, adding that the users suffered no tangible economic harm. [MediaPost News]

US – University Receives $3.2M for Research

The University of Illinois at Chicago (UIC) is receiving $3.2 million from the National Science Foundation to conduct an electronic privacy study. UIC will receive the funding over the next five years to form an Integrative Graduate Education and Research Traineeship program. Graduate students enrolled in the program will study electronic security and privacy issues in business, engineering, legal and social science. Discussing computer viruses, cyber-attacks and identity theft, the grant’s principal investigator said, “Technological expertise is a necessity to fight these threats, but technological solutions divorced from human, social, economic and legal considerations all-too-often fail.” [Newswise]

US – In New Jersey, Rules Are Changed on Witness IDs

The New Jersey Supreme Court, acknowledging a “troubling lack of reliability in eyewitness identifications,” issued sweeping new rules making it easier for defendants to challenge such evidence in criminal cases. The court said that whenever a defendant presents evidence that a witness’s identification of a suspect was influenced, by the police, for instance, a judge must hold a hearing to consider a broad range of issues. These could include police behavior, but also factors like lighting, the time that had elapsed since the crime or whether the victim felt stress at the time of the identification. When such disputed evidence is admitted, the court said, the judge must give detailed explanations to jurors, even in the middle of a trial, on influences that could heighten the risk of misidentification. In the past, judges held hearings on such matters, but they were far more limited. The decision applies only in New Jersey, but is likely to have considerable impact nationally. [Source]

Privacy Enhancing Technologies (PETs)

WW – Start Up Allows for Privacy On the Web

A social network launched in April of this year claims to give people “real-world style, disposable interaction on the web.” In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the “go-to place” for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company’s servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. “A lot of this data analysis, complex or not, can occur in realtime,” he says. [PaidContent | Part 1: Disconnect | Part 2: Everloop ] See also: [IPC ON - Privacy By Design in Law, Policy and Practice: a White Paper for Regulators, Decision-Makers and Policy-Makers]

RFID

US – Valley Doctor Devises Microchip to Manage Implant Patient Records

Dr. Berger, in association with the University of Pittsburgh and Doctor Marlin Mickle, has created a microchip that contains the medical history of the joint and even keeps records of the movement of the knee joint. “Once an implant is put into the patient there is always a need for paper records and if the patient needs it in a hurry, the Ortho-Tag will be able to provide the information,” said Berger. “The tag keeps the history of the artificial joint and records the range of movement that will help physical therapists treat the patient. And it will act as an early warning system for infection of the joint.” [Source]

Security

EU – ENISA: A Security Analysis of Next Generation Web Standards

In order to accommodate innovations in web applications and their business models, new standards are currently being developed (including an overhaul of HTML (HTML5), cross-origin communication standards (such as CORS and XHR), standards for access to local data such as geo-location, local storage and packaged stand-alone applications); this report by the European Network and Information Security Agency (“ENISA”) identifies 51 security threats and issues – 25 identify security-relevant capabilities in the individual specifications which are not well-defined or insecure (e.g. unprotected access to sensitive information, new ways to trigger form submission to adversaries, adversary-controlled cross-domain requests, and granularity problems in specifying and enforcing least-privilege policies), 8 issues dealing with isolation properties (e.g. new ways to escape origin separation and click-jacking protection) and other identified threats related to inconsistencies and under-specification relating to permission and user-involvement. The report includes recommendations on controlling functionality (e.g. through enhanced access control policies such as the Content Security Policy specification), permission system design (e.g. a separate specification for permissions systems referenced by all related specifications), more detailed user interface requirements (e.g. permissions specifications should require certain features in user interfaces such as information about the document origin, if the permission is for one-shot or monitoring access, etc.), end-user policing (e.g. specifications should require permission awareness indicators, so the user knows when a site is using a granted permission, and users should have a way to select predefined security profiles) and restricted contexts (e.g. private browsing should be included in a specification which defines behaviours such as whether permissions should be shared outside of private browsing mode). [Source]

CA – Cyber Attacks Force Businesses to Spend More on Security

As much as 20% of Canadian businesses lost at least $274,600 as a result of cyber attacks, according to a survey by Symantec. Nearly half of Canadian businesses are hiring more technology professionals and spending a greater part of their budgets on security to deal with an ever growing amount of IT threats, according to a recent survey. As much as 45 per cent of the respondents believe that cyber security is more important today that it was just a year ago, the survey found. Apart from malware and cyber attacks, IT teams are also facing a lot of pressure from the proliferation of consumer oriented mobile devices now popping up in the workplace. [Source] See also: [Google one of many victims in SSL certificate hack]

US – Lost USB Memory Sticks Affect Bottom Line: Ponemon Study

Lost memory sticks holding sensitive data can be detrimental to a company’s bottom line. That’s according to a recent Ponemon Institute study, which surveyed more than 400 organizations and found they will lose $2.5 million because of missing memory sticks. Nearly half of organizations have lost sensitive or confidential information on USB drives in just the past two years. Many businesses don’t know – or aren’t tracking – all the places their data is stored. It could be the corporate server, desktop or portable PCs, smart phones and portable memory devices. The Ponemon Institute says more than 40% of organizations surveyed have more than 50,000 inexpensive consumer USB drives in use, with nearly 20% having more than 100,000 drives in circulation – typically with very little oversight or control, even with all those high profile data losses.On average, the companies lost 12,000 records stored on the sticks, costing about $214 per record. More than 70% of survey respondents said they are either certain or feel it was likely that data breaches were caused by missing memory sticks. A U.S. Department of Homeland Security experiment placed USB sticks in parking lots and found 60 percent of those who picked them up accessed the data. [PCWorld] [Source]

CA – Canadians Lax About Cellphone Security

Those aged 18–34 were more likely to use features such as passwords and settings to protect their privacy than older Canadians. Less than half of Canadian cellphone and tablet users put password locks on the devices or adjust settings to limit the sharing of personal information stored on the devices, a poll commissioned by Canada’s privacy commissioner has found. The survey also found that:

  • 1/3 of Canadians use public Wi-Fi at places such as coffee shops and airports where online communications are not always protected by encryption.
  • 1 in 5 users of social networking sites do not adjust privacy settings to control who can see photos and information about them online.

When asked if there were technologies they were particularly concerned about with respect to privacy issues, 40% said the internet, 15% said social networking sites and 11% said cellphone or communications technology. For a similar survey two years earlier, just 26% were concerned about the internet, 2% about social networking sites and 3% about cellphone or communications technology.

  • 85% of public Wi-Fi users were concerned about the risk it posed to their privacy.
  • 45% of social networking site users also expressed concern about the risk to their privacy.
  • 61% felt their personal information is more weakly protected than 10 years ago.
  • Only 14% felt businesses are taking their obligations to protect privacy seriously and 22% thought governments are doing so.
  • 82% opposed giving police and intelligence agencies the power to access email records and other internet usage data without a warrant from the courts.
  • 85% of survey respondents said they were somewhat or very concerned about personal information provided to airport and border crossing agents being shared with foreign authorities.

Meanwhile, a vast majority believe Canada should toughen up laws protecting personal information:

  • 97% of respondents want companies who break privacy laws to be legally required to implement privacy protections. At the moment, the Privacy Commissioner can make recommendations, but must turn to the courts for enforcement if the company refuses to comply.
  • 95% think companies who break privacy laws should be named, 91% think they should be fined, and 84% think they should be taken to court.
  • 83% think internet companies should ask their customers for permission before tracking online behaviour and internet usage. [Source] [Most of us don’t use passwords on mobile devices: Study] and [US: Why Your App Must Comply With Child Privacy Regulations]

WW – Android Malware Further Invades Privacy

New malware discovered on Android Market can record phone calls, as increased malware continues to present new problems for Google’s mobile operating system. The Android Trojan, called “Golddream.A,” infiltrates phones when people unknowingly download hacked applications and records users’ phone calls. The virus stores the recording on the phone’s SD memory card and then uploads it to remote server controlled by the hacker. The new malware, discovered by security researchers at Computer Associates, may be some of the most intrusive yet in the Android Market, but it’s certainly not the first. Reports of possible security issues with Android software began to pick up in March, when antivirus company Kaspersky identified 70 types of Android malware. The company ran the same test last September and only brought up two malware threats, suggesting viruses will continue to grow on the platform. [Source]

WW – iTunes App Store, Android Market a ‘Gold Mine’ of Personal Info

A survey of 100 apps found that many are storing a high percentage of unencrypted personal data, making mobile devices a more attractive target for identity thieves and hackers. 76% of account user names for all the apps tested were able to be recovered, along with 31% of application data, such as location check-ins, and 10% of passwords. Overall, 39% of the apps were given a fail rating by the survey, called “appWatchdog” and conducted over an eight-month period by ViaForensics, a digital forensics and security firm. The rating indicates that a variety of sensitive information, including passwords and personal identification numbers (PINs) used through apps are regularly stored and recoverable from smartphones. [Source]

US – Why Your App Must Comply With Child Privacy Regulations

The FTC announced a settlement with mobile app developer W3 Innovations, LLC. (W3) and its president, Justin Maples, over alleged children’s privacy violations. The FTC action was intended to send a message to the mobile app market that it will be closely monitoring the industry for business practices that violate consumer protection law, including privacy restrictions. [Source]

CA – Smart Home Security Service Launched by Rogers

A security system that also lets homeowners control appliances and thermostats remotely using a smartphone is being offered by Rogers Communications. Ian Pattinson, vice-president and general manager of Rogers Smart Home Monitoring, a new service that launched in Ontario this week, said his family uses the system to arm security, turn off lights, automatically shut off devices such as a curling iron and adjust the thermostat in a single step when they leave home. Further adjustments can be made using his iPhone while he is out of the house. Privacy built in, Rogers says: Ann Cavoukian, information and privacy commissioner of Ontario, said this kind of emerging smart home technology can bring “significant benefits” to people’s day-to-day lives. Privacy concerns may only surface if the personal information is sent to a central monitoring station. Pattinson said building privacy into the system was important. He noted that the central monitoring system doesn’t have access to the cameras, information about doors opening or closing, and don’t get copies of the emails and text messages with pictures. Each user has a personal four-digit code that gives certain rights to use the system, and that must be entered in addition to a Rogers password in order to control appliances or the security system. He added that the sensors, which cost $49 each, are encrypted and the company has employed “white-hat” hackers to test the system’s security. [Source]

US – Report Analyzes Advanced Persistent Threats

In its latest global threat report, Cisco has found that data breaches have been “seemingly nonstop” in 2011, with unique instances of malware more than doubling. The report discusses advanced persistent threats (APTs) and the difficulty of identifying them, saying that APTs “must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses.” A Cisco representative said, “If anyone attempts to sell your organization a hardware or software solution for APTs, they either don’t understand APTs, don’t really understand how computers work or are lying–or possibly all three.” [siliconrepublic]

US – Demand for Info Sec Pros Expected to Grow

According to a report from the recruitment firm Barclay Simpson, demand for information security professionals is up and will continue to grow through the end of the year. “The information security recruitment market recovered during the course of 2010,” the firm said, adding, “By the end of the year, all sectors outside of the public sector were experiencing demand similar to pre-recessionary levels.” According to the report, driving the demand is the need for risk-assessment and Payment Card Industry Data Security Standard skills. [InfoSecurity] [Source]

Smart Cards

US – Visa to Implement Chip and PIN in US

Visa has announced plans to implement an additional layer of authentication for in-person purchases by moving from magnetic strip to chip-and-PIN technology. The plan will require users to enter PINs when making purchases at terminals that are compatible with the new technology, which is already in wide use in Europe. Starting in October 2012, Visa will exempt US merchants from PCI DSS compliance standards if they conduct at least 75% of their Visa transactions with the new terminals. By April 2013, all US merchants and payment card processors will have to support chip-and-PIN technology. [Source] See also: [Organization Loses PCI Assessor Credentials] [Visa To Waive Some PCI DSS Compliance]

Surveillance

US – ACLU Seeking Information on Police Use of Mobile Device Data for Tracking

Affiliates of the American Civil Liberties Union (ACLU) in 31 states have filed 379 information requests, demanding that state and local law enforcement agencies tell how they use location information from mobile phones to track U.S. residents. Amid a growing debate over whether police or private companies should be able to track mobile-phone users, the public should know how law enforcement agencies are using mobile location data, the ACLU said. The information requests ask local and state law enforcement agencies whether they are obtaining court-approved warrants before tracking mobile-phone users, and how often they are obtaining mobile-phone location data. The ACLU groups also want to know how much money local and state police agencies are spending on mobile-phone tracking. [Source] [Source] [Source] [ACLU] See also: [U.S. plans to provide Iraq with wiretapping system]

US – US Court Order Denies Release of Historical Cell-Site Information

Court denies the government’s application to obtain from a cellphone provider (Verizon) records reflecting the historic location of a cell phone for a 113 day period (“cell site information”) as cellphone users maintain a reasonable expectation of privacy in long-term cell-site-location records (cell-site-location records sought capture enough of the user’s location information for a long enough time period to depict a sufficiently detailed and intimate picture of his movements); collection of cell-site location records effectively enables “mass” or “wholesale” electronic surveillance and raises greater Fourth Amendment concerns than a single electronically surveilled car trip. Although the cell-phone user, by choosing to carry, turn on, and make and receive communications from a cell phone voluntarily discloses information about his location to a third party (under the 3rd-party-disclosure doctrine, such a disclosure would eliminate a reasonable expectation of privacy), there should be an exception for cumulative cell-site-location records (these records implicate sufficiently serious protected privacy concerns that an exception to the third-party disclosure doctrine should apply to them to prohibit undue governmental intrusion). [Source]

UK – CCTV Puts Eyes on London Rioters

As Britons woke to scenes of devastation from riot-hit cities across the country, they were also bombarded with digital security camera images of some of the looters who caused the havoc. Scotland Yard wasted no time in trolling through film from a plethora of closed-circuit television (CCTV) security cameras to retrieve shots of the thugs and arsonists who caused the mayhem. The police are aided by the fact Britain, perhaps more than any other country in Europe, is saturated with hundreds of thousands of the cameras that monitor building lobbies, stores and streets for security, watch for traffic jams and bill motorists who drive into London’s city centre in an attempt to reduce traffic congestion. Scotland Yard released 15 photographs of riot suspects, posting the images on the Internet and asking citizens “to identify people that were engaged in criminality.” “We will be coming to arrest you over the coming days — if necessary, weeks and months,” promised Tim Godwin, the acting police commissioner. [Source]

CA – No Video Cameras for Seniors’ Homes

Video cameras are not the best way to protect frail seniors in nursing homes, Ontario Health Minister Deb Matthews says. “After very careful examination from many different angles, we determined that the best way to move forward was to continue to work with the long term care homes, with the families and with the people who live in long term care homes,” Matthews said. While no law prohibits families from placing video cameras in homes to monitor the care of seniors, staff will usually order them to remove it, a GAP news release says. Matthews said the ministry has consulted with the provincial information and privacy commissioner, and video cameras raise privacy issues. [Source] SEE ALSO: [Police, business and the city of Peterborough collude for more closed-circuit television cameras] and [More GPS surveillance is on the way] and [AU: Film rolls on public sex and bar fights at Reef Hotel Casino in Cairns] and also: [US: License-plate software stirs privacy debate]

Telecom / TV

US – FCC Asked to Disallow Wireless Shutdowns on Public Transit

An emergency filing sent Aug. 29, to the FCC is asking the commission to swiftly rule that local governments don’t have the authority to shut off wireless communications systems — a direct rebuke of an incident earlier this month on San Francisco’s public transit. The Electronic Frontier Foundation, the Center for Democracy and Technology in Government, and several other organizations asserted in the emergency petition that Bay Area Rapid Transit’s (BART) purposeful shutdown on Aug. 11 of wireless service used by passengers engendered public safety and infringed on citizen rights. Both the FCC and BART have already said they would investigate the circumstances and legality of the shutdown. The advocacy groups commended the FCC for initiating an inquiry. BART turned off cell service at four underground stations on Aug. 11. BART officials said the temporary shutdown was due to information they had that mobile devices would be used to organize a rush-hour protest over the shooting deaths of two men by BART police. Turning cell service off created a firestorm of freedom-of-speech claims, including from the activist group “Anonymous.” The group fired back at BART on Aug. 14, hacking the Mybart.org website and leaking the personal and login information of that website’s users. Mybart.org remains temporarily shut down by BART. [Source]

UK – Hackers Threaten Blackberry for Co-Operating With London Police

A British MP is asking that Blackberry’s instant-messaging service be suspended because of its suspected use by rioters in London and other British cities, following some of the worst riots England has seen in years. Police believe the BBM was used by the rioters because the messages are private. “This is one of the reasons why unsophisticated criminals are outfoxing an otherwise sophisticated police force,” Lammy tweeted. “BBM is different as it is encrypted and police can’t access it.” RIM released a statement Monday saying: “As in all markets around the world where BlackBerry is available, we cooperate with local telecommunications operators, law enforcement and regulatory officials.” On the same day, BlackBerry U.K. tweeted that it would be cooperating with authorities but did not specify in what way. “We feel for those impacted by the riots in London,” the tweet read. “We have engaged with the authorities to assist in any way we can.” But BlackBerry’s response has sparked a wide array of criticism on Twitter, as well as a threat from a hacking group going by the name of Team Poison. The hackers posted a warning on the company’s blog threatening Research In Motion and Blackberry. According to the Guardian, the statement reads: “You Will_NOT_assist the UK Police because if you do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason. “If you do assist the police by giving them chat logs, GPS locations, customer information and access to peoples BlackBerry Messengers you will regret it, we have access to your database which includes your employees information; e.g. – Addresses, Names, Phone Numbers etc. – now if u assist the police, we_WILL_make this information public and pass it onto rioters.” [Source] [British Government Considers Disrupting Social Networks in Attempt to Quell Riots] [Source]

US – Senator Vows to Block Surveillance Bill Over Privacy Concerns

Sen. Ron Wyden (D-Ore.) will seek to block passage of an intelligence bill that extends the government’s eavesdropping authorities because the intelligence community won’t say how many Americans are being monitored. At issue is the Foreign Intelligence Surveillance Act, which was passed in 1978 in response to revelations of political wiretapping. The law was updated in 2008 in a way that essentially legalized President George W. Bush’s “warrantless wiretapping” program aimed at stopping terrorism plots. The intelligence bill, approved by the Senate’s Select Committee on Intelligence, would extend the 2008 changes until 2015. Those changes greatly expanded the government’s surveillance authorities. “Congress passed the FISA Amendments Act in 2008 in an effort to give the government new authorities to conduct surveillance of foreigners outside the United States,” Wyden said in a statement. “The bill contained an expiration date of December 2012, and the purpose of this expiration date was to force members of Congress to come back in a few years and examine whether these new authorities had been interpreted and implemented as intended,” Wyden wrote. “I believe that Congress has not yet adequately examined this issue, and that there are important questions that need to be answered before the FISA Amendments Act is given a long-term extension.” [Source]

CA – Company Settles Over Robocalls

Canada’s minister of industry says he’s pleased with the settlement between the Canadian Radio-television and Telecommunications Commission (CRTC) and Goodlife Fitness Centres, Inc. The settlement is related to the company’s telemarketing methods using “robocalls” without members’ prior consent. Using automatic dialing-announcing devices without prior consent is forbidden under CRTC guidelines. The company has agreed to pay $300,000; publish corrective notices in newspapers and on its website; cease the robocalls, and organize a business education event with the CRTC to encourage telemarketing compliance, the report states. Minister of Industry Christian Paradis said the settlement is “good news for Canadian consumers.” [Source]

US – Company Creates DIY Privacy Policies for Apps

Privacy policies can be difficult to write and read–especially on mobile devices–prompting one company to create a tool to help mobile application developers make consumer-friendly policies. PrivacyChoice analyzed hundreds of privacy policies across the web, devising a tool that asks developers questions about their data handling practices and then formulates a policy based on the answers. “The mobile environment requires you to say things very succinctly, and it requires you to say things in layers,” says Jim Brock, founder of PrivacyChoice. One industry advocate says solving the “privacy problem” is crucial to developers, many of whom are small businesses dependent on income from selling consumer data. [The New York Times]

US Government Programs

US – Bush-Era Warrantless Wiretapping Program on Trial in Seattle

According to the court testimony of a former AT&T technician, there is a secret room—the “SG-3 Room”—In the company’s San Francisco offices that is occupied by the National Security Agency. All Internet traffic AT&T receives is filtered through high-powered NSA computers there, and the machines sort through the communications of “millions of ordinary Americans” searching for . . . something. The Electronic Frontier Foundation and the ACLU are fighting an ongoing legal battle with the government and AT&T in attempt to establish some sort of accountability for the domestic spy program. Two key appeals cases will be heard in Seattle federal court this month. The first, Jewel v. NSA, was filed by the EFF in 2006, “on behalf of AT&T customers to stop the illegal, unconstitutional, and ongoing dragnet surveillance of their communications and communications records.” The case also targets former President George W. Bush, former Vice President Dick Cheney, Cheney’s former chief of staff David Addington, and former Attorney General and White House Counsel Alberto Gonzales–the officials who authorized the NSA wiretapping. The second case, Hepting v. AT&T, covers much the same ground. Also filed in 2006, the EFF is again suing on behalf of AT&T customers, alleging that the telecommunications company violated privacy laws “by collaborating with the NSA in the massive, illegal program to wiretap and data-mine Americans’ communications.” Both cases have previously been dismissed by judges in lower courts. In the Jewel case, the Bush administration argued that the litigation would force the government to disclose “state secrets.” The Obama administration used the same argument again in 2009, and a District Court judge eventually dismissed the case on the grounds that, because millions of Americans had been spied upon, no single American had standing to sue. A federal judge nixed the Hepting case in June 2009, ruling that AT&T and other Internet service providers were not liable for being in cahoots with the NSA because of the Foreign Intelligence Surveillance Amendments Act. This law, signed by Bush in 2008, allows the Attorney General to dismiss lawsuits against telecom companies for wiretapping if the program did not occur, was legal, or was authorized by the president. (None of those steps are required to be disclosed to the public.) The AT&T/NSA program received this certification in September 2008. Both cases rely on evidence gathered by Mark Klein, a former AT&T technician who documented the existence of the “SG-3” room in San Francisco, a setup he claims exists in at least 15-20 other AT&T sites around the country. Klein’s testimony was supported by a former Senior Advisor for Internet Technology at the FCC. [Source] See also: [US: Domestic surveillance a key legacy of 9/11] and also: [AT&T Sues Individuals for Mining Data]

US – Judge Calls Location-Tracking Orwellian, While Congress Moves to Legalize It

A judge ruled this week that law enforcement authorities need a warrant to access location data on a suspect’s cell phone. But the debate on the right to privacy when it comes to technology like smartphones and GPS systems is far from over, as a similar case heads to the Supreme Court, and bills by Sen. Patrick Leahy (D-VT) and Sen. Ron Wyden (D-OR) are reviewed. “Regardless of what the courts decide,” said an attorney with the Electronic Frontier Foundation, “the right answer when it comes to the Fourth Amendment does not preclude Congress as a policy matter that it should protect location data more strongly.” [Wired]

US – New Federal CIO Named

FCC managing director and former Microsoft executive Steven VanRoekel will be the next federal chief information officer. VanRoekel will replace Vivek Kundra, who has held the position since 2009 and is leaving to take a position at Harvard. VanRoekel says he plans to further the work that Kundra began. “We’re trying to make sure that the pace of innovation in the private sector can be applied to the model that is government,” he said. For two years, VanRoekel has served as managing director of the Federal Communications Commission. Before that, he spent 15 years with Microsoft. [The New York Times]

US Legislation

US – House Panel Votes to Require ISPs to Keep Customer Records

A U.S. House of Representatives committee has voted to approve legislation that would require Internet service providers to retain customer IP data for 12 months in the name of combating child pornography. The Protecting Children From Internet Pornographers Act would require ISPs to retain all customer IP addresses so that law enforcement agents can use the information to investigate online child pornography. Law enforcement agents would gain access to the IP information with subpoenas they issue, not court-ordered warrants. The House Judiciary Committee voted 19-10 to approve the bill over the privacy concerns of several committee members. Most Republicans voted for the bill, and most Democrats voted against it. The bill is “an outrageous expansion of the power of the federal government,” said Representative Zoe Lofgren, a California Democrat. Several Democrats raised concerns that federal law enforcement agents would use the IP data for investigating a wide range of crimes, not just child pornography. Critics also suggested that the data rules would open up the customer data to subpoenas in civil lawsuits and would be a costly burden to small ISPs. [Source]

US – California Assembly Passes Cell-Phone Privacy Bill

The state Assembly unanimously approved a bill that would force law enforcement officers to secure a warrant before they can search the contents of a cell phone. The measure has changed slightly since it was approved by the state Senate last month, so the upper house must weigh in again before the bill heads to the desk of Gov. Jerry Brown. If he signs it into law, it would overturn a January state Supreme Court ruling that allowed officers to search the contents of a cell phone they take from anyone they arrest. Source]

Workplace Privacy

US – Massachusetts Data Security Regs Require More than a WISP

In its first settlement over allegations of violations of the state’s rigorous data security regulations, the Massachusetts Attorney General’s Office found that the Belmont Savings Bank’s written information security plan (WISP), while necessary, was insufficient to demonstrate compliance with the regulations. Specifically, the Bank failed to encrypt personal information on laptops and the mobile devices, failed to store and secure back-up tapes properly, and failed to train its employees in data security policies and procedures. The Bank agreed to pay a $7,500 fine and follow the provisions of its own WISP.

