Author Archives: privacynewshighlights

01-31 July 2011


US – Law Enforcement to Begin Iris Scanning Amid Privacy Concerns

New iris- and face-scanning technology could improve the speed and accuracy of police work but raises privacy and civil liberties concerns. The Mobile Offender Recognition and Information System (MORIS) scans an individual’s iris to detect unique patterns so that law enforcement can identify a suspect more quickly. The MORIS technology can also be attached to smartphones and photograph a person’s face, which then runs the image through a database to identify the individual. A representative from the technology’s manufacturer says the application will not be intrusive because “it requires a level of cooperation that makes it very overt—a person knows that you’re taking a picture for this purpose.” [Source

WW – Study: Facial Recognition Technology Powerful, Intrusive

Research conducted at Carnegie Mellon University has successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study’s author could also correctly predict the first five digits of the participants’ Social Security numbers nearly 27% of the time. One law professor notes that the combination of available, “anonymous” online data and the technology makes re-identifying people possible. The study’s author says, “This paper really establishes that re-identification is much easier than experts think it’s going to be.” [The Wall Street Journal] See also: [Facebook facial-recognition feature won’t be available to Canadians] [Facial-recognition technology needs limits, privacy advocates warn] and [Ontario Commissioner: Facial Recognition With Privacy Is Possible] See also: [What Caricatures Can Teach Us About Facial Recognition] and [Barry: Cycling leads the pack in drug testing


CA – Privacy Group Fears New “Lawful Access” Laws

A group of privacy advocates is raising alarm about several government initiatives they say could have serious privacy repercussions for Canadians. Sharon Polsky, the national chairperson for the Canadian Association of Professional Access and Privacy Administrators. Polsky’s group is concerned by the Lawful Access law, slated to be introduced soon after Parliament resumes its fall session. The group says the law as proposed would make ISPs agents of the state by requiring them to monitor Internet behaviour and pass on identifiable information to law enforcement officials without the need of a warrant. The group is also concerned about an international agreement called the Anti-Counterfeiting Trade Agreement, which has been negotiated in secret by 37 different countries, including Canada. While Canada has not yet signed on, ACTA would force the government to harden its copyright rules to be in sync with those negotiated by the member countries, and could cut off Internet access for a year to those suspected of illegally downloading copyrighted songs or movies. “People are not concerned, because people don’t know about it; (ACTA) was negotiated in secret,” Polsky said. She added that she’s also concerned the proposed Lawful Access law would give law enforcement officials from other countries access to the Internet habits of Canadians, because she said police forces often share information with each other. [NIST Release] [Source] [Source] [The What and Why of NIST’s Privacy Appendix] See also: [U.S. ambassador says perimeter security deal with Canada will respect privacy] and [Adopting U.S. privacy standards could hurt Canada’s reputation: watchdog

CA – Canada’s Privacy Chief Prepares to Take On Google

The Privacy Commissioner of Canada is preparing to take on Google Inc. over concerns about how the firm collects, retains and uses personal data. In a little-noticed 46-page report, Jennifer Stoddart has outlined a year-long consultation into issues about online tracking, profiling and targeting. In her review, the commissioner found that Google and other Internet firms including Facebook and FourSquare, are collecting increasing amounts of data about users and not adequately informing people about the data collection or for what it is being used. The privacy commissioner is pushing for these companies to become more proactive in explaining how they collect user information and what they are using it for. [Source] See also: [Oshawa MPP says PC Party would slap GPS devices on sex offenders]

BC – BC Privacy Commissioner to Investigate Smart Meters

B.C.’s Information and Privacy Commissioner Elizabeth Denham will investigate BC Hydro’s Smart Meter program to ensure it complies with privacy laws. The Commissioner said she decided to launch her investigation after receiving numerous complaints that the information collected by the meters may breach personal privacy. “The privacy and security of energy consumption data is a very real issue for citizens throughout the province,” Denham is quoted as saying in the news release. “With an increase in the frequency of the information collected from smart meters comes an increased responsibility on BC Hydro to ensure that privacy and security is built into the smart grid.” BC Hydro is planning to spend $930 million to install 1.8 million smart meters across B.C. The project is due to be completed by the end of 2012. The new meters will also allow customers to log on to Hydro’s website and monitor their own electricity use in real time. [Source] See also: [Canadians deserve greater online protection: privacy commission

CA – Federal Privacy Commissioner Takes Prison Service to Court

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country’s prison system to court for allegedly violating the Privacy Act. Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC’s communications director, Anne-Marie Hayden, says, “In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information.” [National Post]


WW – Consumers Willing to Pay More for Privacy

A new study has found that consumers are willing to pay more for purchases from online vendors “with clear, protective privacy policies.” The Carnegie Mellon University study found that, for example, participants in the study shopping for batteries made “significantly more purchases” from sites rated high privacy—47.4%—than from sites rated no privacy—5.6%. Additionally, consumers were willing to pay, on average, 59 cents more from sites with strong privacy protection. “Our study indicates that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites,” the authors noted. [ScienceBlog]


US – Florida Makes Millions Selling DMV Data

Last year, the state of Florida made more than US $60 million from selling information held by the Department of Highway Safety and Motor Vehicles. It is legal in Florida to sell the data, which include names, addresses, dates of birth and vehicles registered. The data are available to employers and insurance companies, but the state is also selling them to companies that collect personal data and sell them to others. The companies purchasing the information from the state must sign contracts promising not to use the information to harass people. The state does not sell SSNs or driver’s license numbers. Judges and law enforcement officers may request that their information not be sold. [Source] [Source

UK – DVLA Teams Up With IBM in Bid to Curb Uninsured Driver Menace

The DVLA (Driver and Vehicle Licensing Agency) and Motor Insurers’ Bureau (MIB) have introduced a new system to help identify uninsured vehicles which they claim will improve road safety and reduce the cost of uninsured driving across the UK. The new system, delivered with the support of IBM, works by comparing the Motor Insurance Database with DVLA’s vehicle database and is the foundation of the new Continuous Insurance Enforcement initiative, a collaboration between DVLA, DfT, and MIB to reduce the number of vehicles being driven on UK roads without insurance. Under the new system, which took two years to develop, if a vehicle is suspected as being uninsured, the registered keeper will receive a letter from the MIB advising them to get insurance or declare the vehicle off-road. If they fail to do this enforcement action will be taken by DVLA consisting of a fixed penalty of £100, wheel clamping or Court prosecutions. [Source] See also: [Defeated MPs called ‘childish’ for destroying documents on immigration, citizenship cases] and [‘Most open government’ has a lot of catch-up to do] and [Privacy Advocates Fear Immigration ID Database

UK – Councils Compile Databases Containing Over 9,000 ‘Troublemaking’ Residents

It has been revealed that council bureaucrats have been keeping secret databases of residents who have been involved in disputes with them. At least 9,000 people are on the lists, kept by more than 40 councils around England. The reasons for placing people on the databases vary from council to council but many of them are exceedingly trivial, such as arguing with a council official or a dustman. [Source] SEE ALSO: [Blogger Sues To See If Government Kept a File on Him] and also: [It’s All About Transparency: Without proper laws governing public disclosure of data security hacks, Canadians remain at risk] and [Toronto’s data open but almost useless]


CA – Comments Sought in Anti-Spam Regulations

The entities that will implement Canada’s Anti-Spam Legislation have each released draft regulations for comment. Industry Canada’s draft regulations define what constitutes family and personal relationships–both exceptions to obtaining user consent under the proposed legislation, which could affect “forward to a friend” marketing campaigns. The Canadian Radio-television and Telecommunications Commission draft regulations address commercial electronic message content; request for express consent requirements for sending commercial messages, and notice and consent requirements. [Hunton & Williams’ Privacy and Information Security Law Blog] [Electronic Commerce Protection Regulations - Department of Industry - Canada Gazette] [CRTC - Telecom Notice of Consultation CRTC 2011-400: Call for Comments on Draft Electronic Commerce Protection Regulations (CRTC) ]

Electronic Records

AU – Commissioner Eyes Tough E-Health Privacy Laws

Privacy Commissioner Timothy Pilgrim has proposed laws around e-health records in Australia that would tighten use and disclosure of data and penalise any privacy breaches. Pilgrim also proposed laws that would keep e-health record storage in Australia to combat data security concerns. The Privacy Commissioner made 32 recommendations in total on the operation of the Government’s planned $467 million personally-controlled electronic health record (PCEHR) system, which was to be implemented by the National E-Health Transition Authority (NEHTA). The proposed laws would regulate the permitted information flows of health records, restrict the secondary use and disclosure of records to avoid function creep, install transparent governance mechanisms and outline specific sanctions and remedies for breaches. Also sought were a set of minimum terms/rights and responsibilities for participation in the PCEHR by individuals and healthcare providers, and a mandate for uniform complaint-handling mechanisms. Lack of details and precise powers available to health users had upset key privacy organisations such as the Australian Privacy Foundation whose chair, Roger Clarke, lambasted the Health Minister Nicola Roxon over how the eHealth system would fulfil its privacy promise. [Source] See also: [Old Dominion U. professor is trying to save Internet history] and also: [Privacy concerns raised over Fiji electronic voter registration plans

US – Experts Discuss Patient Access, Privacy

The biggest factor in revolutionizing the healthcare system will be patients’ access to their healthcare data. That’s according to healthcare experts at a forum in New York earlier this month. Neil Calman, CEO and co-founder of the Institute for Family Health, said patients will soon expect records in downloadable form, and HIPAA and other regulations will be amended to meet those demands. Experts also discussed privacy and security issues in moving patient data to the cloud. As of mid-July, the U.S. Department of Health and Human Services had recorded 292 health data breaches. Although six percent were due to hacking, that number is expected to increase. [Source] See also: [HHS - Notice of Proposed Rulemaking - 42 CFR Part 401 - Availability of Medicare Data for Performance Measurement] and [IPC Ontario paper: Dispelling the Myths Surrounding De-Identification]


US – DOJ – We Can Force You to Decrypt That Laptop

The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent-setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution’s Fifth Amendment, which broadly protects Americans’ right to remain silent. [Source]

US – RSA Parent Company Spent US $66 Million in Q2 to Address Cyber Attack

RSA parent company EMC spent US $66 million in the second quarter of 2011 to deal with the cyber attack that compromised the integrity of RSA security tokens. EMC provided transaction monitoring for corporate customers concerned about the security of their tokens; the company also offered replacement tokens to companies that requested them. In a conference call regarding the company’s financial results, EMC executive VP David Goluden offered additional information about the attack, saying that customers were notified within hours after the company became aware of the breach, and that the company suspects that the intruders were targeting defense and government information, not financial information. That assumption would be borne out if the breach did, as some have suggested, lead to attempted attacks on computer systems at US defense contractors Lockheed Martin and another on L3 Communications. [Source] [Source]

EU Developments

EU – Commission Begins Action Against States

The European Commission has started legal action against 20 member states for failing to implement telecommunications rules. The commission has written to the states to inquire about why they have not implemented the so-called telecoms package, which was to have been incorporated into practice by May 25. The rules include what has been a controversial mandate for websites to obtain users’ consent before placing cookies on their systems. To date, only Britain, Denmark, Estonia, Finland, Ireland, Malta and Sweden have implemented the rules. The states in question have two months to respond. [Reuters]

EU – Article 29 WP Issues Opinion on Consent

On July 13, the Article 29 Working Party, an independent advisory body to the European Commission, issued a 38-page opinion on the definition of consent. The opinion elaborates the meaning of key terms used in describing the conditions for valid consent, such as indication, freely given, specific, unambiguous, explicit and informed, and addresses the proper timing of consent. Numerous examples of valid and invalid consent are provided in this extended analysis, which also affirms the importance of using the appropriate legal grounds for processing personal data. The opinion paper concludes with a few recommendations relating to consent that the Working Party believes should be considered during the current review of the Data Protection Directive. [Coverage] See also: [German Supreme Court on the Admissibility of Marketing Calls - Federal Court, Press Office]

EU – Article 29 WP Issues Advice Paper on Special Categories of Data (“Sensitive Data”)

The Data Protection Directive categorizes some personal data as “sensitive”, including ethnic origin, philosophical beliefs, health data and criminal convictions; challenges interpreting the categories of sensitive data include difficulty in defining “philosophical beliefs” (one court recognized “belief in climate change” as a philosophical belief), photos of individuals (such images can reveal information about an individual’s ethnicity or health status) and major differences in the degree of sensitivity (e.g. health data may range from information about a simple cold to stigmatizing information about illnesses or disabilities). Challenges have also arisen applying the exceptions to the general ban on processing of sensitive data, e.g. as sensitive data may be processed by a health professional, but it is not always clear who is considered a healthcare professional, there are no exceptions that permit processing of health information by schools (in the case of injury) or insurance companies (to conclude a health insurance contract), and the requirement to have consent may be problematic in the online environment (citizens rarely use secure electronic signatures which are required for written consent). The categories of “sensitive data” should be expanded to include genetic and biometric data, and there is some interest in revising the approach to sensitive data to increase flexibility – i.e., where the general definition of “sensitive data” takes the context for processing into account and member states are given discretion to decide upon further data categories (e.g. creation of personal profiles, minors, information about financial situation, and geolocation data). [Source]

EU – European Commission Public Consultations on ePrivacy Directive

Comments are due by September 9 to resolve questions surrounding implementation of the ePrivacy Directive’s breach notification obligations which are aimed at determining whether additional measures are required to ensure harmonised national implementations; areas where there is a risk of divergence at the national level include the threshold for notifying individuals or subscribers (notification is only required where their data or privacy will be “adversely affected”, which is open for interpretation), how the sufficiency of technological measures is assessed (notification is not required when technological measures render data sufficiently unintelligible), what is considered an “undue delay” (breach notification should be provided without “undue delay”), and the fact that the Directive does not specify the means by which notification should be provided (the means of notification should be common across the EU). Other areas that require clarification include the contents of notification (are there additional elements that should be included), how to deal with cross-border breaches (what should occur when a data controller is established in a different member state than where the breach occurred), and whether there are circumstances where communications providers would be required to provide notifications under numerous laws (e.g. the Framework Directive also includes a notification obligation for providers of public communications networks or electronic communications services). [Press Release] [Consultation Document] See also: EU – European Parliament Resolution of 6 July 2011 on a Comprehensive Approach on Personal Data Protection in the European Union (2011/2025(INI)) ]

EU – EDPS: Commission Ambiguous on Cookie Advice

The European Data Protection Supervisor (EDPS) says that the European Commission has offered “inconsistent advice to website owners on how they should obtain users’ consent to cookies.” EU Commissioner Neelie Kroes said last month that European companies had one year to create a uniform way for users to opt out of cookies and that she supported self-regulatory efforts, but EDPS Peter Hustinx says that neither a self-regulatory model nor a do-not-track model comply with EU Directive requirements. Hustinx says the directive’s requirements should be “fully respected,” and “The Commission should avoid any ambiguity” in making sure that transparency and consumer control online are delivered in the EU. [OUT-LAW News] See also: [Data Protection Commissioner, Ireland - Guidance Note on Data Protection in the Electronic Communications Sector] and [Draft Hungarian Law on the Data Breach Notification Framework and the New Cookie Consent Rule]

EU – European Data Protection Supervisor (EDPS) Issues Annual Report 2010

Consultations by the EDPS in 2010 included the request for access to the identity of an informant (the protection of whistleblowers and informants should be the same after the closure of an investigation because the vulnerability of the whistleblower’s role and risks to their privacy do not change depending on whether the investigation is opened or closed with no follow-up); the further processing of data in an existing EU institution database for the purposes of providing its travel agency with ID data was determined to be serving a different purpose incompatible with the initial purpose of collection and processing, the data protection covenant between the EU institution and the travel agency was deemed to be unclear (e.g. the reasons why and circumstances when the travel agency acts as a processor and/or controller), and proper guarantees should be in place to ensure the rights of the data subjects and secure onward transfers by the travel agency to other recipients. In regards to a financial institutions management of IT administrators’ access to personal data stored in IT systems and applications, the principle of segregation of duties must be applied, and a combined balance of organisational and technical measures should be implemented and documented. The monitoring of telephone communications above a predefined threshold could be considered a breach of the right to privacy of employees; the institution was requested to ensure that the threshold figure (that would trigger the sending of a list to management) is sufficiently high so as to avoid non justified monitoring and enables the identification only of those cases in which there is clear or repeated abuse of the system, and to reassess the proposed system in order to determine whether other less intrusive methods could be used. Main objectives for 2011 include targeted monitoring exercises where the level of compliance at specific EU institutions and bodies is a cause for concern, on-the-spot inspections in those cases where the EDPS has serious grounds to believe that the compliance mechanism is blocked (this will be viewed as the final state before formal enforcement action), and inspections and audits in the field of large-scale IT systems falling within the remit of the EDPS. [Source]

EU – EU Lawmakers Upset by Microsoft Warning on U.S. Access to EU Cloud

Members of the European Parliament are expressing concern about the conflict between the European Union’s Data Protection Directive and the U.S. Patriot Act. Last week, Microsoft admitted that it may have to disclose European users’ data, found in its new cloud service, to U.S. authorities, while keeping transfer details secret. Such disclosure would be a violation of the directive, prompting MEP Sophie in’t Veld to ask, “Does the commission consider that the U.S. Patriot Act thus effectively overrules the EU Directive on Data Protection? What will the commission do to remedy this situation and ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over EU legislation?” [Computerworld]

EU – New Dutch Law to Deter Privacy Breaches

A new law expected to become effective this year will allow for the imposition of fines for data privacy violations. “People’s personal data are being used by others all the time, without their realizing it in the least,” said Dutch Data Protection Commissioner Jacob Kohnstamm, who is assisting the justice ministry in drafting the law. “The new, steep fines will make sure that people’s privacy will be respected.” Violators risk fines from 25,000 to several million euros. Kohnstamm has also announced that his office is investigating the presence of regional electronic medical records. [Radio Netherlands Worldwide] See also: [EU – EDPS Opinion on Notifications for Prior Checking]

EU – DPA Fines Agency for Employment Data Collection

The Italian Data Protection Authority (Garante) has found that collecting and processing the sensitive personal information of job applicants violates the law and has censored and fined a real estate agency for asking applicants “a disproportioned quantity” of personal questions. The Garante found the practice violated Italy’s Data Protection Code, and further investigation and sanctions may be forthcoming. “It is incredible that notwithstanding strong data protection legislation, we still experience similar shocking data processing in the employment field,” notes Rocco Panetta of Panetta & Associati,” adding that such behaviors expose organizations “to enormous risks of sanctions.” (Article in Italian)

EU – EU Mulling Plans for New Rules on Data Breach Notifications

The European Commission is considering a set of “practical rules” to govern companies’ behavior in the case of a data breach. The announcement comes in the wake of a series of high-profile data breaches, including Sony’s announcement in April that the personal information of 78 million PlayStation users was stolen. The rules, which were outlined in Brussels, would specify the procedures and format for notifications. Until the early September deadline, the European Commission is seeking input from the public and from sources including national data protection authorities and consumer organizations. According to Neelie Kroes, the EU’s digital agenda commissioner, a section of the EU’s new telecoms rules came into force in May requiring companies to notify consumers and national data protection authorities of data breaches. But additional rules could ensure consistency throughout EU member nations. [Source]

EU – New Requirements for Data Protection Officers in Germany

German companies must appoint a data protection officer (“DSB”) when they employ more than 10 employees using automated processing, more than 20 employees using non-automated processing or process data in a manner that infringes intensely on personal rights (e.g. when using video surveillance, chip cards or non-transparent procedures); even if appointment of a DPO is not required, management is still responsible for meeting the provisions of the law by taking on the DSB’s tasks and prior reporting all automated processing to data protection authorities (a DSB may be appointed simply to avoid the prior checking requirements, and companies can hire external DPOs, such as a specialized lawyer). DSBs must have knowledge of relevant data protection provisions (including constitutional protections and any sector-specific legislation), data security technology (e.g. physical security of IT infrastructure, cryptography, spyware and network security), understanding of practical data protection management (e.g. executing controls, advising management, coaching employees, providing data protection strategies and recording data protection activities), and the enterprise’s technical and organizational structure (e.g. relevant process charts and internal organization). In order to enable independence for DSBs, they must report directly to company management, not be bound by company instructions regarding data protection, and be protected from dismissal (the DSB service contract should safeguard the autonomous fulfillment of his or her legal assignment for a term of 4 years if internal, or 2 years, if external). Failures to meet the minimum DSB specifications may result in a €50,000 fine to each manager personally; companies may want to consider appointing a DSB, even where not required, as previous non-compliance issues will generally not be punished. [Source]

UK – ICO Annual Report: Volunteer to Be Audited by Us, We Might Not Bust You

The Information Commissioner’s Office (ICO) released its annual report, which states that more companies should offer themselves up for voluntary audits. Last year, there were 603 reported data breaches, and 186 occurred in the private sector. Of those businesses, 19% accepted the ICO’s offer for a free data protection audit. In the public sector, 71% agreed to the voluntary audit, the report states. “These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consentual audit should count as a badge of honor, showing that the business takes data security seriously,” said Information Commissioner Christopher Graham. [The Register] See also: [UK Information Commissioner’s Office Auditing Data Protection: a Guide to ICO Data Protection Audits | North West London Hospitals NHS Trust - Data Protection Audit Report Executive Summary] and [EU Article 29 Data Protection Working Party - Advice Paper on Practical Implementation of Article 28(6) of the Directive 95/46/EC (how Data Protection Authorities make use of their supervisory authority under Article 28(6) of the General Directive)

UK – ICO: Jail Time Needed for Privacy Violations

A recent phone hacking scandal has prompted Information Commissioner Christopher Graham to call on the British government to implement prison sentences for those who use stolen personal data. The Information Commissioner’s Office previously recommended two-year prison terms for such offenses after a 2006 investigation into the sale of stolen personal data to journalists, the report states, but the government did not implement the proposal after journalists claimed it would limit free speech. In calling for stronger laws, Graham noted, “Unless people realize they can go to prison, it seems like a victimless crime.” [Bloomberg]

UK – ICO Publishes Guidance on Fines

The Information Commissioner’s Office (ICO) has released details on how it will use its new fining powers under the Privacy and Electronic Communications Regulations (PECR). Amendments to the PECR let the ICO fine up to £500,000 for offenses, and “It is possible that a single breach may be sufficient to meet this threshold,” the ICO says in its guidance, which offers insight into potential triggers for fines. Organizations will have the chance to weigh in on the guidance before it is adopted. [OUT-LAW.COM]

Facts & Stats

AU – Thousands of Privacy Breaches Going Unreported

There has been a 27% jump in the number of incidents of stolen or lost personal information reported to the Privacy Commissioner in the past year but inadequate laws mean thousands of incidents go unreported. The Privacy Commissioner, Timothy Pilgrim, revealed his office had received 56 data breach notifications in the year to June 30 – up from 44 in the previous year. However, Pilgrim warned that this only included responsible companies that voluntarily owned up to losing personal information as the government had failed to introduce mandatory data breach notification laws. Pilgrim also revealed his office had opened 59 “own motion” investigations in the past year – usually following media reports of privacy breaches. This includes investigations into Google, Telstra, Vodafone, Dell, Sony and most recently Medvet, which inadvertently left its order system for paternity and drug tests open to be accessed via search engines. [Source

CA – Statistics Canada to Stop Tracking Marriage and Divorce Rates

Statistics Canada will no longer collect and crunch numbers on the country’s annual marriage and divorce rates, a sign both of cost cuts at the agency and the changing nature of relationships, as definitions get fuzzier and harder to track. The national statistical agency published its last national figures on marriage and divorce rates last week. It has been collecting divorce data since 1972 and marriage data since 1921. It pegs the cost of reinstating the collection at $250,000. By the numbers:

  • 43.1% – Canadian marriages that are expected to end in divorce
    before the couple reach their 50th wedding anniversary
  • 26.8% – Marriages expected to end in divorce before a couple
    in Newfoundland and Labrador reach their 50th anniversary
  • 62.6% – Percentage of marriages expected to end in divorce
    by the time a couple in the Yukon reaches their 50th anniversary
  • 44 – Median age for Canadian men at divorce in 2008
  • 41 – Median age for Canadian women at divorce in 2008 [Source]


UK – Court Orders BT to Block Site Linked to Digital Piracy

A group of film studios represented by the Motion Picture Association (MPA), the international arm of the Motion Picture Association of America (MPAA), has won a court order against British ISP BT to block the Newzbin2 filesharing website. A British High Court judge has ordered BT to block users’ access to the members-only website that offers links to movies and television programs available on Usenet boards. [Source] [Source] [Source] [Source] [Newzbin2 response]


CA – OPC Guidance on Private-Sector Anti-Money Laundering Databases

To help financial institutions conduct their due diligence around identifying “politically exposed people” (i.e. people who may abuse their position of power for private gain), private-sector anti-money laundering database providers have emerged, who will compile databases of sanctioned individuals and entities (from publicly available government and NGO lists) and scrub the financial institution’s customer lists against the database. Privacy issues with these databases emerge as a person may be removed from a government list, but remain in the database provider’s list (the individual would have difficulty determining whether or not their name had been de-listed from the database and there is no indication of an appeal process being available) and jurisdiction issues arise (it may be difficult to make a claim regarding enhanced due diligence to the OPC by a foreign national taking issue with a Canadian financial institution or a Canadian taking issue with a foreign financial institution). Private-sector anti-money laundering database providers also identify “persons of special interest” who may be at high-risk, and there appears to be no limits on what information is being collected or how it is being incorporated into a risk assessment for possible money laundering risk (the determination of who is a “high-risk” is made without any transparency, and based on information that may or may not be correct, with potential harm to the individual’s relationship with the financial institution). [Source]

CA – Best Practices in Privacy and Anti-Money Laundering/Counter-Terrorist Financing

The federal Privacy Commissioner has published recommendations for Canada’s anti-money laundering regime include providing mechanisms for the sharing of information between financial institutions to help detect patterns of money laundering (PIPEDA does not currently permit such sharing as allowed under the USA PATRIOT Act), ensuring suspicious activity reports are only filed based on reasonable grounds that the transaction is related to the commission of a money laundering or terrorist financing offence (a “report all” philosophy and reports based on crimes like tax evasion raises questions on the proportionality of Canada’s financial intelligence unit’s activities), and providing practical guidance on privacy issues for those at highest risk of privacy transgressions (e.g. point-of-sale staff in real estate, insurance, accounting, or casinos). Other recommendations include imposing operational controls on the centralization of suspicious activity reports in an organization’s head office (e.g. enterprise-wide policies on the exchange of suspicious activity reports, well-defined procedures for transmission of sensitive data, and a regular review of the effectiveness of the arrangement in terms of meeting its objectives and adherence to policies) and creating legislation to ensure the confidentiality of the source of suspicious activity reports when responding to access requests or production orders (financial institution employees will hesitate in reporting their concerns if they believe the legal safeguards are insufficient to protect them and their families). [Source]

US – Banks’ Billion-Dollar Idea: Sell Your Shopping Data

Many of the nation’s leading banks and card issuers, including Wells Fargo, Citi, USAA, Sovereign Bank and Discover, are selling information about consumers’ shopping habits – how much they spend, where they shop and what they buy – to retailers. Retailers are using the data to offer targeted discounts via text, email and online bank statements. Each time a consumer cashes in on one of those deals, the retailer pays the bank a nice commission. At a time when government regulation is forcing banks to hike fees and eliminate consumers perks, selling consumers’ shopping data is an easy way to not only generate a decent chunk of revenue but also to drum up some much-needed customer loyalty. Aite Group, an independent Boston-based research firm specializing in financial services, forecasts that these merchant-funded incentives will drive $1.7 billion in annual revenue for card issuers by 2015. [Source] See also: [Morgan Stanley warns 34,000 customers of data breach]

UK – Banks Face More Privacy Complaints from Customers than Any Other Group

Banks have attracted more customer complaints than any other group over allegations of mishandling sensitive information, the privacy watchdog reveals today. Lenders routinely lost, released or wrongly recorded personal data, the Information Commissioner warned in his annual report which detailed 603 complaints. But the true scale of privacy and data breaches could be much higher, because the private sector is not obliged to report complaints to the Information Commissioner. [Source]

US – Financial Industry Group Releases Social Media Guidance

Financial services industry group BITS, a division of the Financial Services Roundtable, has released guidance addressing social media risks and use. “Social Media Risks and Mitigation“ analyzes issues such as compliance, legal, operational and reputational risks. The report discusses three main types of social media use, including communication between an institution and its customers; employees’ personal and professional use of social media within the institution, and employees’ and vendors’ use outside of the institution. [Hogan Lovells’ Chronicle of Data Protection]

US – Little-Known Firms Tracking Data Used In Credit Scores

Atlanta entrepreneur Mike Mondelli has access to more than a billion records detailing consumers’ personal finances – and there is little they can do about it. The information collected by his company, L2C, comes from thousands of everyday transactions that many people do not realize are being tracked: auto warranties, cellphone bills and magazine subscriptions. It includes purchases of prepaid cards and visits to payday lenders and rent-to-own furniture stores. It knows whether your checks have cleared and scours public records for mentions of your name. [Source] See also: [Comments of The Electronic Privacy Information Center To The Federal Trade Commission “Public Workshop and Request for Public Comments and Participation”]

EU – EU Exploring Its Own Funds-Tracking Program

In the wake of objections by many EU officials to a program that allows the U.S. to access European financial transactions as part of efforts to fight terrorism, the European Commission has presented its own proposals for tracking finances of suspected terrorists. The plans “are aimed at ending the primary role of the United States in those efforts,” quoting Commissioner Cecilia Malmström’s statement that an EU system “would need to fully respect fundamental rights and, in particular, ensure a high level of data protection.” One of the EU’s primary goals will be to limit the amount of data sent to the U.S. [The New York Times] See also: [European Data Protection Supervisor - Opinion on the Proposal for a Regulation of the European Parliament and of the Council Establishing Technical Requirements for Credit Transfers and Direct Debits in Euros and Amending Regulation]

WW – SpyEye Trojan Can Evade Fraud-Detection Algorithms

Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people’s online bank accounts, according to new research from security vendor Trusteer. SpyEyecan harvest credentials for online accounts and also initiate transactions as a person is logged into their account. In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions.[Source] See also: [Mac OSX passwords can be pilfered with new tool]


CA – Saskatoon Privacy Concerns Made Public

The province’s information and privacy commissioner and the City of Saskatoon are again at odds over the city’s handling of access to information issues and the tension seems to be on the rise. In his annual report for the 2010-11 fiscal year released last week, Gary Dickson cited four different investigations relating to problems he found with the City of Saskatoon over different issues. [Source] See also: [Modernize Saskatchewan privacy law] and [Frank Work: Time for Alberta government to deliver on promise of greater transparency] and also: [OIPC BC - Data Sharing in a Gov 2.0 World - Commissioner’s June 2011 Keynote Address to the Edmonton Access and Privacy Conference]

CA – Police Board to Reconsider Policy of Simultaneous Release of FOI Requests

The Vancouver police board will review the department’s policy of releasing information requested under the Freedom of Information and Protection of Privacy Act simultaneously to both the requester and the public, after being told by FOI advocates it is not adhering to the spirit of the law. Vincent Gogolek, the executive director of the B.C. Freedom of Information and Privacy Association, said the Vancouver police department remains the lone holdout on a questionable policy that many view as a deterrent to people asking for information under the act. In May, provincial information and privacy commissioner Elizabeth Denham slammed BC Ferries’ practice of posting FOI requests online before or as it releases a copy to the original requester. Last month, Vancouver council unanimously adopted a policy of not engaging in such practices. And on Tuesday the provincial government changed its policy to give requesters at least 72 hours with the documents before posting them online for others to see. But the police board has so far refused to accept the position of the provincial FOI commissioner or city council’s motion. [Source] See also: [OIPC BC - Balancing Privacy and Openness: Guidelines on the Electronic Publication of Decisions in Administrative Tribunals]


UK – Police to Retain DNA Profiles of Innocent People

Details of innocent people’s DNA will be retained by police despite a pledge by the government that they would be deleted, Home Office minister James Brokenshire has admitted. Rather than keeping an innocent person’s complete profile on the national DNA database, it will be retained in an anonymised form, which would leave open the possibility of linking the information with people’s names. This would mean that the profiles would be considered to have been deleted (even though the DNA profile record, minus the identification information, will still exist). Commenting on the latest developments, Daniel Hamilton, director of privacy lobby group Big Brother Watch, said: “James Brokenshire’s letter confirms that the details of more than a million innocent people will remain on the national DNA database. “This is a disgraceful U-turn on the part of the government. It represents a betrayal of an explicit commitment made in the coalition agreement and stands in contravention of a ruling by the European Court of Human Rights banning the retention of innocent people’s DNA.” [Source] [Source] See also: [Garante Per La Protezione dei Dati Personali - General Authorisation for the Processing of Genetic Data, June 24, 2011]

US – Appeals Court: OK to Check DNA of Those Arrested

A closely divided 3rd U.S. Circuit Court of Appeals has found that the collection of DNA samples from people arrested – but not yet convicted – of crimes is constitutional, in an opinion released today. In a precedent-setting ruling, the appeals court rejected U.S. District Judge David S. Cercone’s 2009 order finding that law enforcement could not collect DNA from Ruben Mitchell, who faces a federal charge of attempting to possess and distribute five kilograms or more of cocaine. Judge Cercone had found that requiring pre-trial detainees to submit DNA samples, which is done under the DNA Analysis Backlog Elimination Act of 2000, violates the 4th Amendment’s search and seizure rules. In an 8-6 ruling, the circuit judges found that people who are arrested have “a diminished expectation of privacy in their identities.” Outweighing their privacy, they found, is the importance to law enforcement of correctly identifying people who are charged with crimes, determining their criminal history, potentially linking them to unsolved crimes and promptly ruling out involvement in a crime in cases in which the DNA does not match that found at the scene. [Source]

US – FBI’s Next Gen Identification: Bigger and Faster but Much Worse for Privacy – EFF

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database. FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.” The FBI does not just collect and store data from people caught up in the criminal justice system; about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records. Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise. The third reason for concern is at that once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone’s actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.” [Source: Electronic Frontier Foundation]

Health / Medical 

US – Snooping Celebrity Medical Records Cases Settled

Years after hospital employees were accused of snooping into the medical records of celebrity patients, UCLA Health System agreed to pay an $865,000 US settlement for potential violations of federal privacy laws. The settlement that UCLA reached with federal regulators did not name the stars involved and did not require the hospital system to admit liability. The investigation by the U.S. Department of Health and Human Services revealed that workers repeatedly accessed patients’ electronic health records between 2005 and 2008. The hospitals have agreed to report to a federal monitor on the implementation of its corrective plan over the next three years. In 2008, California Department of Public Health officials announced results of their own investigation into the privacy breaches and found that UCLA hospital workers inappropriately accessed records of 1,041 patients since 2003. The hospital later disciplined 165 employees through firings, suspensions and warnings. At least two former UCLA employees have faced criminal charges for medical privacy violations. The headline-grabbing breaches led California legislators to pass a bill boosting the maximum fine for privacy breaches at health facilities from $25,000 US to $250,000 US. The UCLA Health System includes Ronald Reagan UCLA Medical Center, Santa Monica-UCLA Medical Center and Orthopedic Hospital, and the UCLA Medical Group, a network of primary and specialty care satellite offices. [Source] See also: [Beth Israel Hospital Notifies Patients of Data Events] | Wake Forest Breach ] and also: [Brown v. Mortensen - 51 Cal. 4th 1052; 2011 Cal. LEXIS 6103 - Supreme Court of California]

US – Preliminary Settlement Reached in Class Action

WellPoint has reached a preliminary settlement in a class-action lawsuit involving the exposure of 600,000 health applicants’ sensitive data. The suit, filed in March 2010, alleged that the company failed to protect the privacy of those affected. The settlement would see WellPoint provide two years of credit monitoring to those involved and would entitle class members to reimbursement for instances of identity theft. The settlement will be approved or declined after a November fairness hearing. In July, the company agreed to pay a $100,000 fine in a settlement with the Indiana attorney general’s office for notification failures surrounding the incident. [American Medical News]

US – E-Health Records Still Scare Most of Us

Nearly 80% of consumers surveyed earlier this year said they’re wary of electronic health records because they’re concerned that their personal information might be stolen or lost it if were kept in an EHR system. The online survey, conducted by Harris Interactive for Xerox in February and released last week, polled 2,720 U.S. adults, the majority of whom felt that their personal information could be misused if it was stored electronically. Of those surveyed by Harris Interactive, 78% indicated they were concerned about hackers accessing EHR systems; 64% said they were worried about the threat of lost, damaged or corrupted files; and 62% cited concerns over the misuse of electronic healthcare information. 23% of the respondents said that they believe patients have the least to gain from a conversion to digital records. [Source] See also: [Will HIPAA Audit Program Become Model?] and [CA – Missing Cancer Care Ontario packages put health info of 12,000 at risk] and [Office of the Australian Information Commissioner - Submission to the Department of Health and Ageing on the Draft Concept of Operations: Relating To The Introduction Of A Personally Controlled Electronic Health Record (PCEHR) System]

US – HIPAA Audits to Begin Soon

The Department of Health and Human Services announced that it will soon begin its HIPAA compliance audits mandated under the HITECH Act with 150 onsite audits to be conducted by KPMG by the end of 2012. The scope of the audits, the selection process for being audited and whether audits will be used as an enforcement or education tool are all unknown. Due to the volume of covered entities, the likelihood of being audited is small, but organizations should review their programs and ensure they are effective and up-to-date. The report states that Booz Allen Hamilton has been contracted for “audit candidate identification.” [GovInfoSecurity]

CA – Physicians Reluctant to Share Patient Data

Even during the H1N1 pandemic in 2009, doctors in Canada were reluctant to disclose identifiable patient data to protect patient privacy, researchers say. Five focus groups with 37 family doctors from across Canada provided insights into the reasons they were reluctant to share patient data. The physicians said they were concerned about the privacy of their patients, and did not know whether the data uses would be limited to dealing with the pandemic. They did not perceive that they would get direct benefits back to them and their patients from giving data to public health and there were concerns about how the data could be used to evaluate their performance, the study says. “Patient data needs to be properly anonymized, and health care practitioners must be provided with timely and actionable feedback,” El Emam said. [Source]

US – Expert Analyzes Reported Health Data Breaches in 2011

The Mayo Clinic Center for Social Media’s Christopher Burgess reviews reported patient data breaches from January to June of this year to show how the various incidents could have been avoided. With more than 87 breach incidents affecting approximately five million patients in the first five months of this year, Burgess opines, “Sadly, being compliant is not synonymous with being secure.” Burgess breaks down the reported breaches into hardcopy, digital and identity theft incidents and provides recommendations to mitigate the risks surrounding patient data protection. [Source]

CA – Regina Doctor Responsible for ‘Largest Breach of Patient Privacy’ in History

Saskatchewan’s privacy watchdog is recommending the province consider prosecuting a Regina physician under the Health Information Protection Act (HIPA) in connection with several boxes of patient files that were discarded in a south Regina recycling bin in March. Calling it the largest breach of patient privacy the office has encountered since the act came into force in 2003, information and privacy commissioner Gary Dickson released a report that names Dr. Teik Im Ooi as the “trustee responsible for the records” that were hauled out of the blue bin. About 180,000 pieces of patient personal health information were recovered, including 2,682 patient files as well as daily activity reports from the Albert Park Family Medical Centre. [Source] [Report] [Sask. official slams doctor over major patient privacy breach] see also: [Beth Israel reports potential data breach] and [Patient alleges Tufts breached privacy]

Horror Stories

KR – Personal Data of 35 Million Hacked In Attack on South Korean Social Media Sites

The personal information of about 35 million Internet users in South Korea was stolen in an alleged hacking attack that originated in China, officials said. Hackers purportedly attacked popular Internet and social media sites Nate and Cyworld, stealing data such as user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. South Korean police said their investigation could take several months. [Source] [Source] See also: [Toshiba cops to data breach potentially affecting 7,520 US customers] and [UK: Dozens of students accessed in York Uni data breach] and [Privacy breach at Cape Breton health authority] and [South Korean Court Orders $1M Payment for Collecting iPhone Location Data Without Consent] [Korea: Apple may face class action over tracking] and [US: Post’s jobs section hacked, exposing 1.3 million user IDs, e-mail addresses] and [Toshiba Breach Could Affect 7,520 U.S. Customers]

CA – Officials: Missing Records Show EMRs Needed

Ontario’s privacy commissioner is investigating a breach that occurred when Cancer Care Ontario mailed about 12,000 cancer screening tests. Commissioner Ann Cavoukian, echoing the sentiment of Premier Dalton McGuinty, said the loss supports the case for reliable electronic medical records systems, adding, “In this day and age, how could Cancer Care Ontario decide to send hard copies of sensitive personal data of patients through the mail? How could Canada Post have lost track of the records?” Cancer Care Ontario alerted the commissioner’s office of the missing screening tests on June 27. A search for the records turned up about 5,000 in physicians’ offices. []

US – Insurer Gets Fined for Slow Breach Notification

Indiana Attorney General Greg Zoeller announced on Tuesday that an Indiana-based insurer will pay a $100,000 fine and take other steps for waiting months to notify 32,000 customers of a data breach. Wellpoint has agreed to pay the fine; provide up to two years of credit monitoring and identity theft protection to affected customers, and reimburse up to $50,000 for breach-related losses. “This case should be a teaching moment for all companies that handle consumers’ personal data,” said Zoeller. A Wellpoint spokeswoman said the company has made security changes to prevent further breaches. [Associated Press]

AU – Commissioner: Breach Due to Human Error, Investigation Closed

Privacy Commissioner Timothy Pilgrim has closed his investigation of Telstra’s data breach, saying it “was caused by a one-off human error,” and the company “adequately dealt with the matter.” According to Pilgrim, the incident breached the Privacy Act, but it was “not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act.” A Telstra spokesman acknowledged the commissioner’s finding and assured that the company has put measures in place to prevent a similar breach in the future. [ZDNet] [Report] [Press Release]

Identity Issues

AU – Victoria, Western Australia Fight ID Theft With Document Checks

Victoria and Western Australia have signed up to use a document-verification service, which aims to nip identity theft in the bud by cross-referencing documents between government agencies. When a government agency receives a document that requires verification, it sends an encrypted request to the document-issuing agency, which will return a positive or negative response. The service, which forms part of the government’s National Identity Security Strategy (NISS), ensures that proof-of-identification documents can be verified in real time, and that the documents are authentic, accurate and up to date, while ensuring that the individual’s privacy is maintained. Now that the two states have joined the service, government agencies from participating states will be able to confirm the validity of Victorian and WA driver licences, and Victorian birth certificates. The announcement comes shortly after a recent survey, which found that one in six Australians are affected by ID theft. [Source]

WW – Controversial Phone App Offering Background Checks is Back

A mobile application that allows people to conduct background checks is back in the marketplace. The app was first launched for the iPhone in 2009, but was pulled by Apple due to privacy concerns. BeenVerified has relaunched the app–which searches online public records for information on a name entered into the system by the user–saying that it merely modernizes the information databases that already exist. But some privacy advocates and cybersecurity experts say the risk of stalking and identity theft outweigh the benefits of the service. “There are deep implications for privacy even if it’s not certain these tools violate the law,” says an Electronic Frontier Foundation spokesperson. [The Star-Ledger

UK – Photographer’s Parakeet Pics: Did They Breach Privacy?

An amateur photographer whose pictures of government officials ‘destroying’ parakeet nests sparked police action, is unlikely to have breached UK data protection rules, the privacy watchdog has told Amateur Photographer (AP). Hertfordshire Police has been forced to publicly apologise after officers warned bird enthusiast Simon Richardson that he faced being sued for breach of privacy if his pictures were published in the press. [Source] See also: [Online critics of former Aurora mayor can remain anonymous: judge] and [Google+ Identity Crisis: Google Revised Real Names Policy] and [Privacy not a guarantee for war criminals] and [US: Neighbour from hell jailed 18 years for cyber ‘campaign of terror’]

Intellectual Property 

US – ISPs Agree to Copyright Violator Penalty System

Major US ISPs have agreed to a system that could allow them to disrupt Internet service for habitual copyright violators. Among the providers participating are Comcast, Time Warner and Verizon. The ISPs will issue warnings at first, but after six violations, the plan calls on the providers to take steps such as reducing Internet speed or redirecting users to “educational” pages about copyright infringement. The plan does not directly call for cutting off access altogether, although the services may do that if they choose. The agreement has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Critics of the agreement have expressed concern that users’ Internet access could be cut off with no judicial review. [Source] [Source

US – Judge Reduces Thomas-Rasset’s File Sharing Verdict to US $54,000

Calling the original amount “appalling,” US District Court Judge Michael Davis has reduced a US $1.5 million jury verdict against Jammie Thomas-Rasset to US $54,000. This is the third trial in a case brought by the Recording Industry Association of America (RIAA) against Thomas-Rasset for sharing 24 songs over KaZaA. Thomas-Rasset is the first person the RIAA took to court over illegal filesharing. Although the RIAA maintained that judges do not have the authority to lower jury verdict cases involving the Copyright Act, Judge Davis said that his decision was made in the interest of fairness; the verdict was “so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.” [Source] [Source] See also: [Sony insurer says it’s not liable for breach-related costs]

Internet / WWW 

EU – More Online Surveillance Needed, Officials in Europe Say

Days after the bombing and shootings in Oslo, politicians and police around Europe say they want increased Internet monitoring. Officials from Finland, Estonia and Germany have all called for expanded monitoring powers as a possible preventive measure. In the aftermath of the tragedy, a Twitter message, a YouTube video, and a 1,500-page manifesto have been found online written by the Norwegian who has confessed to the crimes. However, at least some law enforcement agencies seem to be aware of the delicate nature of striking a balance between surveillance and security. “Freedom of speech always comes first,” said Mikko Paatero, Finland’s national police commissioner, in an interview with YLE. “Writings on the Internet have to have a clear criminal intent if the police are to get involved and contact those people,” he added. [Source] See also: [Let’s Stop Deluding Ourselves About Online Privacy

CA – Google Adds Pedal Power to Its Street View of Toronto

Google is poised to make the online view of Toronto more detailed by adding a trike to its Street View fleet. The trike, a pedal-powered three-wheeler carrying cameras and guided by GPS, will be used to reach places around the city that are not accessible by the Street View car. The trike is an addition to a Street View fleet that includes a car, a snowmobile, and a hand trolley used for building interiors like museums and galleries. [Source] See also: [Privacy, contact updates added to Google+ Social network is tweaked with new tools for contacts and an opt out for gender identification] and [Google dealing with privacy bugs in Google+] and [Former Google Employee Offers Insight into the company’s attitude on privacy and efforts toward creating a social network]

US – Groupon Changes Privacy Policy to Collect, Share More Information

Groupon has e-mailed its 83 million subscribers to announce changes to its privacy policy, including that it will begin collecting more information about its customers to share with its business partners. It will also begin using geolocation information for marketing purposes. The expanded categories of information Groupon will now collect include user habits and interests, which it will share with third parties. It now shares contact, relationship, transaction and mobile location information. The company has also released details on the ways it collects and uses such information. [Washington Post] [Groupon Privacy Issue: Does Groupon’s New Policy Compromise Users?]

WW – Cloud Storage Company Sued for Breach

A class-action lawsuit filed in a U.S. District Court in California claims that a cloud storage provider failed to secure data or notify users of a data breach. The suit claims breach of express and implied warranties, invasion of privacy and negligence, among other transgressions, alleging that a system glitch allowed logged-in Dropbox users to view others’ data. A company blog post said the breach affected fewer than 100 people, and the company will implement additional safeguards. The suit seeks an order requiring the company to better secure its site, as well as damages, costs, injunctive relief and attorney fees, states the report. [News and Insight]

Law Enforcement

EU – Anonymous Hacks Italy’s Cybercrime Police

Italy’s specialist police unit responsible for combating cybercrime suffered an embarrassing hack by members of the loosely knit Anonymous hacktivist galaxy. In a communique posted on Twitter, the hacker group claimed to have obtained more than 8 gigabytes of internal data from what it called the “Homeland Security Cyber Operation Unit in Europe” and said it would publish all the material it had obtained from its Italian branch. The group said it had “owned” the server of the National Center for Computer Crime and the Protection of Critical Infrastructure (CNAIPIC) of the Italian police and would be publishing the material via the LulzSec and Anonymous communities under its #AntiSec campaign. [Source] See also: [Attackers Were in German Police Computers for Months | Source #2 | Source #3

CA – Ontario Police to Seal Non-Criminal Mental Health Records

Ontario police chiefs are moving to seal off sensitive mental-health information from being disclosed when their forces provide background checks for job seekers or would-be volunteers. The change is part of new guidelines unveiled by the Ontario Association of Chiefs of Police to address the patchwork of procedures used by forces across the province. Police verifications are common for people applying to be security guards, truck drivers, warehouse employees or casino workers. Schools, nursing homes and other organizations dealing with vulnerable people also use police checks to screen job seekers or volunteers. While not binding, members of more than 50 forces, including the Ontario Provincial Police, have started training to use the new guidelines. Police forces in British Columbia and Manitoba are preparing similar initiatives but Ontario is the first to draft consistent, province-wide guidelines. [Source] See also: [Toronto police strip searches increasing] [Austrian atheist wins the right to be shown on his driving-licence photo wearing a pasta strainer as “religious headgear”]

UK – Big Brother Watch: Over 900 Police Staff Caught Misusing Databases

More than 900 police personnel were disciplined for unlawful data protection practices in the past three years, privacy campaigners have said. Figures released by 36 police forces in England and Wales under freedom of information (FOI) requests by Big Brother Watch (BBW) stated that 904 police officers and civilian employees were disciplined for offences under the Data Protection Act in the three years up to 1 June 2011. The figures also showed that 98 police officers and civilian staff left the force after management discovered their unlawful activity. One police officer accessed information about their neighbour, while a police sergeant passed information about his ex-wife to his solicitor, the statement said. In Dorset a police officer resigned and was referred to crown prosecutors after disclosing information about the supply of class A drugs to a third party, the statement said. [Source] [UK: Police officers and staff breach data protection act]

UK – Lancashire Police Authority in Data Protection Breach

The CEO of Lancashire Police Authority has signed an undertaking with the Information Commissioner’s Office after it was found in breach of the Data Protection Act. The breach occurred when the authority accidentally published details of an individual’s complaint website. According to the ICO, the details were disclosed “after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online”. The authority failed to remove the information for four days after the complainant contacted the Police Authority about the breach in January. [Source]


US – Senate Committee Told NSA Phone Location Data Tracking is “Complex Question”

The subject of the National Security Agency (NSA) tracking US citizens through mobile-device location data arose during a hearing of the Senate Select Committee on Intelligence, which was part of the process of determining whether NSA general counsel Matthew Olsen should become head of the National Counterterrorism Center. Olsen said there could be circumstances under which the NSA would have the authority to use mobile device location data to track US citizens within the US. Olsen said the powers to do so were granted under the Patriot Act. He noted that “it is a very complex question.” A memo clarifying the issue is expected to be prepared for committee members. [Source] [Source

WW – Google Street View Cars Nabbed Locations of Wi-Fi Devices

Google Street View cars are at the center of a brand new privacy scandal after it was revealed that the search giant collected the street addresses and unique identifying information for millions of laptops, media players, and other wireless devices. And until recently, the data was available to anyone who put in the right Google search. The story emerged when the French data protection authority confirmed that its investigation had turned up the Street View cars’ questionable data collection practices. Back in March, CNIL fined Google 100,000 Euros, or $143,000, but at that time it was unclear if the issue extended to client devices. Google has been collecting this data despite an earlier public statement claiming that “we collect the publicly broadcast MAC addresses of Wi-Fi access points.” There’s no opt-out method. And as noted above, the data was available through the Google search engine until late June. [Source] See also: [Microsoft Releases Wi-Fi Data-Gathering Source Code | Source #2 ] See also: [In Re Google Street View Electronic Communications Litigation - 2011 U.S. Dist. LEXIS 71572 - United States District Court for the Northern District of California (subscription required)]

US – Proposed Alternative to Gas Tax Raises Privacy Concerns

Amid the growth of fuel efficiency and alternative fuel vehicles, governments are trying to find ways to recoup some of their gas-tax dollars by taxing mileage. Nevada residents were presented with the idea of using GPS systems to track mileage, and more than 80% opposed it, most often citing privacy concerns. Another method being tested is one in which a transponder mounted to the car tells the gas pump how many miles the car has travelled and tacks on the appropriate mileage tax to the gas price. The University of Nevada at Las Vegas is conducting the test with 25 drivers and says the transponders are not capable of tracking vehicles. [Las Vegas Sun]


HK – Hong Kong Moves Closer to New Privacy Amendment

A bill that addresses transfers of personal data for direct marketing purposes has been introduced to Hong Kong’s Legislative Council for final approval. The Personal Data (Amendment) Bill 2011 addresses concerns about recent data transfers of customer information for direct marketing without users’ consent and acts on proposals from an April public discussions report. If the bill passes the Legislative Council, it would require Hong Kong companies making data transfers for direct marketing purposes to alert data subjects of the transfer’s purpose as well as the type of data to be transferred and to whom. It would also allow the privacy commissioner to assist data subjects seeking legal redress after breaches. [InsidePrivacy] [Office of the Privacy Commissioner for Personal Data, Hong Kong - Data User Return Scheme: Consultation Document | Press Release] See also: [Outsourcers look to data security transparency for competitive advantage] Privacy as A Selling Point: Forbes reports on the continued use of privacy as a competitive differentiator in the marketplace, pointing out how some companies are asserting their privacy strengths sometimes by highlighting their competitors’ privacy weaknesses. [Forbes] [ZDNet] [Source] and [Privacy by Design: A Boon to Business] [Indian Market Embracing CPOs] [Starts-Ups Considering Privacy in Business Plans]

Online Privacy

WW – Online-Privacy Tools Fail to Prevent Tracking, Study Warns

A new study by Stanford University researchers has found many online advertising companies continue to follow people’s Web activity even after users believe they have opted out of tracking. The preliminary research has sparked renewed calls from privacy groups and Congress for a do-not-track law to allow people to opt out of tracking, like the do-not-call list that limits telemarketers. “I think industry self-regulation is a joke,” shot back U.S. Rep. Jackie Speier, D-Calif, who has proposed legislation allowing the FTC to regulate online tracking. “It’s precisely why we need the FTC to regulate them. For those who say, ‘Privacy, get over it,’ I absolutely reject that.” Stanford’s research looked at 65 online advertising companies, including big companies such as Google, Yahoo, Microsoft and AOL and smaller, lesser-known companies such as x+1, eXelate and BlueKai. It found that half the companies continued tracking even after consumers opted out. In online tracking, advertisers follow a web user’s movements to glean personal details to develop profiles and deliver targeted advertising. The study has prompted a privacy group, Consumer Watchdog, to ask the FTC to investigate whether eight online advertising companies engaged in deceptive trade practices by saying they would delete “tracking cookies” but actually left them in place. Since the study’s release, several online advertising companies have abruptly revised their privacy policies to acknowledge that they may continue to collect data even after consumers opt out at an advertising industry website, or enable “Do Not Track” features in the newest versions of Mozilla’s Firefox browser or Microsoft’s Internet Explorer 9. A group representing online advertisers, the Network Advertising Initiative, said its opt-out site is intended to allow consumers to opt out of advertising, not the data-collection it says is needed. At the site, consumers can check an opt-out box, which produces a message that says: “You have opted out of this network.” For customers who opt out, NAI and companies like Yahoo and Microsoft say these cookies are only collecting data to make sure advertising on websites works properly – not to target ads. “Online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud,” Chuck Curran, executive director of NAI, wrote in a blog post last week. [Source] See also: [US: Under threat of regulation, tech industry takes on challenge of Internet privacy] and [US – Study Finds 12.5% of Companies Violating Own Do-Not-Track Policies] and also: [US: The special relationship between Facebook and law enforcement] and [US: Harvard Researchers Accused of Breaching Students’ Privacy] and [UK: Online advertising comes under MPs’ scrutiny over privacy concerns] and [FTC - Prepared Statement on Internet Privacy: The Views of the FTC, FCC and NTIA, before the House Subcommittee on Commerce, Manufacturing and Trade | Statement of Commissioner J. Thomas Rosch, Dissenting in Part]

WW – Yahoo Condemned Over Plans to Snoop on Emails on Behalf of Advertisers

Internet giant Yahoo has been condemned over plans to snoop on emails in a ‘blatant intrusion of privacy’. The US company provides an email service for thousands of Britons, including children, who will assume that the system is completely private. However, it has emerged that Yahoo has changed its small print terms and conditions to get permission to view and scan emails. At the same time, the firm will also be able to spy on incoming emails from individuals and businesses without permission or warning. Yahoo is pressing ahead with the change on the basis it will allow the company to identify which celebrities, subjects, sports, hobbies and products a particularly customer is interested in. In future, it would use the information to target the customer with website advertising and product information that is relevant to these areas. The Yahoo customer visiting a range of websites would then see pop-up advertisements that are relevant to keywords in outgoing and incoming emails. Yahoo said customers will receive a pop-up asking them to agree to the new terms and conditions. It said: ‘Users who choose to accept the new terms will allow Yahoo’s computer systems to identify words, links, people and subjects from their email, so that we can deliver exciting new product features. ‘In time, we will also serve relevant ads.’ The company said customers can opt out of internet-based ads by going to [Source

US – Company to Certify Ad Network Clients

Evidon, a company behind Digital Advertising Alliance (DAA) you-are-being-tracked icons, is rolling out a new program to certify some of its clients. The program, dubbed GreenLight, aims to demonstrate which networks comply with self-regulatory principles and to act as “an additional level of best practices beyond simple compliance with the DAA program.” Thus far, 10 of the more than 40 ad networks that work with Evidon are participating in GreenLight, which requires them to use Evidon exclusively or as a default and provides additional training about the privacy program. [MediaPost News] See also: [EU EASA Best Practice Recommendation on Online Behavioural Advertising

WW – Facebook Glitch Reveals Private Videos

A Facebook spokesman said a problem which allowed videos uploaded to Facebook to be viewed by anyone on their friends’ list, regardless of whether they have been given access to the clip, has been fixed after being live for one week. Videos can be more sensitive than photos, so it is important that Facebook’s privacy controls, which allow members to restrict who has access to the videos, work as promised. The glitch over the past week allowed any “Friend” to view a listing of their friends’ Facebook videos, including a name, thumbnail, description, and anyone tagged in the picture. [Source] See also: [Nordic countries grill Facebook on privacy]

WW – Zynga Makes Privacy a Game with PrivacyVille

Zynga is ditching the usual fine print of a privacy policy for, what else, a game. That game, called PrivacyVille, is launching today. And it’s not really a game as much as a tutorial on the social gaming company’s privacy policies. The reward is that players who follow along and learn about the company’s practices for protecting users’ personal information get redeemable points. Zynga cautions that the PrivacyVille game is supposed to be educational, and is “not a substitute” for the company’s official privacy policy or Privacy Center, which details how Zynga deals with your personal information. Last week, Zynga announced its plans to go public. The company is expected to raise about $1 billion through its IPO. [Source] [Source]

WW – Fitness Site Exposes Calorie Burning Activities

An online fitness tracking company, which encourages users to share calorie-burning activities through the company’s website, has reset its new-user defaults to “private” after unknowingly exposing some users’ intimate activities. Fitbit has historically made user profiles public to promote competition, but a spokesperson said the company did not intend for “the sharing of intimate information.” About 200 users’ activities were searchable online. The company has contacted search engines to remove the data, hidden all activity records on its site and removed identifiable information from user profiles. “Out of a desire to have a successful ‘social strategy,’ too many companies are choosing to publicize their users’ information as much as possible,”the report states. [Forbes]

Other Jurisdictions

RU – Russia Amends Federal Data Protection Law

In early July the upper house of Russia’s federal legislature approved amendments to the country’s federal data protection law which were subsequently approved by President Medvedev on July 26. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute’s data subject consent provisions. The amendments, to be followed by interpretive regulations, will come into force when they are published in the official newsletter. Russia’s underlying federal data protection law finally came into effect on July 1, after five years of delays. The new rules allow personal data to be transferred outside of Russia to EU member states or to nations that are approved by a Russian federal agency authorized to designate countries that can guarantee adequate protection for personal data. In addition, personal data may be transferred with the prior written consent of data subjects, or if required by Russian federal legislation or international treaties. [Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise]

US – Privacy Law Reform Revived in Australia

According to Malcolm Crompton, former Federal Privacy Commissioner, the process of reviewing and reforming the Privacy Act 1988, the main law protecting privacy in Australia, was all but stalled in recent years but now has been revived by the Minister for Privacy, Brendan O’Connor. His July 21 call for a consultation on whether to introduce a statutory cause of action for serious invasions of privacy rapidly led a renewal of interest in reforming other portions of the Act. The revival was also spurred by the late June release of a 292-page report on the exposure draft of the Australian Privacy Principles and privacy legislation by the Senate Finance and Public Administration Committee. [Senate Finance and Public Administration Legislation Committee - Exposure Drafts of Australian Privacy Amendment Legislation - Part 1: Australian Privacy Principles ]

AU – Australia Pressured on Data Breach Laws

Data breach notifications have been flagged as one of the pressing issues to be tackled under a multinational joint action plan outlined by the attorneys general of the US, UK, Canada, New Zealand and Australia last week. Australia is falling far behind with its progress on holding organizations accountable for breaches, with every other country either having implemented or close to implementing mandatory notifications. Australia currently doesn’t have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission’s report on privacy, released in 2008. The attorneys general also said that they would look to have internet service providers develop codes of practice to stem malware similar to Australia’s iCode, which has already attracted US interest. [Source] See also: [Government to Consider Privacy Statute] [Source] [Source] [Source] [Cybercrime Legislation Amendment Bill 2011 - Parliament of the Commonwealth of Australia | Source #2 ]

MX – Privacy Regulations Issued for Public Comment

Mexico’s secretary of economy and the Federal Institute for Access to Information and Data Protection have released privacy regulations for public comment. The rules and guidelines established by the proposed regulations are for the implementation of the country’s Federal Law on the Protection of Personal Data in the Possession of Private Parties. According to the report, the regulations cover jurisdictional issues; notice and consent details; data controller and processor relationships; data transfers and security; self regulation; data subjects’ rights; automated processing, and enforcement. [Hunton & Williams’ Privacy and Information Security Law Blog] See also: [Law on the Protection of Personal Data - Peru

AU – AGs to Discuss Parental Access, Suppression Orders

Australia’s attorneys general are looking into whether laws should be created to give parents access to their children’s social networking accounts. In spite of privacy concerns, “We need to look at the policing that occurs, who can and should do it and how do you do it,” said South Australian Attorney General John Rau. But one privacy advocate says a knee-jerk reaction could “undermine an existing law and relationships between children and parents.” Meanwhile, a study in the U.S. indicates that 55% of parents there use social media to keep an eye on their children. [The Australian] [High-Wire Act: Cyber Safety and the Young - Parliament of the Commonwealth of Australia: Full Report ]

Privacy (US)

US – New Privacy Guidelines Would Give FBI Leeway to Abuse Privacy

25 years ago, Congress passed the Federal Privacy Act. In an effort to end the abuses committed by the FBI against anti-war and civil rights activists that director J. Edgar Hoover disliked, Section (e)(7) of that Act prohibited any agency of the federal government from “maintaining records describing how any individual exercises rights guaranteed by the First Amendment… unless pursuant to and within the scope of an authorized law enforcement activity.” The FBI and the federal courts have spent the last 25 years honoring that statute in the breach; and Congress seems perfectly satisfied to let them do so. And as reported in the New York Times on June 13, the FBI is again about to amend its Domestic Investigations and Operations Guide to further thumb its nose at the privacy act. The new guidelines, according to the Times, will allow some 14,000 FBI agents more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. [Source]

US – Netflix Video Provider to Halt Social Network Launch

Video rental provider Netflix announced this week that it will delay the launch of its Facebook integration in the U.S. due to legal issues. The Facebook feature would allow Netflix subscribers to share movie-viewing information with friends online, but the Video Privacy Protection Act (VPPA) is ambigious as to “when and how a user can give permission for his or her video viewing data to be shared,” Netflix wrote in a letter to its shareholders. A proposed amendment to the VPPA intends to clarify consent requirements for sharing. Netflix faces several lawsuits for past alleged VPPA violations. [Hunton & Williams Privacy and Information Security Law Blog]

US – New Theory of Harm in Data Breach Cases

Plaintiffs in data breach claims have been unsuccessful in convincing courts that they have suffered harms as a result of a breach, but “a new theory that claims a property right in personal information has recently been tried,” writes Andrew Clearwater, CIPP, in an article for the current edition of the IAPP’s Privacy Advisor newsletter. Clearwater says that, under this theory, a data breach causes a loss of personal information property and, therefore, a concrete or particularized harm has been realized.” The approach is being tested in a case against RockYou Inc. [Source]

US – Third Suit Filed After PIN Pad Breach

A class-action lawsuit claims that Michaels Stores took almost three months to warn customers that their debit cards’ PIN numbers may have been stolen in a breach spanning 20 states. The class action, filed in New Jersey’s Passaic County Court, claims that the company “failed to take any commercially reasonable steps to safeguard its customers’ nonpublic, sensitive, personal and financial account information…making its consumers an easy target for third-party skimmers,” and that customers were harmed because of the delay in notice they received following the breach. The suit is the third class-action filed since news of the breach broke. [Courthouse News Service]

US – Obama Nominates Ohlhausen to FTC

President Barack Obama has said he plans to nominate Internet policy expert Maureen Ohlhausen to replace Commissioner William Kovacic at the FTC. Ohlhausen is currently a partner in law firm Wilkinson Barker Knauer’s privacy, data protection and cybersecurity practice. From 2004 to 2008, she served as a director in the FTC’s Office of Policy Planning. Ohlhausen worked on an Internet task force during that time, exploring issues surrounding e-commerce and marketing. [The Washington Post]

Privacy Enhancing Technologies (PETs)

US – NIST Issues Privacy Controls for Federal Information Systems

The National Institute of Standards and Technology proposed adding privacy controls to its catalog of security controls for federal information systems, by releasing a draft 34-page Privacy Appendix for public comment through September 2, 2011. The 23 controls specified in the draft provide a structured way of assessing and ensuring that privacy requirements, deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance, as well as from international standards and best practices, are satisfied in federal information systems. Examples of the controls include transparency, data minimization, use limitation, data quality, and individual access and redress. The privacy additions to the guidance would:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements.
  • Establish a linkage and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in concept and in implementation.
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls.
  • Promote closer cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements.

Though the recommendations are aimed at federal agencies, NIST understands and encourages other organizations to adopt its privacy and security guidance. NIST is accepting public comment on the privacy addendum, known as SP 800-53 Appendix J, at through Sept. 2. [Source

US – Online Privacy Company Receives $5.2M for Growth

Two venture capitalist companies have invested $5.2 million in a Cambridge, MA, company that provides online privacy services to Internet users. “Privacy is the next consumer Internet frontier,” said one investor, while another touted the company, Abine, for creating a “one-stop shop for consumer online privacy.” Abine’s president, Bill Kerrigan, said, “Controlling our online privacy has become a universal issue: consumers want basic choice and control over how their personal information is tracked, collected and used.” [The Boston Globe

US – Appeals Court: TSA Can Keep, But Must Rethink Airport Body Scans

The TSA violated federal law when installing controversial full-body scanners in U.S. airports without following proper procedures, a federal appeals court ruled. The D.C. Circuit Court of Appeals in Washington, D.C., rejected arguments from the Obama administration that the TSA was exempt from laws requiring federal agencies to first notify the public and seek comments. “It is clear that by producing an image of the unclothed passenger, (a full-body) scanner intrudes upon his or her personal privacy in a way a magnetometer does not,” wrote Judge Douglas Ginsburg for the three-judge panel. Ginsburg said he would not order TSA to immediately halt the full-body screening—which resulted in a near-revolt by air travelers last fall—but instead instructed “the agency promptly to proceed in a manner consistent with this opinion.” [Source] [Source] and also: [SourceF]

US – TSA Announces Privacy-Boosting Software for Full-Body Scanners at Airports

Air travelers at Raleigh-Durham International Airport will soon be able to board their planes without images of their unclothed bodies being viewed by security personnel. The federal Transportation Security Administration said Wednesday it will upgrade its full-body scanners with new software designed to protect travelers’ privacy. The so-called Automated Target Recognition software eliminates the image of an actual passenger on the screen, replacing it with a generic outline. Passengers will be able to see the same image viewed by security officers. The software is designed to recognize items in the image that could pose a security threat. A TSA spokeswoman said it will be several months before the new software is installed in the 40 airports that have the machines.. [Source]

WW – New Strategy: Privacy by Redesign

Building privacy into an organization’s system from the start is a smart, effective solution that can yield strong results. But what about systems that already exist without privacy? A new concept called Privacy by Redesign, by Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, looks to bring privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, and create a consent management system. [Source]

WW – Cisco Issues Product Development Guidelines for Engineers & Product Managers

Summary: Application developers should use Privacy by Design as a means to ensure that privacy features and functions are essential components of any new software development (and not bolted on as an add-on); consideration should be given to reducing the amount of data collected (avoid collecting sensitive data and only collect information that is absolutely necessary for the purpose), reduce the retention period (for no longer than the time necessary to accomplish the intended business purpose or required by law), and reduce the sensitivity of the data (reduce the precision e.g. if a customer phone number is to be used for statistical analysis, retain only a subset of the digits such as the area code, and convert the form of the data, e.g. when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town). When installing software on a customer’s system, provide the customer with notice (get explicit consent prior to installation of any software on a customer’s system, including automatic updates), digitally sign software with a certificate from a well-known, trusted certification authority; provide customers with a mechanism to track automatic updates that have been installed and a means to stop subsequent updates. When deploying servers, application developers must get explicit opt-in consent from an Application or System Administrator prior to transfer of data from the server over the Internet (disclose any known privacy implications for server features); provide or identify a mechanism to help an Instance Administrator prevent disclosure of user data and that allows an Application or System Administrator to manage distribution of data outside of the organization or firewall (such as a group policy) – provide the System Administrator with the ability to override decisions made by Application Administrators. [Source]


CA – ePassports Won’t Come With Anti-Skimming Sleeves

Passport Canada says it won’t be issuing protective sleeves for its new electronic passports because the high-tech made-in-Canada booklets are safe from the so-called skimming problems seen in the U.S. Ottawa-based Canadian Bank Note Company said it was awarded the contract to design and manufacture ePassports, which will be issued to Canadians sometime in 2012. A radio-frequency identification (RFID) chip will store the name, gender, date of birth, passport number and digital photo of the traveller. [Source]


WW – Is IT Remote Access Support Compromising Data?

Data breaches are more prevalent and more costly than ever. Smarter technologies seem to breed smarter hackers, making it difficult for IT to keep up. But sometimes IT unwittingly helps the bad guys by improperly using core tools, such as remote support mechanisms. According to a Verizon report which examined more than 700 data breaches from 2010, a whopping 71% of all attacks were conducted through remote access and desktop services pathways. [Source] See also: [Apple MacBook batteries found vulnerable to malware] SEE ALSO: [What the #!%*!?: The definitive guide to phone-hacking]

WW – Insiders: Primary Points of Compromise

Last week’s arrest of Gary Foster, the former Citi exec who’s been accused of embezzling more than $19 million through wire transfers, has left the industry a little dumbfounded. How could a mid-level executive in the bank’s treasury department manage to fraudulently push that much money through legitimate transfers? It all happened right under the bank’s nose, and it took almost a year to detect. “It’s such a classic case of insider fraud, how did he go so long without being caught?” When it comes to internal fraud and the damage it causes, banks and credit unions often fail in three critical areas:

  • Internal fraud is misclassified;
  • Institutions underestimate how reports of internal fraud breed mistrust among consumers; and
  • Not catching and stopping internal schemes quickly adversely affects consumers,
    who often fall victim to identity theft.