US – NLRB Issues Guidance on Social Media Policies in Workplace

After bringing a number of enforcement actions against employers for over-reaching social media policies, the National Labor Relations Board (NLRB) issued three advice memoranda that clarified its position on acceptable policies. According to the NLRB, an employer’s social media policy or practice only violates the National Labor Relations Act when the policy or practice is used to stop or specifically target concerted organizing activity. Employers do not have to tolerate disparaging remarks about their company, managers, employees or customers simply because an employee makes that remark on Facebook or another social media site. Separately, the U.S. Chamber of Commerce issued a comprehensive report entitled “Survey of Social Media Issues Before the NLRB“ providing a wealth of information about NLRB decisions in this area. See also: [16 Ways to Stay Safe on Facebook]

US – Seven HR Data Breaches in August

Breaches of employment-related data slowed a little in August, with only seven organizations announcing losses: Fort Dodge Correctional Facility (names, SSNs and other personal information of an undisclosed number of the Iowa prison’s employees left in an unsecured location accessible to inmates); Allianceforbiz.com (20,000 government employees and contractors impacted by the hacking of an events management company); Bay Area Rapid Transit (personal information of over 2,400 BART employees deliberately posted on the Internet as retaliation by the hacker group #Anonymous, following protests over fatal shootings by BART police); Reznick Group (an undisclosed number of employees of the top 20 national CPA firm affected by a computer security breach experienced by AssureCare Risk Management, a former service provider for the firm’s employee benefits plan); City of Pittsburgh (at least 29 police officers, public safety employees and others victimized by ID theft, with the source of the breach not known); and Lexington VA Medical Center (1,900 veteran’s warned that their personal details were made vulnerable when an employee took patient files home in violation of the Kentucky hospital’s policy).

CA – B.C. To Screen Caregivers of Children

The B.C. government is reversing course on a policy that allows caregivers of vulnerable children to avoid background security checks. Adults in more than 1,300 B.C. homes will soon face screening such as criminal-record checks to determine if they should continue to care for a relative’s children. The turnaround comes at the order of Mary McNeil, new Minister for Children and Families. Last year, the province rejected calls from its children and youth watchdog to review all the homes receiving financial aid from the Child in the Home of a Relative program. The program offers assistance to families who care for a niece, nephew or grandchild when the parents cannot do so. But an audit by the watchdog found thousands of fragile children are exposed to risk because of inadequate background checks. The program is now being phased out – replaced with a new program that includes full screening – and caregivers who enrolled after December, 2007, have been screened. Still, there are 1,800 children and youth placed in a relative’s care where the adults have not gone through background checks. [Source] See also: [US – Former WKU employee Eckhardt files complaints through civil court, EEOC] and [SaskTel too nosy over sick leave says arbitrator] and [CA – Video of bus driver violated privacy, union says] and [Addiction information used against Alberta employee]

US – Lawyers Ask Montana High Court to Protect Privacy

Two Billings attorneys are asking the Montana Supreme Court to stop workers’ compensation investigators from practices that they say violate the privacy rights of workers’ comp claimants. The Billings Gazette reports that Gene Jarussi and Michael Eiselein, along with 10 other attorneys across the state, filed the petition on Aug. 2, contending that Montana State Fund fraud investigators routinely share surveillance videos and other confidential information with doctors of workers’ comp claimants. The attorneys say the investigators commonly don’t get a court order allowing them to release the info, nor do they tell the claimants that they’re sharing the information. They’re asking the high court to stop the investigators from sharing confidential criminal justice information until the State Fund shows it’s doing so lawfully. [Source]

+++

01-31 July 2011

Biometrics 

US – Law Enforcement to Begin Iris Scanning Amid Privacy Concerns

New iris- and face-scanning technology could improve the speed and accuracy of police work but raises privacy and civil liberties concerns. The Mobile Offender Recognition and Information System (MORIS) scans an individual’s iris to detect unique patterns so that law enforcement can identify a suspect more quickly. The MORIS technology can also be attached to smartphones and photograph a person’s face, which then runs the image through a database to identify the individual. A representative from the technology’s manufacturer says the application will not be intrusive because “it requires a level of cooperation that makes it very overt—a person knows that you’re taking a picture for this purpose.” [Source

WW – Study: Facial Recognition Technology Powerful, Intrusive

Research conducted at Carnegie Mellon University has successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study’s author could also correctly predict the first five digits of the participants’ Social Security numbers nearly 27% of the time. One law professor notes that the combination of available, “anonymous” online data and the technology makes re-identifying people possible. The study’s author says, “This paper really establishes that re-identification is much easier than experts think it’s going to be.” [The Wall Street Journal] See also: [Facebook facial-recognition feature won’t be available to Canadians] [Facial-recognition technology needs limits, privacy advocates warn] and [Ontario Commissioner: Facial Recognition With Privacy Is Possible] See also: [What Caricatures Can Teach Us About Facial Recognition] and [Barry: Cycling leads the pack in drug testing

Canada 

CA – Privacy Group Fears New “Lawful Access” Laws

A group of privacy advocates is raising alarm about several government initiatives they say could have serious privacy repercussions for Canadians. Sharon Polsky, the national chairperson for the Canadian Association of Professional Access and Privacy Administrators. Polsky’s group is concerned by the Lawful Access law, slated to be introduced soon after Parliament resumes its fall session. The group says the law as proposed would make ISPs agents of the state by requiring them to monitor Internet behaviour and pass on identifiable information to law enforcement officials without the need of a warrant. The group is also concerned about an international agreement called the Anti-Counterfeiting Trade Agreement, which has been negotiated in secret by 37 different countries, including Canada. While Canada has not yet signed on, ACTA would force the government to harden its copyright rules to be in sync with those negotiated by the member countries, and could cut off Internet access for a year to those suspected of illegally downloading copyrighted songs or movies. “People are not concerned, because people don’t know about it; (ACTA) was negotiated in secret,” Polsky said. She added that she’s also concerned the proposed Lawful Access law would give law enforcement officials from other countries access to the Internet habits of Canadians, because she said police forces often share information with each other. [NIST Release] [Source] [Source] [The What and Why of NIST’s Privacy Appendix] See also: [U.S. ambassador says perimeter security deal with Canada will respect privacy] and [Adopting U.S. privacy standards could hurt Canada’s reputation: watchdog

CA – Canada’s Privacy Chief Prepares to Take On Google

The Privacy Commissioner of Canada is preparing to take on Google Inc. over concerns about how the firm collects, retains and uses personal data. In a little-noticed 46-page report, Jennifer Stoddart has outlined a year-long consultation into issues about online tracking, profiling and targeting. In her review, the commissioner found that Google and other Internet firms including Facebook and FourSquare, are collecting increasing amounts of data about users and not adequately informing people about the data collection or for what it is being used. The privacy commissioner is pushing for these companies to become more proactive in explaining how they collect user information and what they are using it for. [Source] See also: [Oshawa MPP says PC Party would slap GPS devices on sex offenders]

BC – BC Privacy Commissioner to Investigate Smart Meters

B.C.’s Information and Privacy Commissioner Elizabeth Denham will investigate BC Hydro’s Smart Meter program to ensure it complies with privacy laws. The Commissioner said she decided to launch her investigation after receiving numerous complaints that the information collected by the meters may breach personal privacy. “The privacy and security of energy consumption data is a very real issue for citizens throughout the province,” Denham is quoted as saying in the news release. “With an increase in the frequency of the information collected from smart meters comes an increased responsibility on BC Hydro to ensure that privacy and security is built into the smart grid.” BC Hydro is planning to spend $930 million to install 1.8 million smart meters across B.C. The project is due to be completed by the end of 2012. The new meters will also allow customers to log on to Hydro’s website and monitor their own electricity use in real time. [Source] See also: [Canadians deserve greater online protection: privacy commission

CA – Federal Privacy Commissioner Takes Prison Service to Court

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country’s prison system to court for allegedly violating the Privacy Act. Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC’s communications director, Anne-Marie Hayden, says, “In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information.” [National Post]

Consumer

WW – Consumers Willing to Pay More for Privacy

A new study has found that consumers are willing to pay more for purchases from online vendors “with clear, protective privacy policies.” The Carnegie Mellon University study found that, for example, participants in the study shopping for batteries made “significantly more purchases” from sites rated high privacy—47.4%—than from sites rated no privacy—5.6%. Additionally, consumers were willing to pay, on average, 59 cents more from sites with strong privacy protection. “Our study indicates that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites,” the authors noted. [ScienceBlog]

E-Government 

US – Florida Makes Millions Selling DMV Data

Last year, the state of Florida made more than US $60 million from selling information held by the Department of Highway Safety and Motor Vehicles. It is legal in Florida to sell the data, which include names, addresses, dates of birth and vehicles registered. The data are available to employers and insurance companies, but the state is also selling them to companies that collect personal data and sell them to others. The companies purchasing the information from the state must sign contracts promising not to use the information to harass people. The state does not sell SSNs or driver’s license numbers. Judges and law enforcement officers may request that their information not be sold. [Source] [Source

UK – DVLA Teams Up With IBM in Bid to Curb Uninsured Driver Menace

The DVLA (Driver and Vehicle Licensing Agency) and Motor Insurers’ Bureau (MIB) have introduced a new system to help identify uninsured vehicles which they claim will improve road safety and reduce the cost of uninsured driving across the UK. The new system, delivered with the support of IBM, works by comparing the Motor Insurance Database with DVLA’s vehicle database and is the foundation of the new Continuous Insurance Enforcement initiative, a collaboration between DVLA, DfT, and MIB to reduce the number of vehicles being driven on UK roads without insurance. Under the new system, which took two years to develop, if a vehicle is suspected as being uninsured, the registered keeper will receive a letter from the MIB advising them to get insurance or declare the vehicle off-road. If they fail to do this enforcement action will be taken by DVLA consisting of a fixed penalty of £100, wheel clamping or Court prosecutions. [Source] See also: [Defeated MPs called ‘childish’ for destroying documents on immigration, citizenship cases] and [‘Most open government’ has a lot of catch-up to do] and [Privacy Advocates Fear Immigration ID Database

UK – Councils Compile Databases Containing Over 9,000 ‘Troublemaking’ Residents

It has been revealed that council bureaucrats have been keeping secret databases of residents who have been involved in disputes with them. At least 9,000 people are on the lists, kept by more than 40 councils around England. The reasons for placing people on the databases vary from council to council but many of them are exceedingly trivial, such as arguing with a council official or a dustman. [Source] SEE ALSO: [Blogger Sues To See If Government Kept a File on Him] and also: [It’s All About Transparency: Without proper laws governing public disclosure of data security hacks, Canadians remain at risk] and [Toronto’s data open but almost useless]

E-Mail 

CA – Comments Sought in Anti-Spam Regulations

The entities that will implement Canada’s Anti-Spam Legislation have each released draft regulations for comment. Industry Canada’s draft regulations define what constitutes family and personal relationships–both exceptions to obtaining user consent under the proposed legislation, which could affect “forward to a friend” marketing campaigns. The Canadian Radio-television and Telecommunications Commission draft regulations address commercial electronic message content; request for express consent requirements for sending commercial messages, and notice and consent requirements. [Hunton & Williams’ Privacy and Information Security Law Blog] [Electronic Commerce Protection Regulations - Department of Industry - Canada Gazette] [CRTC - Telecom Notice of Consultation CRTC 2011-400: Call for Comments on Draft Electronic Commerce Protection Regulations (CRTC) ]

Electronic Records

AU – Commissioner Eyes Tough E-Health Privacy Laws

Privacy Commissioner Timothy Pilgrim has proposed laws around e-health records in Australia that would tighten use and disclosure of data and penalise any privacy breaches. Pilgrim also proposed laws that would keep e-health record storage in Australia to combat data security concerns. The Privacy Commissioner made 32 recommendations in total on the operation of the Government’s planned $467 million personally-controlled electronic health record (PCEHR) system, which was to be implemented by the National E-Health Transition Authority (NEHTA). The proposed laws would regulate the permitted information flows of health records, restrict the secondary use and disclosure of records to avoid function creep, install transparent governance mechanisms and outline specific sanctions and remedies for breaches. Also sought were a set of minimum terms/rights and responsibilities for participation in the PCEHR by individuals and healthcare providers, and a mandate for uniform complaint-handling mechanisms. Lack of details and precise powers available to health users had upset key privacy organisations such as the Australian Privacy Foundation whose chair, Roger Clarke, lambasted the Health Minister Nicola Roxon over how the eHealth system would fulfil its privacy promise. [Source] See also: [Old Dominion U. professor is trying to save Internet history] and also: [Privacy concerns raised over Fiji electronic voter registration plans

US – Experts Discuss Patient Access, Privacy

The biggest factor in revolutionizing the healthcare system will be patients’ access to their healthcare data. That’s according to healthcare experts at a forum in New York earlier this month. Neil Calman, CEO and co-founder of the Institute for Family Health, said patients will soon expect records in downloadable form, and HIPAA and other regulations will be amended to meet those demands. Experts also discussed privacy and security issues in moving patient data to the cloud. As of mid-July, the U.S. Department of Health and Human Services had recorded 292 health data breaches. Although six percent were due to hacking, that number is expected to increase. [Source] See also: [HHS - Notice of Proposed Rulemaking - 42 CFR Part 401 - Availability of Medicare Data for Performance Measurement] and [IPC Ontario paper: Dispelling the Myths Surrounding De-Identification]

Encryption

US – DOJ – We Can Force You to Decrypt That Laptop

The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent-setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution’s Fifth Amendment, which broadly protects Americans’ right to remain silent. [Source]

US – RSA Parent Company Spent US $66 Million in Q2 to Address Cyber Attack

RSA parent company EMC spent US $66 million in the second quarter of 2011 to deal with the cyber attack that compromised the integrity of RSA security tokens. EMC provided transaction monitoring for corporate customers concerned about the security of their tokens; the company also offered replacement tokens to companies that requested them. In a conference call regarding the company’s financial results, EMC executive VP David Goluden offered additional information about the attack, saying that customers were notified within hours after the company became aware of the breach, and that the company suspects that the intruders were targeting defense and government information, not financial information. That assumption would be borne out if the breach did, as some have suggested, lead to attempted attacks on computer systems at US defense contractors Lockheed Martin and another on L3 Communications. [Source] [Source]

EU Developments

EU – Commission Begins Action Against States

The European Commission has started legal action against 20 member states for failing to implement telecommunications rules. The commission has written to the states to inquire about why they have not implemented the so-called telecoms package, which was to have been incorporated into practice by May 25. The rules include what has been a controversial mandate for websites to obtain users’ consent before placing cookies on their systems. To date, only Britain, Denmark, Estonia, Finland, Ireland, Malta and Sweden have implemented the rules. The states in question have two months to respond. [Reuters]

EU – Article 29 WP Issues Opinion on Consent

On July 13, the Article 29 Working Party, an independent advisory body to the European Commission, issued a 38-page opinion on the definition of consent. The opinion elaborates the meaning of key terms used in describing the conditions for valid consent, such as indication, freely given, specific, unambiguous, explicit and informed, and addresses the proper timing of consent. Numerous examples of valid and invalid consent are provided in this extended analysis, which also affirms the importance of using the appropriate legal grounds for processing personal data. The opinion paper concludes with a few recommendations relating to consent that the Working Party believes should be considered during the current review of the Data Protection Directive. [Coverage] See also: [German Supreme Court on the Admissibility of Marketing Calls - Federal Court, Press Office]

EU – Article 29 WP Issues Advice Paper on Special Categories of Data (“Sensitive Data”)

The Data Protection Directive categorizes some personal data as “sensitive”, including ethnic origin, philosophical beliefs, health data and criminal convictions; challenges interpreting the categories of sensitive data include difficulty in defining “philosophical beliefs” (one court recognized “belief in climate change” as a philosophical belief), photos of individuals (such images can reveal information about an individual’s ethnicity or health status) and major differences in the degree of sensitivity (e.g. health data may range from information about a simple cold to stigmatizing information about illnesses or disabilities). Challenges have also arisen applying the exceptions to the general ban on processing of sensitive data, e.g. as sensitive data may be processed by a health professional, but it is not always clear who is considered a healthcare professional, there are no exceptions that permit processing of health information by schools (in the case of injury) or insurance companies (to conclude a health insurance contract), and the requirement to have consent may be problematic in the online environment (citizens rarely use secure electronic signatures which are required for written consent). The categories of “sensitive data” should be expanded to include genetic and biometric data, and there is some interest in revising the approach to sensitive data to increase flexibility – i.e., where the general definition of “sensitive data” takes the context for processing into account and member states are given discretion to decide upon further data categories (e.g. creation of personal profiles, minors, information about financial situation, and geolocation data). [Source]

EU – European Commission Public Consultations on ePrivacy Directive

Comments are due by September 9 to resolve questions surrounding implementation of the ePrivacy Directive’s breach notification obligations which are aimed at determining whether additional measures are required to ensure harmonised national implementations; areas where there is a risk of divergence at the national level include the threshold for notifying individuals or subscribers (notification is only required where their data or privacy will be “adversely affected”, which is open for interpretation), how the sufficiency of technological measures is assessed (notification is not required when technological measures render data sufficiently unintelligible), what is considered an “undue delay” (breach notification should be provided without “undue delay”), and the fact that the Directive does not specify the means by which notification should be provided (the means of notification should be common across the EU). Other areas that require clarification include the contents of notification (are there additional elements that should be included), how to deal with cross-border breaches (what should occur when a data controller is established in a different member state than where the breach occurred), and whether there are circumstances where communications providers would be required to provide notifications under numerous laws (e.g. the Framework Directive also includes a notification obligation for providers of public communications networks or electronic communications services). [Press Release] [Consultation Document] See also: EU – European Parliament Resolution of 6 July 2011 on a Comprehensive Approach on Personal Data Protection in the European Union (2011/2025(INI)) ]

EU – EDPS: Commission Ambiguous on Cookie Advice

The European Data Protection Supervisor (EDPS) says that the European Commission has offered “inconsistent advice to website owners on how they should obtain users’ consent to cookies.” EU Commissioner Neelie Kroes said last month that European companies had one year to create a uniform way for users to opt out of cookies and that she supported self-regulatory efforts, but EDPS Peter Hustinx says that neither a self-regulatory model nor a do-not-track model comply with EU Directive requirements. Hustinx says the directive’s requirements should be “fully respected,” and “The Commission should avoid any ambiguity” in making sure that transparency and consumer control online are delivered in the EU. [OUT-LAW News] See also: [Data Protection Commissioner, Ireland - Guidance Note on Data Protection in the Electronic Communications Sector] and [Draft Hungarian Law on the Data Breach Notification Framework and the New Cookie Consent Rule]

EU – European Data Protection Supervisor (EDPS) Issues Annual Report 2010

Consultations by the EDPS in 2010 included the request for access to the identity of an informant (the protection of whistleblowers and informants should be the same after the closure of an investigation because the vulnerability of the whistleblower’s role and risks to their privacy do not change depending on whether the investigation is opened or closed with no follow-up); the further processing of data in an existing EU institution database for the purposes of providing its travel agency with ID data was determined to be serving a different purpose incompatible with the initial purpose of collection and processing, the data protection covenant between the EU institution and the travel agency was deemed to be unclear (e.g. the reasons why and circumstances when the travel agency acts as a processor and/or controller), and proper guarantees should be in place to ensure the rights of the data subjects and secure onward transfers by the travel agency to other recipients. In regards to a financial institutions management of IT administrators’ access to personal data stored in IT systems and applications, the principle of segregation of duties must be applied, and a combined balance of organisational and technical measures should be implemented and documented. The monitoring of telephone communications above a predefined threshold could be considered a breach of the right to privacy of employees; the institution was requested to ensure that the threshold figure (that would trigger the sending of a list to management) is sufficiently high so as to avoid non justified monitoring and enables the identification only of those cases in which there is clear or repeated abuse of the system, and to reassess the proposed system in order to determine whether other less intrusive methods could be used. Main objectives for 2011 include targeted monitoring exercises where the level of compliance at specific EU institutions and bodies is a cause for concern, on-the-spot inspections in those cases where the EDPS has serious grounds to believe that the compliance mechanism is blocked (this will be viewed as the final state before formal enforcement action), and inspections and audits in the field of large-scale IT systems falling within the remit of the EDPS. [Source]

EU – EU Lawmakers Upset by Microsoft Warning on U.S. Access to EU Cloud

Members of the European Parliament are expressing concern about the conflict between the European Union’s Data Protection Directive and the U.S. Patriot Act. Last week, Microsoft admitted that it may have to disclose European users’ data, found in its new cloud service, to U.S. authorities, while keeping transfer details secret. Such disclosure would be a violation of the directive, prompting MEP Sophie in’t Veld to ask, “Does the commission consider that the U.S. Patriot Act thus effectively overrules the EU Directive on Data Protection? What will the commission do to remedy this situation and ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over EU legislation?” [Computerworld]

EU – New Dutch Law to Deter Privacy Breaches

A new law expected to become effective this year will allow for the imposition of fines for data privacy violations. “People’s personal data are being used by others all the time, without their realizing it in the least,” said Dutch Data Protection Commissioner Jacob Kohnstamm, who is assisting the justice ministry in drafting the law. “The new, steep fines will make sure that people’s privacy will be respected.” Violators risk fines from 25,000 to several million euros. Kohnstamm has also announced that his office is investigating the presence of regional electronic medical records. [Radio Netherlands Worldwide] See also: [EU – EDPS Opinion on Notifications for Prior Checking]

EU – DPA Fines Agency for Employment Data Collection

The Italian Data Protection Authority (Garante) has found that collecting and processing the sensitive personal information of job applicants violates the law and has censored and fined a real estate agency for asking applicants “a disproportioned quantity” of personal questions. The Garante found the practice violated Italy’s Data Protection Code, and further investigation and sanctions may be forthcoming. “It is incredible that notwithstanding strong data protection legislation, we still experience similar shocking data processing in the employment field,” notes Rocco Panetta of Panetta & Associati,” adding that such behaviors expose organizations “to enormous risks of sanctions.” (Article in Italian)

EU – EU Mulling Plans for New Rules on Data Breach Notifications

The European Commission is considering a set of “practical rules” to govern companies’ behavior in the case of a data breach. The announcement comes in the wake of a series of high-profile data breaches, including Sony’s announcement in April that the personal information of 78 million PlayStation users was stolen. The rules, which were outlined in Brussels, would specify the procedures and format for notifications. Until the early September deadline, the European Commission is seeking input from the public and from sources including national data protection authorities and consumer organizations. According to Neelie Kroes, the EU’s digital agenda commissioner, a section of the EU’s new telecoms rules came into force in May requiring companies to notify consumers and national data protection authorities of data breaches. But additional rules could ensure consistency throughout EU member nations. [Source]

EU – New Requirements for Data Protection Officers in Germany

German companies must appoint a data protection officer (“DSB”) when they employ more than 10 employees using automated processing, more than 20 employees using non-automated processing or process data in a manner that infringes intensely on personal rights (e.g. when using video surveillance, chip cards or non-transparent procedures); even if appointment of a DPO is not required, management is still responsible for meeting the provisions of the law by taking on the DSB’s tasks and prior reporting all automated processing to data protection authorities (a DSB may be appointed simply to avoid the prior checking requirements, and companies can hire external DPOs, such as a specialized lawyer). DSBs must have knowledge of relevant data protection provisions (including constitutional protections and any sector-specific legislation), data security technology (e.g. physical security of IT infrastructure, cryptography, spyware and network security), understanding of practical data protection management (e.g. executing controls, advising management, coaching employees, providing data protection strategies and recording data protection activities), and the enterprise’s technical and organizational structure (e.g. relevant process charts and internal organization). In order to enable independence for DSBs, they must report directly to company management, not be bound by company instructions regarding data protection, and be protected from dismissal (the DSB service contract should safeguard the autonomous fulfillment of his or her legal assignment for a term of 4 years if internal, or 2 years, if external). Failures to meet the minimum DSB specifications may result in a €50,000 fine to each manager personally; companies may want to consider appointing a DSB, even where not required, as previous non-compliance issues will generally not be punished. [Source]

UK – ICO Annual Report: Volunteer to Be Audited by Us, We Might Not Bust You

The Information Commissioner’s Office (ICO) released its annual report, which states that more companies should offer themselves up for voluntary audits. Last year, there were 603 reported data breaches, and 186 occurred in the private sector. Of those businesses, 19% accepted the ICO’s offer for a free data protection audit. In the public sector, 71% agreed to the voluntary audit, the report states. “These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consentual audit should count as a badge of honor, showing that the business takes data security seriously,” said Information Commissioner Christopher Graham. [The Register] See also: [UK Information Commissioner’s Office Auditing Data Protection: a Guide to ICO Data Protection Audits | North West London Hospitals NHS Trust - Data Protection Audit Report Executive Summary] and [EU Article 29 Data Protection Working Party – Advice Paper on Practical Implementation of Article 28(6) of the Directive 95/46/EC (how Data Protection Authorities make use of their supervisory authority under Article 28(6) of the General Directive)

UK – ICO: Jail Time Needed for Privacy Violations

A recent phone hacking scandal has prompted Information Commissioner Christopher Graham to call on the British government to implement prison sentences for those who use stolen personal data. The Information Commissioner’s Office previously recommended two-year prison terms for such offenses after a 2006 investigation into the sale of stolen personal data to journalists, the report states, but the government did not implement the proposal after journalists claimed it would limit free speech. In calling for stronger laws, Graham noted, “Unless people realize they can go to prison, it seems like a victimless crime.” [Bloomberg]

UK – ICO Publishes Guidance on Fines

The Information Commissioner’s Office (ICO) has released details on how it will use its new fining powers under the Privacy and Electronic Communications Regulations (PECR). Amendments to the PECR let the ICO fine up to £500,000 for offenses, and “It is possible that a single breach may be sufficient to meet this threshold,” the ICO says in its guidance, which offers insight into potential triggers for fines. Organizations will have the chance to weigh in on the guidance before it is adopted. [OUT-LAW.COM]