Banks and credit unions can address internal fraud by using more transaction and behavioral monitoring. But most financial institutions aren’t willing to make the investment. [Source] See also: [‘Low-risk’ border crossers in Nexus program caught smuggling goods into Canada ]

US – ‘Military Meltdown Monday’ — 90K Military Usernames, Hashes Released

Anonymous hackers have broken into a server belonging to consultancy firm Booz Allen Hamilton and published a database containing some 90,000 military e-mail addresses and hashed passwords in what they named Military Meltdown Monday. Unlike the passwords taken from government contractor IRC Federal, the passwords from the Booz Allen system have been hashed using SHA-1. This will make breaking into further systems using the released account information harder—but it’s likely that at least some of the passwords will be crackable, and so further damage could follow. Booz Allen has tweeted that it doesn’t comment on security issues. [Source]

US – Government Agency Breached, 24K Files Accessed

Deputy Defense Secretary William Lynn has announced that a foreign intelligence service accessed 24,000 Pentagon files by hacking into an unnamed government contractor in March. The disclosure came during the release of the Pentagon’s new strategy for military operations in cyberspace, which outlined a more proactive approach to cybersecurity. “Current countermeasures have not stopped this outflow of sensitive information,” Lynn said during a speech at the National Defense University. “We need to do more to guard our digital storehouses of design innovation.” [The New York Times] See also: [US – Report Details CPO, CISO Roles

WW – Carefully Thought-Out Patching Strategy Pays Off

A recently issued report underscores problems inherent in the way most organizations handle security patches. According to “The Secunia Half Year Report 2011,” organizations that implement a well-thought out patching strategy lower their vulnerability risks by as much as 80%. The number of plug-ins and other programs on endpoints makes the problem even more intractable. A company that patches all of the Windows flaws will still have more than three-quarters of their flaws unpatched. Secunia found that patching the most popular programs reduced risk by 31%, but patching the most critical programs reduced risk by 71%. “The analysis reveals that timely patching of the software portfolio of any organization is like chasing a continually moving target.” [Source] [Source] [Free online patching tool]


WW – The Biggest Privacy Risk? Your Spouse

A new Retrevo Gadgetology study shows that the level of spying among spouses and dating partners has reached new high levels. According to the study, 30% of men and 35% of women admit to having checked the email or call history of someone they’re dating without them knowing. And 32% of men and 41% of women admit to doing the same with their spouses. 17% discovered their spouse was cheating. [Source] [US: Judge rules use of GPS to track a cheating spouse is not an invasion of privacy]

Telecom / TV

UK – Britain’s Phone Hacking Inquiry Opened

An inquiry into Britain’s phone hacking scandal (a.k.a. “Voice Mail Bad Password Scandal”) has officially begun; Lord Justice Brian Leveson said that public hearings will commence in September. The inquiry was ordered by Prime Minister David Cameron. The inquiry will examine ethics and regulation not only of the British press, but of the BBC and social media as well. The breadth and depth required of such an inquiry lead some to doubt that a report will be ready in a year’s time. [Source] [Source] [Source] See also: [OIPC SK - Best Practices: Mobile Device Security]

US – Judge Grants Wiretapping Appeal

A federal judge has announced that Google has the right to appeal last month’s ruling, which stated that the company’s Street View information-gathering practices constituted illegal wiretapping. With more than a dozen combined lawsuits seeking damages from the company, U.S. District Judge James Ware said that his ruling is the first of its kind, according to the report, and that an appellate court is better equipped to decide the case. Ware said, “Thus, in light of the novelty of the issues presented, the court finds that its June 29 order involves a controlling question of law as to which there is a credible basis for a difference of opinion and also finds that certification of the June 29 order for appeal would materially advance the litigation.” [Wired] See also: [Garante Per La Protezione dei Dati Personali - Smartphones and Tables: Current Scenarios and Operational Perspectives]

US Government Programs

US – Intelligence Agency Wrestles With Phone Location Data Tracking

The National Security Agency (NSA) is considering surveilling U.S. citizens by intercepting mobile device location data. The agency is now determining whether it has the legal right to do so, according to NSA general counsel Matthew Olsen. U.S. law prevents intelligence agencies from spying on U.S. citizens within U.S. borders. But at a Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law hearing this week, Olsen said he believes there are “certain circumstances where that authority may exist.” [InformationWeek Government]

US – Government Scolded for Data Breach Notification Delays

The Treasury Inspector General for Tax Administration has criticized the IRS for not notifying taxpayers quickly enough when their personal information had been compromised. Draft cybersecurity legislation introduced by the Obama Administration would require companies to notify consumers affected by data breaches within 60 days. But in a sample of 100 incidents between July 2010 and February 2011, breach notification letters were sent out to victims 86 days after the fact in 20 percent of the cases. In five percent of the cases, victims weren’t alerted because IRS employees failed to document those affected, and 21 percent weren’t alerted because the agency didn’t believe a threat existed. [nextgov]

US – GAO Audits Gov’t Agencies’ Social Media Policies

The Government Accountability Office (GAO) has audited the social media policies and procedures of 23 government agencies and issued a 90-page report disclosing the results. The GAO’s information security director writes, “Without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information and secure federal systems and information against threats.” The audit found that 12 of the 23 agencies have social media policies and procedures in place; 12 have updated privacy policies, and seven have identified security risks [GovInfoSecurity] See also: [Vladeck Talks Social Networks, Do Not Track]

US – GAO Report: DOD Faces Challenges In Its Cyber Activities

Although the Department of Defense (DOD) may cultivate a reputation of being the best equipped of the government agencies to defend against cyber security threats, a report from the US Government Accountability Office (GAO) notes that “keeping pace with the magnitude of cyber security threats DOD faces currently and will face in the future is a daunting prospect. While the US may dominate in land, sea and air presence, the costs and technology required for adversaries to enter cyber space are far lower. The report applauds the DOD’s creation of the US Cyber Command, but says that “it is too early to tell whether this will provide the necessary leadership and guidance DOD requires to address cyber security threats.” The GAO report pointed out areas in which the DOD needs to improve coordination, illustrating the problem with a 2008 cyber infection that prompted directives from a variety of military and civilian organizations, none of which were coordinated with any of the others. [Source] [Source] [Report] [Source

US – Commission Issues Smart Grid Resolution

California’s state utility regulators have adopted a new resolution on smart grid principles. When considering implementing the smart grid, state commissions should consider privacy. That’s according to The National Association of Regulatory Utility Commissioners (NARUC) which adopted a new resolution on smart grid principles. The resolution indicated support for implementation of smart grid technology but notes the importance of consumer education and engagement. NARUC will release a best practice guide on consumer privacy, which it says is essential. State commissions should “review existing privacy policies and, if necessary, adopt or update their policies to ensure that they properly address the privacy concerns created by smart meter data collection,” the commission said, adding that third parties should also be required to comply. [Smart Meter News]

US Legislation

US – House Judiciary Committee Passes Bill with ISP Data-Retention Mandates

The House Judiciary Committee has passed HR 1981 after defeating an amendment that would have placed limits on ISPs’ requirement in the proposed law to retain IP addresses for one year and make them available to law enforcement by an administrative subpoena. If approved, the Protecting Children from Internet Pornographers Act would eliminate law enforcement’s need for court orders to access such information, prompting arguments from some that the bill grants too much power to the Justice Department and would create a robust database for hackers to potentially access. The committee has adopted amendments requiring ISP compliance with the bill’s privacy standards and encouraging breach notifications [Broadcasting & Cable] [US: Lawmakers push for children’s online privacy law] and: [Resistance to ISP Data Retention Proposal] and [OECD - The Protection of Children Online: Risks Faced by Children Online and Policies to Protect - OECD Digital Economy Papers, No. 179]

US – Two Cybersecurity Bills Introduced in Senate

Two bills focusing on data breach response have been introduced into the U.S. Senate. One bill, introduced by Sens. Thomas Carper (D-DE) and Roy Blunt (R-MO), would require financial institutions, retailers and federal agencies to protect personal information, investigate breaches and notify customers of a breach. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country,” said Carper. Meanwhile, Sen. Diane Feinstein (D-CA) has introduced the Data Breach Notification Act of 2011, which would require organizations to notify customers when their personal information is breached. “It is past time,” Feinstein said, “for congress to pass a national breach notification standard.” [TechJournal South] See also: [Don’t Foist Euro-Style Online Privacy On The U.S]

US – The SAFE Data Act: An Admirable Attempt That Needs Expansion

Some of the controversy over The SAFE Data Act, introduced by Rep. Mary Bono Mack, concerns the limited definition of “personal information” in terms of what would trigger a breach disclosure and notification. The term ‘‘personal information’’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: -Social Security number -Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity -Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account. This bill, if enacted into law, would pre-empt state laws. Consider many of the recent hacks where databases containing userIDs or usernames plus passwords were acquired and posted on the Internet. Usernames + passwords do not meet the criteria for “personal information” in the SAFE Data Act, even though such information could easily be used for unlawful conduct such as hacking email accounts or online banking accounts where the user may have reused that login information. The bill now goes to full committee. [Source]

Workplace Privacy

US – No Summer Holiday for HR Data Breaches

Nine breaches of HR data were reported in July: Washington Post (user IDs and e-mail addresses of 1.3 million users of the newspaper’s online job section compromised by hacking); Nyack Hospital (NY) (1,400 current and former employees exposed to ID theft by the theft of a computer); Estée Lauder (an undisclosed number of employees and contractors impacted by the theft of a laptop); Swedish Medical Center (WA) (personal information, including SSNs, of 20,000 current and former employees made accessible on the Internet unintentionally); TSA (dozens of TSA employees at Sky Harbor International Airport suffering loss of banking information and deposits possibly via credit card skimming); Meridian Health System (an undisclosed number of employees jeopardized by the overnight theft of computer equipment from the home of an employee in Asbury, NJ); Lumberton Independent School District (TX) (theft of a laptop from a car impacting an undisclosed number of employees); JetBlue (an undisclosed number of employees impacted by the placement of malware on a corporate system); and Pfizer (a laptop stolen from an employee’s car potentially revealing personal information of an undisclosed number of employees). SEE ALSO: [US phisher who hit 38,500 gets long prison sentence] AND ALSO: [Nothing replaces face-to-face meetings, but Rypple’s use of social media can ease evaluations for both employee and manager] and [NYT: Social Media History Becomes a New Job Hurdle] and [Could you pass a Facebook Background Check?] and, finally, [Datainspektionen, Sweden - Checklist for Employers on CCTV in the Workplace]


01-31 June 2011


CA – B.C. Insurer’s Use of Driver’s Licences to Catch Rioters Alarms Privacy Experts

Critics are asking pointed questions about a proposal by B.C.’s public insurer to use driver’s licence photos and face-recognition software to identify culprits in Vancouver’s infamous hockey riot. The Crown-owned Insurance Corporation of British Columbia is offering to take photos from Vancouver police that are the subject of active investigations and run them against its licence database. ICBC spokesman Adam Grossman said that if there is a confirmed match, ICBC will let the police know — but it will only turn over personal data if the police get a court order requiring it. It is the most high-profile example to date in this country of what Simon Fraser University communication professor Peter Chow-White calls “function creep” — using a technology or process designed for a specific purpose for other purposes. Thanks to face-recognition technology, data collected for drivers’ licences could be used for everything from naming rioters to providing police with personal data on people caught committing crimes. “The function of the ICBC database is not for law enforcement as far as I know,” said Chow-White. “They don’t tell me when I get my picture taken this could be used in a police investigation.” [Source] [Privacy commissioner to audit ICBC court proceedings into riot] [Canadian privacy lawyer questions police access to ICBC’s facial recognition technology to help identify rioters] See also: [Russian Bank Puts Lie Detector in ATM Machine] and [RU: Oh, Crap! Moscow Mulls Terrorist-Proof Toilets]

IS – Government to Establish Biometric Database

Despite concerns from privacy groups, the Knesset Science and Technology Committee has approved the ordinances necessary to establish a biometric identification database. The Knesset passed a law allowing for the database in 2009, and the Interior Ministry will begin a two-year pilot of the database in November, the report states. The project allows citizens to voluntarily choose biometric identification cards and passports that include a computer chip containing such information as photos, dates of birth and fingerprints. The Association for Civil Rights in Israel is among the groups opposing the policy due to privacy concerns. [Jerusalem Post]

US – Privacy Groups Push for U.S. Facebook Probe

Several privacy groups are asking U.S. regulators to force Facebook to halt plans for its facial recognition service. The Electronic Privacy Information Center and three other advocacy groups today filed a complaint asking the U.S. Federal Trade Commission to force Facebook to end plans for a new facial recognition service. U.S. Rep. Ed Markey (D-Mass.) quickly threw his weight behind the initiative and called for the FTC to investigate the Facebook service. “When it comes to users’ privacy, Facebook’s policy should be: ‘Ask for permission, don’t assume it,’” said Markey, co-chairman of the bi-partisan Congressional Privacy Caucus, in a statement today. “Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue.” [Source] [Facebook Turns On Facial Recognition, Prompting Concern] [Facebook facial recognition under fire]


CA – Alberta Privacy Commissioner Seeks Leave to Appeal to the Supreme Court

Alberta’s Information and Privacy Commissioner has applied for leave to appeal to the Supreme Court of Canada from the Alberta Court of Appeal’s decision in Leon’s Furniture v. The Information and Privacy Commissioner of Alberta. In the case, a majority of the Court of Appeal held that an organization’s methods of collecting personal information must only be reasonable and need not be the least intrusive method. The case arose due to Leon’s policy of collecting driver’s license and license plate information from customers who accept delivery of merchandise after they pay for it. The Privacy Commissioner held that the policy was unlawful under Alberta’s Personal Information Protection Act (PIPA) since organizations must implement the least intrusive policies possible. The Court of Appeal found the Commissioner’s interpretation of the PIPA incorrect, holding that as long as the business is being conducted reasonably, it does not matter that there might also be other less intrusive ways of conducting the business. It further stated that the “reasonableness” standard imposed under Section 11 of the PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change “reasonableness” to either “necessity”, “minimal intrusion”, or “best practices”. These are not interpretations that are available given the plain wording of the statue.” The Privacy Commissioner argues that the Court of Appeal’s decision allows businesses to circumvent the PIPA. In addition, he argues that the decision is inconsistent with the laws of British Columbia and Canada, and makes Albertans a target for fraud. [Source] [Alberta’s privacy watchdog wants top court to overturn decision involving retail giant]

CA – Google May Face Third Party Audit

The office of Canada’s Privacy Commissioner, Jennifer Stoddart, is recommending Google bring in an outsider to assess internal privacy policies. The recommendation comes in the wake of an investigation which revealed the Mountain View, California company inadvertently collected unsecured personal data while creating its Street View service. Despite the fact that Google has agreed to implement several measures that will reduce the risk of future privacy violations, the Commissioner has requested an independent audit of Google’s privacy programs, to be concluded within the next year, with the findings reported back to the Commissioner’s office. It is the first time Canada’s Privacy Commissioner has made such a request, and, though Google has not officially responded, it is difficult to conceive of the tech giant complying, given that it might result in unprecedented third party access to Google’s business practices. That said, Google did announce a new initiative that will see independent auditors examine the company’s privacy policies, issuing a report card every other year on the company’s ability to safeguard user data. [Source] [Commissioner satisfied with Google’s privacy fixes] See also: [Canadian privacy commissioner Jennifer Stoddart recognized for impact] and [Commissioner Cavoukian receives International Privacy Award]

CA – Jailed Killer Wins $6K Settlement

A high-profile convict has won a $6,000 out-of-court settlement from Correctional Services of Canada after guards distributed a newspaper article about him to other prisoners. Inmate Gregory McMaster said the guards violated the prison system’s own rules and put him at risk by posting a Toronto Sun news article. [Source] See also [Careful what you say, we’re listening: Saskatchewan prisons tell inmates]

CA – Annual Report Issued: Company’s Improvements Insufficient

An audit by the privacy commissioner of canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart’s audit found that the office supply store “did improve procedures and control mechanisms after our investigations,” but they were “not consistently applied nor were they always effective, leaving customers’ personal information at serious risk.” The company had said it would take corrective action following two complaints to the commissioner. The audit found that of 149 data storage devices, one-third still contained customer data. [Source]


WW – United Nations Report: Is Internet Connectivity a Human Right?

A new report for the United Nations Human Rights Council takes Internet access a step further, however, characterizing it as a human right. The report, written by Frank La Rue, the U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, took the political world by storm when it was released several weeks ago. (La Rue is also an internationally regarded human rights expert who was once nominated for the Nobel Peace Prize.) The report explored the need to ensure that citizens have Internet connectivity, and also the rules associated with that access. As a result, it was highly critical of policies that block access to content, threaten to cut off Internet access due to allegations of copyright infringement, and fail to safeguard online privacy. It notes “any restriction to the right to freedom of expression must meet the strict criteria under international human rights law. A restriction on the right of individuals to express themselves through the Internet can take various forms, from technical measures to prevent access to certain content, such as blocking and filtering, to inadequate guarantees of the right to privacy and protection of personal data, which inhibit the dissemination of opinions and information.” [Source] See also: [Wanted: Privacy Policies Written for Human Beings]

NZ – NZ Post Defends Selling Information

New Zealand Post says it was doing nothing improper in selling information garnered in a wide-ranging public survey of personal data. Privacy Commissioner Marie Shroff has criticised the state-owned enterprise for breaching the privacy of thousands of people by selling the information to marketing companies. The 2009 survey, sent to 800,000 letterboxes and via email, asked a series of questions covering areas including income. Ms Shroff commissioned two reports from privacy law and marketing experts and has concluded the survey was a systematic and large-scale breach of privacy principles. She was concerned that people were unaware that their private information was being sold. [Source]

WW – Report: Breach Victims More Susceptible to Fraud: Study

Victims of a data breach are more than four times as likely to become victims of fraud than other consumers. That’s according to the Javelin Strategy and Research annual report, which says credit card companies should be doing more to alert customers to potential dangers, such as notifications when issuing new cards or changing billing addresses. The report also notes that hackers have become more sophisticated, threatening “the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud,” said Javelin’s Philip Blank. [Reuters]

US – Taxpayer Identity Theft Is on the Rise

A new Government Accountability Office (GAO) report indicates that taxpayer identity theft is increasing in spite of Internal Revenue Service (IRS) attempts to prevent it. The number of reported IRS identity thefts rose from 51,702 in 2008 to almost 250,000 in 2010. The report noted that employment fraud is also difficult to spot. “By the time both the victim and the IRS determine that an identity theft incident occurred,” the report states, “well over a year may have passed since the employment fraud.” The GAO said the IRS is taking additional steps to address the issue. [Source]


UK – Government to Create Market for Personal Identity Data

The government is preparing to create a marketplace for citizens’ personal data to be used for accessing online public services, according to documents that were issued to industry in preparation for the coalition’s next-generation identity scheme. The plan may prove highly controversial, as it offers only limited assurances over how much control people would have over how their data is used. The coalition intends to “create the commercial, legislative and regulatory environment” in which a private sector ID industry may thrive, it said in briefing papers sent to industry in April. The proposals would create a personal data marketplace populated by banks, phone companies, the Post Office and others that may involve government departments selling access to their own citizen databases. The government has proposed that it may join the market by selling data services to private ID companies and data agents. [Source]

AU – Taxpayer Data Being Sold Without Notice

Taxpayer assessment records—including the name, address and property value of individuals—can be purchased from town councils by businesses and other entities without individuals’ consent. Several real estate companies are using the purchased information to create databases in order to personalize marketing campaigns, the report states. Currently, there are not existing laws to prevent the sale of such information for profit. An investigation by the paper revealed that taxpayer data can be accessed through council computers without charge or registration and, though individuals can opt out, most are not aware of the process. [Adelaide Now]

UK – Privacy Group Hits Out at HMRC Spying Robot

The HM Revenue and Customs (HMRC), has decided to employ “web robot” software to help it spy on people it believes are guilty of dodging their tax duty. The government department hopes that by putting this in place it will be able to find out information about certain people and companies silently trading and evading their taxes. The moves have however been described by privacy groups as “outrageous” while security experts have said there could be a possibility of “false alarms.” The HMRC’s spies are basically pieces of code, which can be unleashed to run searches over the internet. Through this they then analyse and file information from web servers. This information is then crossed referenced with the department’s Connect computer system to find people who are trading without telling it by looking at previous tax dodgers and looking to see if there were any missing links between interest, property income and lifestyle. [Source]

US – City Database Sparks Concern

A database created to enable information sharing across city agencies has provoked privacy concerns. It contains information on four million residents, linking together “vast amounts of information gathered by city agencies that previously maintained their files separately,” the report states. Some are expressing concern about the number of city workers who will have access to it and the potential for misuse. But Deputy Mayor for Health and Human Services Linda Gibbs says controls have been built in to address such concerns. “Not everybody is allowed to see the big picture,” she said. “There are a number of doors that open and close.” [The New York Times]

US – OPM Moves Forward on Data Warehouse

The Office of Personnel Management’s (OPM) plans to build a large, centralized database despite privacy concerns. The OPM released two formal notices on the Health Claims Data Warehouse in the Federal Register this week, and work will begin on July 15. The OPM had delayed plans for the database due to privacy groups’ concerns about vulnerabilities. Revised plans for the database–which will store information including names, addresses, Social Security numbers and birth dates–include a downsized scope of the database and limits on how information from it can be used, with only de-identified data to be released beyond the OPM. [Computerworld]

CA – Federal Tory Donor Database Hacked

Hackers, not hash browns, were the cause of Prime Minister Stephen Harper’s distress in early June, as the federal Tories confirmed their website had been compromised and private information of financial supporters taken. In January, networks of both the Treasury Board of Canada and Finance Canada – the economic hubs of the government – were also penetrated, resulting in data being “exfiltrated,” according to a government memo written on the 31st and obtained by CBC. [Source] and see also [NZ: Labour says donor database use breaches privacy] [Conservative party website hacked] and also: [The International Monetary Fund (IMF) confirms it was hacked, with suggestions the attack was state sponsored]

CA – Sex Offenders Website in Ontario: Public Protection or Tool for Vigilantes?

Ontario could be the first province in Canada to create a website listing the names and addresses of its registered sex offenders — a controversial proposal that’s sparking a larger debate about whether it’s an effective tool to stop crime. Some experts say it would better protect children from predators, while others are concerned that it may lead to vigilante action or weaken a system that currently allows police to keep track of sex offenders. If it comes to pass, the election promise by the Progressive Conservatives would go further than any other program in Canada that’s designed to warn the public about high-risk offenders. Alberta is currently the only province that has a website listing the names and photos of high-risk offenders. However, it doesn’t provide their addresses for safety reasons. [Source]

CA – Open Text Launches Social Media Site for Government Policy Workers

The world is a “global village” now that social media networks are filled with conversations between people in different countries. But those who do serious government work can’t collaborate using tools such as Facebook or LinkedIn, because of concerns around security, privacy and who owns the information. Now, Waterloo software developer Open Text has joined forces with the Institute of Public Administration of Canada (IPAC) to launch Public Service Without Borders, a social media site where people working on government policies around the world can communicate and collaborate in a secure, cloud-computing setup. “The objective is global co-operation and networking,” he said. The network will be accessible over the internet or through mobile devices. Experts in areas such as information policy, governance, environmental or health care policy will share their biographies and information about polices they have helped develop and implement, as well as lessons learned. They can share documents, blog about their experiences and meet in virtual “community rooms” for discussions.The site is hosted “in the cloud,” which means IPAC doesn’t need an array of servers, Benay said. “It is using an existing infrastructure we have adapted to meet their policy and legal requirements.” It meets stringent security requirements, he added. “It is as secure as the online banking system.” [Source] See also: [Courts use Facebook to reach those who exist only online]

CA – Florida State Supreme Court Approves Privacy Rules

The Florida Supreme Court has issued new privacy rules for the state court system in order to protect personal information filed in court cases. The rules, which will temporarily not cover traffic and criminal cases, have been approved to ensure that personal information is protected before full electronic access to court cases is provided to the public. Driver’s license, credit card and Social Security numbers as well as e-mail addresses, passwords, birth dates and full names of minors will either be truncated or not included in court documents. The justices who approved the rules said that defense lawyers, prosecutors, law enforcement and others will still have access to the full information. [Wink News]

US – Kundra to Leave Federal CIO Post for Harvard Fellowship

Vivek Kundra, who was appointed the US’s first federal Chief Information Officer (CIO), will resign his position in mid-August for a fellowship at Harvard University, according to the Office of Management and Budget (OMB). A successor has not yet been named. Some have expressed concern that Kundra’s departure will hinder the projects he has begun, but others are more confident that “his legacy of defining incremental improvements and managing project teams to meeting identified goals should and likely will continue due to the momentum that he has created.” [Source] [Source] [Source]


CA – Canada’s Antispam Enforcer Ready to Fight

When Canada’s anti-spam law comes into effect, Andrea Rosen of the Canadian Radio-television and Telecommunications Commission will be charged with enforcing it. Speaking at a conference on Wednesday, Rosen stressed that the she has “the tools to find the spammers wherever they’re hiding and the power to shut down their operations.” Under Bill C-28, consumers have to give consent to receive unsolicited e-mails, and businesses could see fines of up to $10 million for serious infractions, while fines for individuals could reach $1 million. According to the report, Rosen hopes the law will come into effect this fall. [ITWorld]

Electronic Records

US – Supreme Court Strikes Down Prescription Drug Law

The U.S. Supreme Court struck down a Vermont state law today that had prohibited the use of patients’ prescription drug records for marketing purposes. In what Reuters described as “a case pitting free-speech rights against medical privacy concerns,” the court heard arguments in Sorrell v. IMS Health earlier this year, issuing its opinion this morning. The case was brought forward by pharmaceutical and data mining companies that contested a Vermont law prohibiting the sale of such information as records of which doctors prescribe specific drugs to their patients. “The high court handed a victory to data mining companies IMS Health, Verispan and Source Healthcare Analytics, a unit of Dutch publisher Wolters Kluwer, that collect and sell such information and that challenged the law,” Reuters reported following the Supreme Court’s decision this morning. In a joint media release officials from the companies hailed the decision. “Today’s ruling is clear and unmistakable–these types of laws violate the Constitution and do nothing to improve healthcare, reduce costs or protect privacy as proponents had claimed,” said Harvey Ashman of IMS Health. Prior to the 6-3 decision by the court, privacy experts weighed in with varying insights on the potential impact of the case, with some warning that for the court to rule as it did today could mean “significant implications” for patient privacy. “From the privacy perspective, the court rejected the efforts of Vermont and others to turn this case into a privacy case, and focused instead on the impact of the law as a commercial speech issue,” Kirk Nahra, CIPP, of Wiley Rein told the Daily Dashboard. “There are many current means of regulating patient privacy directly, and it would not have been useful to the overall protection of patient privacy to address these issues in an essentially unrelated context, through the back door.” [Reuters]

US – Experts React to Supreme Court Ruling on Prescription Records

In the wake of the U.S. Supreme Court’s decision in Sorrell v. IMS Health, experts have been weighing in on the implications for privacy protection. In a 6-3 ruling, the nation’s highest court struck down a Vermont statute that prohibited the use of physicians’ prescription drug records for pharmaceutical marketing and data-mining purposes. This article exclusive examines some of the immediate reactions to the ruling, which include different perspectives on the implications for privacy protection. One legislator suggests the decision is “a loss for those of us who care about privacy,” while other experts suggest the case was not about privacy at all. [Source]

CA – Ontario Health Records Proposal Would Breach Privacy, Experts Say

Ontario is proposing to create electronic health records that contain information about a patient’s education, employment, financial status, legal history, residence history, sexual orientation, spirituality and other psycho-social traits. But so comprehensive and sweeping is the proposed database that privacy and legal experts say they are “appalled” and “stunned.” The province’s plans, sketched at an e-Health conference in Toronto, Ontario earlier this month by Grant Gillis, director of ehealth standards for eHealth Ontario, would see the creation of comprehensive profiles about all Ontario patients, including their “social history.” Gillis also indicated that the information could include a category called “risk.” eHealth Ontario later indicated in an email that risk is a “general” category. Some examples found on forms provided by stakeholders during our engagement process include: Risk of falls/wandering; Risk of harm to others; (and) Risk of patient having perhaps been exposed to an infectious disease.” The aim is to create “an overall clinical information model for Ontario,” Gillis said. Information and Privacy Commissioner of Ontario Ann Cavoukian said in a statement prepared for CMAJ that she has contacted Greg Reed, CEO of eHealth Ontario, to discuss the proposed health records. “He assured me that they will be consulting with my office on possible data fields that practitioners have expressed interest in,” Cavoukian writes. “Nothing will be finalized until my office and other privacy specialists are consulted. One thing is clear — patient privacy must be directly embedded into the design of our electronic health records from the outset, not as an afterthought.” eHealth Ontario conducted public consultations on its specifications for the new health records last January and published a list of parties who responded. Those included some health institutions and technology companies but not legal, privacy or civil rights experts ( The Office of the Information Commission of Ontario was not aware of the consultations at the time, spokesman Angus Fisher says. Nor had el Eman heard of the consultations. “I would be surprised if there was a real public consultation that no legal and civil liberty groups would have responded or reacted,” he says. [Source] See also: [US: Can Privacy, Electronic Medical Records Coexist?] and [US: Proposal protects medical records]

US – Fraud Case Involved Privacy Violations

Danish pharmaceutical company Novo Nordisk Inc. has entered a $1.725 million civil settlement agreement to resolve allegations that the company accessed and misused private patient information and filed false or fraudulent Medicaid claims. The civil settlement agreement alleges the drug company’s sales representatives made payments to Rite Aid pharmacists in exchange for them recommending two diabetes drugs. The pharmacists, together with Novo Nordisk sales representatives, identified patients who were candidates for the drugs and communicated with physicians, patients and other pharmacists to encourage them to use or recommend the use of the drugs, according to the agreement. In addition to entering the civil settlement, the company, which has not admitted to engaging in the conduct, also has entered into a “corporate integrity agreement” with the Department of Health and Human Services, Office of the Inspector General. [Source]

US – Verizon Enhances Security Programs for Healthcare Organizations

Verizon has added new capabilities to two of its security programs, capabilities that should help health delivery organization strengthen security across their health systems and assess the security practices of partners they do business with. Announced this week, the company said its Verizon Security Management Program-Healthcare (SMP-H), an online dashboard that helps organizations assess and strengthen their security, will now include a new module based on the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), a widely adopted set of healthcare industry data protection guidelines. The company has also enhanced the Verizon Partner Security Program (PSP). Now, by fielding a questionnaire to business partners, healthcare organizations can assess the security compliance of these partners and their internal business units against Health Insurance Portability and Accountability Act (HIPAA) interim rules that extend data security and privacy requirements to the business associates of healthcare organizations. PSP is a platform that allows healthcare delivery organizations to conduct risk and compliance assessments and reporting tasks as well as manage their compliance and security across thousands of partners and multiple regulations. To improve HIPPA’s security rules, HHS announced this week proposed changes to the HIPAA Privacy Rule that would give people the right to get a report on who has electronically accessed their protected health information. [Source]

US – HHS Proposes Privacy Rule on Medical Records

Patients could obtain a list of everyone who has accessed their electronic medical record under a rule proposed by the U.S. Department of Health and Human Services. Healthcare providers must currently keep track of everyone who accesses private medical records, but they do not have to provide that information to patients. Under the rule, patients would be able to request an access report, which would document the identities of those who electronically viewed their protected health information. The new rule would add to regulations already in place under HIPAA, which protects patient privacy and sets security standards for electronic health records. [Source]

US – HHS Calls for More Protections, ONC Responds

The Health and Human Services (HHS) Inspector General’s Office recently released a white paper criticizing the Office of the National Coordinator for Health Information Technology (ONC) for not doing enough to protect healthcare information. ModernHealthcare reports that the inspector general called on the ONC to improve security measures for online health information with encryption and recommended it use its power to push data handlers to be more security-conscious. Joy Pritts, CPO of the ONC, says it is headed in that direction, adding that it has provided training tools and videos and is using the HHS’s data breach list to help “identify the issues where we should devote our efforts to educating people.” [Source]

US – Maine Law Allows Opt Out of EMRs

Forbes reports on a new law in Maine that will give two-thirds of its citizens the choice to opt out of the state’s electronic medical records program. The HealthInfoNet database contains citizens’ full medical records in order to enable medical providers to share data. The bill strikes a compromise between those concerned about patients being enrolled in the database without their knowledge and those who seek to expand its scope. In April, groups debated a bill to make the system opt-in; supporters said it would give patients more control over data, but opponents were concerned about getting enough patients to opt in to make the system effective. [Source]

EU – ICO: Systemic Problem in Health Data Storage

Information Commissioner Christopher Graham has said that the health service is not doing enough to keep patients’ personal information secure. “The security of data remains a systemic problem,” Graham said, pointing to the loss of up to eight million patient records at NHS North Central London and five health organizations recently found to have breached the Data Protection Act. “The health service holds some of the most sensitive personal information of any sector in the UK,” Graham said, adding that “policies and procedures may already be in place, but the fact. [Public Service]


WW – Data Encryption on the Rise

As data breaches continue to rise, U.S.-based companies are increasingly adopting encryption to secure their IT infrastructures, and their main reason is to comply with privacy and data protection regulations, a new study has found. In the past, protecting data and mitigating data breaches drove encryption adoption. This year, for the first time, regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute’s annual U.S. Enterprise Encryption Trends report. [Source] See also: [Opinion: Management Lessons from Breaches]

US – Council Releases PCI Standards Guiding Document

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities’ and cloud vendors’ responsibilities. “Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider,” the document states. The guidance is the “best document that the PCI Security Standards Council has written to date,” an independent PCI consultant said. [Computerworld]

WW – RSA Faces Angry Users After Breach

Industry experts say RSA Security’s admission—after a hacking attack in March—that its SecurID tokens are vulnerable came too late. Computer security consultants “have been increasingly critical of how long it took the company to acknowledge the severity of the problem,” the report states, raising the possibility that customers will seek other technologies for their computer networks. RSA had previously stated that replacement tokens were unnecessary but now offers replacements. “They got pushed really hard by some of their customers,” said one chief technology officer, adding, “They came around, but they came around late.” [The New York Times]

EU Developments

EU – EU Banks and Other Businesses Will be Required to Report Serious Data Breaches

European Union Justice Commissioner and Vice-President of the European Commission Viviane Reding has said that financial institutions and other businesses will be compelled to disclose serious data security breaches. EU telecommunications companies and ISPs already have mandatory breach notification requirements in place. The new requirements will affect all businesses that store customer data. [Source] [Source] [Source] [Source]

EU – Germans Take a ‘Black-And-White View’ of Online Privacy

Some 30% of Germans either don’t care about online privacy or entirely avoid putting personal data online, according to a study published by the Federal Association for Information Technology, Telecommunications and New Media (BITKOM). “Many Internet users have a black-and-white view of privacy on the Internet,” said Dieter Kempf, the industry trade group’s head, in a statement, adding that need to find a balance between carelessness and overprotection. The study showed that 14% of German Internet users did not care how their personal information was collected and used online while 16% of the 1,002 people polled said privacy concerns kept them from using online banking or buying or selling goods via the Internet. [Source]

EU – EU to Web Companies: “Sort out Privacy by 2012, or Else!”

The European Commissioner for the Digital Agenda has told Web companies to come up with a do-not-track standard by mid-2012, or the Commission will have to impose new rules. Commissioner Neelie Kroes said that a failure to agree on a workable standard would have consequences for the Web industry as well as consumers. “I am worried by what we see happening: data breaches affecting thousands if not millions; social networking sites rolling out new features with very open default settings; exposure and identity theft. One target of the Digital Agenda is to have 50% of Europeans buying online by 2015. We will not reach this without reinforcing trust and confidence,” she said. [Source] SEE ALSO: [Privacy watchdog Jennifer Stoddart makes the Web a priority] [Source] [Source]

EU – Dutch Parliament Passes Legislation on Cookies Opt-In

The lower house of the Dutch parliament has passed legislation requiring websites to get visitors permission before installing tracking cookies. The controversial legislation went through various versions before passing, from requiring permission for all cookies to mandating an opt-in only for third-party cookies that collect personal information or pass that information on to third parties. In the end all cookies will be subject to the Law on the Protection of Personal Information, meaning they can be questioned by the privacy regulator CBP and in court. The final version of the law passed implements EU privacy legislation, but goes further than proposals from the European Commission by requiring that website publishers have proof they have acquired the user’s permission. The Dutch publishing industry mounted a campaign against the bill, saying it will make the internet unusable and sites such as the popular news portal could disappear. They said self-regulation was the only workable solution to manage cookies. The cookie rule was drafted by MPs from two political parties, the right-wing PVV and the labour party PvdA. The MPs say the original version was indeed too far-reaching, as it affected all cookies. However, tracking cookies that build up a general profile of a user must fall under a stricter policy, in line with regulations on collecting personal data. They said concessions were made at the industry’s request, such as allowing for a general permission from the user, rather than the need for repeated requests from a site. The cookies rule is part of a larger revision of the Telecommunications Act. While the lower house approved the amendment, it must still vote on the larger text, which it is expected to pass a vote later in the week. [Source] [Source] [Source]

EU – ICO Fines Former Telecom Employees

Two former employees of T-Mobile have been fined by the Information Commissioner’s Office (ICO) for stealing and selling customer data. The fines totaled £73,000, and for the first time, the ICO will receive part of the settlement to train investigation staff. Information Commissioner Christopher Graham hopes the case will show that his office is being tough on data theft. “Those who have access to thousands of customer details,” he added, “may think that attempts to use it for personal gain will go undetected. But this case shows there is always an audit trail, and my office will do everything in its power to uncover it.” []

UK – Privacy Committee to Grill Editors and Tech Companies

Paul Dacre, the lord chief justice, and executives from Twitter and Google are expected be asked to give evidence to the parliamentary committee looking into privacy injunctions, as work on setting up the body created by David Cameron last month finally begins to move forward. Those who are expected to sit on the committee say they want to call newspaper editors, including the Daily Mail’s Dacre, judges and technology companies to public hearings – and there is even hope that it may prove possible to ask one of the celebrities involved in the injunction battle “to add to the gaiety of proceedings”. The committee is expected to complete its work by the end of the year. [Source]

EU – Commission: Social Networks Should Better Protect Minors

A European Commission (EC) study of 14 social networks includes in its findings that just two “have default settings to make minors’ profiles accessible only to their approved list of contacts,” The Wall Street Journal reports. The study comes as the EC continues exploring Internet regulation, the report notes. Commissioner Neelie Kroes reacted by saying she is “disappointed” in the results, urging social networks “to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing.” A spokesman said the EC will be “sitting down with them over the coming months, and we want them to do more.” [Source]

EU – Commission’s Lawyers: PNR Agreement Illegal

The European Commission’s legal counsel has warned that an agreement between the EU and U.S. to store airline passenger data for 15 years is unlawful. The passenger name record (PNR) deal is now being finalized and needs the approval of the European Parliament, but the legal counsel’s May 16 document raises “grave doubts” that the agreement complies with data protection law. The legal opinion particularly lists the provisions requiring data storage for 15 years, the lack of independent oversight and proper legal recourse if data is misused. One parliamentarian said the legal advice is an indication that the commission should drop the PNR agreement and go “back to the drawing board.” [The Guardian]

EU – Parliamentary Committee Adopts Draft Resolution

The European Parliament Civil Liberties Committee has adopted a draft resolution intended to influence the revision of the EU Data Protection Directive. According to a press release, the resolution includes provisions to allow people to access and alter or delete their data online and recommends “severe and dissuasive sanctions” for misuse or abuse of consumer data. The committee is calling for a modern data protection law that will improve international data transfer processes and better protect children–especially on social networking sites. The committee has also put its support behind a requirement for organizations to appoint data protection officers. [Source]

EU – EDPS to Increase Inspections This Year

European Data Protection Supervisor (EDPS) Peter Hustinx will carry out more on-the-spot inspections this year in cases where he believes an EU institution is failing to comply with EU law. That’s according to the EDPS annual report, released yesterday. The report also says the office will focus on member states’ and the European Commission’s implementation of new legislation on border security checks and an EU-wide system on airline passenger data. The EDPS received 25 admissible complaints last year, and 11 of those were deemed privacy breaches. [European Voice]

EU – José Luis Rodríguez Álvarez Nominated Director of Spanish DPA

The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency. The lawyer and professor of constitutional rights in the Faculty of Law of the Complutense University of Madrid was nominated director of the Cabinet of the Spanish Ministry of Justice in February 2009–a role he has now given up due to the circumstances. Rodríguez Álvarez will replace outgoing director Artemi Rallo Lombarte. (Article in Spanish)

EU – Swiss Commissioner Calls for Privacy by Default

There is a need for greater transparency in the processing of personal data, according to Swiss Data Protection Commissioner Hanspeter Thϋr. In his annual report, Thϋr said changes are needed due to the “rapid pace of development in the area of communication technologies,” and that “data protection principles must be included in all projects and taken into account from the very outset.” The report notes that Thϋr handled many cases related to new technologies in the last year. An issue of particular concern is “evercookies,” reports. [Source]

EU – Associations Call on EC to Recognize CILs

Four data protection associations are appealing to the European Commission to recognize the role of the data protection officer when considering revisions to the EU Data Protection Directive. The groups–the French Association of Data Protection Correspondents, Spanish Association of Privacy Professionals, German Association for Data Protection and Data Security and the data protection association of the Netherlands—feel that the role of the data privacy controller should be strengthened. In a recent press release, they say that data protection officers are “key players in protecting the privacy of consumers, employees and citizens,” and their roles, missions and legal status should be defined and harmonized across Europe. [Source]

Facts & Stats

US – Study: Breaches More Frequent and Severe

A Ponemon Institute study has found that 90% of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices–employee laptops, smartphones and tablets–are responsible for most breaches, while business partnerships also elevate risk. 53% of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to “the fact that so many organizations are having multiple breaches.” An MSNBC report outlines ways for individuals to protect themselves in light of the recent “seemingly endless string” of data breaches, and according to the report, most aren’t made public. Meanwhile, CIO has posted an online quiz to test readers’ knowledge of data breaches. [Source] See also: [Breaches Build Federal Data Security Momentum]

WW – “Cyberinsurance” in High Demand

The “cyberinsurance” industry is experiencing an up-tick in business with recent high-profile breaches driving companies’ desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage–in some cases worth hundreds of millions of dollars. “Consensus is building” on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, “One day the industry will actually be so robust that…we’ll have the leverage to actually create standards.” A Ponemon Institute study shows the average breach cost $7.2 million last year, “But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough,” the report states. [Source]


CA – Guelph-Based Software Censors the Internet in the Middle East

Web-filtering software developed in Canada is being used in the Middle East to censor the Internet, according to the University of Toronto’s Citizen Lab. Netsweeper Inc., a leading developer of content-filtering software based in Guelph, lists telecommunications companies in Yemen, Qatar and United Arab Emirates among its foreign clients. According to the company’s promotional material, its software blocks websites using a “list of 90+ categories to meet government rules and regulations — based on social, religious or political ideals.” Web-filtering technology was developed in the 1990s as a way to restrict access to pornography, among other things. It is commonly used to block access to specified websites in many Canadian schools, libraries and businesses. But beyond our borders that same technology is being used to quash social media-spurred uprisings in the Middle East — and the companies providing the software have come under fire for being the means through which foreign governments repress free speech online. [Source]

SY – Syria Temporarily Shuts Down Much of Internet

Internet service in Syria has been restored after the government cut off access to citizens on Friday, June 3 during some of the largest anti-government protests the country has recently seen. Following the shutdown, only Syrian government sites remained available in that country. Internet in Syria was once again available by 7AM local time the next day. Other Middle Eastern governments have severed Internet access in an attempt to quell protests. [Source] [Source] [Source]


US – FTC Levies $1.8 Million Fine for FCRA Violations

The Federal Trade Commission (FTC) has fined Teletrack Inc. $1.8 million dollars for Fair Credit Reporting Act (FCRA) violations. According to an FTC press release, Teletrack sold credit reports to marketers, which violates the federal law. “The FCRA says a credit reporting agency like Teletrack can’t sell a consumer’s sensitive credit report information for merely sales pitches,” said FTC Bureau of Consumer Protection Director David Vladeck. The settlement requires that the company pay a civil penalty of $1.8 million and only provide credit reports to those deemed permissible to receive them under FCRA. The settlement also spells out record-keeping requirements to ensure compliance with the order. [Source]

WW – Study: Hackers Outpacing Bank Security

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector’s 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do,” says the study’s lead author. “Prevention is the hardest to do, but it’s got the biggest payback.” The study also noted that banks have a strong record of eliminating fraudulent charges from individuals’ bank accounts. [Source]

WW – Slammed Again as Punishment Over WikiLeaks

MasterCard’s main website was unavailable for some time as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks. MasterCard along with companies such as Visa, PayPal and the Swiss Bank PostFinance stopped processing payments for WikiLeaks shortly after the site began releasing portions of 250,000 secret U.S. diplomatic cables in November 2010. The hacking collective known as Anonymous spearheaded a drive to conduct distributed denial-of-service (DDOS) attacks against those sites. A DDOS attack involves sending large quantities of meaningless traffic to the website, which can knock it offline. [Source] [Anonymous, LulzSec bring bragging rights back to hacking] See also: [Reports: Sega customer database hacked]

CA – US Tax Law Poses Privacy Risks to Canadians

Ottawa’s privacy watchdog is examining whether a U.S. campaign to pursue tax cheats among the roughly one million Americans living here violates Canadian privacy laws. Jennifer Stoddart is closely monitoring privacy concerns as U.S. tax authorities prepare to force all foreign financial institutions to identify Americans and the money they have stashed in accounts around the world. Among the potential problems with the American law, slated to come into force in 2013, is that it would compel Canadian banks, brokers, insurers and mutual funds to collect U.S. Social Security number and report account balances directly to the Internal Revenue Service. Under Canadian law, customers are only required to provide identification that shows where they live – not their immigration status or citizenship. Finance Minister Jim Flaherty said last week he’s seeking an exemption for Canada, arguing that the country is not a “tax haven” and that Ottawa already cooperates extensively with tax authorities in the U.S. through a tax treaty. [Source] [Banks battle over US tax law]

US – Recent Breach Puts Spotlight on Security

Regulators are pressuring banks to improve data security measures, and some experts are forecasting a “systemic overhaul” of the industry’s practices after a recent breach exposed data on as many as 200,000 credit cardholders. The breach is drawing attention to ongoing vulnerabilities in bank security, and The New York Times reports that the prevalence of outsourcing and the “patchwork of data protection law and regulatory agencies” make matters worse, the report states. An Identity Theft Resource Center report states that in the past six years, 288 breaches at financial institutions have exposed 83 million customer records. [Source] See also: [Why it’s still too early to adopt NFC-enabled mobile payments]


CA – Ontario Must Get With The Times on Transparency, Watchdog Says

Ontario’s Ombudsman is calling on Premier Dalton McGuinty to embrace the worldwide trend toward open government by giving the public real-time access to information about programs and services. The practice of having to file a complicated access-to-information request is “literally last century,” André Marin said in his annual report, released on Tuesday. “People want information on what their government is doing, they want it to be easy to find and understand, and they want it now,” he said. Mr. Marin has been urging the McGuinty government for several years to open up the so-called MUSH sector – municipalities, universities, school boards and hospitals – to scrutiny. The government has in part responded to that pressure by making the province’s 156 hospitals part of Ontario’s Freedom of Information and Protection of Privacy Act. In his sixth annual report, Mr. Marin is going one step further by asking the government to make information available without the public having to ask for it. [Source]

CA – Vancouver Upholds Freedom of Information Release Policies

Vancouver won’t be engaging in the odious practice of “simultaneous disclosure” when it comes to responding to Freedom of Information requests. No matter what City Manager Penny Ballem might like. The city council unanimously supported a revised motion from Coun. Suzanne Anton that specifically upholds the current practice of releasing FOI materials to the requester before handing them out to others or posting them surrepticiously on a website without notification. The motion flows from a finding by the provincial Information and Privacy Commissioner Elizabeth Denham that BC Ferries’ FOI policy of simultaneous disclosure, while not illegal, violated the spirit of the FOI legislation. BC Ferries, which only recently came back under FOI jurisdiction, sought to try and discourage media from filing requests by making the results available to everyone at the same time. As a result, many journalists felt disinclined to file requests if it meant they’d see the story immediately on someone else’s website. [Source]

CA – Critics Blast Spike in Deaths Among Children in Care

Revelations that six children in provincial care died last year and 20 were hospitalized have critics demanding the removal of the secrecy around Alberta Children and Youth Services. Opposition critics urged the Alberta government to act immediately to disclose what happened to the children, whose deaths and injuries were summed up in a few lines in the ministry’s annual report. The deaths were double and the injuries more than triple the previous year when the government launched a review into the way children in care are managed. [Source]

UK – Hackers Leak Former British PM Tony Blair Data

Hackers have released what looks like personal information on former British Prime Minister Tony Blair, including the contents of his electronic address book, with contact data for members of Parliament and for what could be Blair’s dentist and his mechanic. A link to the data on the Pastebin Web site was sent out on Twitter from the account of “TeaMp0isoN” along with a message saying “Tony Blair should be locked up, he is a war criminal.” Earlier in the day, the TeaMp0isoN account had featured a tweet that said the group was targeting Blair for his support of the war in Iraq. [Source] See also: [LulzSec Denies Taking U.K. Census Data] and [US: CIA Web site hacked; group LulzSec takes credit]


AR – Court Demands DNA Samples

An Argentine court has ruled that the adult children of adoptive parents must submit to DNA testing in order to determine whether they were born to military prisoners during the country’s Dirty War from 1976 to 1983. BBC News reports that Marcela and Felipe Noble Herrera must submit blood or saliva samples. They will be compared to those of military prisoners from that period whose babies were kidnapped by the military junta. The Noble Herreras have objected to the testing, saying that it’s a violation of their privacy. A 2009 bill passed by the Argentine congress allows for the forcible extraction of DNA in certain cases. [Source]

US – Apartments Using Dog DNA to Catch Poop-Scoop Scofflaws

The Timberwood Commons in Lebanon, N.H., opened this year and already has had problems with some residents who aren’t cleaning up messes their dogs leave. So the manager is going to use commercially available DNA sampling kits to check the DNA that dogs leave behind when they go. “We’ve tried doing the warning letters. We’ve tried all sorts of things,” she said Friday. “It’s always a problem. It’s just that the majority of people are responsible pet owners and there are a few who are not.” [Source]

Health / Medical

US – Suffolk Doctor Faces Federal Privacy Law Charges

In a rare prosecution of a possible health privacy violation, a federal grand jury has indicted a Suffolk psychiatrist on charges he disclosed personal medical information. Dr. Richard Kaye, 62, a former medical director of the psychiatric unit at Sentara Obici Hospital in Suffolk, was indicted in U.S. District Court in Norfolk. According to the indictment, he treated a patient with a mental health problem PHI health information about her on three different occasions to an “agent” of the patient’s employer without authorization. The indictment from the U.S. attorney for the Eastern District of Virginia said Kaye disclosed the information under false pretenses, saying she was of “serious and imminent threat to the safety of the public.” The indictment said the doctor knew the patient was not a threat to the safety of the public. If convicted, Kaye faces a maximum of five years in prison. [Source] See also: [London Health Sciences Centre probes confidentiality breach] and [US: Alabama Woman Charged With Stealing Records of 4,500 Surgical Patients] and [Hospital Fires Employees for HIPAA Violations]

WW – Mobile Phones Being Embraced to Strengthen Health Services

Eight in 10 countries are using mobile phone technology to improve health services, from free emergency calls to appointment reminders, the World Health Organization said. The global health body found that only 19 of 114 countries surveyed had no mobile health initiative, known as mHealth. But most of those countries have several projects running. [Source]

CA – Medical Records Found In Library Book

A Red Deer library user was shocked recently to discover a list of Red Deer Regional Hospital Centre psychiatric patients and their diagnoses tucked inside a library book. What he found was a recent patient care list for 14 patients on Unit 34, one of two adult psychiatric units at the hospital. Diagnoses ranged from bipolar to depression to suicidal. Red Deer doctors were listed beside patient names. The document did not have a date. [Source] See also: [UK: Privacy fear as NHS laptops and patient records are lost]

Horror Stories

AU – Sydney University ‘Breached Student Privacy’

An investigation has found the University of Sydney failed in its obligations by not securing students’ private details on its website. A section of the university’s website was shut down in January after it was found sensitive information could be obtained by entering a student’s identification number. No password was required to access the name and address of the student, along with the subjects they were enrolled in and the fees they owed the university. The Acting New South Wales Privacy Commissioner, John McAteer, has found the university breached the Privacy Act by failing to have reasonable safeguards to protect the data. [Source]

CN – Breach of Privacy as Students’ Details for Sale Online

Beijing – Private information about elementary and secondary school students and their families is for sale online, which legal experts say constitutes an invasion of privacy. On the list, information about the capital’s 70,000 students who sat the recent college entrance examination sells for more than 1,000 yuan ($155). Information on the list includes names, cell phone numbers and home addresses of students from across the country. The information usually sells as a package for different regions and the prices for each package could be up to 1,000 yuan ($155). The buyers are generally private educational companies or training institutions, which are looking for students who failed the college entrance examination on June 8 and might be suitable for a one-year training course. Sellers leave their contact details as well as a sample of the private information online to attract buyers. The final deal is conducted face to face after negotiations with interested parties, according to an online advertisement. [Source]

US – Missing Laptop Holds Unencrypted NHS Patient Data

A laptop computer stolen from a National Health Services (NHS) subsidiary in London contains unencrypted personal health information of more than 8.6 million people, including records of 18 million hospital visits, operations and procedures. Three weeks ago, the laptop and 19 other computers were reported missing from a storeroom at the London Health Programmes medical research organization. The incident is being investigated by the UK Information Commissioner’s Office (ICO) and police. [Source] See also: [California Public Health Dept. Reports Second Breach]

IN – Groupon India Data Published on Internet, Said Researcher

The user database of Groupon’s Indian subsidiary, SoSasta, was published on the Internet and indexed by Google, according to an Australian security consultant. “I found the data via Google. Sosasta was notified ASAP,” said Daniel Grzelak in a message on Twitter. He said he had no clue as to how the database was published on the Internet. [Source] See also: [US: Arlington Cemetery Records Found in Abandoned Storage Unit, Criminal Investigation Launched]

US – Citigroup Hackers Stole $2.7 Million

Citigroup has confirmed that about $2.7 million was stolen from 3,400 customers in May following a major data breach. Citi had previously said that the data breach had exposed 360,083 bank accounts, revealing names, account numbers and email addresses of customers. Citi said other sensitive information including social security numbers, dates of birth, card expiration dates and card security codes had not been exposed. However, it now appears that customers did suffer financial losses. A Citi spokesperson said he could not comment on how the money had been stolen, but that the breach itself had not contributed any information that was sufficient to perpetrate fraud. [Source] [Source] [Source]

CA – Hackers Attack Richmond-Based Grocery Chain

T&T Supermarket Inc., a Richmond-based Asian grocery store chain, has been hit by hackers who may have stolen personal information from about 58,000 people. The company announced security breaches to its website,, that happened on June 6, 7, 11, and on June 14 through to June 17. T&T’s databases may have been accessed by “unauthorized intruders,” the company says. Stolen data could have included names, usernames, passwords, gender, email, telephone numbers and home addresses, the company says. T&T notes that it does not collect credit card information, driver’s license, dates of birth or social insurance numbers through its website. [Source]

WW – Attackers Steal Information from Acer Customer Database

Attackers claim to have stolen information from an Acer customer database. The compromised information appears to include the names, email addresses and purchase histories of about 40,000 customers. The attackers also claim to have stolen source code from the computer manufacturer. The attackers appear to have taken the information by gaining access to an Acer FTP server. [Source] [Source] [Source] [Source]

UK – Fines for Former T-Mobile Employees Who Stole and Sold Data

Two men who used to work for T-Mobile have been fined a total of GBP 73,700 (US $121,000) for stealing customer information and selling it to third parties. The action resulting in the decision was brought by the UK information Commissioner’s Office (ICO), which launched the investigation in 2008. [Source] [Source]

Identity Issues

CA – Ontario to Launch New Photo Identification Card

Ontarians without a driver’s licence to use as a quick and easy piece of identification can soon apply for a government-issue photo ID card. The new cards, to become available in late July, cost $35 and are valid for five years but are not suitable as a passport substitute on international trips, Transportation Minister Kathleen Wynne said. The wallet-sized cards are aimed at the estimated 1.5 million Ontarians over the age of 16 — including the blind and those with partial sight — who don’t have driver’s licences. Applications for the card will be taken starting next month at 20 Service Ontario centres throughout the province before the offer is expanded to every centre throughout the province next year. [Source]

CA – BC New CareCard and Our Privacy

The B.C. government is preparing to scrap the provincial CareCard and introduce a high-tech replacement. The new card will carry a photo, computer chip and anti-forgery features to combat identity theft or fraud. The $150 million changeover will be phased in. Once the card is in place, it will be renewed every five years. The existing card was introduced more than 20 years ago. It offers little by way of security. Worse still, there are an estimated nine million of these in circulation, for a population of only 4.5 million. The government doesn’t know what happened to all the excess cards, but it’s a safe bet some are in the wrong hands and being used to obtain medical services fraudulently. Unfortunately, the innovations don’t stop there. The new card will also carry a link to each person’s health file. The idea is that medical staff, perhaps in an emergency, can have access to a patient’s record of treatment, in particular drug history. You either enroll in the new system, or lose access to health services. There has been no public consultation on what is a significant shift in our approach to the privacy of medical records. [Source]

US – ID Proposal for Prepaid Phones Raises “Privacy, Access and Safety” Concerns

A measure intended to crack down on drug dealers and would-be terrorists is drawing fire over privacy, access and safety concerns. The Suffolk County Legislature is considering a requirement that buyers of prepaid cell phones provide two forms of identification before making the purchase, and that local retailers hold onto that information for at least three years. Jessica Glynn, supervising attorney for the Latino rights group SEPA Mujer, says the proposal violates a number of privacy rights, particularly for victims of domestic violence. “There are serious safety concerns when a victim’s identity is being kept by someone with no training whatsoever on domestic-violence issues, or on how to keep a record.” The measure would have major negative impacts for both documented and undocumented immigrants in the county, says Amol Sinha, director of the Suffolk chapter of the New York Civil Liberties Union. “The concern is that people who don’t have credit histories, who are low-income, generally buy prepaid cell phones – and won’t have access to those vital lifelines.” [Source]

CA – Store’s ID Checks a Privacy Invasion, Says Yukon Senior

At least one Whitehorse senior is accusing a local grocery store of invading his privacy by scanning his photo identification before selling him cigarettes. Kenyon Bennett, 76, said the Real Canadian Superstore in Whitehorse does not sell tobacco products to seniors — even if they have white hair and wrinkles — without an ID check. “They put this card of mine in a machine to verify it or to let them have a print-out on something. Seems like there’s some skullduggery going on that shouldn’t be,” Bennett told CBC News. Superstore officials say staff are required to check the photo identification and record the birthdates of everyone who buys tobacco at their stores. Yukon information and privacy commissioner Tracy-Anne McPhee said the Superstore may be close to overstepping its legal authority if it is collecting and storing personal data about customers. “Looking at a piece of ID is sufficient,” McPhee said. “Writing down information from that card — photocopying, swiping or scanning — is just not justified.” [Source]

IN – India Has Issued 9.5 Million Digital Identity Numbers

India has issued digital identities to about 9.5 million people so far, and plans to step up enrollment to 1 million a day from October, the head of the agency issuing the biometric identities said at a conference in Bangalore. The digital identities, called Unique Identity (UID) or Aadhaar numbers, will provide proof of identity to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India, said Nandan Nilekani, chairman of the Unique Identification Authority of India (UIDAI). The Aadhaar projects aims to issue identity numbers to 600 million people over the next three years or so, Nilekani said. Enrollment is currently voluntary. [Source] See also: [INDIA: Privacy issues come to the fore as govt plans big-ticket schemes] and [IN: Right to privacy may become fundamental right]

UK – Government Plans Next-Generation ID Scheme

The government has been coy about the pilot identity system it has been running with Mydex, the East London start-up whose trials with Brent Borough Council created in March what was dubbed “a Google moment”. Departments including HMRC, DirectGov and DWP are designing systems that will use it, but have not said what exactly they are doing. The Cabinet Office led the Mydex pilot, while Maude’s Conservative Party had made Mydex’s raison d’etre a manifesto commitment (though not by name) for the 2010 general election: “Wherever possible, personal data should be controlled by individual citizens”. The pilot came in the wake of the identity card scheme as a means for people to hold their own personal data and choose their own means of authenticating their identity. Maude assured Parliament “NO2ID and other privacy advocates” would be given an opportunity to scrutinise the plans, or at least would be “kept closely informed”. Guy Herbert, NO2ID National Organiser, told Computer Weekly the plans as they stand might not give the individual enough power over their own data. He feared both government departments and private companies were hungry alike for power over identities and personal data. [Source] See also: [US – E-Authentication Best Practices for Government]

US – DOT Sells Drivers’ Personal Information

There are about 4.5 million drivers in Wisconsin, and more than half may not know their personal information is being sold by the state Department of Transportation. There are laws but almost no oversight to how the Wisconsin DOT uses drivers’ information. In all, the state makes millions of dollars by selling drivers’ information. The entire driver record file containing information on 2.5 million drivers can be purchased for $250. “We produce a CD containing the record file and then we send that. Those funds are sent to the registration fee trust,” said the director for the DMV’s Bureau of Driver Services. In 2010, the DOT made $22,250 selling driver record files. The state of Wisconsin is making millions off of selling a second list with drivers’ personal information. The department makes more money and has more requests for full driving records. These contain the same information as the driver record file plus information on traffic crashes, tickets and withdrawals like revocation or suspensions. While the driver record file costs $250, full driving records cost between $5 and $7 per driver record. In 2010, the DOT made more than $16 million selling full driving records. [Source]

US – Court: Ohio Data Selling Practices Not In Violation

A federal appeals court has overturned a lower court decision, dismissing a 2009 lawsuit against the state of Ohio that alleged privacy violations stemming from the state’s practice of selling driver’s license data. While the lower court’s ruling allowed officials to be sued for “disclosing personal information not permitted by the Driver’s Privacy Protection Act,” the appeals court found the “rights under the law weren’t sufficiently clear.” Three Cincinnati residents filed the lawsuit, and their lawyer has said they haven’t decided if they will appeal to the U.S. Supreme Court. [The Republic] [IAPP Dashboard]

Internet / WWW

WW – OECD Communiqué Pleases Some, Nettles Others

At a high-level meeting on the Internet economy this week, the Organisation for Economic Co-operation and Development (OECD) released a Communiqué on Principles for Internet Policy-Making, which outlines the OECD’s commitment toward promoting the free flow of information; investing in high-speed networks and services; enabling cross-border delivery of services, and strengthening “consistency and effectiveness in privacy protection at a global level,” among other areas. While some have lauded the principles—U.S. NTIA Administrator Lawrence E. Strickling described it as a “major achievement that will support the continued innovation…of the global Internet economy”–others have criticized plans to make Internet service providers more responsible for policing copyright infringement, something the Civil Society Information Society Advisory Council says could “lead to network filtering.” [Source]

WW – Google Now Lets You Manage Your Online Reputation

Google has unveiled a tool to help users manage their online reputations. Called Me on the Web, it can be found on the Google dashboard, right below Account Details, when you sign on to your account. According to the Google Public Policy Blog, Me on the Web “makes it even easier” to set up Google Alerts for mentions of your name or email address as well as automatically suggesting some search terms you might want to monitor. It also “provides links to resources offering information on how to control what third-party information is posted about you on the Web.” The tips include information on how to reach out to the webmaster of a site to ask to have the information taken down as well as how to publish additional information on your own to make less relevant websites appear further down on your search results. To use the tool, you must first sign in. You’ll be asked to create a profile if you haven’t already. Then you are given a number of options on how to control your reputation, including links on how to set up notifications when your personal information appears on the Web. [Source] [Google intros ‘Me on the Web’ identity management tool]

WW – World IPv6 Day is June 8th

On Wednesday, June 8, web sites around the world will test the IPv6 standard, which will ultimately allow many more IP addresses than IPv4 with faster connectivity. Among the organizations participating in World IPv6 Day are Microsoft, Google, Yahoo and Facebook. The test runs from 8PM EST on June 7 until 7:59PM EST on June 8. The event is designed to allow network engineers to see how well the new protocol works on a large scale and to identify technical problems like misconfigured systems. The event is also aimed at raising awareness of IPv6 deployment, which is necessary because the Internet is running out of IPv4 address space. IPv6 is not compatible with IPv4, which means web sites will need to upgrade network equipment and software. [Source] See also: [IPv6 Rollout Could Necessitate Privacy Rethink]

Law Enforcement

US – F.B.I. Agents Get Leeway to Push Privacy Bounds

The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. Valerie E. Caproni, the F.B.I. general counsel, said the bureau had carefully considered each change to its operations manual. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. [Source] See also: [Toronto Police nab first ‘upskirt’ photographer of the summer]

UK – Police Database Will Share Data on 15 Million People

Police have set up a computer system which will allow UK forces to share intelligence on 15 million people. A Police National Database was the key recommendation from the Bichard Inquiry into failings by police into the Soham murders in 2002. It found that police failed to disclose details of allegations against Ian Huntley a year before he murdered Holly Wells and Jessica Chapman, both 10. Privacy campaigners say non-criminals should not be on the system. The database, which brings together 150 separate computer systems, combines intelligence from the 43 police forces in England and Wales. It also links to the eight police forces in Scotland, the British Transport Police, the Police Service of Northern Ireland, the Child Exploitation and Online Protection centre (Ceop), the Serious and Organised Crime Agency (Soca) and the military police. Collectively the forces hold information on between 10-15m people. These include convicted criminals, suspects and victims of crimes, as well as the details of people who have been questioned by police but not charged. The database is run by the National Policing Improvement Agency (NPIA). The Bichard inquiry said police should be able automatically to access information on suspects held by another force. Privacy campaign group Big Brother Watch said it was concerned that details of members of the public could be logged on the database. Spokesman Daniel Hamilton said: “Nobody has a problem with a database of criminals but we should never build a database of innocent people and crime victims. “The risk of this data falling into the hands of criminals is too horrifying to comprehend.” [Source]


US – Court Case Raises Privacy Issues

The Advertiser reports on a Delaware Supreme Court case that “could help define personal privacy and set limits on how far police can go when using electronic surveillance in Delaware and perhaps across the U.S.” The case, Delaware v. Michael D. Holden, involves police use of GPS without a court-approved warrant to track a suspect for more than 20 days. The case was initially overturned in a lower court because the judge ruled it was an illegal search. One attorney noted the case could raise the issue of the “reasonable expectation of privacy.” [Source]

WW – Nissan Leaf Sends Location Data in RSS GET Requests

A blogger has determined that the Nissan Leaf electric automobile leaks information about the vehicle’s location, speed and destination through the car’s RSS reader. The Leaf is equipped with technology that allows drivers to select RSS feeds which are then read to them. The blogger, Casey Halverson, discovered that the GET request sent from the car for the feed contains the vehicle’s latitude, longitude, speed, direction and the latitude and longitude of the car’s destination. [Source] [Source] [Source]

WW – Free Site Helps Find Stolen Cameras

A clever experiment may make it possible for you to recover a stolen camera, find people using your photos without permission and help police catch child pornographers. The experiment is a collaboration between GadgetTrak, a software company that makes data-protection and tracking software for computers and phones, and CPUsage, a company that gets home computers to collaborate on crunching data when they aren’t in use (similar to SETI at home). The collaboration, called GadgetTrak Serial Search, works by searching the Web for information that is commonly embedded in today’s photographs. Digital cameras often stamp photos with the camera’s serial number, as well as information on exposure, shutter speed, time and date taken and in some cases, where it was taken. The free service uses the computing power of its collaborative network to search the Web for photos and then catalogs the images and associated cameras it finds. You can go to the Web site, enter a camera’s serial number and see if your photos register. It has logged more than 3 million serial numbers in a little over a week. [Source]


IN – Leaking Health Information May Land You in Prison

Leaking information on the health of an individual may earn a term in prison for six months and also a fine up to Rs 1 lakh. According to the new Privacy Bill, 2011, which is slated to be tabled in Parliament during the forthcoming session, any health information of any citizen of India collected with his consent shall be kept by the person till the time the individual wants and later it should be returned or destroyed. [Source]

IN – Right to Privacy May Become Fundamental Right

The law ministry is working on a proposal to make right to privacy a fundamental right in the Indian Constitution. Corporate lobbyist Niira Radia’s phone tapping row and new-age surveillance techniques being extensively used to crack down on economic offences are the trigger behind the move. “We are working on making right to privacy a fundamental right. It is likely to be tabled in the monsoon session of Parliament. However, it’s difficult to commit the timeframe,” law minister Veerappa Moily said. The right to privacy would include the right to confidentiality of communication, confidentiality of private or family life, protection of his honour and good name, protection from search, detention or exposure of lawful communication between individuals, privacy from surveillance, confidentiality of banking, financial, medical and legal information, protection from identity theft of various kinds, protection of use of a person’s photographs, fingerprints, DNA samples and other samples taken at police stations and other places and protection of data relating to individual. If the legislation is passed, it would address several concerns expressed by some sections of the civil society. For instance, there has been outrage over the `compromise’ of an individual’s privacy in a project like UID, where all personal data will be available at the click of a mouse. [Source]

Online Privacy

US – Most Websites Regularly Leak Sensitive, Personal Data: Survey

A team of university researchers examined more than 100 “popular” Websites and found three-quarters of the sites leaked private information or users’ identifying data to third-party tracking sites. The survey results were released shortly after Facebook came under fire for inadvertently passing user data to other parties. More than half (56%) of sites “directly leak” private information, and the number goes up to 75% if the user ID is included under private data, according to an academic paper. The researchers, Balachander Krishnamurthy of AT&T Labs, and Konstantin Naryshkin and Craig E Wills of Worchester Polytechnic Institute, found that information is leaked in various ways to third-party sites that track user behavior for advertisers. The researchers presented the report at the Web 2.0 Security and Privacy conference in Oakland, Calif., on May 26. In some cases, information was passed “deliberately” to other sites, but in others, it was included as part of routine information exchange. The researchers were unable to tell conclusively whether the inclusion was deliberate or inadvertent. Data leaks could have occurred as users were creating, viewing, editing or just logging into their accounts. They could also have occurred while navigating the site as many of them exposed search terms. “We believe it is time to move beyond what is clearly a losing battle with third-party aggregators and examine what roles the first-party sites can play in protecting the privacy of their users,” said Wills. Efforts made to date to address information leakage have been “largely ineffective,” the researchers found. Websites need to take greater responsibility for privacy protection. “Despite a number of proposals and reports put forward by researchers, government agencies and privacy advocates, the problem of privacy has worsened significantly,” Wills said. Leaked information included email addresses, physical addresses and the user’s Web browser configuration details, according to the paper. Researchers classified the user data as either identifiable or as sensitive. Health information, such as searching for an illness or physical condition, was considered highly sensitive, while name and email address was highly identifiable. They focused on sites that encourage users to register, since users often share personal and personally identifiable information, including names, physical address and email address, during the registration process. They also examined heath and travel sites, since users conduct searches on these sites that can be used to identify health issues or travel plans. The same team had previously examined 12 social-networking sites, including Facebook, MySpace and Orkut, to determine what kind of information was being leaked. Researchers noted that since users logged into Orkut using their Google account credentials, third-party firms could correlate the leaked Orkut user identifier with other activity on Google services, such as search or videos viewed on YouTube. Sites may be passing the user ID to referrer sites, such as Digg, but that information is actually being forwarded to Omniture, an analytics firm. [Source]

US – Judge Approves Flash Cookie Settlement

U.S. District Court Judge George H. Wu has approved a final class-action settlement requiring Quantcast and Clearspring to pay $2.4 million. The settlement was first announced last December but received final approval on Monday. The case stems from the companies’ use of Flash cookies to track users for targeted advertising. According to the article, the majority of the settlement will go to universities and research groups, but approximately $550,000 will go to the plaintiffs’ attorneys for fees and expenses. []

WW – Google Introduces Facebook Competitor, Emphasizing Privacy

Google took its biggest leap yet onto Facebook’s turf by introducing a social networking service called the Google+ project — which happens to look very much like Facebook. The service, which will initially be available only to a select group of Google users who will soon be able to invite others, will let people share and discuss status updates, photos and links. But the Google+ project will be different from Facebook in one significant way, which Google hopes will be enough to convince people to use yet another social networking service. It is designed for sharing with groups — like colleagues, college roommates or hiking friends — instead of with all of a user’s friends or the entire Web. It also offers group text messaging and video chat. The debut of Google+ will test whether Google can overcome its past flops in social networking, like Buzz and Orkut, and deal with one of the most pressing challenges facing the company. [Source] See also: [Protecting privacy in the digital age: two new reports by Canadian privacy commissioners] and [US: How to do a social background check the legal way]

WW – LinkedIn Privacy Changes Point to Social Ads

LinkedIn privacy policy updates hint at the introduction of “social ads” based on users’ activities. LinkedIn “appears eager” to avoid privacy issues, the report states, and will allow users to opt out of social ads. “Most importantly, we do not provide your name or image back to any advertiser when that ad is served,” one LinkedIn official noted, while another said, “This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose.” [MediaPost News]

CA – Winnipeg School Officials Ban Posting of Student Photos Online

Manitoba’s largest school division seems to be trying to put the social-media genie back in the bottle just in time for graduation. The Winnipeg School Division has adopted stringent privacy policies — ramping up its already rigid standards — in an effort to keep photos and video of its students off the Internet. Anyone recording a public event at the school, including those held after school, off-campus or at a school in another division, may do so only for personal use, and may not post on the Internet, the division says. It’s a policy proponents say is meant to protect young children. But just how school officials can enforce it in the era of Facebook and social media remains unclear. [Source]

Other Jurisdictions

HK – Hong Kong Banks Sold Customer Data: Watchdog

Hong Kong’s privacy watchdog has scolded four banks for releasing customers’ personal data to third parties, accusing three of them of selling the information. he four banks – Citibank, ICBC, Fubon Bank and Wing Hang Bank – had all released customers’ personal data, while Citibank, ICBC and Fubon Bank also used the information for financial gain. (I am) disappointed that the banks are less than forthcoming in following good privacy practices,” Allan Chiang, the city’s privacy commissioner for personal data, told reporters after releasing the results of a probe into the firms.”We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn, it will serve to encourage compliant behaviour by data users concerned,” he added. [Source]

NZ – Privacy Commission Welcomes Cyber Security Strategy

The Privacy Commission says the Government’s new cyber security strategy is a “welcome start” towards protecting New Zealanders’ online identities, but it won’t guarantee online safety. The new cyber security strategy aims to improve the country’s protection against cyber threats and increase initiatives aimed at improving online security for individuals, businesses, infrastructure and the Government. Privacy Commissioner Marie Shroff is “very pleased” to see the launch of the cyber security strategy, and says she looks forward to learning how its implementation will support existing efforts providing information about online protection. [Source] See also: [NZ: Ministry’s fraud data found in car park]

CR – Costa Rica Privacy Legislation Moves Forward

Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects. In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly. The bill has now been returned to the Legislative Assembly. If passed in its current form, the law would impose a legal regime modeled on the European Union data protection framework and would regulate almost all processing of all personal data. It would require express written consent for many processing activities, and it would create a new data protection authority within the Ministry of Justice, the “Agency for the Protection of Citizens’ Data” (Agencia de Protección de Datos de los habitantes). This agency, also known as Prodhab, would have authority to inspect databases suspected of being mismanaged, and it could impose sanctions for noncompliance with the law. [Source]

HU – Ombudsman Voices Concern Over Citizen Survey

Hungarian Data Protection Ombudsman Andras Jori says government questionnaires sent to more than six million Hungarian citizens are not anonymous, and he’s asking for personal information to be deleted from the database. Jori last month launched an investigation into bar codes on the questionnaires that he suspected could reveal subjects’ identities. The questionnaires ask about pensions, welfare and education, and, according to Jori, the responses–and whether a citizen participates–could be interpreted as “giving a political opinion.” A spokesman for the prime minister said Jori’s office was consulted prior to sending the questionnaires and raised no personal data protection concerns. Jori has refuted that assertion. [The Budapest Times]

AU – Committee: Small Business Should Not Be Exempt

A parliamentary committee is calling on the government to scrap a provision exempting small businesses from Australia’s Privacy Act. The Australian Parliamentary Cyber-Safety Committee tabled a report raising concerns that small businesses with annual revenues of $3 million or less were exempt from the Privacy Act 1988. The committee recommends that the government drop the exemptions and undertake a review of businesses with “significant personal data holdings” since a “large proportion of the Australian private sector is not subject to any privacy laws.” The Australian Law Reform Commission said in 2008 that the exemptions were “neither necessary nor justifiable.” [Source]

AU – Australia’s New Data Retention Law

New legislation in Australia will require ISPs and other telecommunications carriers to retain data at the request of law enforcement authorities. Retention requests may be made without a warrant, but the authorities will need to obtain warrants to view the information. The legislation will “allow Australia to sign the Council of Europe Convention on Cybercrime treaty.” [Internet Storm Center] [Source] [Source]

PH – Lack of Legislation Raises Concerns

Manilla Bulletin reports on the Joint Foreign Chambers and the business processing outsourcing (BPO) industry’s warning that a lack of data privacy legislation is a growing concern for prospective investors. The country’s proposed Data Privacy Bill aims to benefit the growth of IT and BPO, while also protecting “citizens whose personal data are stored by government offices and commercial establishments,” the report states. In a statement to the Senate Committee on Science and Technology, industry leaders warn that without a law in place, there is a “real danger of losing investors to countries with a more favorable legislative framework” for privacy protection. [Source]

MY – Data Protection Office to Be Established

The Malaysian Ministry of Information, Communication and Culture plans to establish a government department to help implement the country’s new data protection law. According to Deputy Minister Datuk Joseph Salang, the office should be up and running by next year. At a press conference, Salang underscored the urgent need for personal data protection laws, saying, “Prior to the implementation of this act, personal data is only bound by contractual agreement or common law.” The Personal Data Protection Act was passed in 2010 and is expected to go into effect early next year. [Source]

PE – Personal Data Protection Law Expected in July

The Congress of the Republic of Peru has passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE), Hunton & Williams’ Privacy and Information Security Law Blog reports, noting that if it is signed into law, Peru will have “EU-style omnibus privacy legislation.” The law would include provisions establishing the National Personal Data Protection Authority within the Ministry of Justice, requiring consent for the processing of personal data, limiting communications monitoring and restricting cross-border data transfers. Peruvian President Alan García is expected to sign the law before his term ends on July 28, the report states. [Source]

Privacy (US)

US – Portion of Settlement to Establish Undergrad Privacy Program

Fourteen privacy organizations and nonprofits will split $6 million of the $8.5 million settlement approved by a federal judge in the Google Buzz case. Originally, 12 entities were to split the settlement, but U.S. District Court Judge James Ware has ruled that Markkula Center for Applied Ethics at Santa Clara University (SCU) and the Electronic Privacy Information Center should each receive $500,000, the report states. SCU’s Markkula Center says it will use the money to create an undergraduate curriculum on Internet privacy and a site that discusses users online choices about privacy. [MediaPost News]

US – Class-Action Status Sought for TCPA Violations

Lawsuits have been filed in a California federal court that claim Twitter and American Express Centurion Bank violated the Telephone Consumer Protection Act when they sent opt-out confirmation texts to the plaintiffs, Hunton & Williams’ Privacy and Information Security Law Blog reports. In each case, the defendants sent the plaintiffs a single text to confirm the requested opt-out. Both lawsuits are seeking class-action status and highlight “a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices,” the report states. [Source]

US – Supreme Court to Consider Issue of Warrantless GPS Tracking

The US Supreme Court will review the constitutionality of surreptitiously placing GPS devices on suspects’ vehicles without a warrant. The Justice Department maintains that “a person has no reasonable expectation of privacy in his movements from one place to another,” and is seeking to overturn a lower court decision that reversed the conviction and subsequent life sentence in prison for a cocaine dealer whose movements were tracked in this way. That case was decided in the US Court of Appeals for the District of Columbia Circuit; three other circuit courts of appeal have ruled that using a GPS device to track a vehicle does not require a warrant. The court will not make a decision before its next term begins in October. [Source]

US – Supreme Court to Review Privacy Harms Case

The U.S. Supreme Court has agreed to review a ruling that said an individual could sue a federal agency for emotional distress because of the release of personal information. The case, FAA vs. Cooper, 10-1024, involves a pilot who filed a lawsuit against federal agencies for disclosing his medical records during a fraud investigation, the San Francisco Chronicle reports. In February 2010, the Ninth Circuit Court of Appeals ruled in favor of the pilot, but the Obama Administration has argued that the 1974 Privacy Act does not allow damages for emotional distress. The plaintiff’s lawyer said, “More often than not, embarrassment and humiliation are the only damages…Unless these are compensable, it’s a free license to the government” to circumvent the law. [Source]

US – FTC Settles Charges Against Ad Network

The FTC has finalized its order settling charges that online ad network Chitika tracked consumers online after they’d opted out. The FTC alleged that from at least May 2008 to February 2010, Chitika’s cookies resumed tracking users 10 days after they’d opted out. Chitika said the opt-out was meant to last 10 years, but a glitch caused the error. The settlement bars Chitika from misleading consumers about the extent of its data collection and the control users have over the collection, use or sharing of their data. Additionally, every targeted ad must include a hyperlink allowing users to opt out for at least five years. [Source]

US – Vermont Law Barring Prescription Data Use for Marketing Found Unconstitutional

The US Supreme Court has struck down as unconstitutional a Vermont law that forbids the use of prescription data pharmacies collect to be used for marketing. In a 6-3 decision, the Court ruled that Vermont’s law violated the pharmaceutical industry’s First Amendment right to market their products. The Vermont law banned the use of the information collected by pharmaceutical companies for marketing purposes, but did allow the information to be used for health care research and educational purposes and could also be accessed by journalists, insurance companies and law enforcement agencies. The ruling is likely to quash the passage of similar laws in other states. [Source] [Source] [Source]

US – Committee Focuses on Do Not Track

“Consumers should not be expected to make tracking choices on a company-by-company basis,” said FTC Commissioner Julie Brill in an address on Monday at the Center for American Progress, adding that therefore, do not track should apply to mobile devices as well. The FTC published tips for consumers to protect their privacy when using mobile apps. Brill is also scheduled to testify at today’s Senate Commerce Committee hearing on privacy and data security. At the hearing, Consumers Union will present survey results indicating that 81% of Internet users favor a do-not-track mechanism, and the Commerce Department’s Cameron Kerry is expected to testify in support of consumer data privacy legislation, including do not track. [ClickZ]

Privacy Enhancing Technologies (PETs)

CA – Don’t Stop Anonymizing the Data

Two Canadian privacy experts have issued a new report that strongly backs the practice of de-identification as a key element in the protection of personal information. The joint paper from Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the University of Ottawa and the Children’s Hospital of Eastern Ontario Research Institute, comes as some privacy policy makers increasingly question the value of de-identification. Personal information can be routinely de-identified before it is used or disclosed for a wide range of purposes, such as research, where it is not necessary to know the identity of individuals. Recently, however, the practice of de-identification as an effective tool to protect privacy has been challenged by those who claim it is possible to re-identify individuals from seemingly anonymous data. Today’s report refutes this position, and further validates that anonymizing data is a reliable, safe and practical way to protect personal information. Launched at the University of Alberta’s National Access and Privacy Conference, the new paper entitled, “Dispelling the Myths Surrounding De-Identification: Anonymization Remains a Strong Tool for Protecting Privacy,” shows that the re-identification of properly de-identified information is not, in fact, an easy or trivial task, and rather requires concerted effort on the part of skilled technicians. De-identification is a vital first step in protecting privacy, by drastically reducing the risk that personal information will be used or disclosed for unauthorized or malicious purposes. [Source] [Ontario privacy boss slams geo-location as privacy risk] See also: [Is Anonymity on the Web Impossible?]