Facts & Stats

AU – Thousands of Privacy Breaches Going Unreported

There has been a 27% jump in the number of incidents of stolen or lost personal information reported to the Privacy Commissioner in the past year but inadequate laws mean thousands of incidents go unreported. The Privacy Commissioner, Timothy Pilgrim, revealed his office had received 56 data breach notifications in the year to June 30 – up from 44 in the previous year. However, Pilgrim warned that this only included responsible companies that voluntarily owned up to losing personal information as the government had failed to introduce mandatory data breach notification laws. Pilgrim also revealed his office had opened 59 “own motion” investigations in the past year – usually following media reports of privacy breaches. This includes investigations into Google, Telstra, Vodafone, Dell, Sony and most recently Medvet, which inadvertently left its order system for paternity and drug tests open to be accessed via search engines. [Source

CA – Statistics Canada to Stop Tracking Marriage and Divorce Rates

Statistics Canada will no longer collect and crunch numbers on the country’s annual marriage and divorce rates, a sign both of cost cuts at the agency and the changing nature of relationships, as definitions get fuzzier and harder to track. The national statistical agency published its last national figures on marriage and divorce rates last week. It has been collecting divorce data since 1972 and marriage data since 1921. It pegs the cost of reinstating the collection at $250,000. By the numbers:

  • 43.1% – Canadian marriages that are expected to end in divorce
    before the couple reach their 50th wedding anniversary
  • 26.8% – Marriages expected to end in divorce before a couple
    in Newfoundland and Labrador reach their 50th anniversary
  • 62.6% – Percentage of marriages expected to end in divorce
    by the time a couple in the Yukon reaches their 50th anniversary
  • 44 – Median age for Canadian men at divorce in 2008
  • 41 – Median age for Canadian women at divorce in 2008 [Source]

Filtering 

UK – Court Orders BT to Block Site Linked to Digital Piracy

A group of film studios represented by the Motion Picture Association (MPA), the international arm of the Motion Picture Association of America (MPAA), has won a court order against British ISP BT to block the Newzbin2 filesharing website. A British High Court judge has ordered BT to block users’ access to the members-only website that offers links to movies and television programs available on Usenet boards. [Source] [Source] [Source] [Source] [Newzbin2 response]

Finance

CA – OPC Guidance on Private-Sector Anti-Money Laundering Databases

To help financial institutions conduct their due diligence around identifying “politically exposed people” (i.e. people who may abuse their position of power for private gain), private-sector anti-money laundering database providers have emerged, who will compile databases of sanctioned individuals and entities (from publicly available government and NGO lists) and scrub the financial institution’s customer lists against the database. Privacy issues with these databases emerge as a person may be removed from a government list, but remain in the database provider’s list (the individual would have difficulty determining whether or not their name had been de-listed from the database and there is no indication of an appeal process being available) and jurisdiction issues arise (it may be difficult to make a claim regarding enhanced due diligence to the OPC by a foreign national taking issue with a Canadian financial institution or a Canadian taking issue with a foreign financial institution). Private-sector anti-money laundering database providers also identify “persons of special interest” who may be at high-risk, and there appears to be no limits on what information is being collected or how it is being incorporated into a risk assessment for possible money laundering risk (the determination of who is a “high-risk” is made without any transparency, and based on information that may or may not be correct, with potential harm to the individual’s relationship with the financial institution). [Source]

CA – Best Practices in Privacy and Anti-Money Laundering/Counter-Terrorist Financing

The federal Privacy Commissioner has published recommendations for Canada’s anti-money laundering regime include providing mechanisms for the sharing of information between financial institutions to help detect patterns of money laundering (PIPEDA does not currently permit such sharing as allowed under the USA PATRIOT Act), ensuring suspicious activity reports are only filed based on reasonable grounds that the transaction is related to the commission of a money laundering or terrorist financing offence (a “report all” philosophy and reports based on crimes like tax evasion raises questions on the proportionality of Canada’s financial intelligence unit’s activities), and providing practical guidance on privacy issues for those at highest risk of privacy transgressions (e.g. point-of-sale staff in real estate, insurance, accounting, or casinos). Other recommendations include imposing operational controls on the centralization of suspicious activity reports in an organization’s head office (e.g. enterprise-wide policies on the exchange of suspicious activity reports, well-defined procedures for transmission of sensitive data, and a regular review of the effectiveness of the arrangement in terms of meeting its objectives and adherence to policies) and creating legislation to ensure the confidentiality of the source of suspicious activity reports when responding to access requests or production orders (financial institution employees will hesitate in reporting their concerns if they believe the legal safeguards are insufficient to protect them and their families). [Source]

US – Banks’ Billion-Dollar Idea: Sell Your Shopping Data

Many of the nation’s leading banks and card issuers, including Wells Fargo, Citi, USAA, Sovereign Bank and Discover, are selling information about consumers’ shopping habits – how much they spend, where they shop and what they buy – to retailers. Retailers are using the data to offer targeted discounts via text, email and online bank statements. Each time a consumer cashes in on one of those deals, the retailer pays the bank a nice commission. At a time when government regulation is forcing banks to hike fees and eliminate consumers perks, selling consumers’ shopping data is an easy way to not only generate a decent chunk of revenue but also to drum up some much-needed customer loyalty. Aite Group, an independent Boston-based research firm specializing in financial services, forecasts that these merchant-funded incentives will drive $1.7 billion in annual revenue for card issuers by 2015. [Source] See also: [Morgan Stanley warns 34,000 customers of data breach]

UK – Banks Face More Privacy Complaints from Customers than Any Other Group

Banks have attracted more customer complaints than any other group over allegations of mishandling sensitive information, the privacy watchdog reveals today. Lenders routinely lost, released or wrongly recorded personal data, the Information Commissioner warned in his annual report which detailed 603 complaints. But the true scale of privacy and data breaches could be much higher, because the private sector is not obliged to report complaints to the Information Commissioner. [Source]

US – Financial Industry Group Releases Social Media Guidance

Financial services industry group BITS, a division of the Financial Services Roundtable, has released guidance addressing social media risks and use. “Social Media Risks and Mitigation“ analyzes issues such as compliance, legal, operational and reputational risks. The report discusses three main types of social media use, including communication between an institution and its customers; employees’ personal and professional use of social media within the institution, and employees’ and vendors’ use outside of the institution. [Hogan Lovells’ Chronicle of Data Protection]

US – Little-Known Firms Tracking Data Used In Credit Scores

Atlanta entrepreneur Mike Mondelli has access to more than a billion records detailing consumers’ personal finances – and there is little they can do about it. The information collected by his company, L2C, comes from thousands of everyday transactions that many people do not realize are being tracked: auto warranties, cellphone bills and magazine subscriptions. It includes purchases of prepaid cards and visits to payday lenders and rent-to-own furniture stores. It knows whether your checks have cleared and scours public records for mentions of your name. [Source] See also: [Comments of The Electronic Privacy Information Center To The Federal Trade Commission “Public Workshop and Request for Public Comments and Participation”]

EU – EU Exploring Its Own Funds-Tracking Program

In the wake of objections by many EU officials to a program that allows the U.S. to access European financial transactions as part of efforts to fight terrorism, the European Commission has presented its own proposals for tracking finances of suspected terrorists. The plans “are aimed at ending the primary role of the United States in those efforts,” quoting Commissioner Cecilia Malmström’s statement that an EU system “would need to fully respect fundamental rights and, in particular, ensure a high level of data protection.” One of the EU’s primary goals will be to limit the amount of data sent to the U.S. [The New York Times] See also: [European Data Protection Supervisor - Opinion on the Proposal for a Regulation of the European Parliament and of the Council Establishing Technical Requirements for Credit Transfers and Direct Debits in Euros and Amending Regulation]

WW – SpyEye Trojan Can Evade Fraud-Detection Algorithms

Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people’s online bank accounts, according to new research from security vendor Trusteer. SpyEyecan harvest credentials for online accounts and also initiate transactions as a person is logged into their account. In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions.[Source] See also: [Mac OSX passwords can be pilfered with new tool]

FOI

CA – Saskatoon Privacy Concerns Made Public

The province’s information and privacy commissioner and the City of Saskatoon are again at odds over the city’s handling of access to information issues and the tension seems to be on the rise. In his annual report for the 2010-11 fiscal year released last week, Gary Dickson cited four different investigations relating to problems he found with the City of Saskatoon over different issues. [Source] See also: [Modernize Saskatchewan privacy law] and [Frank Work: Time for Alberta government to deliver on promise of greater transparency] and also: [OIPC BC - Data Sharing in a Gov 2.0 World - Commissioner’s June 2011 Keynote Address to the Edmonton Access and Privacy Conference]

CA – Police Board to Reconsider Policy of Simultaneous Release of FOI Requests

The Vancouver police board will review the department’s policy of releasing information requested under the Freedom of Information and Protection of Privacy Act simultaneously to both the requester and the public, after being told by FOI advocates it is not adhering to the spirit of the law. Vincent Gogolek, the executive director of the B.C. Freedom of Information and Privacy Association, said the Vancouver police department remains the lone holdout on a questionable policy that many view as a deterrent to people asking for information under the act. In May, provincial information and privacy commissioner Elizabeth Denham slammed BC Ferries’ practice of posting FOI requests online before or as it releases a copy to the original requester. Last month, Vancouver council unanimously adopted a policy of not engaging in such practices. And on Tuesday the provincial government changed its policy to give requesters at least 72 hours with the documents before posting them online for others to see. But the police board has so far refused to accept the position of the provincial FOI commissioner or city council’s motion. [Source] See also: [OIPC BC - Balancing Privacy and Openness: Guidelines on the Electronic Publication of Decisions in Administrative Tribunals]

Genetics

UK – Police to Retain DNA Profiles of Innocent People

Details of innocent people’s DNA will be retained by police despite a pledge by the government that they would be deleted, Home Office minister James Brokenshire has admitted. Rather than keeping an innocent person’s complete profile on the national DNA database, it will be retained in an anonymised form, which would leave open the possibility of linking the information with people’s names. This would mean that the profiles would be considered to have been deleted (even though the DNA profile record, minus the identification information, will still exist). Commenting on the latest developments, Daniel Hamilton, director of privacy lobby group Big Brother Watch, said: “James Brokenshire’s letter confirms that the details of more than a million innocent people will remain on the national DNA database. “This is a disgraceful U-turn on the part of the government. It represents a betrayal of an explicit commitment made in the coalition agreement and stands in contravention of a ruling by the European Court of Human Rights banning the retention of innocent people’s DNA.” [Source] [Source] See also: [Garante Per La Protezione dei Dati Personali - General Authorisation for the Processing of Genetic Data, June 24, 2011]

US – Appeals Court: OK to Check DNA of Those Arrested

A closely divided 3rd U.S. Circuit Court of Appeals has found that the collection of DNA samples from people arrested – but not yet convicted – of crimes is constitutional, in an opinion released today. In a precedent-setting ruling, the appeals court rejected U.S. District Judge David S. Cercone’s 2009 order finding that law enforcement could not collect DNA from Ruben Mitchell, who faces a federal charge of attempting to possess and distribute five kilograms or more of cocaine. Judge Cercone had found that requiring pre-trial detainees to submit DNA samples, which is done under the DNA Analysis Backlog Elimination Act of 2000, violates the 4th Amendment’s search and seizure rules. In an 8-6 ruling, the circuit judges found that people who are arrested have “a diminished expectation of privacy in their identities.” Outweighing their privacy, they found, is the importance to law enforcement of correctly identifying people who are charged with crimes, determining their criminal history, potentially linking them to unsolved crimes and promptly ruling out involvement in a crime in cases in which the DNA does not match that found at the scene. [Source]

US – FBI’s Next Gen Identification: Bigger and Faster but Much Worse for Privacy – EFF

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database. FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.” The FBI does not just collect and store data from people caught up in the criminal justice system; about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records. Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise. The third reason for concern is at that once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone’s actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.” [Source: Electronic Frontier Foundation]

Health / Medical 

US – Snooping Celebrity Medical Records Cases Settled

Years after hospital employees were accused of snooping into the medical records of celebrity patients, UCLA Health System agreed to pay an $865,000 US settlement for potential violations of federal privacy laws. The settlement that UCLA reached with federal regulators did not name the stars involved and did not require the hospital system to admit liability. The investigation by the U.S. Department of Health and Human Services revealed that workers repeatedly accessed patients’ electronic health records between 2005 and 2008. The hospitals have agreed to report to a federal monitor on the implementation of its corrective plan over the next three years. In 2008, California Department of Public Health officials announced results of their own investigation into the privacy breaches and found that UCLA hospital workers inappropriately accessed records of 1,041 patients since 2003. The hospital later disciplined 165 employees through firings, suspensions and warnings. At least two former UCLA employees have faced criminal charges for medical privacy violations. The headline-grabbing breaches led California legislators to pass a bill boosting the maximum fine for privacy breaches at health facilities from $25,000 US to $250,000 US. The UCLA Health System includes Ronald Reagan UCLA Medical Center, Santa Monica-UCLA Medical Center and Orthopedic Hospital, and the UCLA Medical Group, a network of primary and specialty care satellite offices. [Source] See also: [Beth Israel Hospital Notifies Patients of Data Events] | Wake Forest Breach ] and also: [Brown v. Mortensen - 51 Cal. 4th 1052; 2011 Cal. LEXIS 6103 - Supreme Court of California]

US – Preliminary Settlement Reached in Class Action

WellPoint has reached a preliminary settlement in a class-action lawsuit involving the exposure of 600,000 health applicants’ sensitive data. The suit, filed in March 2010, alleged that the company failed to protect the privacy of those affected. The settlement would see WellPoint provide two years of credit monitoring to those involved and would entitle class members to reimbursement for instances of identity theft. The settlement will be approved or declined after a November fairness hearing. In July, the company agreed to pay a $100,000 fine in a settlement with the Indiana attorney general’s office for notification failures surrounding the incident. [American Medical News]

US – E-Health Records Still Scare Most of Us

Nearly 80% of consumers surveyed earlier this year said they’re wary of electronic health records because they’re concerned that their personal information might be stolen or lost it if were kept in an EHR system. The online survey, conducted by Harris Interactive for Xerox in February and released last week, polled 2,720 U.S. adults, the majority of whom felt that their personal information could be misused if it was stored electronically. Of those surveyed by Harris Interactive, 78% indicated they were concerned about hackers accessing EHR systems; 64% said they were worried about the threat of lost, damaged or corrupted files; and 62% cited concerns over the misuse of electronic healthcare information. 23% of the respondents said that they believe patients have the least to gain from a conversion to digital records. [Source] See also: [Will HIPAA Audit Program Become Model?] and [CA – Missing Cancer Care Ontario packages put health info of 12,000 at risk] and [Office of the Australian Information Commissioner - Submission to the Department of Health and Ageing on the Draft Concept of Operations: Relating To The Introduction Of A Personally Controlled Electronic Health Record (PCEHR) System]

US – HIPAA Audits to Begin Soon

The Department of Health and Human Services announced that it will soon begin its HIPAA compliance audits mandated under the HITECH Act with 150 onsite audits to be conducted by KPMG by the end of 2012. The scope of the audits, the selection process for being audited and whether audits will be used as an enforcement or education tool are all unknown. Due to the volume of covered entities, the likelihood of being audited is small, but organizations should review their programs and ensure they are effective and up-to-date. The report states that Booz Allen Hamilton has been contracted for “audit candidate identification.” [GovInfoSecurity]

CA – Physicians Reluctant to Share Patient Data

Even during the H1N1 pandemic in 2009, doctors in Canada were reluctant to disclose identifiable patient data to protect patient privacy, researchers say. Five focus groups with 37 family doctors from across Canada provided insights into the reasons they were reluctant to share patient data. The physicians said they were concerned about the privacy of their patients, and did not know whether the data uses would be limited to dealing with the pandemic. They did not perceive that they would get direct benefits back to them and their patients from giving data to public health and there were concerns about how the data could be used to evaluate their performance, the study says. “Patient data needs to be properly anonymized, and health care practitioners must be provided with timely and actionable feedback,” El Emam said. [Source]

US – Expert Analyzes Reported Health Data Breaches in 2011

The Mayo Clinic Center for Social Media’s Christopher Burgess reviews reported patient data breaches from January to June of this year to show how the various incidents could have been avoided. With more than 87 breach incidents affecting approximately five million patients in the first five months of this year, Burgess opines, “Sadly, being compliant is not synonymous with being secure.” Burgess breaks down the reported breaches into hardcopy, digital and identity theft incidents and provides recommendations to mitigate the risks surrounding patient data protection. [Source]

CA – Regina Doctor Responsible for ‘Largest Breach of Patient Privacy’ in History

Saskatchewan’s privacy watchdog is recommending the province consider prosecuting a Regina physician under the Health Information Protection Act (HIPA) in connection with several boxes of patient files that were discarded in a south Regina recycling bin in March. Calling it the largest breach of patient privacy the office has encountered since the act came into force in 2003, information and privacy commissioner Gary Dickson released a report that names Dr. Teik Im Ooi as the “trustee responsible for the records” that were hauled out of the blue bin. About 180,000 pieces of patient personal health information were recovered, including 2,682 patient files as well as daily activity reports from the Albert Park Family Medical Centre. [Source] [Report] [Sask. official slams doctor over major patient privacy breach] see also: [Beth Israel reports potential data breach] and [Patient alleges Tufts breached privacy]

Horror Stories

KR – Personal Data of 35 Million Hacked In Attack on South Korean Social Media Sites

The personal information of about 35 million Internet users in South Korea was stolen in an alleged hacking attack that originated in China, officials said. Hackers purportedly attacked popular Internet and social media sites Nate and Cyworld, stealing data such as user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. South Korean police said their investigation could take several months. [Source] [Source] See also: [Toshiba cops to data breach potentially affecting 7,520 US customers] and [UK: Dozens of students accessed in York Uni data breach] and [Privacy breach at Cape Breton health authority] and [South Korean Court Orders $1M Payment for Collecting iPhone Location Data Without Consent] [Korea: Apple may face class action over tracking] and [US: Post’s jobs section hacked, exposing 1.3 million user IDs, e-mail addresses] and [Toshiba Breach Could Affect 7,520 U.S. Customers]

CA – Officials: Missing Records Show EMRs Needed

Ontario’s privacy commissioner is investigating a breach that occurred when Cancer Care Ontario mailed about 12,000 cancer screening tests. Commissioner Ann Cavoukian, echoing the sentiment of Premier Dalton McGuinty, said the loss supports the case for reliable electronic medical records systems, adding, “In this day and age, how could Cancer Care Ontario decide to send hard copies of sensitive personal data of patients through the mail? How could Canada Post have lost track of the records?” Cancer Care Ontario alerted the commissioner’s office of the missing screening tests on June 27. A search for the records turned up about 5,000 in physicians’ offices. [itbusiness.ca]

US – Insurer Gets Fined for Slow Breach Notification

Indiana Attorney General Greg Zoeller announced on Tuesday that an Indiana-based insurer will pay a $100,000 fine and take other steps for waiting months to notify 32,000 customers of a data breach. Wellpoint has agreed to pay the fine; provide up to two years of credit monitoring and identity theft protection to affected customers, and reimburse up to $50,000 for breach-related losses. “This case should be a teaching moment for all companies that handle consumers’ personal data,” said Zoeller. A Wellpoint spokeswoman said the company has made security changes to prevent further breaches. [Associated Press]

AU – Commissioner: Breach Due to Human Error, Investigation Closed

Privacy Commissioner Timothy Pilgrim has closed his investigation of Telstra’s data breach, saying it “was caused by a one-off human error,” and the company “adequately dealt with the matter.” According to Pilgrim, the incident breached the Privacy Act, but it was “not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act.” A Telstra spokesman acknowledged the commissioner’s finding and assured that the company has put measures in place to prevent a similar breach in the future. [ZDNet] [Report] [Press Release]

Identity Issues

AU – Victoria, Western Australia Fight ID Theft With Document Checks

Victoria and Western Australia have signed up to use a document-verification service, which aims to nip identity theft in the bud by cross-referencing documents between government agencies. When a government agency receives a document that requires verification, it sends an encrypted request to the document-issuing agency, which will return a positive or negative response. The service, which forms part of the government’s National Identity Security Strategy (NISS), ensures that proof-of-identification documents can be verified in real time, and that the documents are authentic, accurate and up to date, while ensuring that the individual’s privacy is maintained. Now that the two states have joined the service, government agencies from participating states will be able to confirm the validity of Victorian and WA driver licences, and Victorian birth certificates. The announcement comes shortly after a recent survey, which found that one in six Australians are affected by ID theft. [Source]

WW – Controversial Phone App Offering Background Checks is Back

A mobile application that allows people to conduct background checks is back in the marketplace. The app was first launched for the iPhone in 2009, but was pulled by Apple due to privacy concerns. BeenVerified has relaunched the app–which searches online public records for information on a name entered into the system by the user–saying that it merely modernizes the information databases that already exist. But some privacy advocates and cybersecurity experts say the risk of stalking and identity theft outweigh the benefits of the service. “There are deep implications for privacy even if it’s not certain these tools violate the law,” says an Electronic Frontier Foundation spokesperson. [The Star-Ledger

UK – Photographer’s Parakeet Pics: Did They Breach Privacy?

An amateur photographer whose pictures of government officials ‘destroying’ parakeet nests sparked police action, is unlikely to have breached UK data protection rules, the privacy watchdog has told Amateur Photographer (AP). Hertfordshire Police has been forced to publicly apologise after officers warned bird enthusiast Simon Richardson that he faced being sued for breach of privacy if his pictures were published in the press. [Source] See also: [Online critics of former Aurora mayor can remain anonymous: judge] and [Google+ Identity Crisis: Google Revised Real Names Policy] and [Privacy not a guarantee for war criminals] and [US: Neighbour from hell jailed 18 years for cyber ‘campaign of terror’]

Intellectual Property 

US – ISPs Agree to Copyright Violator Penalty System

Major US ISPs have agreed to a system that could allow them to disrupt Internet service for habitual copyright violators. Among the providers participating are Comcast, Time Warner and Verizon. The ISPs will issue warnings at first, but after six violations, the plan calls on the providers to take steps such as reducing Internet speed or redirecting users to “educational” pages about copyright infringement. The plan does not directly call for cutting off access altogether, although the services may do that if they choose. The agreement has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Critics of the agreement have expressed concern that users’ Internet access could be cut off with no judicial review. [Source] [Source

US – Judge Reduces Thomas-Rasset’s File Sharing Verdict to US $54,000

Calling the original amount “appalling,” US District Court Judge Michael Davis has reduced a US $1.5 million jury verdict against Jammie Thomas-Rasset to US $54,000. This is the third trial in a case brought by the Recording Industry Association of America (RIAA) against Thomas-Rasset for sharing 24 songs over KaZaA. Thomas-Rasset is the first person the RIAA took to court over illegal filesharing. Although the RIAA maintained that judges do not have the authority to lower jury verdict cases involving the Copyright Act, Judge Davis said that his decision was made in the interest of fairness; the verdict was “so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.” [Source] [Source] See also: [Sony insurer says it’s not liable for breach-related costs]

Internet / WWW 

EU – More Online Surveillance Needed, Officials in Europe Say

Days after the bombing and shootings in Oslo, politicians and police around Europe say they want increased Internet monitoring. Officials from Finland, Estonia and Germany have all called for expanded monitoring powers as a possible preventive measure. In the aftermath of the tragedy, a Twitter message, a YouTube video, and a 1,500-page manifesto have been found online written by the Norwegian who has confessed to the crimes. However, at least some law enforcement agencies seem to be aware of the delicate nature of striking a balance between surveillance and security. “Freedom of speech always comes first,” said Mikko Paatero, Finland’s national police commissioner, in an interview with YLE. “Writings on the Internet have to have a clear criminal intent if the police are to get involved and contact those people,” he added. [Source] See also: [Let’s Stop Deluding Ourselves About Online Privacy

CA – Google Adds Pedal Power to Its Street View of Toronto

Google is poised to make the online view of Toronto more detailed by adding a trike to its Street View fleet. The trike, a pedal-powered three-wheeler carrying cameras and guided by GPS, will be used to reach places around the city that are not accessible by the Street View car. The trike is an addition to a Street View fleet that includes a car, a snowmobile, and a hand trolley used for building interiors like museums and galleries. [Source] See also: [Privacy, contact updates added to Google+ Social network is tweaked with new tools for contacts and an opt out for gender identification] and [Google dealing with privacy bugs in Google+] and [Former Google Employee Offers Insight into the company’s attitude on privacy and efforts toward creating a social network]

US – Groupon Changes Privacy Policy to Collect, Share More Information

Groupon has e-mailed its 83 million subscribers to announce changes to its privacy policy, including that it will begin collecting more information about its customers to share with its business partners. It will also begin using geolocation information for marketing purposes. The expanded categories of information Groupon will now collect include user habits and interests, which it will share with third parties. It now shares contact, relationship, transaction and mobile location information. The company has also released details on the ways it collects and uses such information. [Washington Post] [Groupon Privacy Issue: Does Groupon’s New Policy Compromise Users?]