CA – Ontario Commissioner Calls for Privacy to be Embedded into Legacy Systems

Ontario’s privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it’s stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems’ ability to report users’ location data. [SC Magazine] [Source]


UK – Chips for Dinner: Edible RFID Tags Describe Your Food

A student at the Royal College of Art in London, Hannes Harms, has come up with a design for an edible RFID chip, part of a system he calls NutriSmart. The chip could send information about the food you eat to a personal computer or, conceivably, a mobile phone via a Bluetooth connection. The idea is that it could send nutritional data and ingredients for people who have allergies, or calorie-counting for those on diets, or maybe even telling your fridge when the food has gone off. It could even be used to market organic food, with a chip holding data about the origin of that tuna steak you just bought. [Source]


US – FISMA Compliance Metrics Focus on Continuous Monitoring

New Federal Information Security Management Act (FISMA) compliance metrics released by the US DHS require agencies to report on their implementation of automated continuous measurement of critical security risks. The memo stems from 2010 guidance requiring government agencies to begin moving to continuous security monitoring. [Source] [Source] [Source] [Source] [Source]

WW – Many Top iPhone, Android Apps Face Security Woes

Some of the most popular applications available for the iPhone and Android handsets suffer from serious security issues, a recent study from security firm ViaForensics has found. According to the security firm’s appWatchdog study, a slew of companies, including Foursquare, LinkedIn, Netflix, and WordPress earned a “fail” rating on storing sensitive data securely. Netflix’s Android application, for example, failed to “securely store passwords,” ViaForensics said. Surprisingly, the iPhone version of the Netflix app earned the highest “pass” rating for securely storing passwords. ViaForensics’ study is all the more concerning when one considers that mobile applications are becoming far more popular. Earlier this week, In-Stat reported that users will download 48 billion mobile applications to their smartphones in 2015. On Monday, Apple revealed that 14 billion apps had been downloaded from its App Store since 2008. Over 4.5 billion applications have been downloaded from the Android Market. [Source] [Lawsuit Alleges Smartphone Data Misuse]

US – Investigation Finds Apps Put Data at Risk

A computer security firm has found that some popular mobile applications store users’ personal data in plain text on their mobile devices. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. “Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker’s spokeswoman said that it’s necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. [The Wall Street Journal]

US – Cloud Storage Vendors Have Privacy and Security Hurdles to Leap

While off-site services may have the potential to tame the voracious storage beast, most respondents to an InformationWeek Analytics research report are skeptical when it comes to moving valued business data to a public cloud. Security, privacy and regulatory constraints lead the list of concerns; absence of a concrete business case and worries about lack of control, potential data loss, data availability and reliability/performance also factor into companies’ reluctance to store their information in the public cloud. [Source]

US – Body Scanners to Get Privacy Updates

Transportation Security Administration head John Pistole has said the agency is on track to equip half of U.S. airport body scanners with privacy filters by the end of the year. Meanwhile, in a article, Daniel Solove argues that, too often, debates about security vs. privacy employ inaccuracies to tip the scales in security’s favor. During times of crisis, Solove writes, the pendulum often swings towards greater security, with the promise that, when danger subsides, privacy provisions will again return. But, he writes, during “times of peace, the need to protect privacy is not as strong because we’re less likely to make such needles sacrifices.” [SecurityInfoWatch]

UK – British Intelligence Agency Replaces Online al Qaeda Article with Cupcake Recipes

The British intelligence agency MI6, along with GCHQ (the UK counterpart of the US National Security Agency), has broken into an online al Qaeda publication and replaced instructions for making a bomb with a series of cupcake recipes. The cyber infiltrators also removed several articles from the publication. [Source]

US – DHS Moves to Boost Security of Software

The Homeland Security Department unveiled a new system of guidance on Monday intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the “root-cause issues” behind cyberattacks, one official said. The announcement also includes a way to rate programming errors for importance in differing environments from embedded systems to web applications. The overall initiative is designed to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products. Colleges and trade schools need to take far more responsibility for ensuring their graduates who write programs can do so securely. [Source] [Source] [Source] [Source]

WW – Fifth Certificate Authority Suffers Breach

The security of a fifth certificate authority was breached earlier this month. While the attackers do not appear to have gained access to information that would allow them to issue valid certificates to themselves, the company, StartSSL, has indefinitely suspended issuing digital certificates. StartSSL says that existing certificates have not been compromised. In the past several months, several other certificate authorities have been attacked. A compromise at Comodo resulted in cyber thieves stealing valid certificates for some highly visible domains, including Google and Skype. [Source] [Internet Storm Center]

Smart Cards

US – Wireless Data Collection Suable Under Wiretap Act

A federal judge has found that Google can be sued for collecting private data from open wireless routers, saying that “plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act,” reports Wired. U.S. District Judge James Ware said, “In particular, plaintiffs plead that defendant intentionally created, approved of and installed specially-designed software and technology” used to intercept data from wireless networks. The report calls the ruling a “serious legal setback” for Google and notes that it also sets precedent for data collected through open WiFi networks in public spaces. Google maintains that the collection was a mistake and says the lawsuit is “without merit.” [Source]


CA – Civil-Rights Groups Wants Proposed ‘Spy’ Law Scrapped

Civil-rights groups are planning a summer-long campaign to raise awareness about a proposed law they say would force Internet companies to spy on their users. The law, called Lawful Access, would ask ISPs to implement technology that would intercept Internet communications of their customers. It would also require ISPs to give up basic identity information about their subscribers to law enforcement officials without a warrant. The law has been proposed in one form or another since 2002, but now it appears it will be included in an omnibus bill of tough-on-crime measures the Conservatives have pledged to table in the first 100 days of their mandate. Among those concerned by the proposed law is Canada’s privacy commissioner. “We have not yet seen a demonstrable need for the extent of access to personal information by law enforcement and national security authorities by the legislation that was introduced in the last parliament session,” said Chantal Bernier, the assistant privacy commissioner. “We believe any measure that seeks to put more personal information in the hands of government in general must be justified.” She said the office is concerned by the potential for abuse of power, especially since the proposed law doesn’t require authorities to get a warrant in order to obtain information, and has an internal control governed by the individual law enforcement bodies. The Net neutrality lobby group Open Media has embarked on a public awareness campaign about the proposed law. Labelled “stop spying,” 35,000 people have already signed a petition calling for the law to be scrapped, or at least dramatically changed. [Source] [Surveillance bill sparks privacy debate] [Bill C-51 will turn ISPs into Internet gatekeepers] and [Concealing data breaches like the Sony PlayStation hack punishable by jail under proposed US bill]

CA – Surveillance Cameras Deployed In Vancouver Despite Mayor’s Denial

The city manager’s office allowed the Vancouver Police Department to use 7 surveillance cameras downtown during the Stanley Cup playoffs to monitor crowds and guide emergency personnel. Mayor Gregor Robertson told the Courier prior to the start of the seven-game series between the Vancouver Canucks and the Boston Bruins that cameras wouldn’t be deployed. [Source] See also: [IN – Police halt Google Street View from filming in India until it gets security clearance]

CA – Cameras Keep Watch Over Sussex Drive

The town of Sussex is installing about three dozen video surveillance cameras in an attempt to safeguard its citizens and property. Six of the cameras have been installed at the community’s historic railway station. An unsolved case of arson last fall almost destroyed the structure. Town Hall also has cameras because youths have been climbing onto the roof. There are more cameras at a park that’s been repeatedly vandalized, as well as at the town arena, well houses and the reservoir. Sussex Mayor Ralph Carr said he did have some concerns about privacy. “But only people who have concerned about doing bad things have to worry. So, we find that people in general aren’t against it because they’re law-abiding citizens and they don’t mind,” he said. New Brunswick’s Privacy Commissioner is keeping an eye on the project. [Source]

US – Police Access City Cameras from Laptops and Smartphones

Officers of the Sandy Springs, Ga., Police Department will soon be able to use laptops and smartphones to browse and view video from various cameras located around the city. The project, which uses a software platform with a Google Maps interface, is part of the Police Department’s initiative to integrate technology from multiple vendors into one system. The department is currently in the process of integrating its computer-aided dispatch system, automatic vehicle locators and in-car police video cameras into the overall infrastructure. Authorized users will be able to view live and recorded footage from the city cameras by clicking on their location points on the Google map. For each camera, users will have the ability to pan, tilt and zoom, according to the department. [Source] See also: [CA – Pearson Airport worker used surveillance camera to spy on ex]

Telecom / TV

AU – Police Win Phone Data – New Laws to Invade Your Privacy

PY agencies and federal and state police will be able to order phone companies to seize customers’ personal data even before a warrant is issued under controversial changes to cyber security laws to be introduced. The cyber crackdown comes as the country’s intelligence agencies revealed they detected 250,000 cases of hacking in the past 6 months alone in which the passwords, account details and personal information of Australians had been stolen. However, authorities are being hampered from tracking evidence because phone companies are destroying personal data such as text messages often within 24 hours because of the sheer volume of data clogging their networks. Attorney-General Robert McClelland will introduce amendments to allow law enforcement and intelligence agencies to issue an immediate “non-destruction” order of cyber and phone data to phone and internet companies. It would allow them to preserve personal records of suspects before a formal warrant can be issued. Currently authorities can only order phone companies to hold data after a warrant is issued, often leading to the loss of crucial evidence in live cases. The new laws would also enable intelligence agencies to collect cyber evidence from other countries through an international treaty. The laws would apply to all electronic data including calls, texts messages, emails and computer or internet activity, and will require changes to both the cyber crimes laws and telephone intercept legislation. However, the laws would prevent agencies from actually accessing the seized information until the warrant was issued. If the warrant failed the data would be ordered destroyed. [Source]

WW – Info Retained by Smart Phones Raises Issues for Consumers

In recent months, controversy has swirled around the fact that smart phones, like Apple’s iPhone, store location information on its users, raising major privacy issues. But a leading computer forensics expert said that mobile devices store far more critical personal information on their owners – even after users think they’ve erased the data. Kris Haworth, president of The Forensics Group, one of the nation’s leading computer forensics companies, said consumers might be surprised to learn that the iPhone, iPad, Android, Blackberry and other mobile computing devices retain vital data in their memory despite attempts to delete it. “Most consumers have no idea when they trade in a smart phone or tablet computer that they’ve left a trail of very private and personal information behind – everything from private text messages and emails to their calling records, websites they’ve visited and even bank account passwords in some cases,” Haworth said. With the number of smart phones tripling in the U.S. over the past five years and many consumers regularly trading up for the latest models, the information retention could raise new privacy concerns for consumer groups – and create new opportunities for computer forensic companies. [Source]

CA – Watchdog Warns Smart Phones Lack Privacy Defaults

There are unintended consequences of having our smart phones and other wireless devices automatically collect data on our whereabouts, warns Ontario Information and Privacy Commissioner Ann Cavoukian. Privacy should be designed into cellphones and Wi-Fi systems to prevent the automatic collection and storage of personal data by the devices, which only continue to grow in popularity, Cavoukian said in a special report. There is a lot of concern about the capability of mobile systems to track our lives, without our knowledge, concludes Cavoukian’s report, “Wi-Fi Positioning Systems: Beware of Unintended Consequences,” which was jointly written with Microsoft’s former chief architect of identity, Kim Cameron. [Source]

IN – Mobile Phones in India: A Webless Social Network

India may be home to software giants, like Wipro or Infosys, which have thrived by harnessing the internet’s potential, but few of the country’s 1.2 billion people have so far embraced the web. Telecom Regulatory Authority of India reported that at the end of March the country had just 8.8m broadband connections. By contrast, it boasts some 812m mobile subscribers. According to Gartner, a market-research outfit, in 2013 Indians will send almost 192 billion text messages. [Source]

US – GroupM Takes Lead on Mobile Privacy Guidelines

GroupM has become the first agency to adopt mobile privacy guidelines. Those guidelines would limit the amount of data collected and shared from mobile devices in marketing campaigns by calling for publishers to mask UUIDs (universal unique identifiers that are on every phone) and giving users the opportunity to opt out of data collection and sharing. The guidelines are voluntary, but publishers and mobile ad networks that work with GroupM will be urged to adopt them. [Source]

US Legislation

US – Why Privacy Legislation is Hot Now (Peter Swire Op-Ed)

More than at any time in the past decade, privacy hearings and proposed legislation are spreading across Capitol Hill. Until now, you could always make money betting against a privacy law passing in Congress. Today, many experts are saying that momentum is building for major legislation, although the shape of that legislation is still unclear. This round of privacy action is driven by three historic trends, plus other factors that are coming together now. First is location data. Second is social networking. Third is online behavioral advertising. Along with these three mega-trends, Congress is seriously considering federal data-breach legislation, to harmonize state laws and address the Sony PlayStation and other high-profile recent breaches. Major cloud computing companies and civil liberties groups are supporting the Digital Due Process Coalition, which favors a judicial search warrant before law enforcement can gain access to the exabytes of data stored in the cloud. And, there is pressure on the international front, as the European Union considers tightening its own data privacy laws and as India, Mexico and other countries are in the process of putting EU-style privacy laws on the books. A flashpoint for action could be children’s privacy, where family-values Republicans and consumer-protection Democrats can most easily come together politically. Mark Zuckerberg has publicly discussed bringing under-13s directly into Facebook, but no one knows with what rules. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of the “Do Not Track Kids Act of 2011” to offer the choice not to have behavioral advertising and related tracking for those under the age of 13. And no one knows who will get to see the location information of children — parents will and stalkers won’t, but there are still-to-be-developed rules for those in-between. The biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector. The closest fit to the administration vision is the Kerry-McCain “Commercial Privacy Bill of Rights,” which notably would provide individuals with the legal right to opt out of having their information shared for marketing purposes. This sort of general legislation contrasts with sector-specific proposals, such as a recent bill by Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) that targets smartphone location information. With the convergence of all of these technical changes, the current period most resembles the late 1990s. [Source] See also: [US: Senator renews pledge to update digital-privacy law] and [US: Franken, Blumenthal introduce mobile privacy bill] and [US: Focus on Data Breaches Tops House Commerce Privacy Agenda]

US – Senate Lawmakers Call for Data Security Law, Less Certain Over Privacy

As federal officials grapple with ways to better protect the privacy and security of Internet users, participants at a Senate Commerce Committee hearing appeared to be in broad agreement over the need for data breach laws. But there was less agreement over online privacy laws, with lawmakers, regulators and companies debating “do not track” proposals and general privacy laws that consumers say they want but companies fear will hurt their bottom lines. [Source]

US – Proposed US Legislation Would Require Breach Notification Within 48 Hours

Proposed data breach legislation introduced by US Representative Mary Bono Mack (R-Calif.) would require companies to notify law enforcement authorities of data breaches within 48 hours. If the data compromised in a breach could be used to commit identity fraud, the company must notify the Federal Trade Commission within 48 hours and start contacting affected customers. The bill would also require companies to take reasonable steps to protect personal data, including collecting and storing only data they need. [Source] [Source]

US – CA Senate Again Take Up Bill on Web Privacy Info

California lawmakers took up a bill that has irked Facebook, Twitter and other social networking companies because it would require their websites to automatically set personal information to private. Senators began voting for a second time on SB242, after the bill failed a vote last week. An initial round of voting failed to generate the majority support needed. State Sen. Ellen Corbett, D-San Leandro, said her bill would protect users from identity theft and give parents better control of private information about their children. She said people often are unaware that personal information such as their home address and Social Security number can be available online for others to see. In addition to opposition from social networking sites, Internet companies such as Google, Yahoo and Skype have lobbied against the proposal, saying such regulation isn’t needed because companies already go to great lengths to protect individuals’ privacy. [Source] UPDATE: [CA Social Networking Bill Fails Again]

US – Proposed Bills Address Geo-Location Data Privacy

US legislators have introduced two bills aimed at privacy issues arising from geo-location data generated by wireless devices. Senators Al Franken (D-Minnesota) and Richard Blumenthal (D-Connecticut) have introduced the Location Privacy Protection Act, which would require companies to obtain permission from consumers before sharing geo-location data with third party entities. It would also require providers to inform users about what type of information is being collected. Senator Ron Wyden (D-Oregon) and Representative Jason Chaffetz (R-Utah) have introduced the Geolocational Privacy and Surveillance Act that would require law enforcement authorities to establish probable cause and obtain a warrant to request geolocation data. It would also prohibit sharing the data without users’ consent. [Source] [Source] [Source] [Source] [Source]

US – States Legislate Healthcare, Employee Privacy

Texas Governor Rick Perry has signed a healthcare privacy law that goes beyond HIPAA’s requirements. Rep. Lois Kolkhorst (R-District 13) says the push for electronic health records in the HITECH Act’s incentive program and the lack of federal HIPAA enforcement spurred the legislation, which will go into effect September 12 and will establish an infrastructure for state oversight and enforcement of healthcare privacy. Meanwhile, Oklahoma’s Supreme Court has upheld a lower court’s decision barring “state personnel officials from releasing the birthdates of state employees,” NewsTimes reports. The court said releasing such information could result in identity theft. [GovInfoSecurity]

US – Court: State Law Trumps HIPAA

A Michigan court case ruling could restrict the information physicians can release during legal proceedings. The decision follows a 2009 lawsuit, in which Michigan doctor Isidore Steiner alleged former colleague Marc Bonanni stole patients after leaving the practice, violating an established agreement. Steiner asked for a list of patient names Bonanni had seen at his new practice, citing the Health Insurance Portability and Accountability Act (HIPAA). But the court ruled that Michigan law, which prevents such disclosures, trumps HIPAA. A Michigan-based attorney predicts that “When entities do not want to disclose information, they’re going to use this case as their response.” [American Medical News]


16-31 May 2011


CA – Calgary: Technology Speeds Up Volunteer Police Checks

The Calgary police have unveiled a new digital fingerprinting process that will allow non-profit organizations to quickly run police checks on their volunteers. Calgary police process about 100,000 criminal record checks a year. The new identification system will not only help police solve crimes, but means fingerprints of potential volunteers can be checked within minutes instead of weeks or months. Of course, the system only flags people who have a conviction, said Chief Rick Hansen. Running police checks on 2,500 volunteer coaches and assistant coaches in the minor hockey system is painstaking work for Hockey Calgary. [Source]

WW – Schmidt: No Facial Recognition for Google

Google CEO Eric Schmidt, talking this week at the company’s “Big Tent” conference in the UK, said that Google is “unlikely” to create a facial recognition database, adding that the accuracy of the technology is “very concerning” and popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences. Schmidt also announced Google’s new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. “It is worth stressing that we can only do this with data you have shared with Google. We can’t be a vacuum cleaner for the whole Internet,” said Schmidt. [Source: No Facial Recognition for Google]


CA – Anonymity of Sperm, Egg Donors Ruled Unconstitutional

The BC Supreme Court has decided children of anonymous sperm donor fathers do have the right to learn who their dads are. Olivia Pratten has asked the courts to ensure donor records are preserved indefinitely and children can access them when they turn 19. The 28-year-old fought for years to learn the identity of her biological father, but was eventually told the doctor destroyed the records in the 1990s. The BC Supreme Court ruled it’s unconstitutional for the government to keep records secret or destroy them at any time. The government has 15 months to comply. [Source]

CA – “Lawful Access” Legislation Represents Unprecedented Invasion of Privacy

The internet is no longer simply an information revolution; it has become an integral part of our lives, and our increasing reliance on it has become a serious vulnerability. The Canadian government will soon table “lawful access” legislation, which will require internet service providers (ISPs) to record our contact information, set up a constant internet surveillance system, and report specific online exchanges upon request. This information would then be made available to law enforcement officials even if they did not have a court order or a warrant. When this legislation was initially proposed, Canadian privacy and information commissioners expressed grave concern about the implementation of such drastic measures. They noted that the range of information obtained could exceed that gleaned from a lawful wiretap, and that there were many gaps in the proposed oversight model. [Source]


CA – Court Rules Company Laptops Now Private Affair

The recent Ontario Court of Appeal decision in R v. Cole establishes that employees have a reasonable expectation of privacy in the personal use and contents of their work-provided laptop computers. The case involved a Sudbury high school teacher whose work-provided laptop was investigated by a school board computer technician after a higher than normal amount of network use was noticed. The technician accessed the content on the teacher’s laptop through the school server and found sexually explicit images of a student on the hard drive. The school obtained the laptop and turned it and two discs over to the police who searched both without a warrant and charged the teacher with possession of child pornography and unauthorized use of a computer. The Court of Appeal ruled that the teacher had a reasonable expectation of privacy in the personal use of his work laptop and in the contents of his personal files on the hard drive. Even though the laptop was owned by the school board and issued for work purposes, the court found that a reasonable expectation of privacy existed. The Court of Appeal ordered a new trial and that certain of the evidence obtained without a warrant could not be used. [Source]

WW – Groups Worry DHS Pushing EU to Weaken Privacy Protections

Privacy groups are concerned about data sharing talks between the U.S. Department of Homeland Security (DHS) and the European Commission, The Hill reports. In a letter to President Barack Obama and the Senate Foreign Relations Committee, the 11 groups said, “We fear that the United States may be pushing the Europeans to weaken their comparatively strong protections of privacy and other fundamental rights, rather than agreeing to strengthen U.S. protections and respect such principles.” The groups, which are also calling for a hearing on the topic, include the American Civil Liberties Union and the Consumer Federation of America. This week, a DHS spokesman said the belief that the “U.S. doesn’t care about privacy” is a misconception. [Source]

EU – CNIL to Increase Compliance Checks

The French data protection authority (CNIL) is warning companies and individuals that they should “exercise caution” when transferring data in and out of European countries as it plans to increase its compliance inspections. The CNIL said in an April statement that it plans to increase inspections by one third compared to last year, aiming to complete at least 400 this year. The checks, which will especially look at companies enrolled in the U.S.-EU Safe Harbor Program, will focus on telemedicine, storage of health data and consulting firms’ use of data from the Program of Medicalization of Information Systems, the report states. The CNIL has the ability to impose sanctions for violations of French data privacy law. [Source]


CA – Police Site to List People Charged With Drunk Driving

A Northern Ontario police department is launching a highly unusual program to publicize the names of all motorists charged with impaired driving, raising concerns it will stigmatize suspects before any guilt has been determined. The impaired drivers list, which will be released every Tuesday on the force’s website, starting on June 7, is meant to “detect, deter, and prevent the commission of impaired driving.” Many Canadian police forces regularly release lists of a range of charges laid against people -everything from murder to robbery to assault. But what appears to make Sudbury different is the intention to issue a specific list of just those charged with impaired driving, and make that information easily available. This is not the first time that police departments in Canada have tried similar tactics. In a number of jurisdictions police have released the names of “johns” as a way to discourage prostitutes and shame customers. Two years ago, a public list of accused johns was proposed by police in Lethbridge, Alta., and in 2004, Winnipeg police began posting clips of men soliciting sex on the Web but with faces and automobile licences blurred. The most daring attempt to shame potential criminals came in Cornwall, Ont., in 2009 when police began posting lawn signs in front of homes in which drug warrants had been executed and charges laid. The province’s privacy commissioner ultimately ordered the practice stopped. [Source]


EU – DPAs Release FAQs on Breach Requirements

Two German data protection authorities (DPAs) have issued a paper that addresses the data breach notification requirements under Section 42a of the German Federal Data Protection Act. The paper includes frequently asked questions that address breach notification procedures that private organizations and some public entities must follow to achieve compliance. The paper contains “practical guidelines” to help organizations identify when notification is required and appropriately comply with notification obligations. [Hunton & Williams’ Privacy and Information Security Law Blog]


US – Complaint Filed Against File-Sharing Service

A complaint was filed with the Federal Trade Commission last week alleging that a file-sharing service has been misleading customers about their privacy. Dropbox, a file synchronization and online backup service with more than 25 million customers, stated in its terms of service that all files were encrypted. However, security and privacy researcher Christopher Soghoian, who lodged the complaint, says the service uses a technique called “deduplication,” which usually results in poorer security and has “significant flaws,” and suggests Dropbox instead assign users individual encryption keys. A spokeswoman for the company said the complaint is “without merit,” and the issues were addressed in a company blog post in April. [InformationWeek]

EU Developments

UK – Websites Given 12 Months to Abide Cookie Law

Organisations and business that run websites aimed at UK consumers have been given up to 12 months to take action before enforcement of the new EU-conceived rules on cookies begins. The Information Commissioner’s Office, tasked with enforcing the stricter requirements for website owners, said the Privacy and Electronic Communications regulations do not contain a transitional period. But as the necessary technological changes to browsers to allow users more control over cookies “aren’t there yet,” the requirement that their “explicit consent” is given for the files to be used will not be enforced straight away. “So we’re giving businesses and organisations up to one year to get their house in order, “the ICO explained, releasing fresh guidance for website owners and consumers alike. [Source] See also: [Almost entire EU now violating Brussels cookie privacy law]

EU – EDPS Condemns Data Retention Directive

European Data Protection Supervisor Peter Hustinx said Tuesday that the 2006 directive on data retention does not adequately meet privacy and data protection requirements, Deutsche Welle reports. The directive has “failed to meet its main purpose,” Hustinx said in his 16-page opinion, adding that the need for data retention “as provided for in the Data Retention Directive has not been sufficiently demonstrated.” Hustinx is calling on the European Commission to consider repealing the directive for a more “targeted EU measure.” Cecilia Malmström, commissioner for home affairs, recently said the five countries that have not yet implemented the directive would face legal action, though she noted the directive’s “serious shortcomings.” [Source]

EU – European Commission Vows to Simplify Data Protection

The European Commission has vowed to simplify rules on data protection and is considering establishing a voluntary register for companies in non-E.U. countries that agree to abide by the region’s data protection standards. “The current lack of harmonization on data protection at European Union level comes at a huge cost and is detrimental to everyone, companies and citizens alike,” said Justice Commissioner Viviane Reding, adding that she plans to harmonize rules across the E.U. and clarify which law applies to a company active in several member states. This is good news for businesses. She also vowed to cut “excessively bureaucratic, unnecessary and ineffective” notification requirements, while at the same time saying she wants to introduce a mandatory data breach notification requirement, for all sectors: banking data, data collected by social networks or by providers of online video games. Echoing an opinion taken by the Article 29 Working Group (an independent data watchdog) earlier this week, the Commissioner also agreed to designate geolocation information as private data. “Movements of citizens should not be tracked without their explicit consent. Storing location data may lead to betraying the location of users,” said Reding. [Source]

EU – Breaches, CCTV Use Examined in Irish DPA Annual Report

Data Protection Commissioner Billy Hawkes released his annual report, and among the findings was a “dramatic increase in the number and significance of organizations that have lost personal data,” he said, up from 119 reports in 2009 to 410 in 2010. The report points to increased demands in a new code of practice as the reason, “rather than an increase in the absolute number of data breaches.” The report also looks at specific issues related to the use of biometrics and closed-circuit television (CCTV), highlighting one case where a school was required to remove CCTV cameras from its restrooms. The annual report also includes details on recent investigations. [Source

Facts & Stats

EU – Increase in Reported Data Breaches Likely Due to Code of Practice

The number of data breaches reported to Ireland’s Data Protection Commissioner (DPC) rose 350% in 2010. In 2009, the DPC received reports of 119 breaches, while in 2010, 410 breaches were reported. In a report, the DPC attributed the increase to “the more exacting demands placed on organizations by the code of practice rather than an increase in the absolute number of data breaches.” Data breaches from compromised websites have increased, while data breaches from lost or stolen laptops have declined. [Source] [Link to the DPC and the Code of practice]

CA – Execs Break Their Own Rules When it Comes to Mobile Policy

As awareness of the security risks around corporate mobile devices grow, the number of Canadian companies employing mobile device management (MDM) tools has jumped. However, a recent survey indicates that the leading violators of mobile security policies are company executives. In an online survey of 500 information security professionals from all industry sectors across Canada, Telus Corp. found that 45% of the respondents are willing to invest in MDM products. Revenue growth in the space, according to Telus, actually jumped from 13% in 2010 to 24% in this year. The telecom company also found that flouting company mobile security rules appears to more prevalent at the top of the corporate ladder. Executives are most likely to bring personal mobile devices into the company network. The breach of security policies by execs is partly attributed to their need to boost their productivity. BlackBerry seen as most secure smartphone. The loss of a mobile device containing corporate data for instance, he said, was identified as the number one concern among survey respondents in the government, private and public sectors who were asked to rank security issues on a scale of one to six. The use of another device to access the company network was a close second. Respondents in the private and public sector marked it as number two while respondents in the government sector gave it a three. Interestingly, the use of “untrusted application ecosystems” or third party apps ranked low. Respondents in the government gave apps a six, those in the private sector marked apps as five and the public sector said four. One Canadian security expert said that a two-tiered security policy is common place in both small and large companies. “Executives and managers are the very first ones to sign off on security policies and unfortunately the very first to break them,” said Claudiu Popa, president of security and privacy firm Informatica in Toronto. Companies need to take steps to protect company resources and data using steps such as:

  • Restricting what type of data and resources can be accessed using personal devices
  • Restricting access to data and resources through role-based rules
  • Encrypting company data and employing complex passwords
  • Using technology that remotely wipes data from lost or stolen devices
  • Employing web-based virtual desktop services such as Citirx and VMWare [Source]


AU – Aussie Banks Cancel 10,000 Credit Cards

The Australian banking system has been rocked by a mystery security breach which caused the immediate cancellation of over 10,000 cards. The Commonwealth Bank and the St George Bank initiated the alert via SMS to customers notifying them that their cards would be cancelled as part of precautionary measures. [Source]

NZ – Commissioner Proposes Changes to Credit Reporting

Privacy Commissioner Marie Shroff has proposed several changes to New Zealand’s Credit Reporting Privacy Code. A press release issued by the privacy commissioner noted that Amendment No. 5 will introduce a style of credit reporting similar to the system employed in the U.S. The new amendment will include ongoing reporting of repayment history, give credit reporters additional tools to assess creditworthiness and allow victims of identity theft to exercise a “credit freeze.” Supporters of the changes claim they will help New Zealand “climb” out of the recession, whereas skeptics are “very suspicious,” saying it is not a “transparent system.” Shroff noted, “There is no doubt that this would be a more intrusive regime, but I have tried to ensure that there will be benefits to individuals and the community as well as to business members.” [Source] [Report and Recommendations


US – Open Government Sites Scrapped Due to Budget Cuts

Budget cuts are forcing the White House to abandon plans for two new Web sites tied to President Obama’s ambitious open government efforts. Officials with the Office of Management and Budget said they’re scrapping a site that would have allowed federal employees to swap work tips and information and another that would have provided information on the quality of federal services to the general public. The cuts come after budget negotiators last month slashed the Electronic Government Fund from a requested $35 million to just $8 million. The fund helps finance government sites that track federal data, government contracting, government information technology and overall performance (respectively,,, the IT Dashboard and Those sites will continue at current levels, but “several projects will experience a sharp decline given the limited amount of funding,” White House Chief Information Officer Vivek Kundra said in a letter to Sen. Thomas R. Carper (D-Del.) Tuesday. “No project will go unaffected.” [Source]

US – Hacktivists Scorch PBS in Retaliation for WikiLeaks Documentary

A hacker group unhappy with PBS Frontline’s hour-long documentary on WikiLeaks has hit back at the Public Broadcasting System by cracking its servers, posting thousands of stolen passwords, and adding a fake news story to a blog belonging to the august PBS Newshour that was indexed by Google News, and spread rapidly through Facebook and Twitter, even after PBS pulled it down. In addition to the fake news story Sunday, the group tweeted links to pastebins of the internal IP addresses and names of PBS servers, a top-level view of PBS’ website database, and large caches of e-mail addresses and passwords, including those for 200 PBS affiliates around the country, dozens of PBS bloggers, and 1,500 third-party newspaper and media reporters who’d signed up for access to PBS’s “pressroom” of photos, clips and press releases. [Source] See also: [Mayor Nenshi releases names of visitors


CA – Youth DNA Collection a Burning Issue

There’s a good chance that an Ontario Court of Appeal ruling deeming automatic DNA collection for certain youth criminals to be constitutional will go all the way to the Supreme Court of Canada. David Rose believes the appeal court erred in its decision because society treats youth differently than adults in court. The appeal court released its decision in April in the cases of three convicted youths, K.M., J.B., and D.R. It followed arguments last November in a constitutional challenge of the mandatory collection of DNA from youth convicted of certain crimes such as robbery and assault causing bodily harm. The court ruled the practice is constitutional and thereby overthrew a decision by Justice Marion Cohen of the Ontario Court of Justice in 2009 in which she, after lengthy court proceedings, eventually ruled it infringes the privacy and security rights of youth. Cohen refused to make DNA collection orders in respect to the convicted youth. Cohen “said it was unconstitutional when it comes to young persons because young persons have certain statutory rights and enhanced privacy rights different from adults,” says David Rose, who represented the Canadian Civil Liberties Association in the appeal. [Source

Health / Medical

US – Report: Electronic Health Record Security Lacking

The Department of Health and Human Services Office of the Inspector General (OIG) has released two reports that offer “harsh” critiques of the department’s efforts to protect electronic health records. One report asks the Office for Civil Rights (OCR) to “ramp up” its compliance review efforts in order to make sure appropriate security controls are in place in healthcare facilities. The OIG found “a lack of general (information technology) security controls during prior audits at Medicare contractors, state Medicaid agencies and hospitals.” The OCR has noted the federal final rule covering changes to HIPAA will not mandate encryption. The second report, which addressed the HITECH Act electronic health record incentive program, concluded that the program did not adequately meet several security issues. One expert notes this is a “wake-up call to the healthcare industry.” [HealthcareInfoSecurity] See also: [CA – E-health Raises Issues of Data Management, Privacy: Panel]

US – HHS Proposes Changes to HIPAA Privacy Rule

The US Department of Health and Human Services has proposed changes to HIPAA that would allow patients to see the names of every person who accesses their electronic health records. Paper records would be exempt from the new rule. HIPAA currently gives consumers the right to know when their health information has been shared with 3rd parties, but patients must request that information. [Source] [Source] [Source] [Text of Proposed Rule]

US – HHS Releases Notice of Proposed Rulemaking

The Department of Health and Human Services has released its notice of proposed rulemaking on the HIPAA accounting for disclosures rule. The rulemaking would modify the HIPAA Privacy Rule “to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment and healthcare operations if such disclosures are through an electronic health record.” Said Wiley Rein partner Kirk Nahra, “This is a very worrisome and burdensome proposal that goes well beyond the approach identified by the statute. Companies across the healthcare industry and their business associates should be considering appropriate comments to address these burdens and complications.” [Source

Horror Stories

WW – 35m Google Profiles Dumped Into Private Database

Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, email addresses and biographical information made available in 35 million Google Profiles into a massive database that took just one month to assemble. University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It wasn’t hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list. What’s more, Google engineers didn’t impose any technical limitations in accessing the data, which is made available in an extensible markup language file called profiles-sitemap.xml. The code he used for the data-mining proof of concept is available here. “I wrote a small bash script to download all the sitemap-NNN(N).txt files mentioned in that file and attempted to download 10k, then 100k, than 1M and then, utterly surprised that my connection wasn’t blocked or throttled or CAPTCHA’d, the rest of them,” Koot wrote. In an accompanying blog post he said the exercise was part of a research project he’s doing on online privacy. “I’m curious about whether there are any implications to the fact that it is completely trivial for a single individual to do this – possibly there aren’t,” he wrote. “That’s something worth knowing too. I’m curious whether Google will apply some measures to protect against mass downloading of profile data, or that this is a non-issue for them too.” The database compiled by Koot contains names, educational backgrounds, work histories, Twitter conversations, links to Picasa photo albums, and other details made available in 35 million Google Profiles. It comprises the usernames of 11 million of the profile holders, making their Gmail addresses easy to deduce. The 35 GB of data excludes the full-text indexes and profile photos of the users. [Source]

CA – Honda Canada Facing Class Action Lawsuit Following Breach

Lawyers representing Honda Canada customers have filed a class action lawsuit against the automobile company over a data security breach that compromised information belonging to 283,000 customers. The breach occurred in March 2011, but Honda Canada did not start notifying customers until May. The compromised information included names, addresses, vehicle identification numbers (VINs) and Honda Financial Services account numbers stored on personalized web pages. Some customers who never entered the information are affected by the breach because the company pre-populated pages with customer data before asking them to customize their own pages. [Source] [Source] See also: [Sony reports new online security breach in Canada] and [Privacy concerns haunt Sony] and [Sony, Epsilon To Testify Before Congress] OTHER REPORTED BREACHES: [Banks on alert after merchant data breach] and [4,000 Employees’ Personal Data Compromised] and [Michaels Stores: PIN Pads Tampered

Identity Issues

WW – Facebook Adds Security Feature

Facebook has introduced an added layer of security to prevent account hijacking. Users must opt-in to the two-factor authentication feature, called Login Approvals, which requires supplying Facebook with a mobile phone number to which a one-time security authentication code will be sent when users try to login to Facebook from new devices. A new code will be required every time users attempt to login from a device that they have not designated as safe. [Source] See also: [AU – Journalist arrested after exposing Facebook security flaw]

US – Senator: Facebook Needs to Protect Children’s Privacy

During last week’s senate hearing on consumer privacy, Sen. Jay Rockefeller (D-WV) criticized Facebook’s efforts to protect children’s privacy. To ensure children under the age of 13 are not using the site, the company tasks 100 employees to monitor the posts of about 600 million users–a policy that Rockefeller said is “completely indefensible.” The publisher of Consumer Reports has written a letter asking Facebook CEO Mark Zuckerberg to strengthen efforts to protect children’s privacy. At a recent event, Zuckerberg said that he wants children under the age of 13 to use Facebook and that restrictions mandated under COPPA should be changed. “That will be a fight we take on at some point,” Zuckerberg said. Meanwhile, a bill in the California state legislature, SB 242, calls for social networking sites to have comprehensive controls to protect children and guidelines for privacy policies. [Source] [Facebook should allow under 13s says Mark Zuckerberg