WW – Cloud Storage Company Sued for Breach

A class-action lawsuit filed in a U.S. District Court in California claims that a cloud storage provider failed to secure data or notify users of a data breach. The suit claims breach of express and implied warranties, invasion of privacy and negligence, among other transgressions, alleging that a system glitch allowed logged-in Dropbox users to view others’ data. A company blog post said the breach affected fewer than 100 people, and the company will implement additional safeguards. The suit seeks an order requiring the company to better secure its site, as well as damages, costs, injunctive relief and attorney fees, states the report. [News and Insight]

Law Enforcement

EU – Anonymous Hacks Italy’s Cybercrime Police

Italy’s specialist police unit responsible for combating cybercrime suffered an embarrassing hack by members of the loosely knit Anonymous hacktivist galaxy. In a communique posted on Twitter, the hacker group claimed to have obtained more than 8 gigabytes of internal data from what it called the “Homeland Security Cyber Operation Unit in Europe” and said it would publish all the material it had obtained from its Italian branch. The group said it had “owned” the server of the National Center for Computer Crime and the Protection of Critical Infrastructure (CNAIPIC) of the Italian police and would be publishing the material via the LulzSec and Anonymous communities under its #AntiSec campaign. [Source] See also: [Attackers Were in German Police Computers for Months | Source #2 | Source #3

CA – Ontario Police to Seal Non-Criminal Mental Health Records

Ontario police chiefs are moving to seal off sensitive mental-health information from being disclosed when their forces provide background checks for job seekers or would-be volunteers. The change is part of new guidelines unveiled by the Ontario Association of Chiefs of Police to address the patchwork of procedures used by forces across the province. Police verifications are common for people applying to be security guards, truck drivers, warehouse employees or casino workers. Schools, nursing homes and other organizations dealing with vulnerable people also use police checks to screen job seekers or volunteers. While not binding, members of more than 50 forces, including the Ontario Provincial Police, have started training to use the new guidelines. Police forces in British Columbia and Manitoba are preparing similar initiatives but Ontario is the first to draft consistent, province-wide guidelines. [Source] See also: [Toronto police strip searches increasing] [Austrian atheist wins the right to be shown on his driving-licence photo wearing a pasta strainer as “religious headgear”]

UK – Big Brother Watch: Over 900 Police Staff Caught Misusing Databases

More than 900 police personnel were disciplined for unlawful data protection practices in the past three years, privacy campaigners have said. Figures released by 36 police forces in England and Wales under freedom of information (FOI) requests by Big Brother Watch (BBW) stated that 904 police officers and civilian employees were disciplined for offences under the Data Protection Act in the three years up to 1 June 2011. The figures also showed that 98 police officers and civilian staff left the force after management discovered their unlawful activity. One police officer accessed information about their neighbour, while a police sergeant passed information about his ex-wife to his solicitor, the statement said. In Dorset a police officer resigned and was referred to crown prosecutors after disclosing information about the supply of class A drugs to a third party, the statement said. [Source] [UK: Police officers and staff breach data protection act]

UK – Lancashire Police Authority in Data Protection Breach

The CEO of Lancashire Police Authority has signed an undertaking with the Information Commissioner’s Office after it was found in breach of the Data Protection Act. The breach occurred when the authority accidentally published details of an individual’s complaint website. According to the ICO, the details were disclosed “after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online”. The authority failed to remove the information for four days after the complainant contacted the Police Authority about the breach in January. [Source]

Location

US – Senate Committee Told NSA Phone Location Data Tracking is “Complex Question”

The subject of the National Security Agency (NSA) tracking US citizens through mobile-device location data arose during a hearing of the Senate Select Committee on Intelligence, which was part of the process of determining whether NSA general counsel Matthew Olsen should become head of the National Counterterrorism Center. Olsen said there could be circumstances under which the NSA would have the authority to use mobile device location data to track US citizens within the US. Olsen said the powers to do so were granted under the Patriot Act. He noted that “it is a very complex question.” A memo clarifying the issue is expected to be prepared for committee members. [Source] [Source

WW – Google Street View Cars Nabbed Locations of Wi-Fi Devices

Google Street View cars are at the center of a brand new privacy scandal after it was revealed that the search giant collected the street addresses and unique identifying information for millions of laptops, media players, and other wireless devices. And until recently, the data was available to anyone who put in the right Google search. The story emerged when the French data protection authority confirmed that its investigation had turned up the Street View cars’ questionable data collection practices. Back in March, CNIL fined Google 100,000 Euros, or $143,000, but at that time it was unclear if the issue extended to client devices. Google has been collecting this data despite an earlier public statement claiming that “we collect the publicly broadcast MAC addresses of Wi-Fi access points.” There’s no opt-out method. And as noted above, the data was available through the Google search engine until late June. [Source] See also: [Microsoft Releases Wi-Fi Data-Gathering Source Code | Source #2 ] See also: [In Re Google Street View Electronic Communications Litigation - 2011 U.S. Dist. LEXIS 71572 - United States District Court for the Northern District of California (subscription required)]

US – Proposed Alternative to Gas Tax Raises Privacy Concerns

Amid the growth of fuel efficiency and alternative fuel vehicles, governments are trying to find ways to recoup some of their gas-tax dollars by taxing mileage. Nevada residents were presented with the idea of using GPS systems to track mileage, and more than 80% opposed it, most often citing privacy concerns. Another method being tested is one in which a transponder mounted to the car tells the gas pump how many miles the car has travelled and tacks on the appropriate mileage tax to the gas price. The University of Nevada at Las Vegas is conducting the test with 25 drivers and says the transponders are not capable of tracking vehicles. [Las Vegas Sun]

Offshore

HK – Hong Kong Moves Closer to New Privacy Amendment

A bill that addresses transfers of personal data for direct marketing purposes has been introduced to Hong Kong’s Legislative Council for final approval. The Personal Data (Amendment) Bill 2011 addresses concerns about recent data transfers of customer information for direct marketing without users’ consent and acts on proposals from an April public discussions report. If the bill passes the Legislative Council, it would require Hong Kong companies making data transfers for direct marketing purposes to alert data subjects of the transfer’s purpose as well as the type of data to be transferred and to whom. It would also allow the privacy commissioner to assist data subjects seeking legal redress after breaches. [InsidePrivacy] [Office of the Privacy Commissioner for Personal Data, Hong Kong - Data User Return Scheme: Consultation Document | Press Release] See also: [Outsourcers look to data security transparency for competitive advantage] Privacy as A Selling Point: Forbes reports on the continued use of privacy as a competitive differentiator in the marketplace, pointing out how some companies are asserting their privacy strengths sometimes by highlighting their competitors’ privacy weaknesses. [Forbes] [ZDNet] [Source] and [Privacy by Design: A Boon to Business] [Indian Market Embracing CPOs] [Starts-Ups Considering Privacy in Business Plans]

Online Privacy

WW – Online-Privacy Tools Fail to Prevent Tracking, Study Warns

A new study by Stanford University researchers has found many online advertising companies continue to follow people’s Web activity even after users believe they have opted out of tracking. The preliminary research has sparked renewed calls from privacy groups and Congress for a do-not-track law to allow people to opt out of tracking, like the do-not-call list that limits telemarketers. “I think industry self-regulation is a joke,” shot back U.S. Rep. Jackie Speier, D-Calif, who has proposed legislation allowing the FTC to regulate online tracking. “It’s precisely why we need the FTC to regulate them. For those who say, ‘Privacy, get over it,’ I absolutely reject that.” Stanford’s research looked at 65 online advertising companies, including big companies such as Google, Yahoo, Microsoft and AOL and smaller, lesser-known companies such as x+1, eXelate and BlueKai. It found that half the companies continued tracking even after consumers opted out. In online tracking, advertisers follow a web user’s movements to glean personal details to develop profiles and deliver targeted advertising. The study has prompted a privacy group, Consumer Watchdog, to ask the FTC to investigate whether eight online advertising companies engaged in deceptive trade practices by saying they would delete “tracking cookies” but actually left them in place. Since the study’s release, several online advertising companies have abruptly revised their privacy policies to acknowledge that they may continue to collect data even after consumers opt out at an advertising industry website, or enable “Do Not Track” features in the newest versions of Mozilla’s Firefox browser or Microsoft’s Internet Explorer 9. A group representing online advertisers, the Network Advertising Initiative, said its opt-out site is intended to allow consumers to opt out of advertising, not the data-collection it says is needed. At the site, consumers can check an opt-out box, which produces a message that says: “You have opted out of this network.” For customers who opt out, NAI and companies like Yahoo and Microsoft say these cookies are only collecting data to make sure advertising on websites works properly – not to target ads. “Online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud,” Chuck Curran, executive director of NAI, wrote in a blog post last week. [Source] See also: [US: Under threat of regulation, tech industry takes on challenge of Internet privacy] and [US – Study Finds 12.5% of Companies Violating Own Do-Not-Track Policies] and also: [US: The special relationship between Facebook and law enforcement] and [US: Harvard Researchers Accused of Breaching Students’ Privacy] and [UK: Online advertising comes under MPs’ scrutiny over privacy concerns] and [FTC - Prepared Statement on Internet Privacy: The Views of the FTC, FCC and NTIA, before the House Subcommittee on Commerce, Manufacturing and Trade | Statement of Commissioner J. Thomas Rosch, Dissenting in Part]

WW – Yahoo Condemned Over Plans to Snoop on Emails on Behalf of Advertisers

Internet giant Yahoo has been condemned over plans to snoop on emails in a ‘blatant intrusion of privacy’. The US company provides an email service for thousands of Britons, including children, who will assume that the system is completely private. However, it has emerged that Yahoo has changed its small print terms and conditions to get permission to view and scan emails. At the same time, the firm will also be able to spy on incoming emails from individuals and businesses without permission or warning. Yahoo is pressing ahead with the change on the basis it will allow the company to identify which celebrities, subjects, sports, hobbies and products a particularly customer is interested in. In future, it would use the information to target the customer with website advertising and product information that is relevant to these areas. The Yahoo customer visiting a range of websites would then see pop-up advertisements that are relevant to keywords in outgoing and incoming emails. Yahoo said customers will receive a pop-up asking them to agree to the new terms and conditions. It said: ‘Users who choose to accept the new terms will allow Yahoo’s computer systems to identify words, links, people and subjects from their email, so that we can deliver exciting new product features. ‘In time, we will also serve relevant ads.’ The company said customers can opt out of internet-based ads by going to http://info.yahoo.com/privacy/uk/yahoo/ [Source

US – Company to Certify Ad Network Clients

Evidon, a company behind Digital Advertising Alliance (DAA) you-are-being-tracked icons, is rolling out a new program to certify some of its clients. The program, dubbed GreenLight, aims to demonstrate which networks comply with self-regulatory principles and to act as “an additional level of best practices beyond simple compliance with the DAA program.” Thus far, 10 of the more than 40 ad networks that work with Evidon are participating in GreenLight, which requires them to use Evidon exclusively or as a default and provides additional training about the privacy program. [MediaPost News] See also: [EU EASA Best Practice Recommendation on Online Behavioural Advertising

WW – Facebook Glitch Reveals Private Videos

A Facebook spokesman said a problem which allowed videos uploaded to Facebook to be viewed by anyone on their friends’ list, regardless of whether they have been given access to the clip, has been fixed after being live for one week. Videos can be more sensitive than photos, so it is important that Facebook’s privacy controls, which allow members to restrict who has access to the videos, work as promised. The glitch over the past week allowed any “Friend” to view a listing of their friends’ Facebook videos, including a name, thumbnail, description, and anyone tagged in the picture. [Source] See also: [Nordic countries grill Facebook on privacy]

WW – Zynga Makes Privacy a Game with PrivacyVille

Zynga is ditching the usual fine print of a privacy policy for, what else, a game. That game, called PrivacyVille, is launching today. And it’s not really a game as much as a tutorial on the social gaming company’s privacy policies. The reward is that players who follow along and learn about the company’s practices for protecting users’ personal information get redeemable points. Zynga cautions that the PrivacyVille game is supposed to be educational, and is “not a substitute” for the company’s official privacy policy or Privacy Center, which details how Zynga deals with your personal information. Last week, Zynga announced its plans to go public. The company is expected to raise about $1 billion through its IPO. [Source] [Source]

WW – Fitness Site Exposes Calorie Burning Activities

An online fitness tracking company, which encourages users to share calorie-burning activities through the company’s website, has reset its new-user defaults to “private” after unknowingly exposing some users’ intimate activities. Fitbit has historically made user profiles public to promote competition, but a spokesperson said the company did not intend for “the sharing of intimate information.” About 200 users’ activities were searchable online. The company has contacted search engines to remove the data, hidden all activity records on its site and removed identifiable information from user profiles. “Out of a desire to have a successful ‘social strategy,’ too many companies are choosing to publicize their users’ information as much as possible,”the report states. [Forbes]

Other Jurisdictions

RU – Russia Amends Federal Data Protection Law

In early July the upper house of Russia’s federal legislature approved amendments to the country’s federal data protection law which were subsequently approved by President Medvedev on July 26. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute’s data subject consent provisions. The amendments, to be followed by interpretive regulations, will come into force when they are published in the official newsletter. Russia’s underlying federal data protection law finally came into effect on July 1, after five years of delays. The new rules allow personal data to be transferred outside of Russia to EU member states or to nations that are approved by a Russian federal agency authorized to designate countries that can guarantee adequate protection for personal data. In addition, personal data may be transferred with the prior written consent of data subjects, or if required by Russian federal legislation or international treaties. [Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise]

US – Privacy Law Reform Revived in Australia

According to Malcolm Crompton, former Federal Privacy Commissioner, the process of reviewing and reforming the Privacy Act 1988, the main law protecting privacy in Australia, was all but stalled in recent years but now has been revived by the Minister for Privacy, Brendan O’Connor. His July 21 call for a consultation on whether to introduce a statutory cause of action for serious invasions of privacy rapidly led a renewal of interest in reforming other portions of the Act. The revival was also spurred by the late June release of a 292-page report on the exposure draft of the Australian Privacy Principles and privacy legislation by the Senate Finance and Public Administration Committee. [Senate Finance and Public Administration Legislation Committee - Exposure Drafts of Australian Privacy Amendment Legislation - Part 1: Australian Privacy Principles ]

AU – Australia Pressured on Data Breach Laws

Data breach notifications have been flagged as one of the pressing issues to be tackled under a multinational joint action plan outlined by the attorneys general of the US, UK, Canada, New Zealand and Australia last week. Australia is falling far behind with its progress on holding organizations accountable for breaches, with every other country either having implemented or close to implementing mandatory notifications. Australia currently doesn’t have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission’s report on privacy, released in 2008. The attorneys general also said that they would look to have internet service providers develop codes of practice to stem malware similar to Australia’s iCode, which has already attracted US interest. [Source] See also: [Government to Consider Privacy Statute] [Source] [Source] [Source] [Cybercrime Legislation Amendment Bill 2011 - Parliament of the Commonwealth of Australia | Source #2 ]

MX – Privacy Regulations Issued for Public Comment

Mexico’s secretary of economy and the Federal Institute for Access to Information and Data Protection have released privacy regulations for public comment. The rules and guidelines established by the proposed regulations are for the implementation of the country’s Federal Law on the Protection of Personal Data in the Possession of Private Parties. According to the report, the regulations cover jurisdictional issues; notice and consent details; data controller and processor relationships; data transfers and security; self regulation; data subjects’ rights; automated processing, and enforcement. [Hunton & Williams’ Privacy and Information Security Law Blog] See also: [Law on the Protection of Personal Data - Peru

AU – AGs to Discuss Parental Access, Suppression Orders

Australia’s attorneys general are looking into whether laws should be created to give parents access to their children’s social networking accounts. In spite of privacy concerns, “We need to look at the policing that occurs, who can and should do it and how do you do it,” said South Australian Attorney General John Rau. But one privacy advocate says a knee-jerk reaction could “undermine an existing law and relationships between children and parents.” Meanwhile, a study in the U.S. indicates that 55% of parents there use social media to keep an eye on their children. [The Australian] [High-Wire Act: Cyber Safety and the Young - Parliament of the Commonwealth of Australia: Full Report ]

Privacy (US)

US – New Privacy Guidelines Would Give FBI Leeway to Abuse Privacy

25 years ago, Congress passed the Federal Privacy Act. In an effort to end the abuses committed by the FBI against anti-war and civil rights activists that director J. Edgar Hoover disliked, Section (e)(7) of that Act prohibited any agency of the federal government from “maintaining records describing how any individual exercises rights guaranteed by the First Amendment… unless pursuant to and within the scope of an authorized law enforcement activity.” The FBI and the federal courts have spent the last 25 years honoring that statute in the breach; and Congress seems perfectly satisfied to let them do so. And as reported in the New York Times on June 13, the FBI is again about to amend its Domestic Investigations and Operations Guide to further thumb its nose at the privacy act. The new guidelines, according to the Times, will allow some 14,000 FBI agents more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. [Source]

US – Netflix Video Provider to Halt Social Network Launch

Video rental provider Netflix announced this week that it will delay the launch of its Facebook integration in the U.S. due to legal issues. The Facebook feature would allow Netflix subscribers to share movie-viewing information with friends online, but the Video Privacy Protection Act (VPPA) is ambigious as to “when and how a user can give permission for his or her video viewing data to be shared,” Netflix wrote in a letter to its shareholders. A proposed amendment to the VPPA intends to clarify consent requirements for sharing. Netflix faces several lawsuits for past alleged VPPA violations. [Hunton & Williams Privacy and Information Security Law Blog]

US – New Theory of Harm in Data Breach Cases

Plaintiffs in data breach claims have been unsuccessful in convincing courts that they have suffered harms as a result of a breach, but “a new theory that claims a property right in personal information has recently been tried,” writes Andrew Clearwater, CIPP, in an article for the current edition of the IAPP’s Privacy Advisor newsletter. Clearwater says that, under this theory, a data breach causes a loss of personal information property and, therefore, a concrete or particularized harm has been realized.” The approach is being tested in a case against RockYou Inc. [Source]

US – Third Suit Filed After PIN Pad Breach

A class-action lawsuit claims that Michaels Stores took almost three months to warn customers that their debit cards’ PIN numbers may have been stolen in a breach spanning 20 states. The class action, filed in New Jersey’s Passaic County Court, claims that the company “failed to take any commercially reasonable steps to safeguard its customers’ nonpublic, sensitive, personal and financial account information…making its consumers an easy target for third-party skimmers,” and that customers were harmed because of the delay in notice they received following the breach. The suit is the third class-action filed since news of the breach broke. [Courthouse News Service]

US – Obama Nominates Ohlhausen to FTC

President Barack Obama has said he plans to nominate Internet policy expert Maureen Ohlhausen to replace Commissioner William Kovacic at the FTC. Ohlhausen is currently a partner in law firm Wilkinson Barker Knauer’s privacy, data protection and cybersecurity practice. From 2004 to 2008, she served as a director in the FTC’s Office of Policy Planning. Ohlhausen worked on an Internet task force during that time, exploring issues surrounding e-commerce and marketing. [The Washington Post]

Privacy Enhancing Technologies (PETs)

US – NIST Issues Privacy Controls for Federal Information Systems

The National Institute of Standards and Technology proposed adding privacy controls to its catalog of security controls for federal information systems, by releasing a draft 34-page Privacy Appendix for public comment through September 2, 2011. The 23 controls specified in the draft provide a structured way of assessing and ensuring that privacy requirements, deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance, as well as from international standards and best practices, are satisfied in federal information systems. Examples of the controls include transparency, data minimization, use limitation, data quality, and individual access and redress. The privacy additions to the guidance would:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements.
  • Establish a linkage and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in concept and in implementation.
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls.
  • Promote closer cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements.

Though the recommendations are aimed at federal agencies, NIST understands and encourages other organizations to adopt its privacy and security guidance. NIST is accepting public comment on the privacy addendum, known as SP 800-53 Appendix J, at sec-cert@nist.gov through Sept. 2. [Source

US – Online Privacy Company Receives $5.2M for Growth

Two venture capitalist companies have invested $5.2 million in a Cambridge, MA, company that provides online privacy services to Internet users. “Privacy is the next consumer Internet frontier,” said one investor, while another touted the company, Abine, for creating a “one-stop shop for consumer online privacy.” Abine’s president, Bill Kerrigan, said, “Controlling our online privacy has become a universal issue: consumers want basic choice and control over how their personal information is tracked, collected and used.” [The Boston Globe

US – Appeals Court: TSA Can Keep, But Must Rethink Airport Body Scans

The TSA violated federal law when installing controversial full-body scanners in U.S. airports without following proper procedures, a federal appeals court ruled. The D.C. Circuit Court of Appeals in Washington, D.C., rejected arguments from the Obama administration that the TSA was exempt from laws requiring federal agencies to first notify the public and seek comments. “It is clear that by producing an image of the unclothed passenger, (a full-body) scanner intrudes upon his or her personal privacy in a way a magnetometer does not,” wrote Judge Douglas Ginsburg for the three-judge panel. Ginsburg said he would not order TSA to immediately halt the full-body screening—which resulted in a near-revolt by air travelers last fall—but instead instructed “the agency promptly to proceed in a manner consistent with this opinion.” [Source] [Source] and also: [SourceF]

US – TSA Announces Privacy-Boosting Software for Full-Body Scanners at Airports

Air travelers at Raleigh-Durham International Airport will soon be able to board their planes without images of their unclothed bodies being viewed by security personnel. The federal Transportation Security Administration said Wednesday it will upgrade its full-body scanners with new software designed to protect travelers’ privacy. The so-called Automated Target Recognition software eliminates the image of an actual passenger on the screen, replacing it with a generic outline. Passengers will be able to see the same image viewed by security officers. The software is designed to recognize items in the image that could pose a security threat. A TSA spokeswoman said it will be several months before the new software is installed in the 40 airports that have the machines.. [Source]

WW – New Strategy: Privacy by Redesign

Building privacy into an organization’s system from the start is a smart, effective solution that can yield strong results. But what about systems that already exist without privacy? A new concept called Privacy by Redesign, by Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, looks to bring privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, and create a consent management system. [Source]

WW – Cisco Issues Product Development Guidelines for Engineers & Product Managers

Summary: Application developers should use Privacy by Design as a means to ensure that privacy features and functions are essential components of any new software development (and not bolted on as an add-on); consideration should be given to reducing the amount of data collected (avoid collecting sensitive data and only collect information that is absolutely necessary for the purpose), reduce the retention period (for no longer than the time necessary to accomplish the intended business purpose or required by law), and reduce the sensitivity of the data (reduce the precision e.g. if a customer phone number is to be used for statistical analysis, retain only a subset of the digits such as the area code, and convert the form of the data, e.g. when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town). When installing software on a customer’s system, provide the customer with notice (get explicit consent prior to installation of any software on a customer’s system, including automatic updates), digitally sign software with a certificate from a well-known, trusted certification authority; provide customers with a mechanism to track automatic updates that have been installed and a means to stop subsequent updates. When deploying servers, application developers must get explicit opt-in consent from an Application or System Administrator prior to transfer of data from the server over the Internet (disclose any known privacy implications for server features); provide or identify a mechanism to help an Instance Administrator prevent disclosure of user data and that allows an Application or System Administrator to manage distribution of data outside of the organization or firewall (such as a group policy) – provide the System Administrator with the ability to override decisions made by Application Administrators. [Source]

RFID 

CA – ePassports Won’t Come With Anti-Skimming Sleeves

Passport Canada says it won’t be issuing protective sleeves for its new electronic passports because the high-tech made-in-Canada booklets are safe from the so-called skimming problems seen in the U.S. Ottawa-based Canadian Bank Note Company said it was awarded the contract to design and manufacture ePassports, which will be issued to Canadians sometime in 2012. A radio-frequency identification (RFID) chip will store the name, gender, date of birth, passport number and digital photo of the traveller. [Source]

Security

WW – Is IT Remote Access Support Compromising Data?

Data breaches are more prevalent and more costly than ever. Smarter technologies seem to breed smarter hackers, making it difficult for IT to keep up. But sometimes IT unwittingly helps the bad guys by improperly using core tools, such as remote support mechanisms. According to a Verizon report which examined more than 700 data breaches from 2010, a whopping 71% of all attacks were conducted through remote access and desktop services pathways. [Source] See also: [Apple MacBook batteries found vulnerable to malware] SEE ALSO: [What the #!%*!?: The definitive guide to phone-hacking]

WW – Insiders: Primary Points of Compromise

Last week’s arrest of Gary Foster, the former Citi exec who’s been accused of embezzling more than $19 million through wire transfers, has left the industry a little dumbfounded. How could a mid-level executive in the bank’s treasury department manage to fraudulently push that much money through legitimate transfers? It all happened right under the bank’s nose, and it took almost a year to detect. “It’s such a classic case of insider fraud, how did he go so long without being caught?” When it comes to internal fraud and the damage it causes, banks and credit unions often fail in three critical areas:

  • Internal fraud is misclassified;
  • Institutions underestimate how reports of internal fraud breed mistrust among consumers; and
  • Not catching and stopping internal schemes quickly adversely affects consumers,
    who often fall victim to identity theft.

Banks and credit unions can address internal fraud by using more transaction and behavioral monitoring. But most financial institutions aren’t willing to make the investment. [Source] See also: [‘Low-risk’ border crossers in Nexus program caught smuggling goods into Canada ]

US – ‘Military Meltdown Monday’ — 90K Military Usernames, Hashes Released

Anonymous hackers have broken into a server belonging to consultancy firm Booz Allen Hamilton and published a database containing some 90,000 military e-mail addresses and hashed passwords in what they named Military Meltdown Monday. Unlike the passwords taken from government contractor IRC Federal, the passwords from the Booz Allen system have been hashed using SHA-1. This will make breaking into further systems using the released account information harder—but it’s likely that at least some of the passwords will be crackable, and so further damage could follow. Booz Allen has tweeted that it doesn’t comment on security issues. [Source]

US – Government Agency Breached, 24K Files Accessed

Deputy Defense Secretary William Lynn has announced that a foreign intelligence service accessed 24,000 Pentagon files by hacking into an unnamed government contractor in March. The disclosure came during the release of the Pentagon’s new strategy for military operations in cyberspace, which outlined a more proactive approach to cybersecurity. “Current countermeasures have not stopped this outflow of sensitive information,” Lynn said during a speech at the National Defense University. “We need to do more to guard our digital storehouses of design innovation.” [The New York Times] See also: [US – Report Details CPO, CISO Roles

WW – Carefully Thought-Out Patching Strategy Pays Off

A recently issued report underscores problems inherent in the way most organizations handle security patches. According to “The Secunia Half Year Report 2011,” organizations that implement a well-thought out patching strategy lower their vulnerability risks by as much as 80%. The number of plug-ins and other programs on endpoints makes the problem even more intractable. A company that patches all of the Windows flaws will still have more than three-quarters of their flaws unpatched. Secunia found that patching the most popular programs reduced risk by 31%, but patching the most critical programs reduced risk by 71%. “The analysis reveals that timely patching of the software portfolio of any organization is like chasing a continually moving target.” [Source] [Source] [Free online patching tool]

Surveillance 

WW – The Biggest Privacy Risk? Your Spouse

A new Retrevo Gadgetology study shows that the level of spying among spouses and dating partners has reached new high levels. According to the study, 30% of men and 35% of women admit to having checked the email or call history of someone they’re dating without them knowing. And 32% of men and 41% of women admit to doing the same with their spouses. 17% discovered their spouse was cheating. [Source] [US: Judge rules use of GPS to track a cheating spouse is not an invasion of privacy]

Telecom / TV

UK – Britain’s Phone Hacking Inquiry Opened

An inquiry into Britain’s phone hacking scandal (a.k.a. “Voice Mail Bad Password Scandal”) has officially begun; Lord Justice Brian Leveson said that public hearings will commence in September. The inquiry was ordered by Prime Minister David Cameron. The inquiry will examine ethics and regulation not only of the British press, but of the BBC and social media as well. The breadth and depth required of such an inquiry lead some to doubt that a report will be ready in a year’s time. [Source] [Source] [Source] See also: [OIPC SK - Best Practices: Mobile Device Security]

US – Judge Grants Wiretapping Appeal

A federal judge has announced that Google has the right to appeal last month’s ruling, which stated that the company’s Street View information-gathering practices constituted illegal wiretapping. With more than a dozen combined lawsuits seeking damages from the company, U.S. District Judge James Ware said that his ruling is the first of its kind, according to the report, and that an appellate court is better equipped to decide the case. Ware said, “Thus, in light of the novelty of the issues presented, the court finds that its June 29 order involves a controlling question of law as to which there is a credible basis for a difference of opinion and also finds that certification of the June 29 order for appeal would materially advance the litigation.” [Wired] See also: [Garante Per La Protezione dei Dati Personali - Smartphones and Tables: Current Scenarios and Operational Perspectives]

US Government Programs

US – Intelligence Agency Wrestles With Phone Location Data Tracking

The National Security Agency (NSA) is considering surveilling U.S. citizens by intercepting mobile device location data. The agency is now determining whether it has the legal right to do so, according to NSA general counsel Matthew Olsen. U.S. law prevents intelligence agencies from spying on U.S. citizens within U.S. borders. But at a Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law hearing this week, Olsen said he believes there are “certain circumstances where that authority may exist.” [InformationWeek Government]

US – Government Scolded for Data Breach Notification Delays

The Treasury Inspector General for Tax Administration has criticized the IRS for not notifying taxpayers quickly enough when their personal information had been compromised. Draft cybersecurity legislation introduced by the Obama Administration would require companies to notify consumers affected by data breaches within 60 days. But in a sample of 100 incidents between July 2010 and February 2011, breach notification letters were sent out to victims 86 days after the fact in 20 percent of the cases. In five percent of the cases, victims weren’t alerted because IRS employees failed to document those affected, and 21 percent weren’t alerted because the agency didn’t believe a threat existed. [nextgov]

US – GAO Audits Gov’t Agencies’ Social Media Policies

The Government Accountability Office (GAO) has audited the social media policies and procedures of 23 government agencies and issued a 90-page report disclosing the results. The GAO’s information security director writes, “Without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information and secure federal systems and information against threats.” The audit found that 12 of the 23 agencies have social media policies and procedures in place; 12 have updated privacy policies, and seven have identified security risks [GovInfoSecurity] See also: [Vladeck Talks Social Networks, Do Not Track]

US – GAO Report: DOD Faces Challenges In Its Cyber Activities

Although the Department of Defense (DOD) may cultivate a reputation of being the best equipped of the government agencies to defend against cyber security threats, a report from the US Government Accountability Office (GAO) notes that “keeping pace with the magnitude of cyber security threats DOD faces currently and will face in the future is a daunting prospect. While the US may dominate in land, sea and air presence, the costs and technology required for adversaries to enter cyber space are far lower. The report applauds the DOD’s creation of the US Cyber Command, but says that “it is too early to tell whether this will provide the necessary leadership and guidance DOD requires to address cyber security threats.” The GAO report pointed out areas in which the DOD needs to improve coordination, illustrating the problem with a 2008 cyber infection that prompted directives from a variety of military and civilian organizations, none of which were coordinated with any of the others. [Source] [Source] [Report] [Source

US – Commission Issues Smart Grid Resolution

California’s state utility regulators have adopted a new resolution on smart grid principles. When considering implementing the smart grid, state commissions should consider privacy. That’s according to The National Association of Regulatory Utility Commissioners (NARUC) which adopted a new resolution on smart grid principles. The resolution indicated support for implementation of smart grid technology but notes the importance of consumer education and engagement. NARUC will release a best practice guide on consumer privacy, which it says is essential. State commissions should “review existing privacy policies and, if necessary, adopt or update their policies to ensure that they properly address the privacy concerns created by smart meter data collection,” the commission said, adding that third parties should also be required to comply. [Smart Meter News]

US Legislation

US – House Judiciary Committee Passes Bill with ISP Data-Retention Mandates

The House Judiciary Committee has passed HR 1981 after defeating an amendment that would have placed limits on ISPs’ requirement in the proposed law to retain IP addresses for one year and make them available to law enforcement by an administrative subpoena. If approved, the Protecting Children from Internet Pornographers Act would eliminate law enforcement’s need for court orders to access such information, prompting arguments from some that the bill grants too much power to the Justice Department and would create a robust database for hackers to potentially access. The committee has adopted amendments requiring ISP compliance with the bill’s privacy standards and encouraging breach notifications [Broadcasting & Cable] [US: Lawmakers push for children’s online privacy law] and: [Resistance to ISP Data Retention Proposal] and [OECD - The Protection of Children Online: Risks Faced by Children Online and Policies to Protect - OECD Digital Economy Papers, No. 179]

US – Two Cybersecurity Bills Introduced in Senate

Two bills focusing on data breach response have been introduced into the U.S. Senate. One bill, introduced by Sens. Thomas Carper (D-DE) and Roy Blunt (R-MO), would require financial institutions, retailers and federal agencies to protect personal information, investigate breaches and notify customers of a breach. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country,” said Carper. Meanwhile, Sen. Diane Feinstein (D-CA) has introduced the Data Breach Notification Act of 2011, which would require organizations to notify customers when their personal information is breached. “It is past time,” Feinstein said, “for congress to pass a national breach notification standard.” [TechJournal South] See also: [Don’t Foist Euro-Style Online Privacy On The U.S]

US – The SAFE Data Act: An Admirable Attempt That Needs Expansion

Some of the controversy over The SAFE Data Act, introduced by Rep. Mary Bono Mack, concerns the limited definition of “personal information” in terms of what would trigger a breach disclosure and notification. The term ‘‘personal information’’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: -Social Security number -Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity -Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account. This bill, if enacted into law, would pre-empt state laws. Consider many of the recent hacks where databases containing userIDs or usernames plus passwords were acquired and posted on the Internet. Usernames + passwords do not meet the criteria for “personal information” in the SAFE Data Act, even though such information could easily be used for unlawful conduct such as hacking email accounts or online banking accounts where the user may have reused that login information. The bill now goes to full committee. [Source]

Workplace Privacy

US – No Summer Holiday for HR Data Breaches

Nine breaches of HR data were reported in July: Washington Post (user IDs and e-mail addresses of 1.3 million users of the newspaper’s online job section compromised by hacking); Nyack Hospital (NY) (1,400 current and former employees exposed to ID theft by the theft of a computer); Estée Lauder (an undisclosed number of employees and contractors impacted by the theft of a laptop); Swedish Medical Center (WA) (personal information, including SSNs, of 20,000 current and former employees made accessible on the Internet unintentionally); TSA (dozens of TSA employees at Sky Harbor International Airport suffering loss of banking information and deposits possibly via credit card skimming); Meridian Health System (an undisclosed number of employees jeopardized by the overnight theft of computer equipment from the home of an employee in Asbury, NJ); Lumberton Independent School District (TX) (theft of a laptop from a car impacting an undisclosed number of employees); JetBlue (an undisclosed number of employees impacted by the placement of malware on a corporate system); and Pfizer (a laptop stolen from an employee’s car potentially revealing personal information of an undisclosed number of employees). SEE ALSO: [US phisher who hit 38,500 gets long prison sentence] AND ALSO: [Nothing replaces face-to-face meetings, but Rypple’s use of social media can ease evaluations for both employee and manager] and [NYT: Social Media History Becomes a New Job Hurdle] and [Could you pass a Facebook Background Check?] and, finally, [Datainspektionen, Sweden - Checklist for Employers on CCTV in the Workplace]

+++

01-31 June 2011

Biometrics

CA – B.C. Insurer’s Use of Driver’s Licences to Catch Rioters Alarms Privacy Experts

Critics are asking pointed questions about a proposal by B.C.’s public insurer to use driver’s licence photos and face-recognition software to identify culprits in Vancouver’s infamous hockey riot. The Crown-owned Insurance Corporation of British Columbia is offering to take photos from Vancouver police that are the subject of active investigations and run them against its licence database. ICBC spokesman Adam Grossman said that if there is a confirmed match, ICBC will let the police know — but it will only turn over personal data if the police get a court order requiring it. It is the most high-profile example to date in this country of what Simon Fraser University communication professor Peter Chow-White calls “function creep” — using a technology or process designed for a specific purpose for other purposes. Thanks to face-recognition technology, data collected for drivers’ licences could be used for everything from naming rioters to providing police with personal data on people caught committing crimes. “The function of the ICBC database is not for law enforcement as far as I know,” said Chow-White. “They don’t tell me when I get my picture taken this could be used in a police investigation.” [Source] [Privacy commissioner to audit ICBC court proceedings into riot] [Canadian privacy lawyer questions police access to ICBC’s facial recognition technology to help identify rioters] See also: [Russian Bank Puts Lie Detector in ATM Machine] and [RU: Oh, Crap! Moscow Mulls Terrorist-Proof Toilets]

IS – Government to Establish Biometric Database

Despite concerns from privacy groups, the Knesset Science and Technology Committee has approved the ordinances necessary to establish a biometric identification database. The Knesset passed a law allowing for the database in 2009, and the Interior Ministry will begin a two-year pilot of the database in November, the report states. The project allows citizens to voluntarily choose biometric identification cards and passports that include a computer chip containing such information as photos, dates of birth and fingerprints. The Association for Civil Rights in Israel is among the groups opposing the policy due to privacy concerns. [Jerusalem Post]

US – Privacy Groups Push for U.S. Facebook Probe

Several privacy groups are asking U.S. regulators to force Facebook to halt plans for its facial recognition service. The Electronic Privacy Information Center and three other advocacy groups today filed a complaint asking the U.S. Federal Trade Commission to force Facebook to end plans for a new facial recognition service. U.S. Rep. Ed Markey (D-Mass.) quickly threw his weight behind the initiative and called for the FTC to investigate the Facebook service. “When it comes to users’ privacy, Facebook’s policy should be: ‘Ask for permission, don’t assume it,’” said Markey, co-chairman of the bi-partisan Congressional Privacy Caucus, in a statement today. “Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue.” [Source] [Facebook Turns On Facial Recognition, Prompting Concern] [Facebook facial recognition under fire]

Canada

CA – Alberta Privacy Commissioner Seeks Leave to Appeal to the Supreme Court

Alberta’s Information and Privacy Commissioner has applied for leave to appeal to the Supreme Court of Canada from the Alberta Court of Appeal’s decision in Leon’s Furniture v. The Information and Privacy Commissioner of Alberta. In the case, a majority of the Court of Appeal held that an organization’s methods of collecting personal information must only be reasonable and need not be the least intrusive method. The case arose due to Leon’s policy of collecting driver’s license and license plate information from customers who accept delivery of merchandise after they pay for it. The Privacy Commissioner held that the policy was unlawful under Alberta’s Personal Information Protection Act (PIPA) since organizations must implement the least intrusive policies possible. The Court of Appeal found the Commissioner’s interpretation of the PIPA incorrect, holding that as long as the business is being conducted reasonably, it does not matter that there might also be other less intrusive ways of conducting the business. It further stated that the “reasonableness” standard imposed under Section 11 of the PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change “reasonableness” to either “necessity”, “minimal intrusion”, or “best practices”. These are not interpretations that are available given the plain wording of the statue.” The Privacy Commissioner argues that the Court of Appeal’s decision allows businesses to circumvent the PIPA. In addition, he argues that the decision is inconsistent with the laws of British Columbia and Canada, and makes Albertans a target for fraud. [Source] [Alberta’s privacy watchdog wants top court to overturn decision involving retail giant]

CA – Google May Face Third Party Audit

The office of Canada’s Privacy Commissioner, Jennifer Stoddart, is recommending Google bring in an outsider to assess internal privacy policies. The recommendation comes in the wake of an investigation which revealed the Mountain View, California company inadvertently collected unsecured personal data while creating its Street View service. Despite the fact that Google has agreed to implement several measures that will reduce the risk of future privacy violations, the Commissioner has requested an independent audit of Google’s privacy programs, to be concluded within the next year, with the findings reported back to the Commissioner’s office. It is the first time Canada’s Privacy Commissioner has made such a request, and, though Google has not officially responded, it is difficult to conceive of the tech giant complying, given that it might result in unprecedented third party access to Google’s business practices. That said, Google did announce a new initiative that will see independent auditors examine the company’s privacy policies, issuing a report card every other year on the company’s ability to safeguard user data. [Source] [Commissioner satisfied with Google’s privacy fixes] See also: [Canadian privacy commissioner Jennifer Stoddart recognized for impact] and [Commissioner Cavoukian receives International Privacy Award]

CA – Jailed Killer Wins $6K Settlement

A high-profile convict has won a $6,000 out-of-court settlement from Correctional Services of Canada after guards distributed a newspaper article about him to other prisoners. Inmate Gregory McMaster said the guards violated the prison system’s own rules and put him at risk by posting a Toronto Sun news article. [Source] See also [Careful what you say, we’re listening: Saskatchewan prisons tell inmates]

CA – Annual Report Issued: Company’s Improvements Insufficient

An audit by the privacy commissioner of canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart’s audit found that the office supply store “did improve procedures and control mechanisms after our investigations,” but they were “not consistently applied nor were they always effective, leaving customers’ personal information at serious risk.” The company had said it would take corrective action following two complaints to the commissioner. The audit found that of 149 data storage devices, one-third still contained customer data. [Source]

Consumer

WW – United Nations Report: Is Internet Connectivity a Human Right?

A new report for the United Nations Human Rights Council takes Internet access a step further, however, characterizing it as a human right. The report, written by Frank La Rue, the U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, took the political world by storm when it was released several weeks ago. (La Rue is also an internationally regarded human rights expert who was once nominated for the Nobel Peace Prize.) The report explored the need to ensure that citizens have Internet connectivity, and also the rules associated with that access. As a result, it was highly critical of policies that block access to content, threaten to cut off Internet access due to allegations of copyright infringement, and fail to safeguard online privacy. It notes “any restriction to the right to freedom of expression must meet the strict criteria under international human rights law. A restriction on the right of individuals to express themselves through the Internet can take various forms, from technical measures to prevent access to certain content, such as blocking and filtering, to inadequate guarantees of the right to privacy and protection of personal data, which inhibit the dissemination of opinions and information.” [Source] See also: [Wanted: Privacy Policies Written for Human Beings]

NZ – NZ Post Defends Selling Information

New Zealand Post says it was doing nothing improper in selling information garnered in a wide-ranging public survey of personal data. Privacy Commissioner Marie Shroff has criticised the state-owned enterprise for breaching the privacy of thousands of people by selling the information to marketing companies. The 2009 survey, sent to 800,000 letterboxes and via email, asked a series of questions covering areas including income. Ms Shroff commissioned two reports from privacy law and marketing experts and has concluded the survey was a systematic and large-scale breach of privacy principles. She was concerned that people were unaware that their private information was being sold. [Source]

WW – Report: Breach Victims More Susceptible to Fraud: Study

Victims of a data breach are more than four times as likely to become victims of fraud than other consumers. That’s according to the Javelin Strategy and Research annual report, which says credit card companies should be doing more to alert customers to potential dangers, such as notifications when issuing new cards or changing billing addresses. The report also notes that hackers have become more sophisticated, threatening “the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud,” said Javelin’s Philip Blank. [Reuters]

US – Taxpayer Identity Theft Is on the Rise

A new Government Accountability Office (GAO) report indicates that taxpayer identity theft is increasing in spite of Internal Revenue Service (IRS) attempts to prevent it. The number of reported IRS identity thefts rose from 51,702 in 2008 to almost 250,000 in 2010. The report noted that employment fraud is also difficult to spot. “By the time both the victim and the IRS determine that an identity theft incident occurred,” the report states, “well over a year may have passed since the employment fraud.” The GAO said the IRS is taking additional steps to address the issue. [Source]

E-Government

UK – Government to Create Market for Personal Identity Data

The government is preparing to create a marketplace for citizens’ personal data to be used for accessing online public services, according to documents that were issued to industry in preparation for the coalition’s next-generation identity scheme. The plan may prove highly controversial, as it offers only limited assurances over how much control people would have over how their data is used. The coalition intends to “create the commercial, legislative and regulatory environment” in which a private sector ID industry may thrive, it said in briefing papers sent to industry in April. The proposals would create a personal data marketplace populated by banks, phone companies, the Post Office and others that may involve government departments selling access to their own citizen databases. The government has proposed that it may join the market by selling data services to private ID companies and data agents. [Source]

AU – Taxpayer Data Being Sold Without Notice

Taxpayer assessment records—including the name, address and property value of individuals—can be purchased from town councils by businesses and other entities without individuals’ consent. Several real estate companies are using the purchased information to create databases in order to personalize marketing campaigns, the report states. Currently, there are not existing laws to prevent the sale of such information for profit. An investigation by the paper revealed that taxpayer data can be accessed through council computers without charge or registration and, though individuals can opt out, most are not aware of the process. [Adelaide Now]

UK – Privacy Group Hits Out at HMRC Spying Robot

The HM Revenue and Customs (HMRC), has decided to employ “web robot” software to help it spy on people it believes are guilty of dodging their tax duty. The government department hopes that by putting this in place it will be able to find out information about certain people and companies silently trading and evading their taxes. The moves have however been described by privacy groups as “outrageous” while security experts have said there could be a possibility of “false alarms.” The HMRC’s spies are basically pieces of code, which can be unleashed to run searches over the internet. Through this they then analyse and file information from web servers. This information is then crossed referenced with the department’s Connect computer system to find people who are trading without telling it by looking at previous tax dodgers and looking to see if there were any missing links between interest, property income and lifestyle. [Source]

US – City Database Sparks Concern

A database created to enable information sharing across city agencies has provoked privacy concerns. It contains information on four million residents, linking together “vast amounts of information gathered by city agencies that previously maintained their files separately,” the report states. Some are expressing concern about the number of city workers who will have access to it and the potential for misuse. But Deputy Mayor for Health and Human Services Linda Gibbs says controls have been built in to address such concerns. “Not everybody is allowed to see the big picture,” she said. “There are a number of doors that open and close.” [The New York Times]

US – OPM Moves Forward on Data Warehouse

The Office of Personnel Management’s (OPM) plans to build a large, centralized database despite privacy concerns. The OPM released two formal notices on the Health Claims Data Warehouse in the Federal Register this week, and work will begin on July 15. The OPM had delayed plans for the database due to privacy groups’ concerns about vulnerabilities. Revised plans for the database–which will store information including names, addresses, Social Security numbers and birth dates–include a downsized scope of the database and limits on how information from it can be used, with only de-identified data to be released beyond the OPM. [Computerworld]

CA – Federal Tory Donor Database Hacked

Hackers, not hash browns, were the cause of Prime Minister Stephen Harper’s distress in early June, as the federal Tories confirmed their website had been compromised and private information of financial supporters taken. In January, networks of both the Treasury Board of Canada and Finance Canada – the economic hubs of the government – were also penetrated, resulting in data being “exfiltrated,” according to a government memo written on the 31st and obtained by CBC. [Source] and see also [NZ: Labour says donor database use breaches privacy] [Conservative party website hacked] and also: [The International Monetary Fund (IMF) confirms it was hacked, with suggestions the attack was state sponsored]

CA – Sex Offenders Website in Ontario: Public Protection or Tool for Vigilantes?

Ontario could be the first province in Canada to create a website listing the names and addresses of its registered sex offenders — a controversial proposal that’s sparking a larger debate about whether it’s an effective tool to stop crime. Some experts say it would better protect children from predators, while others are concerned that it may lead to vigilante action or weaken a system that currently allows police to keep track of sex offenders. If it comes to pass, the election promise by the Progressive Conservatives would go further than any other program in Canada that’s designed to warn the public about high-risk offenders. Alberta is currently the only province that has a website listing the names and photos of high-risk offenders. However, it doesn’t provide their addresses for safety reasons. [Source]

CA – Open Text Launches Social Media Site for Government Policy Workers

The world is a “global village” now that social media networks are filled with conversations between people in different countries. But those who do serious government work can’t collaborate using tools such as Facebook or LinkedIn, because of concerns around security, privacy and who owns the information. Now, Waterloo software developer Open Text has joined forces with the Institute of Public Administration of Canada (IPAC) to launch Public Service Without Borders, a social media site where people working on government policies around the world can communicate and collaborate in a secure, cloud-computing setup. “The objective is global co-operation and networking,” he said. The network will be accessible over the internet or through mobile devices. Experts in areas such as information policy, governance, environmental or health care policy will share their biographies and information about polices they have helped develop and implement, as well as lessons learned. They can share documents, blog about their experiences and meet in virtual “community rooms” for discussions.The site is hosted “in the cloud,” which means IPAC doesn’t need an array of servers, Benay said. “It is using an existing infrastructure we have adapted to meet their policy and legal requirements.” It meets stringent security requirements, he added. “It is as secure as the online banking system.” [Source] See also: [Courts use Facebook to reach those who exist only online]

CA – Florida State Supreme Court Approves Privacy Rules

The Florida Supreme Court has issued new privacy rules for the state court system in order to protect personal information filed in court cases. The rules, which will temporarily not cover traffic and criminal cases, have been approved to ensure that personal information is protected before full electronic access to court cases is provided to the public. Driver’s license, credit card and Social Security numbers as well as e-mail addresses, passwords, birth dates and full names of minors will either be truncated or not included in court documents. The justices who approved the rules said that defense lawyers, prosecutors, law enforcement and others will still have access to the full information. [Wink News]

US – Kundra to Leave Federal CIO Post for Harvard Fellowship

Vivek Kundra, who was appointed the US’s first federal Chief Information Officer (CIO), will resign his position in mid-August for a fellowship at Harvard University, according to the Office of Management and Budget (OMB). A successor has not yet been named. Some have expressed concern that Kundra’s departure will hinder the projects he has begun, but others are more confident that “his legacy of defining incremental improvements and managing project teams to meeting identified goals should and likely will continue due to the momentum that he has created.” [Source] [Source] [Source]

E-Mail

CA – Canada’s Antispam Enforcer Ready to Fight

When Canada’s anti-spam law comes into effect, Andrea Rosen of the Canadian Radio-television and Telecommunications Commission will be charged with enforcing it. Speaking at a conference on Wednesday, Rosen stressed that the she has “the tools to find the spammers wherever they’re hiding and the power to shut down their operations.” Under Bill C-28, consumers have to give consent to receive unsolicited e-mails, and businesses could see fines of up to $10 million for serious infractions, while fines for individuals could reach $1 million. According to the report, Rosen hopes the law will come into effect this fall. [ITWorld]

Electronic Records

US – Supreme Court Strikes Down Prescription Drug Law

The U.S. Supreme Court struck down a Vermont state law today that had prohibited the use of patients’ prescription drug records for marketing purposes. In what Reuters described as “a case pitting free-speech rights against medical privacy concerns,” the court heard arguments in Sorrell v. IMS Health earlier this year, issuing its opinion this morning. The case was brought forward by pharmaceutical and data mining companies that contested a Vermont law prohibiting the sale of such information as records of which doctors prescribe specific drugs to their patients. “The high court handed a victory to data mining companies IMS Health, Verispan and Source Healthcare Analytics, a unit of Dutch publisher Wolters Kluwer, that collect and sell such information and that challenged the law,” Reuters reported following the Supreme Court’s decision this morning. In a joint media release officials from the companies hailed the decision. “Today’s ruling is clear and unmistakable–these types of laws violate the Constitution and do nothing to improve healthcare, reduce costs or protect privacy as proponents had claimed,” said Harvey Ashman of IMS Health. Prior to the 6-3 decision by the court, privacy experts weighed in with varying insights on the potential impact of the case, with some warning that for the court to rule as it did today could mean “significant implications” for patient privacy. “From the privacy perspective, the court rejected the efforts of Vermont and others to turn this case into a privacy case, and focused instead on the impact of the law as a commercial speech issue,” Kirk Nahra, CIPP, of Wiley Rein told the Daily Dashboard. “There are many current means of regulating patient privacy directly, and it would not have been useful to the overall protection of patient privacy to address these issues in an essentially unrelated context, through the back door.” [Reuters]