Internet / WWW

WW – Hit Spammers at their Payment Processors

Nearly all financial transactions arising from spam operations are handled by just three banks, according to a paper from 15 researchers from the University of California at Berkeley, the University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics. The paper, which “follows the money” from spam around the world, is scheduled to be delivered next week at the IEEE Symposium on Security and Privacy 2011. The researchers gathered real spam data and made more than 100 purchases from the sites the messages led to. The three banks are Azerigazbank in Azerbaijan, DnB NOR in Latvia, and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. As potential solutions, the researchers recommend that issuing banks in the US refuse to conduct “card not present” transactions for known spammers. [Source] [Source]

WW – G8 Leaders Agree to ‘Key Principles’ on Digital Policy

G8 leaders agreed to “key principles” concerning freedom, privacy, intellectual property, crime and cyber-security in a communiqué last week following their meeting in Deauville, France. For the first time, an e-G8 summit—which featured prominent executives from Google Inc., Facebook Inc. and dozens of other leading companies—was held in Paris ahead of the leaders’ meeting May 26-27. The communiqué calls the Internet “the public arena of our time” as well as “a lever of economic development and an instrument for political liberty and emancipation.” “Freedom of opinion, expression, information, assembly and association must be safeguarded on the Internet as elsewhere,” it states, while “arbitrary or indiscriminate censorship” are contrary to international obligations and damaging to social and economic growth. However, the leaders also called for “national laws and frameworks for improved enforcement” to protect intellectual property, including international cooperation involving private sector. The communiqué calls for a stronger commitment “to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements.” It says the G8 leaders support “the multi-stakeholder model of Internet governance” and called for “flexibility and transparency” to keep up with the fast pace of technological change. Also last week, U.S. President Barack Obama appointed Twitter CEO Dick Costolo to an advisory committee on national security and telecommunications [Source]

US – Privacy: Users Aren’t Turning on Do Not Track Browser Features

Last year, the FTC suggested that consumers needed a way to tell online advertisers to bug off and not to follow their every online move. And Microsoft and Mozilla built Do Not Track tools into Internet Explorer 9 and Firefox 4, respectively. The problem? Very few online surfers are using those privacy features. At a recent privacy conference, Alex Fowler, Mozilla’s Global Privacy and Public Policy Leader, said only 1 to 2% of folks are using the new Do Not Track feature in Firefox 4. Part of the reason may be that the feature is difficult to find within Firefox’s setup options. Future versions of the Firefox browser-including the new Firefox 5 for smart phones just entering public beta testing now-will have the Do Not Track function “much more prominently displayed,” Fowler said at the conference. Making privacy protection tools easier to see and use could be a good step toward wider adoption among consumers. In Consumer Reports’ latest State of the Net survey, we found that one in five of respondents who are active on Facebook aren’t using the social network’s revamped privacy tools. Nearly two-thirds of those users don’t even know the privacy tools exist. Increased attention from federal lawmakers and regulators will help raise awareness of online privacy tools and issues as well. [Source]

EU – EU Commission May Publish Standardised Cloud Computing Terms

The European Commission (EC) has released a proposal that considers standardizing terms and conditions for using cloud computing services, how to address cloud security and who is responsible for data protection in the cloud. The commission is looking to businesses and public organizations for feedback on its consultation on “data protection and liability questions, in particular in cross-border situations.” The consultation looks at the existing legal framework for data protection in the cloud and asks respondents for specific updates that could be applied to the EU Data Protection Directive. Neelie Kroes, EC vice president for the digital agenda, said businesses can benefit from lower costs, improved services and new opportunities that come with cloud computing, adding, “We need a well-defined cloud computing strategy to ensure that we make the best use of this potential.” [OUT-LAW News] [The European Commission cloud computing consultation] [The European Commission press release

Law Enforcement

US – Buzz Settlement Approved; EPIC Gets Portion of Funds

A U.S. District Court judge has approved a settlement reached in a class-action suit over Google’s Buzz social networking feature. The settlement will see more than $6 million in funds distributed to privacy advocacy groups and mandates that the company undergo independent privacy audits for the next two decades. In approving the settlement, Judge James Ware also awarded the Electronic Privacy Information Center (EPIC) $500,000 in settlement funds, saying that “EPIC has demonstrated that it is a well-established and respected organization within the field of Internet privacy.” [Source


EU – EU Demands Explicit Geo-Location Permissions

The hopes of companies planning to use geo-location data to push products and services to mobile device users have taken a beating in the European Union, following a pronouncement from the European Data Protection Supervisor (EDPS) Peter Hustinx. His opinion that geo-location data should be considered private has been approved by the Article 29 Working Group. This means that mobile service providers will have to gain the user’s explicit permission to collect or relay location data. Implicit Permission Is Not Good Enough: The opinion document released by the working party states: “If telecom operators want to use base station data in order to supply a value-added service to a customer, according to the revised e-privacy directive they must obtain his or her prior consent. They must also make sure the customer is informed about the terms of such processing.” When it comes to phones and tablets using satellite geo-location, the situation is much the same. The report points out that processing location data and seeking patterns in a user’s daily travels is a sensitive area. Here too, prior “informed” consent should be sought, the group said. This position also applies when the device belongs to a company and is issued to a staff member. A company has to make a case that expresses why it is “demonstrably necessary” to geo-locate the user and this must be weighed against the fundamental rights and freedoms of the employee. [Source


SK – Comprehensive Data Protection Law Passed

On March 29, Korea passed the Personal Information Protection Act (PIPA), which will go into effect September 30. The law broadly restricts the collection, use and retention of personal data and puts limits on the use of closed-circuit television, while also providing for internal controls and litigation of data protection disputes. PIPA applies broad definitions to “personal information” and “data handlers” and will overlap the two data protection laws covering telecom service providers and entities handling credit information, respectively. It also requires data handlers to publish personal data handling policies and appoint an individual to be responsible for the data. [Source

Online Privacy

WW – Firefox Extension Collects Surfing Habit Data

A popular Firefox add-on has been found to collect data about every website the user visits through that browser. The extension, called Ant Video Downloader and Player, has been downloaded more than 7 million times. The tracking occurs even when users have turned on the browser’s private browsing mode or are using anonymity services. A Mozilla spokesperson said that the company vets every non-experimental public extension against a list of criteria. She acknowledged that Ant Video Player collects “information about websites users visit in order to power its ranking feature … and also includes a unique identifier in this communication.” She added that the practice was not disclosed in the extension’s description and that Mozilla has contacted that company and asked them to amend the description. [Source

Other Jurisdictions

WW – G8 leaders Agree to ‘Key Principles’ on Digital Policy

G8 leaders agreed to “key principles” concerning freedom, privacy, intellectual property, crime and cyber-security in a communiqué last week following their meeting in Deauville, France. For the first time, an e-G8 summit—which featured prominent executives from Google Inc., Facebook Inc. and dozens of other leading companies—was held in Paris ahead of the leaders’ meeting May 26-27. The communiqué calls the Internet “the public arena of our time” as well as “a lever of economic development and an instrument for political liberty and emancipation.” “Freedom of opinion, expression, information, assembly and association must be safeguarded on the Internet as elsewhere,” it states, while “arbitrary or indiscriminate censorship” are contrary to international obligations and damaging to social and economic growth. However, the leaders also called for “national laws and frameworks for improved enforcement” to protect intellectual property, including international cooperation involving private sector. The communiqué calls for a stronger commitment “to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements.” It says the G8 leaders support “the multi-stakeholder model of Internet governance” and called for “flexibility and transparency” to keep up with the fast pace of technological change. Also last week, U.S. President Barack Obama appointed Twitter CEO Dick Costolo to an advisory committee on national security and telecommunications. [Source]

SV – Slovakia: Anonymity of Census Data Questioned

Some citizens are refusing to fill out census forms or are returning completed forms without their numerical identifier, arguing that the procedures of the 2011 census violate their right to privacy. Critics also charge that residents are poorly informed about the census procedures. These were at least some of the reasons why 40 census-takers in Bratislava’s Old Town district resigned from their jobs mid-way through the census while another 100 were reported to have quit in the Petrzalka district of the capital. Concerns about anonymity seem to be the biggest source of controversy in the Slovakia’s census. [Source

Privacy (US)

US – Senators Want Laws to Address Smartphone Data Privacy

US legislators are calling for laws that protect smartphone users from having their location tracked. Senators Jay Rockefeller (D-WVa.) and John Kerry (D-Mass.) told the Senate Commerce, Science and Transportation Committee Subcommittee on Consumer Protection that there needs to be legislation that gives consumers control of their location information on smartphones and personal data on the Internet. They also said that the smartphone app market needs to be regulated; because this particular sector of the market is expanding so rapidly, “many consumers do not understand the privacy implications of their actions.” [Source] [Source] See also: [FCC steps into privacy debate over location-based data, announcing forum]

WW – Google Introduces TRUSTe Seal in App Marketplace

In response to concerns about the data handling practices of Web apps, Google has introduced a TRUSTe certification in its Apps Marketplace–the online store offering business-oriented Android applications, reports InformationWeek. The certification applies to installable applications and aims to clarify the makers’ privacy practices. To get certified, app makers need to answer a series of questions about data sharing and security. Certified apps will display the green TRUSTe seal. The report stresses, however, that the certification is “not a guarantee of security or proper data handling; it’s merely an assessment of whether a particular vendor’s self-reported practices fall within industry norms.” [Source]

US – Proposed Update to Electronic Surveillance Law Addresses Cloud Privacy

US Senator Patrick Leahy (D-Vermont) has introduced legislation that would reform electronic surveillance law. The Electronic Communications Privacy Act Amendments Act would require US law enforcement agencies to obtain probable cause warrants prior to accessing data stored with third-party providers, an increasingly timely issue with the growing popularity of cloud services. The ECPA, enacted in 1986, allows law enforcement agencies to access certain email and files stored in the cloud for more than 180 days with a subpoena. The proposed legislation would also require warrants when law enforcement agencies want to obtain geolocation information of mobile phone users. [Source] [Source] [Source] See also: [Editorial: Why Privacy Matters Even if You Have ‘Nothing to Hide’ by Daniel J. Solove ]

US – Does Sale of SAT, ACT Student Questions Violate Privacy?

U.S. representatives Ed Markey and Joe Barton will ask the College Board, owner of the SAT college entrance exam, for details on how it collects and stores data from students as the government seeks to bolster teen privacy laws. Markey, a Massachusetts Democrat, and Barton, a Republican from Texas, will request the same information from College Board competitor ACT Inc., including disclosure and privacy policies, in letters to the nonprofit organizations. Both companies collect data from millions of teenagers annually as they register for SAT and ACT tests, and then sell their names and personal information to colleges, which use them in direct marketing to potential applicants. While Markey and Barton introduced a bill this month to expand a children’s online privacy law to teenagers, the proposal doesn’t cover nonprofit companies, such as the College Board and ACT. “There should be some kind of regulatory control over what even a nonprofit can be culling from students,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group in California. [Source]

US – Report: Device Searches Need Probable Cause

A U.S. think tank released a report recommending that the U.S. Department of Homeland Security (DHS) have probable cause before searching electronic devices at its borders. “Technology is developing so much more quickly, and the law needs to catch up,” an expert said. By carrying electronic devices, travelers “are unknowingly subjecting volumes of personal information to involuntary search and review by federal law enforcement authorities,” the report said, and the “problem is compounded” because the devices often contain “personal and business-related information.” [The Globe & Mail] [Press Release] [Suspicionless Border Searches of Electronic Devices: Legal and Privacy Concerns with The Department of Homeland Security’s Policy]

US – California Proposes Smart Grid Data Privacy Standards

The California Public Utility Commission has issued a proposal on security and privacy requirements for smart meter data. The proposal would implement Fair Information Practices, requiring the state’s three utility companies and other smart meter operators to minimize collected data, use it only for the intended purpose unless consent is acquired for other uses and take reasonable steps to protect it. The commission’s report said, “access to detailed, disaggregated data on energy consumption can reveal some information that people may consider private.” An attorney at Hogan Lovells said the commission’s decision “represents a significant step towards a set of smart grid privacy rules in the United States” and noted Europe’s recently released guidelines. [Source] [Report

Privacy Enhancing Technologies (PETs)

US – Future of Privacy Forum Launches App Privacy Site

With hundreds of thousands of online and mobile applications already in use and more being developed, the Future of Privacy Forum (FPF) launched a new website to help application developers provide users with privacy protections. Supported by app developers, platforms and tech companies, is the only hub of its kind containing emerging standards, best practices, privacy guidelines, platform and application store requirements, as well as relevant laws and regulatory guidance. A recent survey by FPF found that 22 out of the 30 most popular mobile apps lacked even a basic privacy policy where consumers could learn about what data is collected or exchanged when they download the app. A recent study estimated that by 2016 the worldwide mobile app industry could achieve 44 billion downloads, and according to Facebook, people install 20 million applications every day on their site. Christopher Wolf, FPF’s founder and co-chair noted the importance of educating app developers on key data protection principles. “Apps often provide valuable services using people’s contacts, location and profile information. But unless users trust that their privacy will be protected, the use of Apps will decline and that would be unfortunate, as Apps provide innovative ways to interact over the Internet and contribute to the Internet economy.” FPF’s director and co-chair Jules Polonetsky emphasized the need to educate more developers about the importance of responsible data practices, “App developers with limited staff or resources can end up being responsible for the data of millions of users. Platforms and operating systems have roles to play, but app developers themselves need to be responsible for their own practices. We hope that will provide a one-stop shop for the one person start-up or the large scale company.” Facebook & AT&T will also be promoting the site to developers to help them navigate the development process. FPF’s leaders are urging other companies to do the same to help provide developers with this information. The site will also have an active presence on Facebook and on Twitter, using the handle @AppPrivacy. [Source


US – Attack on Lockheed Martin Network Linked to RSA SecurID Breach

Lockheed Martin has acknowledged that it was the target of a “significant and tenacious” cyber attack earlier this month. The US defense company’s security team detected the threat “almost immediately” and took action. Lockheed Martin released a statement saying that “our systems remain secure; no customer, program or employee personal data has been compromised.” The company suspended remote access to email and corporate applications after detecting the attack. The breach involved the use of RSA SecurID tokens to gain access to accounts, suggesting that the incident is linked to the security breach at RSA in March, in which cyber intruders broke into an RSA network and stole information related to SecurID. RSA has not said what information the intruders took. The Pentagon and the Department of Homeland Security (DHS) are helping Lockheed with the investigation into the incident. [Source] [Source] [Source] [Source] [Source] [Source]

WW – Microsoft Safety Scanner Finds Evidence of Attack or Infection on 5% of PCs

According to information compiled from Microsoft’s Safety Scanner, nearly five percent of PCs running Windows are infected with malware. The free malware scanning and scrubbing tool was launched on May 12; since then, it has been downloaded 420,000 times and removed malware or evidence of previous attacks from more than 20,000 machines. Seven of the top ten threats found by the tool were Java-based exploits. [Source]

WW – Windows Users Falling Prey to Social Engineering Tactics

About one out of every 14 programs downloaded by Windows users turns out to be malicious, Microsoft said. And even though Microsoft has a feature in its Internet Explorer browser designed to steer users away from unknown and potentially untrustworthy software, about 5% of users ignore the warnings and download malicious Trojan horse programs anyway. Increasingly, instead of hacking the browsers themselves, the bad guys try to hack the people using them. It’s called social engineering, and it’s a big problem these days. [Source

Smart Cards

CA – B.C. Privacy Watchdog Fears Smart CareCards

A B.C. privacy watchdog says he plans to investigate the introduction of smart B.C. CareCards by the province’s Ministry of Health. Darrell Evans — program director for the BC Freedom of Information and Privacy Association — says he’s concerned the smart cards will open the door to more sharing of sensitive personal information. The enhanced CareCards — with a photo and a security chip — will help reduce fraud, according to B.C. Health Minister Mike de Jong. De Jong said that, ideally, the smart cards could also be upgraded to include other government services. “I think the notion of having a card that allows citizens to access a broader suite of services from government, from the state, is an obvious next step,” the minister said. “But we’re going to do this one step at a time.” That rationale is just what worries Evans. “This card isn’t for empowering citizens,” he said. “This card is for empowering others to have access to data.” [Source]

US – Real ID-Compliant Drivers’ Licenses Adopted by Connecticut, New Jersey

New Jersey and Connecticut are the latest states to modernize their drivers’ licenses to comply with Real ID, the 2005 federal legislation that bolstered security and issuance requirements for drivers’ licenses and ID cards in response to the 9/11 terrorist attacks. New Jersey’s Enhanced Digital Driver License was adopted by all 39 Motor Vehicle Commission (MVC) agencies on May 11. “The new license, while similar in appearance to the old license, features more than 25 covert and overt features designed to reduce fraud and abuse through updated technology and enhanced security features that are known only to the MVC and its law enforcement partners,” according to an announcement from state officials. Connecticut is taking a different approach to the issuance of its Real ID-compliant drivers. Connecticut’s program, called SelectCT ID, will be phased in during the next six years in an effort beginning this fall, state officials announced last month. For those who are renewing their licenses, the Real-ID license appears to be optional. Those who wish to present original documents such as a birth certificate or U.S. passport will receive a gold star on their license or ID card that indicates it complies with Real ID. Those who decline the additional identity verification will receive a card marked “Not for Federal Identification.” [Source


US – White House Cyber Security Proposal Met With Criticism From Legislators

Critics of a White House cyber security legislation proposal say that it would allow government broader access to private information. The proposal calls for private organizations to share cyber attack data with DHS. It would take precedence over other laws’ limits on government access to private information. Companies sharing cyber attack information with the government would be immune from prosecution, harking back to the controversial immunity granted to telecommunications companies participating in the government’s warrantless wiretapping following the September 11 attacks. [Source] [Source

Telecom / TV

US – Senator Calls for Privacy Policies on Location-Aware Apps

In a letter to Apple and Google executives, Senator Al Franken (D-Minn.) has asked that the companies require privacy policies for “location-aware” apps sold for their products. Computerworld cites a recent study by TRUSTe and Harris Interactive that found less than 20% of the most popular free apps available through mobile devices are linked to privacy policies. Franken would like to see apps that track location data have straightforward privacy policies that clarify exactly what information is collected, how the data are collected and with what parties they are shared. [Source] [Source]

WW – Google Pulls Apps from Chrome Web Store Over Privacy Issues

Google has removed at least two games from its Chrome Web Store after learning that they were able to access all browsing history, website data and bookmarks on users’ computers. Google was alerted to the problem by a blogger who dug down into layers of links in the fine print to find a page that read, “This item can read every page that you visit… Besides seeing all your pages, this item could use your credentials (cookies) to request data from websites.” The broad permissions are the default installation setting for the extension. [Source] [Source] [Source]

WW – Mobile Phones are Great for Phishers, Researchers Find

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them. Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim’s user name and password on websites such as Facebook or Twitter. The problem is that mobile users are being trained to enter their passwords and user names into mobile apps. In tests, researchers have shown that it’s almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones. The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing. [Source

US Government Programs

CA – Opposition Slams ‘Flawed’ Consultations on Border Security

The Harper government is pressing ahead with plans to develop a joint Canada-U.S. border agreement on “perimeter security” and is giving Canadians until the end of this week to offer their views on the matter. But critics are calling the public consultations a sham because they involve a four-question online questionnaire most Canadians don’t even know about. “The process is entirely flawed when you have a closed-door consultation,” said the NDP foreign affairs critic Paul Dewar. The broad outlines of the border agreement were contained in a declaration released in February by Prime Minister Stephen Harper and U.S. President Barack Obama. Since then, officials from the two countries have been working behind the scenes on the details. The purpose of the negotiations is to establish an “action plan” on border security aimed at tightening protection against terrorists and easing the flow of cross-border traffic. On security, Harper and Obama want their governments to share more intelligence to disrupt threats early. There could be changes to passenger screening and improvements to verify identities of travellers. The countries could share more information about when someone has entered or exited the border. Parliament has been shut out of the picture and MPs have very little information about what is on the negotiation table. In Canada, the government has established a website — — which allows people to provide their “thoughts on initiatives that would improve security while supporting economic competitiveness, job creation and prosperity.” The deadline for submissions is June 3. [Source] See also: [US: One Brain, Hundreds of Eyes: Darpa Plots Manhunt Master Controller]

US – Pentagon to Release Cyber Warfare Strategy

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation. The Pentagon will release a plan that can serve as a warning and deterrent to would-be attackers. [Source] [Source] [Source] [Source] [Source] [Source] [Source]

US – NHTSA To Require Automotive Black Boxes

Next month, the National Highway Traffic Safety Administration is expected to declare that all vehicles must contain an event data recorder, known more commonly as a “black box.” The device, similar to those found in aircraft, records vehicle inputs and, in the event of a crash, provides a snapshot of the final moments before impact. That snapshot could be viewed by law enforcement, insurance companies and automakers. The device cannot be turned off, and you’ll probably know little more about it than the legal disclosure you’ll find in the owner’s manual. The pending mandate looks to some like a gross overreach of government authority, or perhaps an effort by Uncle Sam, the insurance industry and even the automakers to keep tabs on what drivers are doing. But if you’re driving a car with airbags, chances are there’s already one of these devices under your hood. [Source

US Legislation

US – Proposed Legislation Would Reform Digital Privacy Law

A bill introduced in the U.S. Senate would update a 25-year-old digital privacy law to require authorities to obtain a court-issued search warrant before retrieving a person’s email and other content stored in the cloud. The proposed legislation, introduced by Sen. Patrick Leahy, D-Vt., would amend a law enacted in 1986 called the Electronic Communications Privacy Act (ECPA), which set standards for government surveillance of telephone conversations and other electronic communications. “This law is significantly outdated and outpaced by rapid changes in technology,” Leahy said in a statement. He authored both the 1986 law and the proposed bill to amend it. The newly introduced ECPA Amendments Act would require authorities to obtain a search warrant based on probable cause before obtaining customer information from electronics communications, cloud computing or other technology service providers. Under current law, law enforcement does not need to acquire a search warrant to obtain email communications that have been stored for longer than 180 days. The proposed legislation would eliminate this rule and require a search warrant regardless of how old an email is. It would also implement new protections for geolocation information that is collected, used or stored by smartphones or other mobile technologies. If enacted, the bill would mandate a warrant to access or use an individual’s smartphone or other electronic communications device to obtain geolocation information. Leahy’s measure, however, does not do away with the FBI’s authority, under the national security letters, to obtain digital information about a person, without a court order, if authorities consider it relevant to a terrorism or national intelligence case. [Source]

US – Wyden Blocks Anti-Piracy Bill

US Senator Ron Wyden (D-Oregon) has put a hold on a bill unanimously approved by the Senate Judiciary Committee that would expand the government’s power to block and shut down web sites “dedicated to infringing activities.” The Protect IP Act (PIPA) would give the government the authority to bring lawsuits against the sites and get court orders that would require search engines to cease providing links to the sites. In a statement, Wyden said, “By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, PIPA represents a threat to our economic future and to our international objectives.” Wyden put a hold on similar legislation last year. [Source] [Source]

US – California’s Privacy Legislation Prompts Opposition

Dozens of companies—Including Facebook and Google—are teaming up to curtail two privacy bills that have been introduced in California’s state legislature. SB 761 proposes an online do-not-track mechanism, and SB 242 would require social networking sites to implement stronger privacy policies for users. In a letter opposing SB 761, the companies wrote, “Prohibiting the collection and use of this data would severely harm future innovation,” and in a separate letter opposing SB 242, the companies argued the bill is “unnecessary and would be difficult to implement,” The Wall Street Journal reports. A spokesman for one of the bill’s sponsors said, “We’ve had favorable feedback on the bill from constituents and the general public.” [Source]

US – Tennessee Law Prohibits Sharing Login Credentials

Tennessee’s governor has signed into law a bill that makes it illegal to share login information – usernames and passwords – with anyone, including family members. The law takes effect July 1 and applies only within the borders of that state. The bill is an expansion of laws that allow prosecution of people for stealing cable service or not paying for restaurant meals. People convicted under the law of stealing up to US $500 worth of entertainment could face a year in jail and a fine of up to US $2,500. For those convicted of stealing more than US $500 of content, penalties are greater. [Source] See also: [RI Senate Passes SSN Bill]

US – California Social Networking Bill Fails in Senate

A California bill aimed at protecting the privacy of online social network users was voted down in the state senate last week. The bill, by Sen. Ellen Corbett (D-San Leandro), would change social networking sites’ practices to set privacy defaults to “private” and allow users to customize privacy settings upon registering—before their information goes public. Opponents of the bill—which include some CA-based Internet giants—say the bill will hurt technology companies and ignores “the extraordinary lengths” online companies are going to protect consumer privacy. Corbett says she will reintroduce the bill for another vote this week. [San Francisco Chronicle]

Workplace Privacy

US – NLRB Takes Enforcement Action re: Facebook Firings

Organizations planning to fire employees based on comments they’ve made using social media may want to know about three recent enforcement actions taken by the National Labor Relations Board (NLRB). In an Info Law Group blog post, partner Boris Segalis provides details on the actions, the latest of which, he says, “makes a strong statement about the agency’s view on the scope of employee social media protection, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure consistency with the NLRB guidance.” [Source] See also: [Can Workplace Surveillance Tapes Be Used as Evidence in Canada?]


01-15 May 2011


CA – Alberta’s Privacy Commissioner Stepping Down

The province’s Information and Privacy Commissioner Frank Work has decided to step down when his term expires at the end of the year. Work has been with the office for all 16 years of its existence, including the last nine years as commissioner. Among the highlights of his career was a major expansion of the office when the Health Information Act was passed in 2001 and the Personal Information Protection Act was passed in 2004. “I am particularly proud of Alberta for being one of four jurisdictions in Canada to pass a private sector privacy act,” Work said in a statement released Wednesday. “I am proud of the fact we were instrumental in making Alberta the only jurisdiction in Canada to have mandatory breach notification across the private sector. Ensuring that Alberta Netcare is as secure and accurate as possible is another source of pride.” The province is expected to strike a special committee to conduct a search for a new commissioner. [Source

CA – Privacy Commissioners Unveil Tool to Strengthen Personal Data Security

The federal, Alberta and British Columbia Privacy Commissioners launched a new online tool that will help businesses better safeguard the personal information of customers and employees. The new Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law. Developed jointly by the federal, Alberta and British Columbia privacy commissioners’ offices, the tool can be used by any private-sector organization, particularly small and medium-sized businesses. The tool is comprehensive and detailed, but also offers users the flexibility of focusing on areas most relevant to their own enterprise. The self-assessment and analysis process results in a framework that organizations can use to systematically evaluate and improve their data-security practices. The Securing Personal Information Self-Assessment Tool is available via the commissioners’ websites:;; and [Source

CA – Clement Open to Large Fines for Massive Data Breaches

Industry Minister Tony Clement said he’s open to the idea proposed by Canada’s privacy watchdog to give her the power to slap corporations with huge fines if they don’t protect the personal information of their customers. Earlier this week, Privacy Commissioner Jennifer Stoddart said the federal government should update the country’s private-sector privacy law to include fines, given the “alarming trend toward ever-bigger” data breaches. The Conservative government’s most recent proposal to update the law – which died when the federal election was called – did not include any powers to impose fines. But the proposal stated a company would have to report a “material” data breach to the privacy commissioner if the company concluded that the breach indicated a systemic problem. [Source] [Data breach fines sought by privacy watchdog] SEE ALSO: [Geist: Tory majority gives Ottawa a crack at breaking the digital logjam] [Geist: Web surveillance legislation requires study, not speed] and [The Lawful Access Legislation: Does it Really Criminalize Linking & Anonymity?

CA – Ontario Appeal Court to Consider Privacy Tort

The Ontario Court of Appeal will soon have an opportunity to decide the vexing question of whether the common law recognizes the existence of a tort for invasion of privacy. Because PIPEDA doesn’t apply to individuals, the defendant will go free in the absence of a common law tort. The opportunity comes on an appeal from the December 2010 judgment of Superior Court Justice Kevin Whitaker in Jones v. Tsige. Christopher Du Vernet of Du Vernet Stewart in Mississauga, Ont., who represents plaintiff Sandra Jones, says the case has been making waves in legal circles. [Source]


WW – Study: Consumers Define Do-Not-Track More Broadly Than Web Companies

Initial results of a study of 200 Web users reveal that consumers might define the term “do not track” differently than Web companies. Preceding last week’s World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40% of respondents felt that “nothing at all” would be collected. 51% of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. 81% said it was the first time they had heard the phrase do not track. [Source

CA – Most Canadians Unaware of Online Tracking: Privacy Watchdog

Canada’s privacy watchdog said many Canadians don’t know how closely companies are tracking their online activities — much less are they providing informed consent. “We have some serious concerns about online tracking, profiling and targeting — and the fact that many Canadians don’t know what’s happening behind their computer screens, let alone agree to it. Children — who are going online at younger and younger ages — are even less likely to understand,” Jennifer Stoddart told a privacy symposium in Toronto, where she released the final report of public consultations held last year on privacy issues in the online world. Stoddart looked at the rich trail of data scooped up by companies and marketers when people browse the Internet, use social networking site or use geo-location functions of their mobile devices. In addition to calling companies to be more upfront with their customers about their practices, her report also flags issues with the growing popularity of “cloud computing.” By storing information and services on shared remote computers and accessed via the Internet or the “cloud,” companies can reduce their storage requirements and costs. Noting that even small- and medium-sized enterprises are embracing cloud computing with varying levels of technological security, the Office of the Privacy Commissioner’s report calls for the development of strong standards to ensure the security of personal information stored or processed on cloud services. The findings in the final report were drawn from the consultations, which included public events in Toronto, Montreal and Calgary, as well as 44 written submissions from industry, academics and advocates. Many of the participants highlighted a specific challenge with obtaining meaningful consent, especially involving children. [Source

CA – Online Canadians Trust Information from Media More than Other Sources: Report

A survey suggests Canadian web users may not want to pay for news, but they still trust content from the mainstream media over other sources. The latest report from the Canadian Media Research Consortium states that about 90% of wired Canadians consider the information they get from newspapers, television, radio and online news sites to be reliable. The percentages were a few points lower among those aged 18 to 34. Only 26% believed information from social networks is reliable – although the trust rating jumped to 40% among daily social media users – and 65% said they thought news from family and friends was reliable. When asked how much they trusted information from governments or major corporations, only 42% and 38% respectively found them very trustworthy or trustworthy. [Source] See also: [US: Customers stay despite high-profile data breaches]


CA – Online Election Voting Approved by Vancouver

Vancouver city council has approved online voting in November’s municipal election — pending approval by the provincial government. If the pilot project gets the green light, eligible voters would have the option of voting in advance polls by home or mobile computer. Councillor Andrea Reimer believes the technological shift could improve voter participation, which has dipped to about 30% in Vancouver. Council voted 10-1 for the project, with the opposing vote coming from Councillor Suzanne Anton. Anton said she was concerned about the potential for voter fraud and wanted more public consultation. Voters would be given a personal identification number to pre-register and then would be given another PIN, in a process designed to minimize voter fraud, according to city staff. [Source]


UK – Information Commissioner Gets New Powers to Fine for Spam Emails

Organisations that make unwanted marketing phone calls or send spam emails to consumers could face fines of up to £500,000, the Government has warned. Increased financial penalties will come into force later this month as part of amendments to the UK’s Privacy and Electronic Communications Regulations (PECR). Data protection watchdog the Information Commissioner’s Office (ICO will also be given greater investigatory and auditory powers). The changes to PECR will allow the ICO to fine businesses and other organisations for serious breaches of the regulations, including sending unwanted marketing emails and texts as well as making live and automated marketing phone calls. It can already administer fines of up to £500,000 for data protection offences. The ICO’s increased investigatory powers will allow the Commissioner to demand information from telecommunications companies and internet service providers (ISPs), to help with investigations into breaches of the regulations. Telecommunications companies and ISPs will also have to notify the ICO and their customers in certain circumstances if a personal data breach occurs. The ICO will be able to audit these companies and ISPs to ensure they comply with this requirement. Information Commissioner Christopher Graham welcomed the new powers and said guidance on the changes would be issued soon. The amended laws are being implemented to ensure the UK comes into line with new European data privacy laws. Under the EU’s Electronic Communications Framework, the ICO will also enforce new rules surrounding cookies and similar technologies which can be used to track user activity online. The Government indicated the plans as part of its response to the consultation around the Electronic Communications Framework, published last month. [ICO Statement] [Guidance] [Source] [Confusion Surrounds U.K. Cookie Guidelines] and [Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - S.I. 2011 No. 1208 - United Kingdom]

Electronic Records 

UK – Scotland Awards £1.1m Privacy Breach Software Contract

Health boards in Scotland will get access to an IT system which aims to enhance the protection of their patient records. The Scottish government has awarded a £1.1m contract for privacy breach protection software to Northgate Managed Services, for use by all health boards in the country. It advertised the contract last October. “It is important that the procured service or product has been proved to be capable of interfacing and is compatible with all major electronic clinical systems used within NHS Scotland,” said NHS National Services Scotland in a notice published in the Official Journal of the European Union. It adds that the service or product provided by Northgate should be able to “interrogate” data provided in the form of audit logs from existing clinical systems and highlight areas where potential privacy breaches have occurred. The software will also be expected to have an extensive reporting capability, including reports that contain information based on access date, demographic data and system user ID. [Source

US – Allina Fires 32 Employees Over Patient Privacy Violations

Nearly three dozen employees of Allina Hospitals and clinics were fired after allegedly violating the privacy of patients involved in a recent mass overdose incident. Allina confirms that 32 employees were dismissed for what they termed “a HIPAA violation.” 28 of them were from Unity Hospital, and four worked at Mercy Hospital. The employees are accused of looking up electronic medical records of patients treated at Mercy and Unity hospitals after a mass drug overdose in Blaine last March. 11 people were hospitalized and one died. Allina says those employees did not have legitimate patient care reasons to look up the information.[Source]

EU Developments 

EU – Websites Should Notify European Users About Privacy Breaches

Europe-wide laws which require telecommunications companies to notify users if their data is at risk should be extended, the European justice commissioner has said. Privacy rules created under the EU’s Electronic Communications Framework should be extended to cover online banking, video games, shopping and social media, Viviane Reding said in a speech. Current rules, which are being implemented in the UK as part of amendments to the Privacy and Electronic Communications Regulations, require telecommunications companies and internet service providers to notify their customers and national regulators of personal data breaches immediately. “I think it is important that users are notified if someone has unlawful access to their data,” Reding said. “It is essential for consumer confidence that they know what happens to their data.” Reding said that in the upcoming review of data protection laws in Europe she would investigate the extension of the data breach notification process to more than just telecoms companies. [Source

UK – Law Attorney Fined for Violation of Data Protection Laws

The UK Information Commissioner’s Office (ICO) has fined ACS:Law £1,000 for failing to adhere to data protection laws. The company gained notoriety for accusing people of illegal filesharing based on their IP addresses. None of the cases ever came to court, and some questioned whether or not ACS:Law had the authority to bring the lawsuits in the first place. The company has ceased operations and would have been fined considerably more, but the judge in the case chose to fine Andrew Crossley as an individual rather than the company. The fine is being imposed because of a breach that was an after-effect of a distributed denial-of-service attack launched against the firm’s website. [The Register] [BBC

UK – ICO Launches Code for Sharing Personal Data

The Information Commissioner’s Office has launched a code of practice aimed at guiding private- and public-sector companies on data protection when it comes to legally sharing personal information. The code of practice, which incorporates input solicited during the consultation period, can be applied in all sectors, said Information Commissioner Christopher Graham. “…We can be confident that it not only makes sense on paper but will work in the real world,” he said. “I would encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.” []


UK – Judge Issues Gag Order for Twitter

A British judge has banned Twitter users from identifying a brain-damaged woman in one of the first attempts to prevent the messaging website from revealing sensitive information. The ruling follows the publication on Twitter of a list of celebrities alleged to have tried to cover up sexual indiscretions by obtaining court gag orders. The injunction, dated May 12 and seen by Reuters, includes Twitter and Facebook in the list of media prohibited from disclosing the information. It was issued in the Court of Protection in the case of a mother who wants to withdraw life support from her brain-damaged daughter. It prevents the identification of the woman and those caring for her. [Source] [Tweets spark media storm

UK – Ex-Formula One Chief Loses Newspaper Privacy Case

Max Mosley, the former head of Formula One, has lost a high profile case at the European Court of Human Rights that would have required newspapers to warn people in advance before publishing details of their private lives. Mr. Mosley, who won an earlier landmark privacy case in the English courts against the News of the World newspaper, said the UK failed to impose a legal duty on newspapers to notify subjects in advance of a story appearing. Pre-notification would allow subjects to then obtain a court injunction preventing publication, he argued. However, the ECHR in Strasbourg ruled unanimously that there had been no violation of the European Convention on Human Rights, and that to introduce a pre-notification requirement would have a “chilling effect” on journalism. [Source]


CA – Insurers Must Inform Consumers that Credit Scores Will Be Used for Underwriting

B.C.’s Office of the Information and Privacy Commissioner has ruled that Economical Mutual Insurance Company must stop collecting and using credit scores until it provides customers with appropriate notification as required by the Personal Information Protection Act (PIPA). The May 6 order notes that The Economical did include a valid disclosure statement in its 2003 CSIO insurance application form but this was not adequate notice of the purposes of collection of credit information within the meaning of PIPA. “The consent statement on the complainant’s application form did not expressly say that credit information might be obtained for the purpose of underwriting,” the order reads. “In order to satisfy the notice requirements in ss. 7(1) and 10(1)(a) of PIPA, individuals must be informed that their credit information may be collected for the purpose of assessing future risk of loss in underwriting the policy. “Without this information, it is not reasonable to expect that a consumer would understand how Economical actually uses this information and therefore could not meaningfully consent to its collection for this purpose.” “Consumers are generally unaware of the use of credit scoring in risk assessment in the insurance industry,” B.C. Information and Privacy Commissioner Elizabeth Denham said in a statement. “This order underscores the need for organizations to obtain informed consent from their customers for the collection of their personal information.” [Full Order] [Source

US – Visa Pitches ‘Digital Wallet’