US – Experts React to Supreme Court Ruling on Prescription Records

In the wake of the U.S. Supreme Court’s decision in Sorrell v. IMS Health, experts have been weighing in on the implications for privacy protection. In a 6-3 ruling, the nation’s highest court struck down a Vermont statute that prohibited the use of physicians’ prescription drug records for pharmaceutical marketing and data-mining purposes. This article exclusive examines some of the immediate reactions to the ruling, which include different perspectives on the implications for privacy protection. One legislator suggests the decision is “a loss for those of us who care about privacy,” while other experts suggest the case was not about privacy at all. [Source]

CA – Ontario Health Records Proposal Would Breach Privacy, Experts Say

Ontario is proposing to create electronic health records that contain information about a patient’s education, employment, financial status, legal history, residence history, sexual orientation, spirituality and other psycho-social traits. But so comprehensive and sweeping is the proposed database that privacy and legal experts say they are “appalled” and “stunned.” The province’s plans, sketched at an e-Health conference in Toronto, Ontario earlier this month by Grant Gillis, director of ehealth standards for eHealth Ontario, would see the creation of comprehensive profiles about all Ontario patients, including their “social history.” Gillis also indicated that the information could include a category called “risk.” eHealth Ontario later indicated in an email that risk is a “general” category. Some examples found on forms provided by stakeholders during our engagement process include: Risk of falls/wandering; Risk of harm to others; (and) Risk of patient having perhaps been exposed to an infectious disease.” The aim is to create “an overall clinical information model for Ontario,” Gillis said. Information and Privacy Commissioner of Ontario Ann Cavoukian said in a statement prepared for CMAJ that she has contacted Greg Reed, CEO of eHealth Ontario, to discuss the proposed health records. “He assured me that they will be consulting with my office on possible data fields that practitioners have expressed interest in,” Cavoukian writes. “Nothing will be finalized until my office and other privacy specialists are consulted. One thing is clear — patient privacy must be directly embedded into the design of our electronic health records from the outset, not as an afterthought.” eHealth Ontario conducted public consultations on its specifications for the new health records last January and published a list of parties who responded. Those included some health institutions and technology companies but not legal, privacy or civil rights experts (www.ehealthontario.on.ca/programs/clinicalDocument.asp). The Office of the Information Commission of Ontario was not aware of the consultations at the time, spokesman Angus Fisher says. Nor had el Eman heard of the consultations. “I would be surprised if there was a real public consultation that no legal and civil liberty groups would have responded or reacted,” he says. [Source] See also: [US: Can Privacy, Electronic Medical Records Coexist?] and [US: Proposal protects medical records]

US – Fraud Case Involved Privacy Violations

Danish pharmaceutical company Novo Nordisk Inc. has entered a $1.725 million civil settlement agreement to resolve allegations that the company accessed and misused private patient information and filed false or fraudulent Medicaid claims. The civil settlement agreement alleges the drug company’s sales representatives made payments to Rite Aid pharmacists in exchange for them recommending two diabetes drugs. The pharmacists, together with Novo Nordisk sales representatives, identified patients who were candidates for the drugs and communicated with physicians, patients and other pharmacists to encourage them to use or recommend the use of the drugs, according to the agreement. In addition to entering the civil settlement, the company, which has not admitted to engaging in the conduct, also has entered into a “corporate integrity agreement” with the Department of Health and Human Services, Office of the Inspector General. [Source]

US – Verizon Enhances Security Programs for Healthcare Organizations

Verizon has added new capabilities to two of its security programs, capabilities that should help health delivery organization strengthen security across their health systems and assess the security practices of partners they do business with. Announced this week, the company said its Verizon Security Management Program-Healthcare (SMP-H), an online dashboard that helps organizations assess and strengthen their security, will now include a new module based on the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), a widely adopted set of healthcare industry data protection guidelines. The company has also enhanced the Verizon Partner Security Program (PSP). Now, by fielding a questionnaire to business partners, healthcare organizations can assess the security compliance of these partners and their internal business units against Health Insurance Portability and Accountability Act (HIPAA) interim rules that extend data security and privacy requirements to the business associates of healthcare organizations. PSP is a platform that allows healthcare delivery organizations to conduct risk and compliance assessments and reporting tasks as well as manage their compliance and security across thousands of partners and multiple regulations. To improve HIPPA’s security rules, HHS announced this week proposed changes to the HIPAA Privacy Rule that would give people the right to get a report on who has electronically accessed their protected health information. [Source]

US – HHS Proposes Privacy Rule on Medical Records

Patients could obtain a list of everyone who has accessed their electronic medical record under a rule proposed by the U.S. Department of Health and Human Services. Healthcare providers must currently keep track of everyone who accesses private medical records, but they do not have to provide that information to patients. Under the rule, patients would be able to request an access report, which would document the identities of those who electronically viewed their protected health information. The new rule would add to regulations already in place under HIPAA, which protects patient privacy and sets security standards for electronic health records. [Source]

US – HHS Calls for More Protections, ONC Responds

The Health and Human Services (HHS) Inspector General’s Office recently released a white paper criticizing the Office of the National Coordinator for Health Information Technology (ONC) for not doing enough to protect healthcare information. ModernHealthcare reports that the inspector general called on the ONC to improve security measures for online health information with encryption and recommended it use its power to push data handlers to be more security-conscious. Joy Pritts, CPO of the ONC, says it is headed in that direction, adding that it has provided training tools and videos and is using the HHS’s data breach list to help “identify the issues where we should devote our efforts to educating people.” [Source]

US – Maine Law Allows Opt Out of EMRs

Forbes reports on a new law in Maine that will give two-thirds of its citizens the choice to opt out of the state’s electronic medical records program. The HealthInfoNet database contains citizens’ full medical records in order to enable medical providers to share data. The bill strikes a compromise between those concerned about patients being enrolled in the database without their knowledge and those who seek to expand its scope. In April, groups debated a bill to make the system opt-in; supporters said it would give patients more control over data, but opponents were concerned about getting enough patients to opt in to make the system effective. [Source]

EU – ICO: Systemic Problem in Health Data Storage

Information Commissioner Christopher Graham has said that the health service is not doing enough to keep patients’ personal information secure. “The security of data remains a systemic problem,” Graham said, pointing to the loss of up to eight million patient records at NHS North Central London and five health organizations recently found to have breached the Data Protection Act. “The health service holds some of the most sensitive personal information of any sector in the UK,” Graham said, adding that “policies and procedures may already be in place, but the fact. [Public Service]

Encryption

WW – Data Encryption on the Rise

As data breaches continue to rise, U.S.-based companies are increasingly adopting encryption to secure their IT infrastructures, and their main reason is to comply with privacy and data protection regulations, a new study has found. In the past, protecting data and mitigating data breaches drove encryption adoption. This year, for the first time, regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute’s annual U.S. Enterprise Encryption Trends report. [Source] See also: [Opinion: Management Lessons from Breaches]

US – Council Releases PCI Standards Guiding Document

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities’ and cloud vendors’ responsibilities. “Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider,” the document states. The guidance is the “best document that the PCI Security Standards Council has written to date,” an independent PCI consultant said. [Computerworld]

WW – RSA Faces Angry Users After Breach

Industry experts say RSA Security’s admission—after a hacking attack in March—that its SecurID tokens are vulnerable came too late. Computer security consultants “have been increasingly critical of how long it took the company to acknowledge the severity of the problem,” the report states, raising the possibility that customers will seek other technologies for their computer networks. RSA had previously stated that replacement tokens were unnecessary but now offers replacements. “They got pushed really hard by some of their customers,” said one chief technology officer, adding, “They came around, but they came around late.” [The New York Times]

EU Developments

EU – EU Banks and Other Businesses Will be Required to Report Serious Data Breaches

European Union Justice Commissioner and Vice-President of the European Commission Viviane Reding has said that financial institutions and other businesses will be compelled to disclose serious data security breaches. EU telecommunications companies and ISPs already have mandatory breach notification requirements in place. The new requirements will affect all businesses that store customer data. [Source] [Source] [Source] [Source]

EU – Germans Take a ‘Black-And-White View’ of Online Privacy

Some 30% of Germans either don’t care about online privacy or entirely avoid putting personal data online, according to a study published by the Federal Association for Information Technology, Telecommunications and New Media (BITKOM). “Many Internet users have a black-and-white view of privacy on the Internet,” said Dieter Kempf, the industry trade group’s head, in a statement, adding that need to find a balance between carelessness and overprotection. The study showed that 14% of German Internet users did not care how their personal information was collected and used online while 16% of the 1,002 people polled said privacy concerns kept them from using online banking or buying or selling goods via the Internet. [Source]

EU – EU to Web Companies: “Sort out Privacy by 2012, or Else!”

The European Commissioner for the Digital Agenda has told Web companies to come up with a do-not-track standard by mid-2012, or the Commission will have to impose new rules. Commissioner Neelie Kroes said that a failure to agree on a workable standard would have consequences for the Web industry as well as consumers. “I am worried by what we see happening: data breaches affecting thousands if not millions; social networking sites rolling out new features with very open default settings; exposure and identity theft. One target of the Digital Agenda is to have 50% of Europeans buying online by 2015. We will not reach this without reinforcing trust and confidence,” she said. [Source] SEE ALSO: [Privacy watchdog Jennifer Stoddart makes the Web a priority] [Source] [Source]

EU – Dutch Parliament Passes Legislation on Cookies Opt-In

The lower house of the Dutch parliament has passed legislation requiring websites to get visitors permission before installing tracking cookies. The controversial legislation went through various versions before passing, from requiring permission for all cookies to mandating an opt-in only for third-party cookies that collect personal information or pass that information on to third parties. In the end all cookies will be subject to the Law on the Protection of Personal Information, meaning they can be questioned by the privacy regulator CBP and in court. The final version of the law passed implements EU privacy legislation, but goes further than proposals from the European Commission by requiring that website publishers have proof they have acquired the user’s permission. The Dutch publishing industry mounted a campaign against the bill, saying it will make the internet unusable and sites such as the popular news portal Nu.nl could disappear. They said self-regulation was the only workable solution to manage cookies. The cookie rule was drafted by MPs from two political parties, the right-wing PVV and the labour party PvdA. The MPs say the original version was indeed too far-reaching, as it affected all cookies. However, tracking cookies that build up a general profile of a user must fall under a stricter policy, in line with regulations on collecting personal data. They said concessions were made at the industry’s request, such as allowing for a general permission from the user, rather than the need for repeated requests from a site. The cookies rule is part of a larger revision of the Telecommunications Act. While the lower house approved the amendment, it must still vote on the larger text, which it is expected to pass a vote later in the week. [Source] [Source] [Source]

EU – ICO Fines Former Telecom Employees

Two former employees of T-Mobile have been fined by the Information Commissioner’s Office (ICO) for stealing and selling customer data. The fines totaled £73,000, and for the first time, the ICO will receive part of the settlement to train investigation staff. Information Commissioner Christopher Graham hopes the case will show that his office is being tough on data theft. “Those who have access to thousands of customer details,” he added, “may think that attempts to use it for personal gain will go undetected. But this case shows there is always an audit trail, and my office will do everything in its power to uncover it.” [V3.co.uk]

UK – Privacy Committee to Grill Editors and Tech Companies

Paul Dacre, the lord chief justice, and executives from Twitter and Google are expected be asked to give evidence to the parliamentary committee looking into privacy injunctions, as work on setting up the body created by David Cameron last month finally begins to move forward. Those who are expected to sit on the committee say they want to call newspaper editors, including the Daily Mail’s Dacre, judges and technology companies to public hearings – and there is even hope that it may prove possible to ask one of the celebrities involved in the injunction battle “to add to the gaiety of proceedings”. The committee is expected to complete its work by the end of the year. [Source]

EU – Commission: Social Networks Should Better Protect Minors

A European Commission (EC) study of 14 social networks includes in its findings that just two “have default settings to make minors’ profiles accessible only to their approved list of contacts,” The Wall Street Journal reports. The study comes as the EC continues exploring Internet regulation, the report notes. Commissioner Neelie Kroes reacted by saying she is “disappointed” in the results, urging social networks “to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing.” A spokesman said the EC will be “sitting down with them over the coming months, and we want them to do more.” [Source]

EU – Commission’s Lawyers: PNR Agreement Illegal

The European Commission’s legal counsel has warned that an agreement between the EU and U.S. to store airline passenger data for 15 years is unlawful. The passenger name record (PNR) deal is now being finalized and needs the approval of the European Parliament, but the legal counsel’s May 16 document raises “grave doubts” that the agreement complies with data protection law. The legal opinion particularly lists the provisions requiring data storage for 15 years, the lack of independent oversight and proper legal recourse if data is misused. One parliamentarian said the legal advice is an indication that the commission should drop the PNR agreement and go “back to the drawing board.” [The Guardian]

EU – Parliamentary Committee Adopts Draft Resolution

The European Parliament Civil Liberties Committee has adopted a draft resolution intended to influence the revision of the EU Data Protection Directive. According to a press release, the resolution includes provisions to allow people to access and alter or delete their data online and recommends “severe and dissuasive sanctions” for misuse or abuse of consumer data. The committee is calling for a modern data protection law that will improve international data transfer processes and better protect children–especially on social networking sites. The committee has also put its support behind a requirement for organizations to appoint data protection officers. [Source]

EU – EDPS to Increase Inspections This Year

European Data Protection Supervisor (EDPS) Peter Hustinx will carry out more on-the-spot inspections this year in cases where he believes an EU institution is failing to comply with EU law. That’s according to the EDPS annual report, released yesterday. The report also says the office will focus on member states’ and the European Commission’s implementation of new legislation on border security checks and an EU-wide system on airline passenger data. The EDPS received 25 admissible complaints last year, and 11 of those were deemed privacy breaches. [European Voice]

EU – José Luis Rodríguez Álvarez Nominated Director of Spanish DPA

The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency. The lawyer and professor of constitutional rights in the Faculty of Law of the Complutense University of Madrid was nominated director of the Cabinet of the Spanish Ministry of Justice in February 2009–a role he has now given up due to the circumstances. Rodríguez Álvarez will replace outgoing director Artemi Rallo Lombarte. (Article in Spanish)

EU – Swiss Commissioner Calls for Privacy by Default

There is a need for greater transparency in the processing of personal data, according to Swiss Data Protection Commissioner Hanspeter Thϋr. In his annual report, Thϋr said changes are needed due to the “rapid pace of development in the area of communication technologies,” and that “data protection principles must be included in all projects and taken into account from the very outset.” The report notes that Thϋr handled many cases related to new technologies in the last year. An issue of particular concern is “evercookies,” Swissinfo.ch reports. [Source]

EU – Associations Call on EC to Recognize CILs

Four data protection associations are appealing to the European Commission to recognize the role of the data protection officer when considering revisions to the EU Data Protection Directive. The groups–the French Association of Data Protection Correspondents, Spanish Association of Privacy Professionals, German Association for Data Protection and Data Security and the data protection association of the Netherlands—feel that the role of the data privacy controller should be strengthened. In a recent press release, they say that data protection officers are “key players in protecting the privacy of consumers, employees and citizens,” and their roles, missions and legal status should be defined and harmonized across Europe. [Source]

Facts & Stats

US – Study: Breaches More Frequent and Severe

A Ponemon Institute study has found that 90% of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices–employee laptops, smartphones and tablets–are responsible for most breaches, while business partnerships also elevate risk. 53% of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to “the fact that so many organizations are having multiple breaches.” An MSNBC report outlines ways for individuals to protect themselves in light of the recent “seemingly endless string” of data breaches, and according to the report, most aren’t made public. Meanwhile, CIO has posted an online quiz to test readers’ knowledge of data breaches. [Source] See also: [Breaches Build Federal Data Security Momentum]

WW – “Cyberinsurance” in High Demand

The “cyberinsurance” industry is experiencing an up-tick in business with recent high-profile breaches driving companies’ desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage–in some cases worth hundreds of millions of dollars. “Consensus is building” on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, “One day the industry will actually be so robust that…we’ll have the leverage to actually create standards.” A Ponemon Institute study shows the average breach cost $7.2 million last year, “But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough,” the report states. [Source]

Filtering

CA – Guelph-Based Software Censors the Internet in the Middle East

Web-filtering software developed in Canada is being used in the Middle East to censor the Internet, according to the University of Toronto’s Citizen Lab. Netsweeper Inc., a leading developer of content-filtering software based in Guelph, lists telecommunications companies in Yemen, Qatar and United Arab Emirates among its foreign clients. According to the company’s promotional material, its software blocks websites using a “list of 90+ categories to meet government rules and regulations — based on social, religious or political ideals.” Web-filtering technology was developed in the 1990s as a way to restrict access to pornography, among other things. It is commonly used to block access to specified websites in many Canadian schools, libraries and businesses. But beyond our borders that same technology is being used to quash social media-spurred uprisings in the Middle East — and the companies providing the software have come under fire for being the means through which foreign governments repress free speech online. [Source]

SY – Syria Temporarily Shuts Down Much of Internet

Internet service in Syria has been restored after the government cut off access to citizens on Friday, June 3 during some of the largest anti-government protests the country has recently seen. Following the shutdown, only Syrian government sites remained available in that country. Internet in Syria was once again available by 7AM local time the next day. Other Middle Eastern governments have severed Internet access in an attempt to quell protests. [Source] [Source] [Source]

Finance

US – FTC Levies $1.8 Million Fine for FCRA Violations

The Federal Trade Commission (FTC) has fined Teletrack Inc. $1.8 million dollars for Fair Credit Reporting Act (FCRA) violations. According to an FTC press release, Teletrack sold credit reports to marketers, which violates the federal law. “The FCRA says a credit reporting agency like Teletrack can’t sell a consumer’s sensitive credit report information for merely sales pitches,” said FTC Bureau of Consumer Protection Director David Vladeck. The settlement requires that the company pay a civil penalty of $1.8 million and only provide credit reports to those deemed permissible to receive them under FCRA. The settlement also spells out record-keeping requirements to ensure compliance with the order. [Source]

WW – Study: Hackers Outpacing Bank Security

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector’s 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do,” says the study’s lead author. “Prevention is the hardest to do, but it’s got the biggest payback.” The study also noted that banks have a strong record of eliminating fraudulent charges from individuals’ bank accounts. [Source]

WW – Mastercard.com Slammed Again as Punishment Over WikiLeaks

MasterCard’s main website was unavailable for some time as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks. MasterCard along with companies such as Visa, PayPal and the Swiss Bank PostFinance stopped processing payments for WikiLeaks shortly after the site began releasing portions of 250,000 secret U.S. diplomatic cables in November 2010. The hacking collective known as Anonymous spearheaded a drive to conduct distributed denial-of-service (DDOS) attacks against those sites. A DDOS attack involves sending large quantities of meaningless traffic to the website, which can knock it offline. [Source] [Anonymous, LulzSec bring bragging rights back to hacking] See also: [Reports: Sega customer database hacked]

CA – US Tax Law Poses Privacy Risks to Canadians

Ottawa’s privacy watchdog is examining whether a U.S. campaign to pursue tax cheats among the roughly one million Americans living here violates Canadian privacy laws. Jennifer Stoddart is closely monitoring privacy concerns as U.S. tax authorities prepare to force all foreign financial institutions to identify Americans and the money they have stashed in accounts around the world. Among the potential problems with the American law, slated to come into force in 2013, is that it would compel Canadian banks, brokers, insurers and mutual funds to collect U.S. Social Security number and report account balances directly to the Internal Revenue Service. Under Canadian law, customers are only required to provide identification that shows where they live – not their immigration status or citizenship. Finance Minister Jim Flaherty said last week he’s seeking an exemption for Canada, arguing that the country is not a “tax haven” and that Ottawa already cooperates extensively with tax authorities in the U.S. through a tax treaty. [Source] [Banks battle over US tax law]

US – Recent Breach Puts Spotlight on Security

Regulators are pressuring banks to improve data security measures, and some experts are forecasting a “systemic overhaul” of the industry’s practices after a recent breach exposed data on as many as 200,000 credit cardholders. The breach is drawing attention to ongoing vulnerabilities in bank security, and The New York Times reports that the prevalence of outsourcing and the “patchwork of data protection law and regulatory agencies” make matters worse, the report states. An Identity Theft Resource Center report states that in the past six years, 288 breaches at financial institutions have exposed 83 million customer records. [Source] See also: [Why it’s still too early to adopt NFC-enabled mobile payments]

FOI

CA – Ontario Must Get With The Times on Transparency, Watchdog Says

Ontario’s Ombudsman is calling on Premier Dalton McGuinty to embrace the worldwide trend toward open government by giving the public real-time access to information about programs and services. The practice of having to file a complicated access-to-information request is “literally last century,” André Marin said in his annual report, released on Tuesday. “People want information on what their government is doing, they want it to be easy to find and understand, and they want it now,” he said. Mr. Marin has been urging the McGuinty government for several years to open up the so-called MUSH sector – municipalities, universities, school boards and hospitals – to scrutiny. The government has in part responded to that pressure by making the province’s 156 hospitals part of Ontario’s Freedom of Information and Protection of Privacy Act. In his sixth annual report, Mr. Marin is going one step further by asking the government to make information available without the public having to ask for it. [Source]

CA – Vancouver Upholds Freedom of Information Release Policies

Vancouver won’t be engaging in the odious practice of “simultaneous disclosure” when it comes to responding to Freedom of Information requests. No matter what City Manager Penny Ballem might like. The city council unanimously supported a revised motion from Coun. Suzanne Anton that specifically upholds the current practice of releasing FOI materials to the requester before handing them out to others or posting them surrepticiously on a website without notification. The motion flows from a finding by the provincial Information and Privacy Commissioner Elizabeth Denham that BC Ferries’ FOI policy of simultaneous disclosure, while not illegal, violated the spirit of the FOI legislation. BC Ferries, which only recently came back under FOI jurisdiction, sought to try and discourage media from filing requests by making the results available to everyone at the same time. As a result, many journalists felt disinclined to file requests if it meant they’d see the story immediately on someone else’s website. [Source]

CA – Critics Blast Spike in Deaths Among Children in Care

Revelations that six children in provincial care died last year and 20 were hospitalized have critics demanding the removal of the secrecy around Alberta Children and Youth Services. Opposition critics urged the Alberta government to act immediately to disclose what happened to the children, whose deaths and injuries were summed up in a few lines in the ministry’s annual report. The deaths were double and the injuries more than triple the previous year when the government launched a review into the way children in care are managed. [Source]

UK – Hackers Leak Former British PM Tony Blair Data

Hackers have released what looks like personal information on former British Prime Minister Tony Blair, including the contents of his electronic address book, with contact data for members of Parliament and for what could be Blair’s dentist and his mechanic. A link to the data on the Pastebin Web site was sent out on Twitter from the account of “TeaMp0isoN” along with a message saying “Tony Blair should be locked up, he is a war criminal.” Earlier in the day, the TeaMp0isoN account had featured a tweet that said the group was targeting Blair for his support of the war in Iraq. [Source] See also: [LulzSec Denies Taking U.K. Census Data] and [US: CIA Web site hacked; group LulzSec takes credit]

Genetics

AR – Court Demands DNA Samples

An Argentine court has ruled that the adult children of adoptive parents must submit to DNA testing in order to determine whether they were born to military prisoners during the country’s Dirty War from 1976 to 1983. BBC News reports that Marcela and Felipe Noble Herrera must submit blood or saliva samples. They will be compared to those of military prisoners from that period whose babies were kidnapped by the military junta. The Noble Herreras have objected to the testing, saying that it’s a violation of their privacy. A 2009 bill passed by the Argentine congress allows for the forcible extraction of DNA in certain cases. [Source]

US – Apartments Using Dog DNA to Catch Poop-Scoop Scofflaws

The Timberwood Commons in Lebanon, N.H., opened this year and already has had problems with some residents who aren’t cleaning up messes their dogs leave. So the manager is going to use commercially available DNA sampling kits to check the DNA that dogs leave behind when they go. “We’ve tried doing the warning letters. We’ve tried all sorts of things,” she said Friday. “It’s always a problem. It’s just that the majority of people are responsible pet owners and there are a few who are not.” [Source]

Health / Medical

US – Suffolk Doctor Faces Federal Privacy Law Charges

In a rare prosecution of a possible health privacy violation, a federal grand jury has indicted a Suffolk psychiatrist on charges he disclosed personal medical information. Dr. Richard Kaye, 62, a former medical director of the psychiatric unit at Sentara Obici Hospital in Suffolk, was indicted in U.S. District Court in Norfolk. According to the indictment, he treated a patient with a mental health problem PHI health information about her on three different occasions to an “agent” of the patient’s employer without authorization. The indictment from the U.S. attorney for the Eastern District of Virginia said Kaye disclosed the information under false pretenses, saying she was of “serious and imminent threat to the safety of the public.” The indictment said the doctor knew the patient was not a threat to the safety of the public. If convicted, Kaye faces a maximum of five years in prison. [Source] See also: [London Health Sciences Centre probes confidentiality breach] and [US: Alabama Woman Charged With Stealing Records of 4,500 Surgical Patients] and [Hospital Fires Employees for HIPAA Violations]

WW – Mobile Phones Being Embraced to Strengthen Health Services

Eight in 10 countries are using mobile phone technology to improve health services, from free emergency calls to appointment reminders, the World Health Organization said. The global health body found that only 19 of 114 countries surveyed had no mobile health initiative, known as mHealth. But most of those countries have several projects running. [Source]

CA – Medical Records Found In Library Book

A Red Deer library user was shocked recently to discover a list of Red Deer Regional Hospital Centre psychiatric patients and their diagnoses tucked inside a library book. What he found was a recent patient care list for 14 patients on Unit 34, one of two adult psychiatric units at the hospital. Diagnoses ranged from bipolar to depression to suicidal. Red Deer doctors were listed beside patient names. The document did not have a date. [Source] See also: [UK: Privacy fear as NHS laptops and patient records are lost]

Horror Stories

AU – Sydney University ‘Breached Student Privacy’

An investigation has found the University of Sydney failed in its obligations by not securing students’ private details on its website. A section of the university’s website was shut down in January after it was found sensitive information could be obtained by entering a student’s identification number. No password was required to access the name and address of the student, along with the subjects they were enrolled in and the fees they owed the university. The Acting New South Wales Privacy Commissioner, John McAteer, has found the university breached the Privacy Act by failing to have reasonable safeguards to protect the data. [Source]

CN – Breach of Privacy as Students’ Details for Sale Online

Beijing – Private information about elementary and secondary school students and their families is for sale online, which legal experts say constitutes an invasion of privacy. On the list, information about the capital’s 70,000 students who sat the recent college entrance examination sells for more than 1,000 yuan ($155). Information on the list includes names, cell phone numbers and home addresses of students from across the country. The information usually sells as a package for different regions and the prices for each package could be up to 1,000 yuan ($155). The buyers are generally private educational companies or training institutions, which are looking for students who failed the college entrance examination on June 8 and might be suitable for a one-year training course. Sellers leave their contact details as well as a sample of the private information online to attract buyers. The final deal is conducted face to face after negotiations with interested parties, according to an online advertisement. [Source]

US – Missing Laptop Holds Unencrypted NHS Patient Data

A laptop computer stolen from a National Health Services (NHS) subsidiary in London contains unencrypted personal health information of more than 8.6 million people, including records of 18 million hospital visits, operations and procedures. Three weeks ago, the laptop and 19 other computers were reported missing from a storeroom at the London Health Programmes medical research organization. The incident is being investigated by the UK Information Commissioner’s Office (ICO) and police. [Source] See also: [California Public Health Dept. Reports Second Breach]

IN – Groupon India Data Published on Internet, Said Researcher

The user database of Groupon’s Indian subsidiary, SoSasta, was published on the Internet and indexed by Google, according to an Australian security consultant. “I found the data via Google. Sosasta was notified ASAP,” said Daniel Grzelak in a message on Twitter. He said he had no clue as to how the database was published on the Internet. [Source] See also: [US: Arlington Cemetery Records Found in Abandoned Storage Unit, Criminal Investigation Launched]

US – Citigroup Hackers Stole $2.7 Million

Citigroup has confirmed that about $2.7 million was stolen from 3,400 customers in May following a major data breach. Citi had previously said that the data breach had exposed 360,083 bank accounts, revealing names, account numbers and email addresses of customers. Citi said other sensitive information including social security numbers, dates of birth, card expiration dates and card security codes had not been exposed. However, it now appears that customers did suffer financial losses. A Citi spokesperson said he could not comment on how the money had been stolen, but that the breach itself had not contributed any information that was sufficient to perpetrate fraud. [Source] [Source] [Source]

CA – Hackers Attack Richmond-Based Grocery Chain

T&T Supermarket Inc., a Richmond-based Asian grocery store chain, has been hit by hackers who may have stolen personal information from about 58,000 people. The company announced security breaches to its website, http://www.tnt-supermarket.com, that happened on June 6, 7, 11, and on June 14 through to June 17. T&T’s databases may have been accessed by “unauthorized intruders,” the company says. Stolen data could have included names, usernames, passwords, gender, email, telephone numbers and home addresses, the company says. T&T notes that it does not collect credit card information, driver’s license, dates of birth or social insurance numbers through its website. [Source]

WW – Attackers Steal Information from Acer Customer Database

Attackers claim to have stolen information from an Acer customer database. The compromised information appears to include the names, email addresses and purchase histories of about 40,000 customers. The attackers also claim to have stolen source code from the computer manufacturer. The attackers appear to have taken the information by gaining access to an Acer FTP server. [Source] [Source] [Source] [Source]

UK – Fines for Former T-Mobile Employees Who Stole and Sold Data

Two men who used to work for T-Mobile have been fined a total of GBP 73,700 (US $121,000) for stealing customer information and selling it to third parties. The action resulting in the decision was brought by the UK information Commissioner’s Office (ICO), which launched the investigation in 2008. [Source] [Source]

Identity Issues

CA – Ontario to Launch New Photo Identification Card

Ontarians without a driver’s licence to use as a quick and easy piece of identification can soon apply for a government-issue photo ID card. The new cards, to become available in late July, cost $35 and are valid for five years but are not suitable as a passport substitute on international trips, Transportation Minister Kathleen Wynne said. The wallet-sized cards are aimed at the estimated 1.5 million Ontarians over the age of 16 — including the blind and those with partial sight — who don’t have driver’s licences. Applications for the card will be taken starting next month at 20 Service Ontario centres throughout the province before the offer is expanded to every centre throughout the province next year. [Source]

CA – BC New CareCard and Our Privacy

The B.C. government is preparing to scrap the provincial CareCard and introduce a high-tech replacement. The new card will carry a photo, computer chip and anti-forgery features to combat identity theft or fraud. The $150 million changeover will be phased in. Once the card is in place, it will be renewed every five years. The existing card was introduced more than 20 years ago. It offers little by way of security. Worse still, there are an estimated nine million of these in circulation, for a population of only 4.5 million. The government doesn’t know what happened to all the excess cards, but it’s a safe bet some are in the wrong hands and being used to obtain medical services fraudulently. Unfortunately, the innovations don’t stop there. The new card will also carry a link to each person’s health file. The idea is that medical staff, perhaps in an emergency, can have access to a patient’s record of treatment, in particular drug history. You either enroll in the new system, or lose access to health services. There has been no public consultation on what is a significant shift in our approach to the privacy of medical records. [Source]

US – ID Proposal for Prepaid Phones Raises “Privacy, Access and Safety” Concerns

A measure intended to crack down on drug dealers and would-be terrorists is drawing fire over privacy, access and safety concerns. The Suffolk County Legislature is considering a requirement that buyers of prepaid cell phones provide two forms of identification before making the purchase, and that local retailers hold onto that information for at least three years. Jessica Glynn, supervising attorney for the Latino rights group SEPA Mujer, says the proposal violates a number of privacy rights, particularly for victims of domestic violence. “There are serious safety concerns when a victim’s identity is being kept by someone with no training whatsoever on domestic-violence issues, or on how to keep a record.” The measure would have major negative impacts for both documented and undocumented immigrants in the county, says Amol Sinha, director of the Suffolk chapter of the New York Civil Liberties Union. “The concern is that people who don’t have credit histories, who are low-income, generally buy prepaid cell phones – and won’t have access to those vital lifelines.” [Source]

CA – Store’s ID Checks a Privacy Invasion, Says Yukon Senior

At least one Whitehorse senior is accusing a local grocery store of invading his privacy by scanning his photo identification before selling him cigarettes. Kenyon Bennett, 76, said the Real Canadian Superstore in Whitehorse does not sell tobacco products to seniors — even if they have white hair and wrinkles — without an ID check. “They put this card of mine in a machine to verify it or to let them have a print-out on something. Seems like there’s some skullduggery going on that shouldn’t be,” Bennett told CBC News. Superstore officials say staff are required to check the photo identification and record the birthdates of everyone who buys tobacco at their stores. Yukon information and privacy commissioner Tracy-Anne McPhee said the Superstore may be close to overstepping its legal authority if it is collecting and storing personal data about customers. “Looking at a piece of ID is sufficient,” McPhee said. “Writing down information from that card — photocopying, swiping or scanning — is just not justified.” [Source]

IN – India Has Issued 9.5 Million Digital Identity Numbers

India has issued digital identities to about 9.5 million people so far, and plans to step up enrollment to 1 million a day from October, the head of the agency issuing the biometric identities said at a conference in Bangalore. The digital identities, called Unique Identity (UID) or Aadhaar numbers, will provide proof of identity to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India, said Nandan Nilekani, chairman of the Unique Identification Authority of India (UIDAI). The Aadhaar projects aims to issue identity numbers to 600 million people over the next three years or so, Nilekani said. Enrollment is currently voluntary. [Source] See also: [INDIA: Privacy issues come to the fore as govt plans big-ticket schemes] and [IN: Right to privacy may become fundamental right]

UK – Government Plans Next-Generation ID Scheme

The government has been coy about the pilot identity system it has been running with Mydex, the East London start-up whose trials with Brent Borough Council created in March what was dubbed “a Google moment”. Departments including HMRC, DirectGov and DWP are designing systems that will use it, but have not said what exactly they are doing. The Cabinet Office led the Mydex pilot, while Maude’s Conservative Party had made Mydex’s raison d’etre a manifesto commitment (though not by name) for the 2010 general election: “Wherever possible, personal data should be controlled by individual citizens”. The pilot came in the wake of the identity card scheme as a means for people to hold their own personal data and choose their own means of authenticating their identity. Maude assured Parliament “NO2ID and other privacy advocates” would be given an opportunity to scrutinise the plans, or at least would be “kept closely informed”. Guy Herbert, NO2ID National Organiser, told Computer Weekly the plans as they stand might not give the individual enough power over their own data. He feared both government departments and private companies were hungry alike for power over identities and personal data. [Source] See also: [US – E-Authentication Best Practices for Government]

US – DOT Sells Drivers’ Personal Information

There are about 4.5 million drivers in Wisconsin, and more than half may not know their personal information is being sold by the state Department of Transportation. There are laws but almost no oversight to how the Wisconsin DOT uses drivers’ information. In all, the state makes millions of dollars by selling drivers’ information. The entire driver record file containing information on 2.5 million drivers can be purchased for $250. “We produce a CD containing the record file and then we send that. Those funds are sent to the registration fee trust,” said the director for the DMV’s Bureau of Driver Services. In 2010, the DOT made $22,250 selling driver record files. The state of Wisconsin is making millions off of selling a second list with drivers’ personal information. The department makes more money and has more requests for full driving records. These contain the same information as the driver record file plus information on traffic crashes, tickets and withdrawals like revocation or suspensions. While the driver record file costs $250, full driving records cost between $5 and $7 per driver record. In 2010, the DOT made more than $16 million selling full driving records. [Source]

US – Court: Ohio Data Selling Practices Not In Violation

A federal appeals court has overturned a lower court decision, dismissing a 2009 lawsuit against the state of Ohio that alleged privacy violations stemming from the state’s practice of selling driver’s license data. While the lower court’s ruling allowed officials to be sued for “disclosing personal information not permitted by the Driver’s Privacy Protection Act,” the appeals court found the “rights under the law weren’t sufficiently clear.” Three Cincinnati residents filed the lawsuit, and their lawyer has said they haven’t decided if they will appeal to the U.S. Supreme Court. [The Republic] [IAPP Dashboard]

Internet / WWW

WW – OECD Communiqué Pleases Some, Nettles Others

At a high-level meeting on the Internet economy this week, the Organisation for Economic Co-operation and Development (OECD) released a Communiqué on Principles for Internet Policy-Making, which outlines the OECD’s commitment toward promoting the free flow of information; investing in high-speed networks and services; enabling cross-border delivery of services, and strengthening “consistency and effectiveness in privacy protection at a global level,” among other areas. While some have lauded the principles—U.S. NTIA Administrator Lawrence E. Strickling described it as a “major achievement that will support the continued innovation…of the global Internet economy”–others have criticized plans to make Internet service providers more responsible for policing copyright infringement, something the Civil Society Information Society Advisory Council says could “lead to network filtering.” [Source]

WW – Google Now Lets You Manage Your Online Reputation

Google has unveiled a tool to help users manage their online reputations. Called Me on the Web, it can be found on the Google dashboard, right below Account Details, when you sign on to your account. According to the Google Public Policy Blog, Me on the Web “makes it even easier” to set up Google Alerts for mentions of your name or email address as well as automatically suggesting some search terms you might want to monitor. It also “provides links to resources offering information on how to control what third-party information is posted about you on the Web.” The tips include information on how to reach out to the webmaster of a site to ask to have the information taken down as well as how to publish additional information on your own to make less relevant websites appear further down on your search results. To use the tool, you must first sign in. You’ll be asked to create a profile if you haven’t already. Then you are given a number of options on how to control your reputation, including links on how to set up notifications when your personal information appears on the Web. [Source] [Google intros ‘Me on the Web’ identity management tool]

WW – World IPv6 Day is June 8th

On Wednesday, June 8, web sites around the world will test the IPv6 standard, which will ultimately allow many more IP addresses than IPv4 with faster connectivity. Among the organizations participating in World IPv6 Day are Microsoft, Google, Yahoo and Facebook. The test runs from 8PM EST on June 7 until 7:59PM EST on June 8. The event is designed to allow network engineers to see how well the new protocol works on a large scale and to identify technical problems like misconfigured systems. The event is also aimed at raising awareness of IPv6 deployment, which is necessary because the Internet is running out of IPv4 address space. IPv6 is not compatible with IPv4, which means web sites will need to upgrade network equipment and software. [Source] See also: [IPv6 Rollout Could Necessitate Privacy Rethink]

Law Enforcement

US – F.B.I. Agents Get Leeway to Push Privacy Bounds

The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. Valerie E. Caproni, the F.B.I. general counsel, said the bureau had carefully considered each change to its operations manual. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. [Source] See also: [Toronto Police nab first ‘upskirt’ photographer of the summer]

UK – Police Database Will Share Data on 15 Million People

Police have set up a computer system which will allow UK forces to share intelligence on 15 million people. A Police National Database was the key recommendation from the Bichard Inquiry into failings by police into the Soham murders in 2002. It found that police failed to disclose details of allegations against Ian Huntley a year before he murdered Holly Wells and Jessica Chapman, both 10. Privacy campaigners say non-criminals should not be on the system. The database, which brings together 150 separate computer systems, combines intelligence from the 43 police forces in England and Wales. It also links to the eight police forces in Scotland, the British Transport Police, the Police Service of Northern Ireland, the Child Exploitation and Online Protection centre (Ceop), the Serious and Organised Crime Agency (Soca) and the military police. Collectively the forces hold information on between 10-15m people. These include convicted criminals, suspects and victims of crimes, as well as the details of people who have been questioned by police but not charged. The database is run by the National Policing Improvement Agency (NPIA). The Bichard inquiry said police should be able automatically to access information on suspects held by another force. Privacy campaign group Big Brother Watch said it was concerned that details of members of the public could be logged on the database. Spokesman Daniel Hamilton said: “Nobody has a problem with a database of criminals but we should never build a database of innocent people and crime victims. “The risk of this data falling into the hands of criminals is too horrifying to comprehend.” [Source]

Location

US – Court Case Raises Privacy Issues

The Advertiser reports on a Delaware Supreme Court case that “could help define personal privacy and set limits on how far police can go when using electronic surveillance in Delaware and perhaps across the U.S.” The case, Delaware v. Michael D. Holden, involves police use of GPS without a court-approved warrant to track a suspect for more than 20 days. The case was initially overturned in a lower court because the judge ruled it was an illegal search. One attorney noted the case could raise the issue of the “reasonable expectation of privacy.” [Source]

WW – Nissan Leaf Sends Location Data in RSS GET Requests

A blogger has determined that the Nissan Leaf electric automobile leaks information about the vehicle’s location, speed and destination through the car’s RSS reader. The Leaf is equipped with technology that allows drivers to select RSS feeds which are then read to them. The blogger, Casey Halverson, discovered that the GET request sent from the car for the feed contains the vehicle’s latitude, longitude, speed, direction and the latitude and longitude of the car’s destination. [Source] [Source] [Source]

WW – Free Site Helps Find Stolen Cameras

A clever experiment may make it possible for you to recover a stolen camera, find people using your photos without permission and help police catch child pornographers. The experiment is a collaboration between GadgetTrak, a software company that makes data-protection and tracking software for computers and phones, and CPUsage, a company that gets home computers to collaborate on crunching data when they aren’t in use (similar to SETI at home). The collaboration, called GadgetTrak Serial Search, works by searching the Web for information that is commonly embedded in today’s photographs. Digital cameras often stamp photos with the camera’s serial number, as well as information on exposure, shutter speed, time and date taken and in some cases, where it was taken. The free service uses the computing power of its collaborative network to search the Web for photos and then catalogs the images and associated cameras it finds. You can go to the Web site, enter a camera’s serial number and see if your photos register. It has logged more than 3 million serial numbers in a little over a week. [Source]

Offshore

IN – Leaking Health Information May Land You in Prison

Leaking information on the health of an individual may earn a term in prison for six months and also a fine up to Rs 1 lakh. According to the new Privacy Bill, 2011, which is slated to be tabled in Parliament during the forthcoming session, any health information of any citizen of India collected with his consent shall be kept by the person till the time the individual wants and later it should be returned or destroyed. [Source]

IN – Right to Privacy May Become Fundamental Right

The law ministry is working on a proposal to make right to privacy a fundamental right in the Indian Constitution. Corporate lobbyist Niira Radia’s phone tapping row and new-age surveillance techniques being extensively used to crack down on economic offences are the trigger behind the move. “We are working on making right to privacy a fundamental right. It is likely to be tabled in the monsoon session of Parliament. However, it’s difficult to commit the timeframe,” law minister Veerappa Moily said. The right to privacy would include the right to confidentiality of communication, confidentiality of private or family life, protection of his honour and good name, protection from search, detention or exposure of lawful communication between individuals, privacy from surveillance, confidentiality of banking, financial, medical and legal information, protection from identity theft of various kinds, protection of use of a person’s photographs, fingerprints, DNA samples and other samples taken at police stations and other places and protection of data relating to individual. If the legislation is passed, it would address several concerns expressed by some sections of the civil society. For instance, there has been outrage over the `compromise’ of an individual’s privacy in a project like UID, where all personal data will be available at the click of a mouse. [Source]

Online Privacy

US – Most Websites Regularly Leak Sensitive, Personal Data: Survey

A team of university researchers examined more than 100 “popular” Websites and found three-quarters of the sites leaked private information or users’ identifying data to third-party tracking sites. The survey results were released shortly after Facebook came under fire for inadvertently passing user data to other parties. More than half (56%) of sites “directly leak” private information, and the number goes up to 75% if the user ID is included under private data, according to an academic paper. The researchers, Balachander Krishnamurthy of AT&T Labs, and Konstantin Naryshkin and Craig E Wills of Worchester Polytechnic Institute, found that information is leaked in various ways to third-party sites that track user behavior for advertisers. The researchers presented the report at the Web 2.0 Security and Privacy conference in Oakland, Calif., on May 26. In some cases, information was passed “deliberately” to other sites, but in others, it was included as part of routine information exchange. The researchers were unable to tell conclusively whether the inclusion was deliberate or inadvertent. Data leaks could have occurred as users were creating, viewing, editing or just logging into their accounts. They could also have occurred while navigating the site as many of them exposed search terms. “We believe it is time to move beyond what is clearly a losing battle with third-party aggregators and examine what roles the first-party sites can play in protecting the privacy of their users,” said Wills. Efforts made to date to address information leakage have been “largely ineffective,” the researchers found. Websites need to take greater responsibility for privacy protection. “Despite a number of proposals and reports put forward by researchers, government agencies and privacy advocates, the problem of privacy has worsened significantly,” Wills said. Leaked information included email addresses, physical addresses and the user’s Web browser configuration details, according to the paper. Researchers classified the user data as either identifiable or as sensitive. Health information, such as searching for an illness or physical condition, was considered highly sensitive, while name and email address was highly identifiable. They focused on sites that encourage users to register, since users often share personal and personally identifiable information, including names, physical address and email address, during the registration process. They also examined heath and travel sites, since users conduct searches on these sites that can be used to identify health issues or travel plans. The same team had previously examined 12 social-networking sites, including Facebook, MySpace and Orkut, to determine what kind of information was being leaked. Researchers noted that since users logged into Orkut using their Google account credentials, third-party firms could correlate the leaked Orkut user identifier with other activity on Google services, such as search or videos viewed on YouTube. Sites may be passing the user ID to referrer sites, such as Digg, but that information is actually being forwarded to Omniture, an analytics firm. [Source]

US – Judge Approves Flash Cookie Settlement

U.S. District Court Judge George H. Wu has approved a final class-action settlement requiring Quantcast and Clearspring to pay $2.4 million. The settlement was first announced last December but received final approval on Monday. The case stems from the companies’ use of Flash cookies to track users for targeted advertising. According to the article, the majority of the settlement will go to universities and research groups, but approximately $550,000 will go to the plaintiffs’ attorneys for fees and expenses. [paidContent.org]

WW – Google Introduces Facebook Competitor, Emphasizing Privacy

Google took its biggest leap yet onto Facebook’s turf by introducing a social networking service called the Google+ project — which happens to look very much like Facebook. The service, which will initially be available only to a select group of Google users who will soon be able to invite others, will let people share and discuss status updates, photos and links. But the Google+ project will be different from Facebook in one significant way, which Google hopes will be enough to convince people to use yet another social networking service. It is designed for sharing with groups — like colleagues, college roommates or hiking friends — instead of with all of a user’s friends or the entire Web. It also offers group text messaging and video chat. The debut of Google+ will test whether Google can overcome its past flops in social networking, like Buzz and Orkut, and deal with one of the most pressing challenges facing the company. [Source] See also: [Protecting privacy in the digital age: two new reports by Canadian privacy commissioners] and [US: How to do a social background check the legal way]

WW – LinkedIn Privacy Changes Point to Social Ads

LinkedIn privacy policy updates hint at the introduction of “social ads” based on users’ activities. LinkedIn “appears eager” to avoid privacy issues, the report states, and will allow users to opt out of social ads. “Most importantly, we do not provide your name or image back to any advertiser when that ad is served,” one LinkedIn official noted, while another said, “This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose.” [MediaPost News]

CA – Winnipeg School Officials Ban Posting of Student Photos Online

Manitoba’s largest school division seems to be trying to put the social-media genie back in the bottle just in time for graduation. The Winnipeg School Division has adopted stringent privacy policies — ramping up its already rigid standards — in an effort to keep photos and video of its students off the Internet. Anyone recording a public event at the school, including those held after school, off-campus or at a school in another division, may do so only for personal use, and may not post on the Internet, the division says. It’s a policy proponents say is meant to protect young children. But just how school officials can enforce it in the era of Facebook and social media remains unclear. [Source]

Other Jurisdictions

HK – Hong Kong Banks Sold Customer Data: Watchdog

Hong Kong’s privacy watchdog has scolded four banks for releasing customers’ personal data to third parties, accusing three of them of selling the information. he four banks – Citibank, ICBC, Fubon Bank and Wing Hang Bank – had all released customers’ personal data, while Citibank, ICBC and Fubon Bank also used the information for financial gain. (I am) disappointed that the banks are less than forthcoming in following good privacy practices,” Allan Chiang, the city’s privacy commissioner for personal data, told reporters after releasing the results of a probe into the firms.”We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn, it will serve to encourage compliant behaviour by data users concerned,” he added. [Source]

NZ – Privacy Commission Welcomes Cyber Security Strategy

The Privacy Commission says the Government’s new cyber security strategy is a “welcome start” towards protecting New Zealanders’ online identities, but it won’t guarantee online safety. The new cyber security strategy aims to improve the country’s protection against cyber threats and increase initiatives aimed at improving online security for individuals, businesses, infrastructure and the Government. Privacy Commissioner Marie Shroff is “very pleased” to see the launch of the cyber security strategy, and says she looks forward to learning how its implementation will support existing efforts providing information about online protection. [Source] See also: [NZ: Ministry’s fraud data found in car park]

CR – Costa Rica Privacy Legislation Moves Forward

Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects. In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly. The bill has now been returned to the Legislative Assembly. If passed in its current form, the law would impose a legal regime modeled on the European Union data protection framework and would regulate almost all processing of all personal data. It would require express written consent for many processing activities, and it would create a new data protection authority within the Ministry of Justice, the “Agency for the Protection of Citizens’ Data” (Agencia de Protección de Datos de los habitantes). This agency, also known as Prodhab, would have authority to inspect databases suspected of being mismanaged, and it could impose sanctions for noncompliance with the law. [Source]

HU – Ombudsman Voices Concern Over Citizen Survey

Hungarian Data Protection Ombudsman Andras Jori says government questionnaires sent to more than six million Hungarian citizens are not anonymous, and he’s asking for personal information to be deleted from the database. Jori last month launched an investigation into bar codes on the questionnaires that he suspected could reveal subjects’ identities. The questionnaires ask about pensions, welfare and education, and, according to Jori, the responses–and whether a citizen participates–could be interpreted as “giving a political opinion.” A spokesman for the prime minister said Jori’s office was consulted prior to sending the questionnaires and raised no personal data protection concerns. Jori has refuted that assertion. [The Budapest Times]

AU – Committee: Small Business Should Not Be Exempt

A parliamentary committee is calling on the government to scrap a provision exempting small businesses from Australia’s Privacy Act. The Australian Parliamentary Cyber-Safety Committee tabled a report raising concerns that small businesses with annual revenues of $3 million or less were exempt from the Privacy Act 1988. The committee recommends that the government drop the exemptions and undertake a review of businesses with “significant personal data holdings” since a “large proportion of the Australian private sector is not subject to any privacy laws.” The Australian Law Reform Commission said in 2008 that the exemptions were “neither necessary nor justifiable.” [Source]

AU – Australia’s New Data Retention Law

New legislation in Australia will require ISPs and other telecommunications carriers to retain data at the request of law enforcement authorities. Retention requests may be made without a warrant, but the authorities will need to obtain warrants to view the information. The legislation will “allow Australia to sign the Council of Europe Convention on Cybercrime treaty.” [Internet Storm Center] [Source] [Source]

PH – Lack of Legislation Raises Concerns

Manilla Bulletin reports on the Joint Foreign Chambers and the business processing outsourcing (BPO) industry’s warning that a lack of data privacy legislation is a growing concern for prospective investors. The country’s proposed Data Privacy Bill aims to benefit the growth of IT and BPO, while also protecting “citizens whose personal data are stored by government offices and commercial establishments,” the report states. In a statement to the Senate Committee on Science and Technology, industry leaders warn that without a law in place, there is a “real danger of losing investors to countries with a more favorable legislative framework” for privacy protection. [Source]