Visa is launching a centralized electronic payment system designed to make online shopping as easy as pulling out a wallet. Visa hopes its “digital wallet,” set to launch this fall in the U.S. and Canada, will make it possible for consumers to pay with any of their credit or debit cards using a single click or a tap of their cellphone and a single password, the company announced. “What that comes with is a place for customers to be able to centralize their credit, debit and pre-paid card information in a single secure location,” said Mike Bradley, head of products for Visa Canada. A customer could add any card they choose to the wallet, including competing cards. Unlike an old-fashioned wallet, Visa’s system won’t hold identification such as driver’s licences or health cards or photos of your loved ones – it’s not much more than a central customer account stored in Visa’s network that contains information about the customer’s payment card accounts. Merchants can sign up to link into an electronic system through their website so they can accept payment from the wallet. Bradley would not say what kind of fees would be involved for merchants, consumers or the institutions that issue cards placed in the wallet. If the merchant accepts both the digital wallet and the payment card that the customer wishes to use, the customer enters an email address or username and a password to pay. There is no need to enter a billing address and payment information. [Source] See also: [Stop ID thieves from stealing your kid’s credit]


CA – Top Court Says PM, Ministers Not Subject to Info Law

The public does not have a right to access all documents in the offices of cabinet ministers or the prime minister, the Supreme Court of Canada ruled in a unanimous decision. The top court upheld a Federal Court of Appeal decision, and sided with the federal government in a decade-old legal battle with the information commissioner. Had the federal government lost its case Friday, it could have vastly expanded the scope of Canada’s access-to-information law. The case involved a number of legal issues related to the access-to-information law that stipulates what government documents can and cannot be made public. The Supreme Court rejected four different appeals from the information commissioner. But the decision does not mean that all records within the Prime Minister’s Office and the offices of ministers are off-limits to the public. Some records can be accessed if they are determined to be under the control of the government institutions that are led by the prime minister or a minister. What “control” means, however, is not defined in the access-to-information legislation. A lower court judge in this case developed a test to use when interpreting the meaning of the word and whether the access-to-information law would therefore apply. The Supreme Court, in its decision, accepted that test and slightly modified it. Physically locating a document in a minister’s office or the PMO does not provide protection for it, according to the courts. The first step in the test is to determine whether the record relates to a departmental matter. If it does, Step 2 then asks whether a senior staff member in the department, such as a deputy minister, should reasonably be able obtain a copy of the record. If the answer is yes, the record should be disclosed to anyone who requests it. [Source] See also: [Provincial NDP grills Grits over access]

Health / Medical 

US – Large PHI Data Breach Incidents Now at 265

The number of large health data breaches reported to the Office for Civil Rights (OCR) is now at 265. As a provision to the HITECH Act, the OCR now posts entities who have reported a breach of personal health information that affects more than 500 individuals. The single largest reported breach affected 1.9 million individuals. In the 15 months since the OCR began posting the breaches, there has been an average of nearly 18 per month, or slightly more than one every other day, the report states. [HealthLeaders Media]

Horror Stories 

US – Michaels Breach Affects Customers Across the Country

Craft store chain Michaels now says that point of sale terminals at stores across the country have been tampered with, compromising customers’ financial information. The thieves appear to have been after payment card data. The issue first arose in the Chicago area, but the company now says that compromised payment terminals have been found at stores across the US. Michaels discovered the situation after they were informed by authorities that fraudulent payment card transactions had been traced to cards used at certain of its stores. An official statement from Michaels says that fewer than 90 PIN pads were found to have been affected. [Krebs] [Press Release

WW – X Factor Contestants Warned After 250,000 Data Breach

Would-be contestants of Simon Cowell’s US X Factor might have got more public exposure than they bargained for with the news that the details of 250,000 of them have been lost after an attack on the TV show’s database. The records were stolen from TV network Fox Broadcasting and included personal information such as names, addresses, phone numbers and dates of birth, but not credit card details, said UK tabloid, the Daily Star, which broke the news. “This week, we learned that computer hackers illegally accessed information you and others submitted to us to receive information about The X Factor auditions,” read an email sent to those affected by the attack. The worry now is that criminals will use the data to mask social engineering or identity attacks.[Source] SEE ALSO: [Proposed class action suit filed against Sony] [Suit Seeks $1 Billion in Damages] [Sony May Offer Reward in PSN Attack | Source] [Sony PlayStation Network (PSN) Hack | Summarized] [Sony PlayStation Network Relaunch Delayed | Source | Source] [New York AG Subpoenas Sony Regarding How it Represented Site Security] [Sony Calls in Forensic Experts | Source | Source] [SOE Intrusion Discovered During PSN Breach Investigation] [Sony Declines to Testify at House Subcommittee Hearing on Breach | Source | Source | Source | Source | Sony’s Letter]

Identity Issues 

EU – ENISA Issues Report on Managing Multiple Electronic Identities

The risks to managing multiple identities (“IDs”) include an identity’s lifecycle (e.g. the longer the lifespan, the greater the challenge in keeping that ID secret), ensuring that policies agreed with an initial ID provider are respected by subsequent recipients of any ID data (e.g. when a company holding data is purchased by another company), revocation (e.g. failure to revoke means that defunct ID data makes it unclear which record relates to a particular subject, and increases the potential for a system to be compromised because it will continue to allow access), and attacks that rely on multiple IDs (e.g. whitewashing involves the creation of a new ID intended to subvert the system when an existing reputation falls below a tolerable level, and a sybil attack involves the creation of multiple IDs (sybils) to distort ratings within a reputation-based system). Priorities should include making digital IDs portable (so the user can choose both the ways in which they present themselves and the type of device on which their data is held), using partial IDs to protect privacy by respecting the principle of minimal disclosure (e.g. select attributes from a subject’s full collection of IDs that can be combined according to particular needs), using renewals (different IDs may need to be renewed or replaced several times throughout an individual’s lifetime due to changes in appearance or new types of attacks), clarifying the legal position (e.g. regarding anonymous data and revocation), and sufficient enforcement powers and increased penalties for deterrence on the part of data protection authorities. [Source] See also [Facebook restores other Mark Zuckerberg’s profile]

WW – Anonymous IDs on iPhones, iPads Can Reveal Your Identity

Security researcher Aldo Cortesi last week published his discovery of a flaw in the unique device identifier (UDID) stored on each iPhone, iPad and iPod Touch. While this device identifier is well-known, it’s not supposed to be connected to a person’s actual identity. But Cortesi discovered that some apps can link the identifier to the phone owner’s Facebook profile, which effectively puts a face behind that string of numbers and letters. “It’s like a permanent, unalterable tracking cookie that can’t be changed and that the user is not aware of,” Cortesi told “The UDID idea has got such deep flaws because it literally identifies the device.” Apple and iOS app programmers use the 40-character string of letters and numbers as a method to identify each device uniquely, and presumably anonymously. The UDID is permanently tagged to the device, and it can’t be erased or changed. [Source

US – California DMV Online Identity Service More Popular Than Expected

Some California drivers may cringe at the thought of going to a Department of Motor Vehicles field office to take care car or license issues. Now they can avoid that step with an on online tool at their disposal – the option to establish identities through the DMV website to access more Web-based services. Last fall, DMV set up an identity and access management system with its partner IBM to allow users to set up a user name and password on its website. Since then, more than 1 million users have created online identities. The rapid popularity is a surprise to the DMV, which didn’t anticipate the quick response. Once users create an identity for the site, they can access services such as driver record, vehicle registration information and registration renewal reminders. In the future, the DMV is slated to roll out more applications accessible through an online user identity. The California Employment Development Department (EDD) is in the process of developing a similar identification access management system. In the future, the DMV and the EDD will integrate their systems so that users can access services from both departments by using one identity, Soriano said. [Source

CA – Lac Carling: Belgian IT Ministry Shows Off Electronic IDs

Belgium is using electronic identity cards (eIDs) to manage all kinds of public services, from birth registration to getting beer out of a vending machine. FEDICT, which stands for Federal Government Information and Communications Technology Service connects’ citizen data to the relevant ministries through a fibre optic network called FEDMAN, with a federated service bus that governs who accesses information. The eID card is the common key. Belgium attempts to keep version control and security n part by not replicating databases, Leyman said, and those in the public service can only access the information for which they have clearance, which limits the potential for misuse. While some citizens may balk at the idea of having to swipe an eID card on a routine basis, Leyman said the government offers a simple online tool called, which keeps a record of all the information Belgium has collected about citizens through the card, and which civil servants have accessed specific pieces of information. Citizens can then inquire why certain personal details were accessed. “Almost nobody goes there,” he admitted, “but this stupid little Web site does a tremendous amount towards generating trust from our citizens.” FIDECT is also in talks with other EU countries about extending the functionality of the eIDS so they can be used outside of Belgium, Leyman said. [Source]

Intellectual Property 

US – Proposed Anti-Piracy Bill Increases Government Authority

Legislation introduced in the US Senate would increase the government’s authority to disrupt the availability of and close down websites that are “dedicated to [copyright] infringing activities.” The Protect IP Act, sponsored by 11 senators, would grant the government the power to bring lawsuits against the websites and obtain court orders prohibiting search engines from returning the sites in their results. [Source] [Source]

Internet / WWW 

WW – Google to Appeal in Swiss Street View Privacy Battle

Google said that it will appeal to Switzerland’s highest court against a ruling ordering the Internet giant to ensure that all people and cars pictured on Street View are unrecognisable. The official Swiss data protection watchdog took Google to court in November 2009 after complaining on several occasions that the service’s coverage of Switzerland flouted privacy rules, following similar complaints elsewhere in Europe. Google warned that it might be forced to shut down the facility for Switzerland even though it was used by what it said was “half of the Swiss population.” Google’s global privacy counsel, Peter Fleischer said: “Ninety-nine percent of people are not identifiable.” “The decision of the Federal Administrative Tribunal requires us to guarantee that 100% of faces and licence plate are not identifiable. We simply cannot comply with that. [Source

WW – Google Services Prompt Questions, Investigation

The Center for Digital Democracy (CDD) is asking the FTC to require Google to remove statements in its privacy policy that its behavioral advertising program does not collect PII. Asking the FTC to include behavioral targeting restrictions in its proposed Buzz settlement, the CDD wrote, “the commission should require Google to revise its policies to reflect the inherently personal nature of cookies and related data targeting and collection applications.” Meanwhile, police in South Korea are investigating Google’s privacy policies over what one official said are concerns that the company’s “AdMob collected personal location information without consent or approval from the Korean Communication Commission.” [MediaPost] [South Korean police raid Google

US – White House Reveals Cyber Security Plan

A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country’s critical infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. [Source] [Source] [Source] [Source] [Whitehouse Fact Sheet]

Law Enforcement 

UK – Police Buy Software to Map Suspects’ Digital Movements

Britain’s largest police force is using software that can map nearly every move suspects and their associates make in the digital world, prompting an outcry from civil liberties groups. The Metropolitan police has bought Geotime, a security programme used by the US military, which shows an individual’s movements and communications with other people on a three-dimensional graphic. It can be used to collate information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs. Police have confirmed its purchase and declined to rule out its use in investigating public order disturbances. Campaigners and lawyers have expressed concern at how the software could be used to monitor innocent parties such as protesters in breach of data protection legislation. Alex Hanff, the campaigns manager at Privacy International, called on the police to explain who will decide how this software will be used in future. [Source

CA – Alberta Police Access to Missing Persons’ Info Broadens

Alberta police can now access financial records to help locate missing people in the province. The Missing Persons Act, passed May 10 in the Alberta Legislature, allows officers to access personal information, including telephone and banking records, to help locate missing people, even if police determine a crime has not been committed. Previously, this information was only accessible if officers determined a crime had been committed. On average, Edmonton has 1,800 missing persons cases each year, many of which are youth, people with Alzheimer’s or people with mental disabilities. Sgt. Rod Appelt with the Missing Persons Unit says the new legislation eliminates some red tape associated with accessing vital information. “If it’s a youth or someone who we believe may be in trouble, we certainly would like to access their cell phone records, or banking records as quickly as possible,” says Appelt. Officers used to have to prove a crime had been committed to obtain a search warrant from a judge. Now no crime is needed to search for the necessary personal information. In the coming weeks, Olson says, ministry staff will be working in tandem with Alberta police forces to hammer out exactly how the act will be implemented. [Source]


US – DoJ Wants Providers to Store Location Data

The US Department of Justice wants wireless carriers to retain location data to be used in criminal investigations where that information would be crucial to solving the crime. Deputy Assistant Attorney General for the criminal division Jason Weinstein made the request at a hearing of the Senate Judiciary Committee Subcommittee of Privacy, Technology and the Law, which was called over concerns about iPhones storing location data without users’ permission. [InformationWeek] [CNET

US – Verizon to Put Location Warning Sticker on iPhones

Expect to peel off one more warning sticker when you buy an iPhone from Verizon Wireless. In a letter dated April 19, 2011, and addressed to U.S. congressmen Ed Markey and Joe Barton, Verizon detailed the processes it uses to protect customer privacy and revealed plans to begin adhering the warning sticker pictured here to any new device capable of tracking its owner’s location. [Source

WW – TomTom Announces Plan to Sell Data

Shortly after getting heat in the Netherlands for selling data that was used by police to set speed traps, TomTom Australia has announced plans to sell user data to third parties. The company’s vice president of marketing says they’ll have to figure out how to ensure the data won’t be used for speed traps but gave assurances that it cannot be tracked back to an individual. Australia Privacy Commissioner Timothy Pilgrim said companies that provide GPS devices should be clear about their practices, adding that he has concerns about data aggregation, “where pieces of individual data can be put together to build up a profile.” [The Sydney Morning Herald

WW – Apple iOS Update Addresses Location Data Issues

Apple has released iOS 4.3.3 to address three flaws associated with location information in iPhones, iPads and iPods. The update reduces the amount of location stored to one week’s worth. It also alters the operating system so that it will not back up the cache to computers while synching devices. Finally, the update deletes the cache from devices when users disable Location Services in iOS Settings. The update was released just a week after Apple said it would fix the problems. Apple says that the next major update for iOS will include encryption for location information on devices running the operating system. [BBC] [ComputerWorld] [The Register

EU – EU Advisory Board to Issue Geolocation Opinion

The Article 29 Working Party will publish an opinion this month announcing that location-based data must be handled like names, birthdays and other personal data. Mobile phone and Internet companies would likely have to get consent prior to data collection, delete the information in a timely manner and keep the information anonymous. The opinion will not be binding, but, the article suggests it would likely be used as a guiding principle by several national regulators. “Geolocation data has to be considered as personal data,” said an EU official. “The rules on personal data apply to them.” [The Wall Street Journal]


IN – New Indian Privacy Regulations Stricter Than EU, U.S. Provisions

In a client alert, Morrison & Foerster reports on a “dramatic transformation” in the privacy landscape for India with the issuing of final regulations for the protection of personal information. The Information Technology Rules 2011 “apply to all organizations that collect and use personal data and information in India,” the report notes, and represent the implementation of parts of the Information Technology Act. The rules include a provision for prior written consent for the collection and use of sensitive personal information in what the report’s authors, Miriam Wugmeister and Cynthia Rich, describe as much stricter provisions than current laws in the EU and U.S. As a result, “U.S. and European multinational businesses…may have to adjust their personal data collection practices to conform to Indian data protection rules,” the report states. Among the provisions in the regulations, organizations will be required to provide privacy policies and give individuals notice when information is collected, grant data subjects access and put in place the right to correct any personal data that has been collected. Information must also be secured, and a dispute resolution process must be put in place, the report states. “Given the scope of the Privacy Rules, it appears that every company in India and every company that sends data to a service provider in India will be affected by these new rules,” Wugmeister said. [Source] [Source]

Online Privacy 

WW – Facebook Apps Possibly Leaked User Information (Again)

Security researchers at Symantec reported that hundreds of thousands of Facebook apps have been inadvertently leaking user data to third party developers for years due to a programming error. Facebook acknowledged the issue, but claimed that information was never accessible thanks to contracts the social networking giant has with third parties and assured worried Facebook users that they had no evidence of information being used in ways that violated company policies. According to the Symantec report, a faulty API was accidentally transmitting access tokens to third parties like advertisers. This error allowed third parties access to users’ accounts, including profiles, chats, and pictures, as well as enabled the parties to mine personal data and even post messages on users’ walls. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.” Symantec offered some assurances, though, saying that they have worked with Facebook to fix the error since its discovery and that many of the third parties likely had no idea they had access to this information. They did advise users to change their passwords just in case, however, since this will lock out any third party who may have access to this information. Given that there is no way of knowing just how many access tokens were leaked since Facebook started releasing apps back in 2007 and there is a chance that the tokens are still being used by advertisers or available in log files in third party servers, all Facebook users should strongly considering changing their passwords in the near future. [Source] [ Congressmen Press Facebook on Privacy Security Flaw (Again) | letter

WW – Study: Most Apps Lack Policies

A Future of Privacy Forum (FPF) study examined some of the most popular mobile applications available for major platforms and found that 22 of the top 30 have no policy stating how the app treats personal data. “Without a privacy policy to review, consumers may not have the ability to understand and control the use of their personal data by the apps,” the FPF said in a blog post. The FPF is currently working with the Center for Democracy and Technology to come up with privacy improvements for app developers. The study comes on the heels of a senate hearing on mobile privacy challenges. [MediaPost News] [FPF Blog post

US – Facebook, Google, Yahoo Fight “Do Not Track” Privacy Measures

There’s a growing social and legal momentum behind the “do not track” initiative to protect online privacy, but now Facebook and Google are opposing the legislation, hinting that job losses and profit cuts could be the result. Are there slightly dirty tricks afoot? Californian legislators are slowly pushing ahead with a Do Not Track law introduced by Senator Alan Lowenthal, which would force Net companies to allow consumers to easily and effectively opt out of personal data being collected online–violators could face civil legal action. Lowenthal has noted that in his opinion legislation “is consistent with California’s long history of championing privacy issues.” But now Facebook, Google, Yahoo and other companies have written to Lowenthal to state their specific objections. “The measure would negatively affect consumers who have come to expect rich content and free services through the Internet” is one of their counter-arguments, along with an allegation that a no-track law would make the public “more vulnerable to security threats.” Also, forcing the law through would “prove costly to the state” and also “cumbersome for the Attorney General to figure out how to regulate under the bill and to enforce the law.” Essentially the letter’s signatories say the proposed law would deplete user experience of online services (and potentially stifle innovation), put them at risk from Net criminals in ill-determined ways (an allegation that could scare users), be expensive to enforce, and potentially spawn extra work and maybe legal cases at a governmental level. Oh, and as an extra point the firms note that Net-related businesses are the fastest growing source of jobs in California. Putting this at risk, they argue, would damage the state’s potential employment figures. That’s a broad list of reasons–each of which, by itself, could really affect the current model for how websites make money from users, or force lawmakers to reconsider. If they’re true. [Source] See also: [Facebook Busted in Clumsy Smear on Google

UK – ICO Publishes Advice on Cookie Law

Businesses should gain user consent for cookies that collect statistical information or remember user preferences, according to the UK privacy authority. The advice was included in the Information Commissioner’s Office’s (ICO) cookie law guidance, published this week. Businesses cannot yet rely on consent via browser settings, so must find alternative ways of gaining consent for cookies that store information on users’ machines, the advice stated. The cookie guidance is for compliance with UK regulations that will come into force on 26 May. The law will not be enforced right away, but businesses need to take steps now to ensure future compliance, the ICO said. [Source

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [MediaPost News

WW – Flash Update Allows Simpler Management of Flash Cookies

Adobe has released an update for Flash Player to address a number of security issues and give users a more manageable way to control web tracking. Flash Player 10.3 allows users to manage Flash cookies either through a new control panel or in browser privacy settings. Flash cookies, also known as Local Stored Objects, have made the news several times in the last few years when researchers noted that they were being used to track users’ online behavior and that they have been difficult to remove. The use of persistent Flash cookies, however, may be waning. Adobe pointed to a January 2011 report from Carnegie Mellon University, commissioned by Adobe, which found that only two of the top 100 websites were using Flash cookies. [Internet Storm Center] [ComputerWorld] [InformationWeek] [Adobe blog post

CA – OPC Publishes Fact Sheet on Web Tracking with Cookies

Data about a user’s browsing habits are collected through methods such as third party cookies (used by advertising companies to build detailed profiles for targeted advertising), Flash cookies (often used to track preferences and websites visited), super cookies (e.g. HTML 5 technology that can store data permanently) and web bugs (small, invisible images placed on a web page or hidden in an e-mail message); third party cookies involve unknown third parties and data are often collected without the user’s knowledge or consent, Flash cookies are more hidden than traditional web cookies, are often not mentioned in privacy policy disclosures, and are not impacted by web cookie opt-outs, and where super cookies are used, users are often unaware that they exist and are not provided with tools to control the information that is stored. Web privacy tools include “private browsing mode”, and add-on applications (e.g. BetterPrivacy, NoScript and Targeted Advertising Cookie Opt-Out (“TACO”)) which clear all the different forms of web cookies and web storage programs. [Fact Sheet] [FAQs

US – Judge Rules Against IP Address Linkage

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers’ personal details. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address–which, when linked with subscriber information, can identify the owner of the Internet connection line–could falsely identify the illegal file sharer, who could be a subscriber’s family member, friend or anyone using the subscriber’s IP address. The judge described trying to identify file-sharers by IP addresses as a “fishing expedition,” which he said wouldn’t be allowed for the “purpose and intention of class actions.” [OUT-LAW News]

Other Jurisdictions 

AU – Victoria Privacy Commissioner Issues Cloud Computing Guidelines

Victoria’s Privacy Commissioner Helen Versey has warned that the cost of addressing privacy and security issues may outweigh expected capital and operational savings for agencies wanting to shift to cloud computing. Ms Versey told state government organisations they should only use cloud service providers that agree to comply with Victoria’s information privacy laws, and preferably have locally-based data centres. “Where the provider is located offshore, or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” she said in a statement. “By using a cloud service, the government agency is relinquishing some — if not all — control over their data. “This includes being able to control security measures, and can present problems if something goes wrong.” There was a real problem of enforceability or remedying a breach if it occurred where data was stored in an offshore server, she concludes in an information sheet on cloud computing released today to guide agency decision-making on adopting cloud solutions. [Source

NZ – Commissioner Shroff Rolls Out Toolkit for Awareness Week

Privacy Commissioner Marie Shroff has released a toolkit for healthcare providers and consumers as part of Privacy Awareness Week. The kit contains brochures and fact sheets for consumers as well as an updated privacy reference guide, case notes and a training presentation for providers. Shroff said the patient-provider relationship is “based on confidentiality and trust,” and while providers do their best, it’s important for consumers to know their rights. “Consumers need the chance to participate in the conversation about how their health information can be appropriately managed. They need some control. And they can only do this if they know what’s going on,” she said. [Source

NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source

AU – Australian Privacy Commissioner Calls For Online Security Laws

Privacy Commissioner Timothy Pilgrim is calling on companies to make sure their data protection efforts are “world standard.” Citing the breach notification laws in 40 U.S. states, the commissioner said the Australian Law Reform Commission is recommending similar regulations. Pilgrim says that while the onus is on companies to protect information online, users can do more by setting privacy settings to the strongest level. For those who feel their privacy has been breached, the commissioner will hear complaints, but, the report states, the Law Reform Commission is also asking for an “explicit right to privacy” so people can bring lawsuits. [ABC Sydney]

Privacy (US) 

US – Federal Court Endorses Warrantless GPS Tracking

The US Court of Appeals for the Seventh Circuit ruled in favor of police officers who attach GPS tracking devices to vehicles without first obtaining a warrant. The three-judge panel insisted searches of this sort do not violate the Fourth Amendment after considering the case of Juan Cuevas-Perez. On February 6, 2009, Phoenix, Arizona detective Matthew Shay attached a tracking device to Cuevas-Perez’s Jeep Laredo while it was parked on the street. He did not bother to ask a judge for a warrant. By February 8, the device had tracked the Jeep driving through Missouri. After sixty hours of use the GPS battery died so Shay had other law enforcement agencies track the Jeep to its ultimate destination in Illinois. After following Cuevas-Perez for forty miles, an Illinois State Police pulled him over for “remaining in the left-hand passing lane,” a violation almost never enforced by the department. A subsequent drug dog search uncovered nine packages of heroin. Seventh Circuit already ruled in a 2007 case that secretly installing a GPS device on a vehicle did not constitute a search because the unit provided the same information that could be had from an officer physically following the car. In light of the November US v. Maynard decision from the DC Circuit striking down GPS searches lacking judicial approval (view ruling), the Seventh Circuit judges re-examined the issue. The judges concluded that the twenty-eight-day surveillance in DC could not be compared to the sixty-hour tracking in the present case. “Unlike in Maynard, the surveillance here was not lengthy and did not expose, or risk exposing, the twists and turns of Cuevas-Perez’s life, including possible criminal activities, for a long period,” Judge Richard D. Cudahy wrote for the majority. “As the Maynard court noted, the chances that the whole of Cuevas-Perez’s movements for a month would actually be observed is effectively nil — but that is not necessarily true of movements for a much shorter period.” Lawyers for Cuevas-Perez also argued that the tracking device in this case was far more advanced than those used in prior precedents. The device was capable of sending real-time location updates every minute, whereas the systems in previous cases required physical retrieval of stored information. “We do not consider this particular advancement to be significant for Fourth Amendment purposes in general: real-time information is exactly the kind of information that drivers make available by traversing public roads,” Cudahy wrote. “The historical data gathered and stored on comparatively primitive GPS devices is actually less akin to the publicly-exposed information on which the Fourth Amendment permissibility of GPS tracking is based.” Judge Diane P. Wood disagreed with the majority’s interpretation, arguing it leaves open the possibility of mass surveillance restrained only by the financial resources of the police department. [Source

US – Spyware is Forever

Documents obtained from the FBI by the Electronic Frontier Foundation (EFF) under a Freedom of Information Act (FOIA) request say that software placed on suspects’ computers by the FBI to assist in gathering evidence in cyber crimes gathers information whenever the target’s computer is turned on. The documents obtained indicate that government officials are unclear as to the legal procedures for requesting permission to use the Computer and Internet Protocol Address Verifier software. EFF staff attorney Jennifer Lynch says the tool has proven valuable in identifying and capturing serious criminals and that in that regard “it’s an important tool to use [but] we need to get on the FBI about … using the proper authority” for installing the tool and for deactivating it once the investigation is complete. [NextGov] [US – As terrorism tips spike, collection of data raises privacy concerns

US – Google Supports Opposition to California Do Not Track Bill

Google has joined a number of other groups in opposing proposed legislation in California that would grant consumers the right to prevent companies from tracking, retaining or selling data about their online activity. The Bill passed the State Senate Judiciary Committee; it now goes before the Appropriations Committee before moving to the Senate and State Assembly. Those opposing the legislation say it places undue burden on businesses conducting online commerce. [PC World] [The Register

US – Two Companies Settle FTC Charges

The US Federal Trade Commission (FTC) said that two companies have settled changes the Commission brought against them for failing to implement adequate security controls to protect sensitive information. Ceridian, a payroll services provider, and Lookout Services, which provides immigration services software, both falsely claimed to offer adequate protection. Both companies experienced breaches that exposed sensitive personal information of consumers. The settlement agreements call for the companies to obtain third-party security audits every two years for the next 20 years. [InformationWeek

US – FTC Reaches $3 Million Settlement with Game Sites

The operator of 20 online gaming sites has agreed to a $3 million settlement with the FTC for violating the Children’s Online Privacy Protection Act (COPPA). The Playdom, Inc., settlement is the largest to date for a COPPA violation. The FTC complaint alleged that the defendants, Playdom, Inc., and its executive, Howard Marks, violated COPPA when, without notifying parents or receiving parental consent, they “collected children’s ages and e-mail addresses during registration and then enabled children to publicly post their full names, e-mail addresses, instant messenger IDs and location, among other information.” COPPA requires websites directed at children to obtain parental consent before collecting and using children’s personal information. FTC Chairman Jon Leibowitz said of the ruling, “Let’s be clear: Whether you are a virtual world, a social network or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do and, as today’s settlement demonstrates, violating COPPA will not come cheap.” [Source]


US – N.J. Unveils Enhanced Driver’s License

With the backdrop of airline passengers presenting driver’s licenses at security checkpoints to board airplanes, state officials unveiled the new Enhanced Digital Driver’s License that they say puts New Jersey among the top 10 states with the most secure document. The new license will once again allow drivers to renew their licenses by mail or online once during an eight-year renewal cycle, instead of having to do it in person at a Motor Vehicle agency. But that convenience will not be at the expense of security. Many of the security enhancements meet federal requirements and are undetectable by drivers, but can be spotted by law enforcement and other trained people, including Transportation Security Administration officers at airports, he said. The new license, which will be issued to drivers at their next license renewal, is now being implemented at the MVC’s 39 agencies through a computer upgrade and the MVC’s ability to use facial-recognition technology to fight fraud. It is the end result of a $19 million program to upgrade the MVC’s computer systems, agency hardware and software in order to roll out the new license. The new technology will be used to scan the MVC’s 16 million records for any duplicate licenses a person may hold and to detect fraud. Martinez said the new license meets federal standards and is considered in the top 10 for secure documents. Motorists will still need to present six pieces of identification when the apply for a license, but once those documents are in the database, a driver won’t need to present them at the next renewal. The new licenses are almost identical in appearance to the state’s original digital driver’s license, which was implemented in 2004. Dow said the enhanced license is a key tool to fight crime ranging from identity fraud to terrorism and gang activities because a valid driver’s license is a gateway document for identification and other purposes. [Source]


US – White House Issues International Cyberspace Strategy

The White House has released the text of its International Strategy for Cyberspace. Last week, the administration sent Congress a proposal for a reworking of securing domestic networks. The International Strategy says “The United States will pursue an international cyberspace policy that empowers the innovation that drives our economy and improves lives here and abroad. In all this work, we are grounded in principles essential not just to American foreign policy, but to the future of the Internet itself.” [NextGov] []


US – FBI Reluctant to Identify ISPs Participating in Surveillance Programs

The FBI says it does not want to divulge the names of telecommunications and internet service providers that help US law enforcement agencies by supplying user information without warrants because customers would become angry with the companies and cancel their service or even file lawsuits. A top FBI official made the statement in a court declaration arguing against having to provide the information under a Freedom of Information Act (FOIA) request from the ACLU. The official also noted that the companies might also be upset if they were identified. [Source] [ACLU] [ACLU] [ACLU

US – PC Rental Company Used Webcam to Take Pictures of Customers Remotely

A Wyoming couple has filed a lawsuit against a store through which they had a rent-to-own computer agreement. The suit alleges that the store spied on them. Crystal and Brian Bird discovered that someone at the store had used remotely activated software to take a picture of Brian when a store employee came to their home and attempted to repossess the computer. The lawsuit also names the company that developed the software allegedly used to take the picture. Evidently a picture was taken each time the couple received a pop-up reminder to register their software. The Byrds are seeking class action status for their lawsuit. [Source] [Source] [Source

AU – Taxi Plan to Record Conversations to Boost Security Alarms Civil Libertarians

Every word uttered in a cab could soon be recorded and stored under proposed State Government changes to the operation of taxi security cameras. Simply opening the door or starting the meter would activate the recording of trips in an industry that claims to transport 90 million passengers in Queensland each year. The move has alarmed civil libertarians, the state Opposition and even concerned some members of the taxi industry. Queensland’s Privacy Commissioner Linda Matthews, who was not consulted about the proposal detailed in a Transport and Main Roads’ discussion paper, said there would be no such thing as “an anonymous taxi ride” once audio recordings were introduced. “The public would want to be reassured the record is used for genuine law enforcement purpose and the protections that are in place should be sufficient. I guess time will tell,” she said. [Source

KE – Kenya: NCIC Snooping on Your Text Messages

The Kenyan National Cohesion and Integration Commission (NCIC) has revealed that it has been snooping on Kenyans’ text messages for the past one year, looking out for hate speech. NCIC Commissioner Halakhe Waqo said the move was aimed at sustaining harmonious relationships among Kenyans as well preventing tribal conflicts in the future. He argued that the overriding need to facilitate integration in the country superseded the right to an individual’s privacy as it risked threatening national security. “Yes, we do recognise that privacy is very important for an individual but public security and safety is much more important. We want to pin down that breach in public safety and security,” he said. Commissioner Waqo further explained that NCIC had been partnering with mobile service providers as well as security agents in the country to facilitate the scrutiny. He added that the NCIC would also broaden its partnerships with other like-minded institutions in order to promote harmony. The NCIC further said that it would soon release a detailed report of its findings on the SMS survey. [Source

CA – Street Cams Get Committee’s Nod

Ten police cameras are on track to become permanent in Winnipeg’s core. Winnipeg police Chief Keith McCaskill told council’s protection and community services committee the closed-circuit television cameras have helped officers investigate serious crimes, including one homicide. Winnipeg police installed 10 closed-circuit television cameras in six high-crime locations downtown in January 2009 as part of a $440,000 pilot project to deter crime, collect video evidence and increase public safety. McCaskill said “it’s debatable” whether the cameras deter crime, but he noted they have been a valuable tool when officers need to collect video evidence. During the project, officers requested video for 39 events, and of those, 22 videos were downloaded and used as evidence in court. That’s just a fraction of the total number of violent-crime incidents, according to a report released last week that found 1,843 incidents were reported within 250 metres of cameras during the project. Council’s protection and community services committee voted in favour of making the closed-circuit cameras permanent and gave the Winnipeg Police Service the go-ahead to hire a technologist to maintain the equipment. Police will absorb the $129,898 cost of the technologist in their existing budget this year, but will request the additional amount on an ongoing basis, starting next year. Executive policy committee and city council still need to vote on the plan. [Source]

Telecom / TV 

US – Senate Panel Grills Apple, Google on Location Data

Executives from Apple and Google told lawmakers that users have control over information used to pinpoint the location of iPhones and smart phones running Google’s Android software. The hearing by the Senate Judiciary Subcommittee on Privacy, Technology and the Law follows Apple’s recent admission that its popular iPhone stores data used to help the device locate itself for up to a year. Apple also said that a software bug has caused iPhones to continue to send anonymous location data to the company’s servers even when location services on the device were turned off. Sen. Al Franken, D-Minn., who chairs the Senate Judiciary Subcommittee, challenged executives from both companies to require all outside apps developers that make programs for their mobile platforms to adopt formal privacy policies. Tribble said Apple believes that privacy policies alone are not enough. He explained that privacy needs to be baked into products — for instance, in the form of clear on-screen disclosures that notify users how their personal data is collected and tools to control that data collection. Davidson said he would bring the suggestion back to Google’s top executives. [Source] See also: [Google destroys Aussie Wi-Fi data

US – FTC Statement on Protecting Mobile Privacy

Several cases brought by the FTC demonstrate the applicability of section 5 of the FTC rules to the mobile area, e.g. a company was charged with deceptively endorsing mobile gaming applications by posting positive reviews of the apps and giving the impression that the reviews came from disinterested users (when in fact they came from the company itself), and the sender of over 5 million unsolicited text messages was found to have engaged in deceptive and unfair practices; the FTC has also brought allegations against companies for having deceptive privacy notices (e.g. a company collected information from mobile users to generate its social networking site and made associations with the users’ frequent email contacts, all without the users’ consent) and insufficient technical safeguards (e.g. a social networking site failed to secure its users data, allowing hackers to obtain unauthorized administrative control of the site and access to users’ mobile phone numbers). Mobile devices can facilitate data collection among many entities and allow companies to collect users’ data over time to reveal habits and patterns; to protect the privacy and security of users’ data on mobile phones, companies should provide stream-lined privacy choices (these should be readable and accessible on a mobile phone’s screen), and not collect or retain more data than needed to provide a requested service or transaction. [Source]

EU – Telecom KPN Denies Violating Privacy Rules By Using DPI

On Friday, Dutch telecommunications provider KPN denied it violated the terms and conditions of its contracts when it used deep packet inspections (DPI) to view the Internet activity of its customers. The company “came under fire” on Thursday after it revealed it uses DPI to find out if customers use instant messaging applications. A spokesman for a civil rights organization said it is “theoretically possible” to read the mail’s content when using DPI. KPN said an internal investigation “found no wrongdoing,” but the company would cooperate with an external investigation. [The Wall Street Journal]

US Government Programs 

US – California Utility Commission Proposes SmartMeter Privacy Rules

A proposed ruling by the California Public Utilities Commission would impose privacy rules on home device platforms that automatically use smart meter data. The ruling would require the state’s three big utilities to impose tariffs on third parties that request certain customer utility data, the report states, and would require them to impose CPUC’s privacy guidelines on those parties. Utilities using home device platforms that don’t automatically transfer utility data to a third party would be required to provide those customers with information on potential uses of their data. The utilities have three months to establish tariffs. [Source: GigaOM] See also: [European Commission - Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions - Smart Grids: From Innovation To Deployment]

US Legislation 

US – Obama Offers Breach Notification Bill

The Obama administration has proposed adoption of a federal data breach notification policy that would supersede the divergent laws now in effect in most states. The policy is a component of a comprehensive cybersecurity legislative agenda that the White House unveiled this week. The proposed policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has similar requirements. Otherwise, the policy would apply to for-profit and not-for-profit business entities that engage or affect interstate commerce and use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period. The policy would require the reporting of security breaches to the FTC, and the individuals affected, within 60 days unless there is no reasonable risk of harm or fraud. The FTC can grant a business entity an extension of up to 30 days to allow time for the entity to conduct further investigation. The proposal defines a breach as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.” The proposed policy would include two major exemptions, or safe harbors. A business would be exempt from the notification requirements if it conducted a risk assessment that concluded that there is no reasonable risk that a security breach has harmed individuals whose sensitive personally identifiable information was subject to the breach. Also, a breach would not have to be reported if the data were rendered unusable, unreadable or indecipherable through a security technology or methods generally accepted by IT security experts. The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct is found to be intentional. Besides notifying the FTC and individuals affected, businesses would have to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For these larger breaches, businesses also would have to notify national credit reporting agencies. [Source] See also: [New Zealand Row brewing over privacy ‘crime’ ] [HHS - Office of the National Coordinator for Health Information Technology - Federal Health Information Technology Strategic Plan 2011-2015

US – Sen. Rockefeller Announces Anti-Online-Tracking Bill

The head of the Senate’s powerful commerce committee said he’ll introduce a bill that forces online advertising and tracking companies to let users easily opt out of online tracking. Chairman Jay Rockefeller (D-West Virginia) said the bill, to be introduced next week, will create a “universal obligation for all online companies” to not track people who set a browser flag or cookie saying they don’t want to be tracked. Rockefeller’s move complements a recent privacy bill introduced by Sens. John Kerry (D-Massachusetts) and John McCain (R-Arizona) that would enshrine a consumer bill on online rights, though it does not explicitly say that companies must obey the so-called ‘Do Not Track’ flag. According to Rockefeller, the bill will empower the FTC to go after companies that disobey the flag. Companies can collect info needed for their service to work from users who set the flag, but must destroy it or anonymize it once it’s no longer needed. While Rockefeller promises the bill will be universal, it’s not clear how any such legislation could apply to companies outside the United States. Critics of the Do Not Track idea argue that it’s still unclear what counts as tracking and that mass adoption of the setting will harm innovation on the web, as many services and publications rely on the higher payouts of targeted ads to provide free information and services to users. [Source] See also: [Innovation in online advertising: Mad Men are watching you