MY – Data Protection Office to Be Established

The Malaysian Ministry of Information, Communication and Culture plans to establish a government department to help implement the country’s new data protection law. According to Deputy Minister Datuk Joseph Salang, the office should be up and running by next year. At a press conference, Salang underscored the urgent need for personal data protection laws, saying, “Prior to the implementation of this act, personal data is only bound by contractual agreement or common law.” The Personal Data Protection Act was passed in 2010 and is expected to go into effect early next year. [Source]

PE – Personal Data Protection Law Expected in July

The Congress of the Republic of Peru has passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE), Hunton & Williams’ Privacy and Information Security Law Blog reports, noting that if it is signed into law, Peru will have “EU-style omnibus privacy legislation.” The law would include provisions establishing the National Personal Data Protection Authority within the Ministry of Justice, requiring consent for the processing of personal data, limiting communications monitoring and restricting cross-border data transfers. Peruvian President Alan García is expected to sign the law before his term ends on July 28, the report states. [Source]

Privacy (US)

US – Portion of Settlement to Establish Undergrad Privacy Program

Fourteen privacy organizations and nonprofits will split $6 million of the $8.5 million settlement approved by a federal judge in the Google Buzz case. Originally, 12 entities were to split the settlement, but U.S. District Court Judge James Ware has ruled that Markkula Center for Applied Ethics at Santa Clara University (SCU) and the Electronic Privacy Information Center should each receive $500,000, the report states. SCU’s Markkula Center says it will use the money to create an undergraduate curriculum on Internet privacy and a site that discusses users online choices about privacy. [MediaPost News]

US – Class-Action Status Sought for TCPA Violations

Lawsuits have been filed in a California federal court that claim Twitter and American Express Centurion Bank violated the Telephone Consumer Protection Act when they sent opt-out confirmation texts to the plaintiffs, Hunton & Williams’ Privacy and Information Security Law Blog reports. In each case, the defendants sent the plaintiffs a single text to confirm the requested opt-out. Both lawsuits are seeking class-action status and highlight “a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices,” the report states. [Source]

US – Supreme Court to Consider Issue of Warrantless GPS Tracking

The US Supreme Court will review the constitutionality of surreptitiously placing GPS devices on suspects’ vehicles without a warrant. The Justice Department maintains that “a person has no reasonable expectation of privacy in his movements from one place to another,” and is seeking to overturn a lower court decision that reversed the conviction and subsequent life sentence in prison for a cocaine dealer whose movements were tracked in this way. That case was decided in the US Court of Appeals for the District of Columbia Circuit; three other circuit courts of appeal have ruled that using a GPS device to track a vehicle does not require a warrant. The court will not make a decision before its next term begins in October. [Source]

US – Supreme Court to Review Privacy Harms Case

The U.S. Supreme Court has agreed to review a ruling that said an individual could sue a federal agency for emotional distress because of the release of personal information. The case, FAA vs. Cooper, 10-1024, involves a pilot who filed a lawsuit against federal agencies for disclosing his medical records during a fraud investigation, the San Francisco Chronicle reports. In February 2010, the Ninth Circuit Court of Appeals ruled in favor of the pilot, but the Obama Administration has argued that the 1974 Privacy Act does not allow damages for emotional distress. The plaintiff’s lawyer said, “More often than not, embarrassment and humiliation are the only damages…Unless these are compensable, it’s a free license to the government” to circumvent the law. [Source]

US – FTC Settles Charges Against Ad Network

The FTC has finalized its order settling charges that online ad network Chitika tracked consumers online after they’d opted out. The FTC alleged that from at least May 2008 to February 2010, Chitika’s cookies resumed tracking users 10 days after they’d opted out. Chitika said the opt-out was meant to last 10 years, but a glitch caused the error. The settlement bars Chitika from misleading consumers about the extent of its data collection and the control users have over the collection, use or sharing of their data. Additionally, every targeted ad must include a hyperlink allowing users to opt out for at least five years. [Source]

US – Vermont Law Barring Prescription Data Use for Marketing Found Unconstitutional

The US Supreme Court has struck down as unconstitutional a Vermont law that forbids the use of prescription data pharmacies collect to be used for marketing. In a 6-3 decision, the Court ruled that Vermont’s law violated the pharmaceutical industry’s First Amendment right to market their products. The Vermont law banned the use of the information collected by pharmaceutical companies for marketing purposes, but did allow the information to be used for health care research and educational purposes and could also be accessed by journalists, insurance companies and law enforcement agencies. The ruling is likely to quash the passage of similar laws in other states. [Source] [Source] [Source]

US – Committee Focuses on Do Not Track

“Consumers should not be expected to make tracking choices on a company-by-company basis,” said FTC Commissioner Julie Brill in an address on Monday at the Center for American Progress, adding that therefore, do not track should apply to mobile devices as well. The FTC published tips for consumers to protect their privacy when using mobile apps. Brill is also scheduled to testify at today’s Senate Commerce Committee hearing on privacy and data security. At the hearing, Consumers Union will present survey results indicating that 81% of Internet users favor a do-not-track mechanism, and the Commerce Department’s Cameron Kerry is expected to testify in support of consumer data privacy legislation, including do not track. [ClickZ]

Privacy Enhancing Technologies (PETs)

CA – Don’t Stop Anonymizing the Data

Two Canadian privacy experts have issued a new report that strongly backs the practice of de-identification as a key element in the protection of personal information. The joint paper from Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the University of Ottawa and the Children’s Hospital of Eastern Ontario Research Institute, comes as some privacy policy makers increasingly question the value of de-identification. Personal information can be routinely de-identified before it is used or disclosed for a wide range of purposes, such as research, where it is not necessary to know the identity of individuals. Recently, however, the practice of de-identification as an effective tool to protect privacy has been challenged by those who claim it is possible to re-identify individuals from seemingly anonymous data. Today’s report refutes this position, and further validates that anonymizing data is a reliable, safe and practical way to protect personal information. Launched at the University of Alberta’s National Access and Privacy Conference, the new paper entitled, “Dispelling the Myths Surrounding De-Identification: Anonymization Remains a Strong Tool for Protecting Privacy,” shows that the re-identification of properly de-identified information is not, in fact, an easy or trivial task, and rather requires concerted effort on the part of skilled technicians. De-identification is a vital first step in protecting privacy, by drastically reducing the risk that personal information will be used or disclosed for unauthorized or malicious purposes. [Source] [Ontario privacy boss slams geo-location as privacy risk] See also: [Is Anonymity on the Web Impossible?]

CA – Ontario Commissioner Calls for Privacy to be Embedded into Legacy Systems

Ontario’s privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it’s stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems’ ability to report users’ location data. [SC Magazine] [Source]

RFID

UK – Chips for Dinner: Edible RFID Tags Describe Your Food

A student at the Royal College of Art in London, Hannes Harms, has come up with a design for an edible RFID chip, part of a system he calls NutriSmart. The chip could send information about the food you eat to a personal computer or, conceivably, a mobile phone via a Bluetooth connection. The idea is that it could send nutritional data and ingredients for people who have allergies, or calorie-counting for those on diets, or maybe even telling your fridge when the food has gone off. It could even be used to market organic food, with a chip holding data about the origin of that tuna steak you just bought. [Source]

Security

US – FISMA Compliance Metrics Focus on Continuous Monitoring

New Federal Information Security Management Act (FISMA) compliance metrics released by the US DHS require agencies to report on their implementation of automated continuous measurement of critical security risks. The memo stems from 2010 guidance requiring government agencies to begin moving to continuous security monitoring. [Source] [Source] [Source] [Source] [Source]

WW – Many Top iPhone, Android Apps Face Security Woes

Some of the most popular applications available for the iPhone and Android handsets suffer from serious security issues, a recent study from security firm ViaForensics has found. According to the security firm’s appWatchdog study, a slew of companies, including Foursquare, LinkedIn, Netflix, and WordPress earned a “fail” rating on storing sensitive data securely. Netflix’s Android application, for example, failed to “securely store passwords,” ViaForensics said. Surprisingly, the iPhone version of the Netflix app earned the highest “pass” rating for securely storing passwords. ViaForensics’ study is all the more concerning when one considers that mobile applications are becoming far more popular. Earlier this week, In-Stat reported that users will download 48 billion mobile applications to their smartphones in 2015. On Monday, Apple revealed that 14 billion apps had been downloaded from its App Store since 2008. Over 4.5 billion applications have been downloaded from the Android Market. [Source] [Lawsuit Alleges Smartphone Data Misuse]

US – Investigation Finds Apps Put Data at Risk

A computer security firm has found that some popular mobile applications store users’ personal data in plain text on their mobile devices. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. “Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker’s spokeswoman said that it’s necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. [The Wall Street Journal]

US – Cloud Storage Vendors Have Privacy and Security Hurdles to Leap

While off-site services may have the potential to tame the voracious storage beast, most respondents to an InformationWeek Analytics research report are skeptical when it comes to moving valued business data to a public cloud. Security, privacy and regulatory constraints lead the list of concerns; absence of a concrete business case and worries about lack of control, potential data loss, data availability and reliability/performance also factor into companies’ reluctance to store their information in the public cloud. [Source]

US – Body Scanners to Get Privacy Updates

Transportation Security Administration head John Pistole has said the agency is on track to equip half of U.S. airport body scanners with privacy filters by the end of the year. Meanwhile, in a Salon.com article, Daniel Solove argues that, too often, debates about security vs. privacy employ inaccuracies to tip the scales in security’s favor. During times of crisis, Solove writes, the pendulum often swings towards greater security, with the promise that, when danger subsides, privacy provisions will again return. But, he writes, during “times of peace, the need to protect privacy is not as strong because we’re less likely to make such needles sacrifices.” [SecurityInfoWatch]

UK – British Intelligence Agency Replaces Online al Qaeda Article with Cupcake Recipes

The British intelligence agency MI6, along with GCHQ (the UK counterpart of the US National Security Agency), has broken into an online al Qaeda publication and replaced instructions for making a bomb with a series of cupcake recipes. The cyber infiltrators also removed several articles from the publication. [Source]

US – DHS Moves to Boost Security of Software

The Homeland Security Department unveiled a new system of guidance on Monday intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the “root-cause issues” behind cyberattacks, one official said. The announcement also includes a way to rate programming errors for importance in differing environments from embedded systems to web applications. The overall initiative is designed to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products. Colleges and trade schools need to take far more responsibility for ensuring their graduates who write programs can do so securely. [Source] [Source] [Source] [Source]

WW – Fifth Certificate Authority Suffers Breach

The security of a fifth certificate authority was breached earlier this month. While the attackers do not appear to have gained access to information that would allow them to issue valid certificates to themselves, the company, StartSSL, has indefinitely suspended issuing digital certificates. StartSSL says that existing certificates have not been compromised. In the past several months, several other certificate authorities have been attacked. A compromise at Comodo resulted in cyber thieves stealing valid certificates for some highly visible domains, including Google and Skype. [Source] [Internet Storm Center]

Smart Cards

US – Wireless Data Collection Suable Under Wiretap Act

A federal judge has found that Google can be sued for collecting private data from open wireless routers, saying that “plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act,” reports Wired. U.S. District Judge James Ware said, “In particular, plaintiffs plead that defendant intentionally created, approved of and installed specially-designed software and technology” used to intercept data from wireless networks. The report calls the ruling a “serious legal setback” for Google and notes that it also sets precedent for data collected through open WiFi networks in public spaces. Google maintains that the collection was a mistake and says the lawsuit is “without merit.” [Source]

Surveillance

CA – Civil-Rights Groups Wants Proposed ‘Spy’ Law Scrapped

Civil-rights groups are planning a summer-long campaign to raise awareness about a proposed law they say would force Internet companies to spy on their users. The law, called Lawful Access, would ask ISPs to implement technology that would intercept Internet communications of their customers. It would also require ISPs to give up basic identity information about their subscribers to law enforcement officials without a warrant. The law has been proposed in one form or another since 2002, but now it appears it will be included in an omnibus bill of tough-on-crime measures the Conservatives have pledged to table in the first 100 days of their mandate. Among those concerned by the proposed law is Canada’s privacy commissioner. “We have not yet seen a demonstrable need for the extent of access to personal information by law enforcement and national security authorities by the legislation that was introduced in the last parliament session,” said Chantal Bernier, the assistant privacy commissioner. “We believe any measure that seeks to put more personal information in the hands of government in general must be justified.” She said the office is concerned by the potential for abuse of power, especially since the proposed law doesn’t require authorities to get a warrant in order to obtain information, and has an internal control governed by the individual law enforcement bodies. The Net neutrality lobby group Open Media has embarked on a public awareness campaign about the proposed law. Labelled “stop spying,” 35,000 people have already signed a petition calling for the law to be scrapped, or at least dramatically changed. [Source] [Surveillance bill sparks privacy debate] [Bill C-51 will turn ISPs into Internet gatekeepers] and [Concealing data breaches like the Sony PlayStation hack punishable by jail under proposed US bill]

CA – Surveillance Cameras Deployed In Vancouver Despite Mayor’s Denial

The city manager’s office allowed the Vancouver Police Department to use 7 surveillance cameras downtown during the Stanley Cup playoffs to monitor crowds and guide emergency personnel. Mayor Gregor Robertson told the Courier prior to the start of the seven-game series between the Vancouver Canucks and the Boston Bruins that cameras wouldn’t be deployed. [Source] See also: [IN – Police halt Google Street View from filming in India until it gets security clearance]

CA – Cameras Keep Watch Over Sussex Drive

The town of Sussex is installing about three dozen video surveillance cameras in an attempt to safeguard its citizens and property. Six of the cameras have been installed at the community’s historic railway station. An unsolved case of arson last fall almost destroyed the structure. Town Hall also has cameras because youths have been climbing onto the roof. There are more cameras at a park that’s been repeatedly vandalized, as well as at the town arena, well houses and the reservoir. Sussex Mayor Ralph Carr said he did have some concerns about privacy. “But only people who have concerned about doing bad things have to worry. So, we find that people in general aren’t against it because they’re law-abiding citizens and they don’t mind,” he said. New Brunswick’s Privacy Commissioner is keeping an eye on the project. [Source]

US – Police Access City Cameras from Laptops and Smartphones

Officers of the Sandy Springs, Ga., Police Department will soon be able to use laptops and smartphones to browse and view video from various cameras located around the city. The project, which uses a software platform with a Google Maps interface, is part of the Police Department’s initiative to integrate technology from multiple vendors into one system. The department is currently in the process of integrating its computer-aided dispatch system, automatic vehicle locators and in-car police video cameras into the overall infrastructure. Authorized users will be able to view live and recorded footage from the city cameras by clicking on their location points on the Google map. For each camera, users will have the ability to pan, tilt and zoom, according to the department. [Source] See also: [CA – Pearson Airport worker used surveillance camera to spy on ex]

Telecom / TV

AU – Police Win Phone Data – New Laws to Invade Your Privacy

PY agencies and federal and state police will be able to order phone companies to seize customers’ personal data even before a warrant is issued under controversial changes to cyber security laws to be introduced. The cyber crackdown comes as the country’s intelligence agencies revealed they detected 250,000 cases of hacking in the past 6 months alone in which the passwords, account details and personal information of Australians had been stolen. However, authorities are being hampered from tracking evidence because phone companies are destroying personal data such as text messages often within 24 hours because of the sheer volume of data clogging their networks. Attorney-General Robert McClelland will introduce amendments to allow law enforcement and intelligence agencies to issue an immediate “non-destruction” order of cyber and phone data to phone and internet companies. It would allow them to preserve personal records of suspects before a formal warrant can be issued. Currently authorities can only order phone companies to hold data after a warrant is issued, often leading to the loss of crucial evidence in live cases. The new laws would also enable intelligence agencies to collect cyber evidence from other countries through an international treaty. The laws would apply to all electronic data including calls, texts messages, emails and computer or internet activity, and will require changes to both the cyber crimes laws and telephone intercept legislation. However, the laws would prevent agencies from actually accessing the seized information until the warrant was issued. If the warrant failed the data would be ordered destroyed. [Source]

WW – Info Retained by Smart Phones Raises Issues for Consumers

In recent months, controversy has swirled around the fact that smart phones, like Apple’s iPhone, store location information on its users, raising major privacy issues. But a leading computer forensics expert said that mobile devices store far more critical personal information on their owners – even after users think they’ve erased the data. Kris Haworth, president of The Forensics Group, one of the nation’s leading computer forensics companies, said consumers might be surprised to learn that the iPhone, iPad, Android, Blackberry and other mobile computing devices retain vital data in their memory despite attempts to delete it. “Most consumers have no idea when they trade in a smart phone or tablet computer that they’ve left a trail of very private and personal information behind – everything from private text messages and emails to their calling records, websites they’ve visited and even bank account passwords in some cases,” Haworth said. With the number of smart phones tripling in the U.S. over the past five years and many consumers regularly trading up for the latest models, the information retention could raise new privacy concerns for consumer groups – and create new opportunities for computer forensic companies. [Source]

CA – Watchdog Warns Smart Phones Lack Privacy Defaults

There are unintended consequences of having our smart phones and other wireless devices automatically collect data on our whereabouts, warns Ontario Information and Privacy Commissioner Ann Cavoukian. Privacy should be designed into cellphones and Wi-Fi systems to prevent the automatic collection and storage of personal data by the devices, which only continue to grow in popularity, Cavoukian said in a special report. There is a lot of concern about the capability of mobile systems to track our lives, without our knowledge, concludes Cavoukian’s report, “Wi-Fi Positioning Systems: Beware of Unintended Consequences,” which was jointly written with Microsoft’s former chief architect of identity, Kim Cameron. [Source]

IN – Mobile Phones in India: A Webless Social Network

India may be home to software giants, like Wipro or Infosys, which have thrived by harnessing the internet’s potential, but few of the country’s 1.2 billion people have so far embraced the web. Telecom Regulatory Authority of India reported that at the end of March the country had just 8.8m broadband connections. By contrast, it boasts some 812m mobile subscribers. According to Gartner, a market-research outfit, in 2013 Indians will send almost 192 billion text messages. [Source]

US – GroupM Takes Lead on Mobile Privacy Guidelines

GroupM has become the first agency to adopt mobile privacy guidelines. Those guidelines would limit the amount of data collected and shared from mobile devices in marketing campaigns by calling for publishers to mask UUIDs (universal unique identifiers that are on every phone) and giving users the opportunity to opt out of data collection and sharing. The guidelines are voluntary, but publishers and mobile ad networks that work with GroupM will be urged to adopt them. [Source]

US Legislation

US – Why Privacy Legislation is Hot Now (Peter Swire Op-Ed)

More than at any time in the past decade, privacy hearings and proposed legislation are spreading across Capitol Hill. Until now, you could always make money betting against a privacy law passing in Congress. Today, many experts are saying that momentum is building for major legislation, although the shape of that legislation is still unclear. This round of privacy action is driven by three historic trends, plus other factors that are coming together now. First is location data. Second is social networking. Third is online behavioral advertising. Along with these three mega-trends, Congress is seriously considering federal data-breach legislation, to harmonize state laws and address the Sony PlayStation and other high-profile recent breaches. Major cloud computing companies and civil liberties groups are supporting the Digital Due Process Coalition, which favors a judicial search warrant before law enforcement can gain access to the exabytes of data stored in the cloud. And, there is pressure on the international front, as the European Union considers tightening its own data privacy laws and as India, Mexico and other countries are in the process of putting EU-style privacy laws on the books. A flashpoint for action could be children’s privacy, where family-values Republicans and consumer-protection Democrats can most easily come together politically. Mark Zuckerberg has publicly discussed bringing under-13s directly into Facebook, but no one knows with what rules. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of the “Do Not Track Kids Act of 2011” to offer the choice not to have behavioral advertising and related tracking for those under the age of 13. And no one knows who will get to see the location information of children — parents will and stalkers won’t, but there are still-to-be-developed rules for those in-between. The biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector. The closest fit to the administration vision is the Kerry-McCain “Commercial Privacy Bill of Rights,” which notably would provide individuals with the legal right to opt out of having their information shared for marketing purposes. This sort of general legislation contrasts with sector-specific proposals, such as a recent bill by Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) that targets smartphone location information. With the convergence of all of these technical changes, the current period most resembles the late 1990s. [Source] See also: [US: Senator renews pledge to update digital-privacy law] and [US: Franken, Blumenthal introduce mobile privacy bill] and [US: Focus on Data Breaches Tops House Commerce Privacy Agenda]

US – Senate Lawmakers Call for Data Security Law, Less Certain Over Privacy

As federal officials grapple with ways to better protect the privacy and security of Internet users, participants at a Senate Commerce Committee hearing appeared to be in broad agreement over the need for data breach laws. But there was less agreement over online privacy laws, with lawmakers, regulators and companies debating “do not track” proposals and general privacy laws that consumers say they want but companies fear will hurt their bottom lines. [Source]

US – Proposed US Legislation Would Require Breach Notification Within 48 Hours

Proposed data breach legislation introduced by US Representative Mary Bono Mack (R-Calif.) would require companies to notify law enforcement authorities of data breaches within 48 hours. If the data compromised in a breach could be used to commit identity fraud, the company must notify the Federal Trade Commission within 48 hours and start contacting affected customers. The bill would also require companies to take reasonable steps to protect personal data, including collecting and storing only data they need. [Source] [Source]

US – CA Senate Again Take Up Bill on Web Privacy Info

California lawmakers took up a bill that has irked Facebook, Twitter and other social networking companies because it would require their websites to automatically set personal information to private. Senators began voting for a second time on SB242, after the bill failed a vote last week. An initial round of voting failed to generate the majority support needed. State Sen. Ellen Corbett, D-San Leandro, said her bill would protect users from identity theft and give parents better control of private information about their children. She said people often are unaware that personal information such as their home address and Social Security number can be available online for others to see. In addition to opposition from social networking sites, Internet companies such as Google, Yahoo and Skype have lobbied against the proposal, saying such regulation isn’t needed because companies already go to great lengths to protect individuals’ privacy. [Source] UPDATE: [CA Social Networking Bill Fails Again]

US – Proposed Bills Address Geo-Location Data Privacy

US legislators have introduced two bills aimed at privacy issues arising from geo-location data generated by wireless devices. Senators Al Franken (D-Minnesota) and Richard Blumenthal (D-Connecticut) have introduced the Location Privacy Protection Act, which would require companies to obtain permission from consumers before sharing geo-location data with third party entities. It would also require providers to inform users about what type of information is being collected. Senator Ron Wyden (D-Oregon) and Representative Jason Chaffetz (R-Utah) have introduced the Geolocational Privacy and Surveillance Act that would require law enforcement authorities to establish probable cause and obtain a warrant to request geolocation data. It would also prohibit sharing the data without users’ consent. [Source] [Source] [Source] [Source] [Source]

US – States Legislate Healthcare, Employee Privacy

Texas Governor Rick Perry has signed a healthcare privacy law that goes beyond HIPAA’s requirements. Rep. Lois Kolkhorst (R-District 13) says the push for electronic health records in the HITECH Act’s incentive program and the lack of federal HIPAA enforcement spurred the legislation, which will go into effect September 12 and will establish an infrastructure for state oversight and enforcement of healthcare privacy. Meanwhile, Oklahoma’s Supreme Court has upheld a lower court’s decision barring “state personnel officials from releasing the birthdates of state employees,” NewsTimes reports. The court said releasing such information could result in identity theft. [GovInfoSecurity]

US – Court: State Law Trumps HIPAA

A Michigan court case ruling could restrict the information physicians can release during legal proceedings. The decision follows a 2009 lawsuit, in which Michigan doctor Isidore Steiner alleged former colleague Marc Bonanni stole patients after leaving the practice, violating an established agreement. Steiner asked for a list of patient names Bonanni had seen at his new practice, citing the Health Insurance Portability and Accountability Act (HIPAA). But the court ruled that Michigan law, which prevents such disclosures, trumps HIPAA. A Michigan-based attorney predicts that “When entities do not want to disclose information, they’re going to use this case as their response.” [American Medical News]

+++

16-31 May 2011

Biometrics

CA – Calgary: Technology Speeds Up Volunteer Police Checks

The Calgary police have unveiled a new digital fingerprinting process that will allow non-profit organizations to quickly run police checks on their volunteers. Calgary police process about 100,000 criminal record checks a year. The new identification system will not only help police solve crimes, but means fingerprints of potential volunteers can be checked within minutes instead of weeks or months. Of course, the system only flags people who have a conviction, said Chief Rick Hansen. Running police checks on 2,500 volunteer coaches and assistant coaches in the minor hockey system is painstaking work for Hockey Calgary. [Source]

WW – Schmidt: No Facial Recognition for Google

Google CEO Eric Schmidt, talking this week at the company’s “Big Tent” conference in the UK, said that Google is “unlikely” to create a facial recognition database, adding that the accuracy of the technology is “very concerning” and popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences. Schmidt also announced Google’s new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. “It is worth stressing that we can only do this with data you have shared with Google. We can’t be a vacuum cleaner for the whole Internet,” said Schmidt. [Source: No Facial Recognition for Google]

Canada

CA – Anonymity of Sperm, Egg Donors Ruled Unconstitutional

The BC Supreme Court has decided children of anonymous sperm donor fathers do have the right to learn who their dads are. Olivia Pratten has asked the courts to ensure donor records are preserved indefinitely and children can access them when they turn 19. The 28-year-old fought for years to learn the identity of her biological father, but was eventually told the doctor destroyed the records in the 1990s. The BC Supreme Court ruled it’s unconstitutional for the government to keep records secret or destroy them at any time. The government has 15 months to comply. [Source]

CA – “Lawful