US – Do-Not-Track Bill Gets State Senate Hearing

California Sen. Alan Lowenthal (D-Long Beach) gave testimony to the Senate Judiciary Committee on his proposed do-not-track bill, SB 761. If passed, the bill would enable Internet users to opt out of being tracked by websites; require businesses to disclose how tracked data is being used, and subject violators to civil action for damages. Lowenthal was joined by three witnesses in support of the legislation, but several witnesses were present to oppose it, saying it would hurt business and the job market. [Source

US – Lawmakers Propose Expansion to COPPA

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have presented a draft of their Do Not Track Kids Online Bill that proposes to ban behavioral targeting to minors–users under 18—and limit the collection of teens’ information to those companies that adhere to Fair Information Practice Principles. The bill would also broaden the definition of personal information under the Children’s Online Privacy Protection Act (COPPA) to include “unique identifiers, IP addresses and anything that permits the identification of a computer.” A recent study by Carnegie Mellon researchers found that only 22 ad networks out of 58 that belong to the self-regulatory group Network Advertising Initiative stopped collecting tracking data after users opted out. [MediaPost News

US – Texas Bill Bans Patient Record Sales

Privacy advocates say that State Rep. Lois Kolkhorst’s (R-District 13) bill aiming to protect Texans’ healthcare privacy is a vast improvement over federal law. The bill would ban the sale of Texans’ healthcare records and notify them when their electronic health records have been transferred, the report states. Penalties for noncompliance would carry fines of up to $3,000 per violation with up to $1.5 million in legal damages. Opponents say the bill will stifle business. Kolkhorst says the bill, which will see a final vote in the house this week, “is to protect your health records as we move into the electronic age.” [The Texas Tribune

US – Calif. Bill Protects Customers’ Reading Records

Government agencies would have to get a warrant or court order to obtain customers’ reading records from bookstores and online booksellers, under a bill approved by the California Senate. The legislation by Sen. Leland Yee is patterned after similar privacy protections that currently are in place for library records. The bill, SB602, passed the Senate unanimously and without debate Monday. It now goes to the Assembly. Yee, a Democrat from San Francisco, says digital book services can collect details about the books readers browse, even the notes they write in the margins. His bill is supported by the American Civil Liberties Union, Electronic Frontier Foundation and Google, among others. There was no registered opposition. [Source]



16-31 April 2011


EU – EU Parliament Issues Report on Biometrics and Human Rights

The broad scope of biometrics and member states’ rapid deployment of the technology for multiple purposes (e.g. immigration control, crime fighting and access control) requires that member states immediately address any legal issues relating to biometrics and increases the need for clarity in the existing European legal framework (e.g. there is no generally accepted definition of “biometric data” and “second generation” biometrics such as heart rate measurements, brain activity patterns and pupil dilation cloud the general understanding of “personal data”); two of the biggest challenges are the risk of falsification (e.g. due to technical imperfections, lighting conditions, insufficient training of operators, bodily growth or change) and security issues (e.g. identity theft, unauthorised modification, tampering, improper disclosure). Primary concerns include unnecessary collection, collection without the data subject’s consent, and scope creep (e.g. the opening of databases that would allow government monitoring of individuals; biometric technology is capable of revealing a person’s racial origin, medical status (e.g. iris scans can reveal diseases unknown to the individual), or identity (e.g. gender change), which can impact job opportunities or insurance coverage. [Source: Council of Europe Parliamentary Assembly - Report of the Committee on Legal Affairs and Human Rights - The Need for a Global Consideration of the Human Rights Implications of Biometrics

EU – French CNIL Approves Fingerprint Use on Computers

This single authorisation for fingerprint readers on notebook or laptop workstations enables companies who use such readers (with the same categories of data and recipients) to indicate a commitment to comply with the authorisation, rather than seeking an individual permit from the CNIL before processing the biometric data. The template shall be exclusively stored on the computer notebook workstation owned by that user and whose content cannot be read without his knowledge (the fingerprint can only be used for access control, and not to control working time of the user). Technical requirements include only storing an encrypted template of the fingerprint that cannot be retraced to the original biometric (an image or photograph of the fingerprint cannot be stored), only allow enrolment on the user’s workstation, never allowing the template to flow over a network, and systematic erasing of the templates during notebook maintenance operations. Only persons in the computer security department can receive personal data in the course of their responsibilities (personal data is limited to user ID, password and template), and the fingerprint template can only be retained for the duration of time that the user is entitled to access his workstation (other data can be kept for a maximum of 5 years after the user’s departure). [Source: Commission Nationale de L’informatique et des Libertes - Single Authorisation No. AU-027 - Decision No. 2011-074 of 10 March 2011 Authorizing Unique Implementation of Biometric Devices Based on Recognition of Fingerprints

US – NY Mayor: Put Fingerprints on Social Security ID

Mayor Michael Bloomberg says he’s in favor of putting people’s fingerprints on Social Security cards. Bloomberg says such biometric identification cards would make it easier for employers to judge whether someone has legal permission to work in the U.S. He says it would reduce the supply of work to illegal immigrants, leading fewer to enter the country. Critics have said that such a system would raise cost and privacy concerns. Bloomberg was one of several politicians who discussed immigration issues this week with President Barack Obama. Bloomberg’s immigration reform group, the Partnership for a New American Economy, supports bringing more immigrant workers and entrepreneurs into the country. [Source: Wall Street Journal]


US – Recent Govt. Data Breaches Pose Privacy Risk

The Social Security Administration continued making public the full names and SSNs of tens of thousands of people three years after it first learned it was putting citizens’ privacy at risk, according to a new report by the agency’s inspector general. The information, which also included the ZIP codes and dates of birth of 63, 587 living people, was erroneously included in the agency’s Death Master File (DMF). Nevertheless, the agency continued selling the file to the public. The agency “continued to publish the DMF with the knowledge its contents included the PII of living numberholders,” the report found. The inspector general recommended that the SSA take additional precautions to limit such privacy breaches in the future, but “the agency disagreed with both recommendations,” according to the office’s report. The report does not mention what those recommendations were because the version made available to the public was merely a summary. The full version was given to authorized officials only. [Source]

Electronic Records 

US – HHS Told to Standardize Consent, Privacy in E-Health Record Exchanges

A group of healthcare CIOs have said the Health and Human Services (HHS) Department’s plan for health IT “doesn’t go far enough in standardizing the ways in which patient consent for release of personal health information would be managed.” The college of Healthcare Information Management Executives has submitted a letter asking for “greater uniformity in healthcare data privacy laws from state to state” and standards for healthcare privacy to apply nationally. HHS released its Federal Health IT Strategic Plan in March. It calls for meaningful use of e-health record systems. Meanwhile, two Maine legislators recently proposed a bill to make Maine’s electronic records system opt-in. [Source] See also: [Is health care security in intensive care?] [US – Chicagoland Hospitals Plan Big Health Information Exchange]


WW – Hiding Files on Hard Drives Without Encryption

Researchers have devised a method of hiding data on hard drives without using encryption. The technique allows a 20-megabyte message to be hidden on a 160-gigabyte hard drive. The technique involves storing clusters of the file to be hidden in places on the disk determined by a code, which would need to be known by the person receiving they disk. To an inspector, the disk would look like any other disk on which data have been stored and deleted in the course of regular use. The technique works as long as none of the files on the disk are modified before it reaches its destination. There are instances in which encryption is not desirable, because the extra data it creates are a giveaway that there’s something to be found. This could be the case when someone is trying to smuggle information out of a country with a repressive government. [Source]

EU Developments 

EU – German Lawmakers Say Data Retention Directive May Be Illegal

The German Parliament said that the European Commission’s controversial Data Retention Directive may be illegal. The directive requires European communications service providers to retain data for up to two years identifying the source, destination, date, time and duration of communications, along with the equipment used, and, for mobile telephony, the location of the equipment. The directive applies to phone calls and e-mail or text messages, although not their contents. A report from the Bundestag’s Working Group on data retention said that it would be impossible to rephrase the directive to make it compatible with the E.U. Charter of Fundamental Rights. The legal experts said that the law is disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly. “This marginal increase in the clearance rate by 0.006 percent could raise doubts about whether the provisions in their current form would stand their ground under a proportionality review,” said the report. European Data Protection Supervisor Peter Hustinx has described the directive, introduced in 2006, as “the most privacy invasive instrument ever adopted by the European Union.” “The principle of proportionality is binding on any state governed by the rule of law,” added Kai-Uwe Steffens of the Bundestag’s Working Group. “Therefore the Federal Republic of Germany must work towards outlawing data retention within the E.U.” “The E.U. must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population’s communications records with an instrument for preserving the data of suspects,” said Uli Breuer of the Bundestag’s Working Group. Later this year, the European Court of Justice (ECJ) will rule on the constitutionality of the principle of data retention, after a referral from the Irish High Court. [Source

EU – European Commission Issues Evaluation Report on the Data Retention Directive

The Data Retention Directive obliges Member States to adopt measures to ensure that data is retained and available for the purpose of investigating, detecting and prosecuting serious crime (as defined by each Member State in its national law) however, variations have emerged (e.g. Bulgaria and Estonia have defined “serious crimes” and other Member states e.g., Belgium and Denmark require data to be retained in relation to all criminal offences), it also specifies the categories of data to be retained (namely data necessary for identifying with respect to communication source, destination, date, time and duration, type, user’s equipment and location of mobile equipment) – twenty-one Member States provide for the retention of each of these categories of data in their transposing legislation (Belgium has not provided for the types of telephony data to be retained, does not have any provision for internet-related data) and the Directive requires that the categories of data must be retained for at least six months and not more than two years, but there is no consistent approach across the EU, e.g., fifteen jurisdictions specify a single period (e.g., Poland – 2 years, Latvia 1.5 years) and three specify six months (e.g. Bulgaria, Denmark, Estonia and Greece). The Romanian, German Federal Czech Constitutional Court annulled the laws transposing the Directive into their respective jurisdictions on the basis that they were unconstitutional (the Romania Court found the transposing law to be ambiguous in its scope and purpose, the German Federal Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights and the Czech Court held that the purpose limitation was insufficiently narrow given the scale and scope of the data retention requirement). The Article 29 Working Party criticizes data logging, periods of retention, the types of data retained and data security measures and the European Data Protection Supervisor has called on the EU to adopt a comprehensive legislative framework which regulates how Member States use the data for law enforcement purposes. A revision of the current data retention framework will be proposed and a number of options will be devised in consultation with law enforcement, the judiciary, industry and consumer groups, data protection authorities and civil society organisations. [Source

EU – Dutch Data Protection Watchdog Criticizes Google Over Wifi Info Collection

The Dutch data protection watchdog criticized Google for collecting data on private wireless networks, ordering it to contact 3.6 million Dutch WiFi owners and offer them a way to have their data deleted. The Dutch Data Protection Agency (DPA) slammed Google’s Street View service for collecting personal data from unencrypted WiFi networks, a practice Google has halted and apologized for. Peter Fleischer, Google’s Global Privacy Counsel, said in a statement that the company never inspected or used the data. But the bureau said Google’s current use of WiFi locations still amounts to gathering personal information. Google spokesman Mark Jansen denied that, saying that it can’t identify people from their WiFi alone. Jansen said Google was studying the Dutch decision. The company has three months to comply, appeal or face escalating fines. Last month, France’s privacy watchdog fined Google €100,000 ($143,000) for improperly gathering and storing data for its Street View application, which allows Internet users to virtually tour locations on a map at ground level. More than 30 countries have complained about such data-gathering by Google Inc. [Source] [Available in Dutch

EU – Article 29 WP Issues Opinion on Smart Metering

Directive 95/46/EC applies to personal data (“PD”) in a smart meter (e.g. the device enables an individual to be singled out from other consumers, information collected is used to make a decision, other than for billing purposes, affecting the individual, and achieving an objective of reducing energy consumption is dependent on the collection of large amounts of information about consumers’ behaviour); the numerous organisations involved in the processing of smart meter PD (e.g. energy suppliers and network operators, regulatory bodies, third party service providers and communications providers) can all, under certain circumstances, be defined as a data controller (e.g. when a regulatory body has access to data for policy setting and research purposes). Privacy by design must be utilized in terms of security measures (e.g. prevention of unauthorised disclosures or modification of PD and effective authentication of recipients), and minimising the amount of PD processed (e.g. through filtering or removal). Consent as a legitimate ground for data controllers’ PD processing is valid only when it is based on an informed decision by the data subject, and must be revocable; consumers could be allowed to make their own decisions regarding retention of PD (e.g. holding data on the meter itself or gateway device and being provided with “housekeeping” reminders). Consumers must be advised of the nature of smart meter operations and their privacy rights (e.g. one meter currently being tested does not have a display sufficient to be used for a subject access request as it will neither allow the customer to access the information already transmitted by the meter nor display the load graph stored inside the meter). [Source: Working Paper 183

EU – Article 29 WP Opines on EU Data Breach Framework and Future Policy Dev’ts

The Article 29 Working Party (“WP29”) provides recommendations for consideration in the area of data breach notification; it supports the introduction of a provision in the General Directive that extends personal data breach notification obligations to all data controllers (currently, the ePrivacy Directive only obligates providers of electronic communication services to provide such breach notification) and the European Commission should rely on the same core elements as in the ePrivacy Directive (it would be counterproductive to apply different ones to data controllers other than providers of electronic communication services, and the rules contained in the ePrivacy Directive reflect the views of the different stakeholders and represent a balance of interests). The WP29 notes that a harmonized framework should take into consideration experience being gained by national authorities already experimenting with personal data breaches; the Commission should, as soon as possible, conduct a survey of early practices that are being developed by competent authorities and propose implementing measures based on collected feedback (late intervention would increase risk of establishing permanent diverging approaches by Member States), standardize the circumstances under which a personal data breach should be notified, set forth the procedure to follow in case of a data breach (e.g. more concrete deadlines for notification of the breach to the authorities and concrete procedural steps, which could include a requirement to enlist forensic investigators in order to ascertain the facts and circumstances surrounding the breach), develop a standard EU format to be used when notifying (notifications to competent authorities should include, at the least, a description of the breach, effects of the breach and measures taken/proposed) and determine allowed modalities for serving notices to individuals (will notifications be permitted by means of email, telephone notification, newspapers etc.). The rules should allow space for the judgement of competent authorities in the light of the circumstances of each case; they should provide guidance as to the technological protection measures which, if applied and depending how they were applied, would create an exemption from notification. [Source: Working Paper 184

EU – Member States React to Commission Data Retention Ruling

MEPs are opposing the European Commission on its recent ruling against five member states that have not adequately adopted the Data Retention Directive of 2006. Under the current legislation, countries can retain “swathes” of telecommunications data for a period of six months to two years. MEPs from Germany, Austria and Sweden–all of which face fines—are pushing for shortened data retention periods, or “quick freezes,” and more targeted searches. Constitutional courts in the Czech Republic and Romania declared the directive violates Article 8 of the European Convention of Human Rights. One MEP from Germany explained, “There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties.” [Source

EU – Interactive Advertising Bureau Issues Self-Regulation for Online Behavioural Ads

A self-regulatory online behavioural advertising (“OBA”) framework for Europe provides a set of 7 principles and use of a behavioural ad icon; principles include notice (e.g. for third parties and web site operators) to consumers regarding data collection and use practices for OBA, user choice (e.g. explicit consent must be obtained for data used for OBA that is collected and used via specific technologies that harvest data from URLs traversed by a particular computer across multiple web domains), data storage (e.g. retain data only for as long as necessary for business needs or as required by law), and sensitive segmentation (e.g. do not create data segments for OBA that target children); signatory companies (including Yahoo!, Google and Microsoft) and associations must comply with the framework by June 30, 2012, which includes provisions for an icon to be placed in or around an ad targeted using behavioural data and an opt-out mechanism for consumers. Members subject to the user choice over OBA principle must submit to independent audits of their self-certification to demonstrate their framework compliance (e.g. they must publish decisions of un-rectified non-compliance and findings of good compliance); consumer complaints handling programmes under the framework must be easily accessible and available in consumers’ local language. [Source] [Source] [FAQ and Framework] See also: [Submission on the Comprehensive Strategy on Data Protection in the European Union - Federation of European Direct and Interactive Marketing

EU – EU and U.S. Differ on Passenger Data Sharing

Bloomberg reports on the differing views between the EU and U.S. on the collection of air passenger data. “The U.S. wants to collect data on anyone suspected of crimes carrying sentences of more than a year,” while the “EU wants data to be handed over only in individual cases related to fighting terrorism and organized crime,” the report states. The amount of time data can be stored should be restricted, the EU says, as should third-party access. However, the U.S. wants the data stored for 15 to 20 years. The U.S. will have to enter agreements with individual member states if an agreement with the EU cannot be reached. [Source]

Facts & Stats 

US – Verizon 2011 Data Breach Investigations Report

According to Verizon’s 2011 Data Breach Investigations Report, the number of data breaches resulting from cyber attacks increased, but the total number of compromised records from breaches decreased. The number of records compromised in breaches dropped precipitously over the last two years from 361 million in 2008 to 144 million in 2009 down to just 3.8 million last year. The number of breaches in which these records were compromised, however, rose from just 141 in 2009 to 760 last year. One explanation for the apparent contradiction is that there have been fewer large breaches and more attacks on smaller companies. 92% of the attacks were launched by outsiders, an increase of 22% over statistic in last year’s report. The report notes a shift toward attacks on smaller companies that “haven’t taken basic security considerations into account,” according to Verizon. Also, the attackers appear to be stealing less information, perhaps in an effort to avoid attention. Physical attacks, like ATM and gas pump skimmers, made the top three methods of data theft for the first time. [Source] [Source] [Source] [Report

WW – IT Study Reveals Same Challenges, Accelerated Pace

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA’s guidance and practice committee, notes that this year’s survey shows a need to better align “business with IT to unlock greater value,” adding that there’s a perception on the business side of organizations that “IT is managed in a silo.” [Source

US – Despite Breaches, Consumers Dish Out Data

Consumers continue to share their personal information with online retailers and social networks despite the frequency and size of breaches involving sensitive data, reports the Associated Press. Jim Dempsey of the Center for Democracy and Technology says that, as consumers, we are “schizophrenic” about technology in that, “We love it, we use it…we’ve woven it into our daily lives professionally, socially and personally. But we don’t really trust it, and we get upset when our data is lost or stolen.” According to the Privacy Rights Clearinghouse, more than half a billion records have been exposed in the past six years, the report states. [Source] [NYT Blog

UK – Numbers Show Many Data Breaches, Few Fines

Of the 2,565 data breaches identified by the Information Commissioner’s Office (ICO) since April 2010, “only 36 have resulted in a punishment–and only four have resulted in financial penalties,” according to The Guardian. An ICO spokesman said getting organizations to comply with the Data Protection Act “isn’t always best achieved by issuing organizations or businesses with monetary penalties.” Just this week, the ICO announced breaches at Norwich City College and NHS Birmingham East and North. A Christchurch nurse was also found guilty of misconduct for inappropriate access of medical records. The ICO’s acting head of enforcement said, “organizations have a legal responsibility to abide by the principles of the DPA.” [Source

EU – Kids Not Using Privacy Settings

Many children using social networking sites don’t employ privacy settings, making them vulnerable to stalkers and other risks, according to EU Commissioner for the Digital Agenda Neelie Kroes. EU data shows 77% of 13 to 16 year olds and 38% of nine to 12 year olds are on social networks, but 25% don’t use privacy settings, and many display phone numbers and addresses. “These children are placing themselves in harm’s way, vulnerable to stalkers and groomers,” Kroes said. She is urging social networking sites to make minors’ profiles accessible only to designated “friends” by default. [Source]


WW – Poll: 67 Percent of PCI-Regulated Companies Not Compliant

In a survey conducted by the Ponemon Institute, 67% of PCI-regulated companies lack full compliance with the standard; 50% of security professionals view PCI as a burden, and 59% do not believe it helps with security. The survey also found an increase in the number of data breaches since 2009, with non-PCI compliant companies experiencing more data breaches than PCI-compliant ones. The study found little connection between PCI-related expenditures and compliance levels. Imperva’s director of security strategy noted, “In a somewhat counterintuitive manner, those organizations (that) suffered no breaches are not necessarily those who spent the biggest budget.” [Source

CA – Software Glitch Kills Electronic Stubs for Federal Workers’ Paycheques

A mysterious security breach has shut down the federal government’s online pay system, affecting some 320,000 public servants. The system was pulled offline for “urgent” repairs on April 4 after officials discovered the privacy of eight account-holders had been breached. Pay is still being deposited as scheduled in employees’ bank accounts. But electronic paystubs with information about basic salary, overtime, bonuses, reimbursement of travel expenses and other key data has been unavailable for more than two weeks. The glitch affects virtually every federal department, from Health Canada to Public Works itself, which operates the self-serve online system for all government employees. A spokesman said it’s still not known when the problem will be rectified. Last spring, Auditor General Sheila Fraser reported that Public Works had completed an internal risk assessment that found the department’s pay and pension systems “were close to imminent collapse, and compensation specialists were leaving as a result.” Fraser noted the department had begun a project to modernize its systems, though she did not audit them. On the other hand, Public Works last year completed a so-called privacy impact assessment on its online paystub service that found it was at low risk of breaching workers’ privacy. The assessment was approved by the privacy commissioner’s office. [Source]


CA – IPC ON Issues Fact Sheet on Applying PHIPA and FIPPA/MFIPPA to PHI

Certain provisions within the Freedom of Information and Protection of Privacy Act (“FIPPA”) and its municipal counterpart, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), apply to personal health information (“PHI”) in the control of an organization defined as both a health information custodian (“HIC”) under the Personal Health Information Protection Act (“PHIPA”) and as an institution under FIPPA or MFIPPA (e.g. hospitals); the head of an institution is required to disclose any record if there are reasonable grounds to believe it is in the public interest to do so (e.g. that present a grave environmental, health or safety hazard to the public). FIPPA and MFIPPA contain provisions for permitted disclosures (e.g. to aid a law enforcement investigation), mandatory exemptions from disclosure (e.g. cabinet records, confidential information from other governments, or a trade secret), and discretionary exemptions from disclosure (e.g. where a disclosure could prejudice the conduct of intergovernmental relations or the defence of Canada or an ally). PHIPA does not limit a person’s right of access to PHI under FIPPA or MFIPPA if all PHI is reasonably severed from the record; there are provisions within FIPPA and MFIPPA that permit a HIC to refuse access to a record (e.g. where records could interfere with a law enforcement matter, prejudice the economic interests of an institution, or are subject to solicitor-client privilege). [Source]

Health / Medical 

CA – Don’t Shred Documents, McGuinty Tells Hospitals

Hospitals should ignore a major law firm’s advice to “cleanse” sensitive documents from their files to prevent the emergence of spending scandals like the one at eHealth Ontario, Premier Dalton McGuinty says. The advice from Osler, Hoskin & Harcourt LLP was aimed at keeping hospitals out of trouble starting in January, when they become subject to freedom-of-information laws, but it ended up causing more problems for McGuinty’s Liberal government as it prepares for the Oct. 6 provincial election. The memo from the law firm went out Oct. 22 but after media reports exposed it this week, the Ontario Hospital Association issued a cautionary note to its members. “The first principle for the OHA — and for the law firms that are actually assisting us in preparing hospitals for FOIPPA (Freedom of Information and Protection of Privacy Act) — is that the spirit and the letter of FOIPPA must be adhered to at all times, period,” it said. “To do otherwise would undermine public confidence in hospitals and our health-care system.” In its controversial four-page memo, the law firm said hospitals face “significant reputational risks” from freedom-of-information law, specifically mentioning the eHealth example and advising hospitals to consider “cleansing existing files on or before Dec. 31, 2011, subject to legislative record-keeping requirements.” The memo also warned that hospital staff should be aware their expenses, procurement of supplies and services, decision-making and emails will be subject to freedom-of-information requests in the new year. Health Minister Deb Matthews said any inappropriate shredding would be “completely unacceptable.” [Source

EU – Swedish DPA Says Hospital Data-Sharing Unlawful

Sweden’s data protection authority has ruled that a hospital’s failure to provide patients with the choice to opt out of the sharing of their medical and other data via an electronic health records system violated the law. The Data Inspection Board ruled April 18 that the sharing of patient records requires consent by the Patient Data Law, and Stockholm’s Karolinska University Hospital’s method of consent did not meet those requirements. The hospital belongs to a data-sharing network that allows database access to both public- and private-sector healthcare providers. (Article in Swedish). 

US – Breach List Grows, Encryption is Key

The Office for Civil Rights’ (OCR) list of major healthcare breaches—those affecting at least 500 individuals—h s grown to 265 incidents affecting 10.8 million. In the past month, 16 breaches were added to the list, including the Health Net and Eisenhower Medical Center incidents that totaled 1.9 million and 514,000 individuals, respectively. The report suggests these cases have highlighted the need for encryption, which one security expert calls “the single best way to protect sensitive data.” Under HITECH, healthcare facilities with major breaches are required to report them to the OCR within 60 days; however, breaches of data encrypted “using a specific standard” do not need to be reported, the report states. [Source]

Horror Stories 

WW – Reports: 77 Million PlayStation Network Accounts Compromised

According to Sony, hackers obtained users’ names, addresses, e-mail addresses birthdates, and account login and password, and may have also taken users’ security questions and answers. If you set up a sub-account for your child, that information may also be in hackers’ hands. Reuters and other news outlets are reporting that in all, as many as 77 million accounts may have been hacked, based on the number of PSN accounts. Sony also states, “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.” For the time being, Sony has temporarily disabled its PlayStation Network and Qriocity services so it can analyze these services for other security issues. Sony is advising its customers to watch for e-mail and postal mail scams orchestrated by data thieves, and to stay on the lookout for anything suspicious on your credit report or financial account statements. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Sony Executives ‘Deeply Apologize’ for Security Breach] [Sony Breach Ignites Phishing Fears / Are Consumers Suffering ‘Breach Fatigue?] [CA – Privacy Commissioner’s office looking into Sony PlayStation hack] [Change passwords, advises Alberta privacy commissioner]

Identity Issues 

US – US Proposes Online Identities for Americans

The US Government has published plans to create digital identities for Americans. The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that multiple accounts brings to businesses and consumers, the strategy said. Under the new plans users will be able to register for access to a network of government and businesses providing data and ways to pay for things online. The Government has called this the Identity Ecosystem, the National Strategy for Trusted Identities in Cyberspace (NSTIC) said. Users could pay taxes and phone bills by entering only minimal information about themselves in the Ecosystem, such as purely their age, the NSTIC document said. “The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace,” the NSTIC document said. The Ecosystem will improve privacy protection and efficiency it said. ‘Trustmarks’ will be used to help users identify organisations that have met security standards, it said. The US Government said that it was up to the private sector to develop technologies that make online identities secure and easy to use, safeguard transactions, and protect anonymity, but said that there are incentives for the industry to produce such a system. The Ecosystem benefits will also extend to individuals because the current process is bureaucratic, the NSTIC strategy said. Although the system proposed is voluntary, there is concern that some Government departments will adopt it, effectively forcing Americans to create a profile. The US Government is planning to host workshops to discuss the proposals with industry and the public between June and September to try to finalise details for NSTIC. [Source]

Internet / WWW 

WW – In Reversal, Yahoo Will Store User Search Data Longer

In a move that is unlikely to win it any new friends in the privacy community, Yahoo has announced that it will retain consumer search data for a substantially longer period of time than it does today. Starting sometime in mid-July, Yahoo will hold raw search log file data, including IP addresses, cookies and search-related information, for up to 18 months. It currently retains such data for 90 days. Yahoo’s chief trust officer, Anne Toth, said in a blog post that the change was designed to give consumers a more robust and personalized search experience while also bringing Yahoo into closer alignment with industry-wide data retention norms. Toth’s announcement marks an abrupt reversal of Yahoo’s current data retention policy which it put in place in 2008. Under its current policy, Yahoo stores most log file data for just 90 days, though in some cases the company holds raw data for as long as six months for what it calls fraud and security purposes, and to comply with legal requirements. In contrast, Google stores search data for nine months, while Microsoft retains it for six months. [Source

EU – Internet ‘Right to Be Forgotten’ Debate Hits Spain

In a case that Google Inc. and privacy experts call a first of its kind, Spain’s Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches. Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court. A final decision on Spain’s case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online. “This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.” [Source] See also: [Foggy Thinking About the Right to Oblivion - Peter Fleischer

UK – More than Half Would ‘Delete Everything Ever Posted About Themselves Online’

More than half of British adults are so concerned about their online reputation they would erase everything they have ever posted on the Internet about themselves, a survey revealed. A staggering 35% believe they could never consider a career in politics due to damaging personal material online. And nearly a quarter of people admit to having posted a photo or personal information that they wouldn’t want an employer to see, according to a study by security firm Norton. Researchers questioned 1,004 people aged 18 and over about the amount of their personal information that is publicly available online and how it could affect them personally. The study reveals a sense of unease among Britons about their online reputation, with over 50% saying they would gladly hit the ‘reset’ button to delete all information about them online. Some 40% admitted to not actively protecting their reputation and personal information on the Internet. Of these, 59% ‘never thought it was an issue’, while 20% wouldn’t know where to start. [Source

WW – Amazon Provides Details About Cloud Outage

Amazon has apologized for the outage experienced in portions of its cloud services platform and has released a statement offering more detail about the cause of the incident. The problem arose because of a configuration error that was made during a network upgrade. The error caused traffic that should have been directed to a primary network to be routed to a lower-capacity network. Amazon also detailed steps it is taking to prevent a recurrence. [Source] [Source] [Source] [ Some Customer Data Permanently Destroyed in Amazon Cloud Crash | Report

WW – Web Standards Group to Discuss Do Not Track

The Web standards organization, World Wide Web Consortium (W3C), met this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports Media Post. Discussion topics included definitions for do not track and the mechanism’s operational feasibility. Nearly 60 position papers have been submitted by Web companies, academics and others prior to the conference. W3C Co-chair Lorrie Cranor added that the group “has not yet formally taken on the task of formalizing do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there’s a role for them and, if so, what direction to go in.” [Source]

Law Enforcement 

US – ACLU Seeks Documents Regarding Police Use of Data Extraction Devices

When the American Civil Liberties Union (ACLU) made a Freedom of Information Act (FOIA) request for documents containing information to help them determine if Michigan State Police were violating Fourth Amendment rights, they were told it would cost more than half a million dollars. The issue centers on the use of a data extraction device used by police. The device is capable of scraping data from phones in less than two minutes. The ACLU of Michigan is trying to determine whether police violated people’s Fourth Amendment rights by taking those data without search warrants. The Michigan State Police has issued a statement regarding allegations of their abuse of data extraction devices. The statement says there have been no allegations of wrongdoing and that “the [Michigan State Police] only uses the [devices] if a search warrant is obtained or if the person possessing the mobile device gives consent, … [and they] are not being used to extract citizens’ personal information during routine traffic stops.” [Source] [Source

US – Federal Authorities Access Facebook Accounts reports that federal investigators in Detroit, MI, obtained search warrants allowing them access to the Facebook accounts of suspected criminals. Investigators were able to view photographs, e-mail addresses, phone numbers, lists of friends and GPS locations to disprove alibis. The practice raises many privacy concerns, including whether information gleaned from social media sites can be authenticated. In addition to Michigan, search warrants for Facebook accounts have been requested in an additional eight U.S. states. Facebook representative Andrew Noyes added, “We never turn over ‘content’ records in response to U.S. legal process unless that process is a search warrant reviewed by a judge.” [Source]


WW – Your iPhone 4 and iPad 3G Are Recording All of Your Movements

Your iPhone 4 or your iPad 3G are recording all of your movements and storing the information in easy-to-access files, two British scientists reveal. Alasdair Allan and Pete Warden stumbled upon the unencrypted data buried inside their iPhones while working on another project. “All iPhones appear to log your location to a file called ‘consolidated. db,” Allan explained in a video he and Warden prepared to answer questions about the discovery. “This contains latitude and longitude coordinated along with a time-stamp. The coordinates aren’t always exact, but they are pretty detailed.” The tracker is embedded inside Apple Inc.’s newest iPhone, the iOS 4, and on the iPad 3G. The data are stored in your devices, as well as on automatic backups when you synchronize them with iTunes. “Apple have (sic) made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movement,” Allan and Warden explained. The good news, said Allan, is that it appears the detailed trail only exists on the owner’s devices and is not stored by Apple. The bad news is that it would be easy to crack the code and recover all the data if an iPhone were lost or compromised. [Source] See also: in 2009, Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his GPS phone data and then folks created a graphic showing his travels

WW – Apple Responds to iPhone Tracking, Privacy Concerns

Apple says it is collecting “anonymous traffic data” for location-based services, not tracking iPhone owners. The company adds it will update the software to log only seven days worth of data, rather than several months. Apple has responded to the revelation that its iPhone and iPad products track their users’ movements across mobile phone networks and WiFi networks around the globe. Two British researchers last week described at a tech conference in California how this tracking data was being stored in an unencrypted file on the phone itself. They also wrote a data visualization program so that any iPhone owner could diagram their data on to an easy-to-understand map. In a statement published to Apple’s website, the company said users were “confused” about what exactly the company was doing with this data. “Apple is not tracking the location of your iPhone,” the statement went on to say the location data that the British pair found was not the precise location of the iPhone itself, “but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone.” The company also explained that it is “collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.” The statement also said the anonymous data it did have was used to help the phone find its location in regions where weak GPS signals could make the process take minutes rather than seconds. By using a log of WiFi networks and cell tower data, Apple noted that it could reduce this location time to “just a few seconds.” However, the US company called the months or years worth of data stored on each phone a “bug we uncovered,” and said that following a software update to be released in the coming weeks, the iPhone and iPad would only store seven days worth of such data and that this data would be encrypted. Requests for comment from the office of Peter Schaar, Germany’s federal data protection commissioner, and CNIL, the French national data protection authority, as well as to the Italian data protection authority, have so far gone unanswered. [Source] See also: [Smartphone privacy threats no surprise to security experts

WW – Apple Filed Patent Application for Tracking Technology

In 2009, Apple filed a patent application for technology to track users through smartphones. Apple has recently been the focus of attention because it was found that iPhones were tracking and storing user location data. Apple had said that it was not tracking users and that a bug was to blame for the retained data. The September 2009 patent application refers to “Location Histories for Location Aware Devices.” [Source] [Source

WW – TomTom Sorry for Giving Customer Driving Data to Cops

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists. The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data. On Wednesday, Europe’s biggest satnav device maker apologized, saying it sold the data believing it would improve traffic safety and reduce bottlenecks. TomTom has said that any information it shares has been anonymized, but customers shouldn’t take such assurances at face value. [Source] See also: [Google Tracks You Too, Internal E-mails Show

US – DOJ Wants Warrantless GPS Tracking Authority

The Justice Department wants the US Supreme Court to overturn an August 2010 lower court ruling that reversed the conviction and sentence of a drug dealer whose vehicle was tracked for a month through GPS without a warrant. DOJ wants the authority to place GPS tracking devices on suspects’ cars without warrants. Three other circuit courts of appeals have said that law enforcement authorities do not need warrants to use the devices, which have become more prevalent in investigations. A 1983 Supreme Court decision allowed the use of a tracking beacon placed on a container without a warrant. The circuit court that overturned the drug dealer’s conviction said that the difference in the cases is that the 1983 case involved tracking someone from one place to another, while the GPS devices provide continuous monitoring and noted that it “illustrates how the sequence of a person’s movements may reveal more that the individual movements of which it is composed.” [Source]

US – Most Mobile Apps Lack Privacy Policies: Study

TRUSTe’s survey of 1,000 smartphone users indicates privacy is a primary concern. The results indicate users are concerned about privacy and want more transparency and control over the collection and use of their personal information as well as choices about advertising and geolocation tracking. “This survey makes it crystal clear that privacy concerns are a huge stumbling block to consumer usage of applications and websites on smartphones,” said TRUSTe President and Executive Chair Fran Maier. Behavioral targeting was also cited as a key concern by respondents, with 85% wanting the chance to opt out of targeted ads. [Source] [Study]


NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source] [Survey: International Disclosures and Overseas Information and Communication Technologies] [Media Release]

Online Privacy 

US – Congressmen Call for Mobile App Privacy Codes

House Bi-Partisan Privacy Caucus Co-Chairmen Edward Markey (D-MA) and Joe Barton (R-TX) have released the responses they’ve received from the nation’s four largest wireless carriers following their requests for information about how the companies collect, store and share customers’ PII. The Wall Street Journal reports that AT&T, Verizon Wireless, Sprint Nextel and T-Mobile have all responded that they seek subscribers’ consent for use of personal data, but “they can’t control how applications developed by third parties use location information that the carriers don’t provide.” Mobile device applications “shouldn’t have free reign over your location data and personally identifiable information. I believe it is time we hold third-party developers accountable,” Barton said. [Source] [Source

WW – Friendster to Erase Early Posts and Old Photos

Long before there was a Facebook, or even a MySpace, there was Friendster, a Web site that gave many people their first taste of the socially networked world to come. Friendster, which started in 2003, has long been eclipsed by younger, more nimble rivals, turning into something of a ghost town. But its current owners told users of plans to change its business strategy – and to wipe out the site’s trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements, known as “testimonials.” That set off a wave of nostalgia among Friendster members, even though most had stopped visiting the site long ago. [The New York Times] See also: [US: Hacked Facebook accounts, stolen photos posted on Sex Sites

US – Suit Seeks Class-Action Status

The Wall Street Journal reports on a lawsuit filed against the social network Myspace that alleges the company violated federal privacy law and its own privacy policy. The suit seeks class-action status. The plaintiffs allege that the company shares users’ personally identifiable information with advertisers despite a statement to the contrary in its privacy policy. The plaintiffs are seeking “$1,000 per person affected” in addition to other unspecified damages. [Source

US – Judge Says PII Loss Sufficient for Suit

A federal judge has allowed a lawsuit filed against a social media application developer for exposing 32 million users’ personally identifiable information (PII). Judge Phyllis Hamilton has allowed four causes of action by RockYou user Alan Claridge in U.S. District Court in the Northern District of California. RockYou wanted the case dismissed, alleging Claridge suffered no harm when his e-mail address and password were exposed. But the judge said that the “plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his personally identifiable information has caused him to lose some ascertainable but unidentified value and/or property right inherent in the PII.” [Source

UK – UK Law Will Require Consent

The United Kingdom’s final plan to implement the amended EU e-Privacy Directive (2009/136/EC) does not deviate from the directive’s requirement that effective consent be obtained from online users in order to place most cookies on their computers, according to the Department for Culture, Media and Sport report released last week. The plan does not use the phrase “opt-in consent,” but it is clear from the rules that it would amend the country’s Privacy in Electronic Communications Regulations to require that such consent be obtained from users. “Organizations running Web sites will need the user’s permission before a cookie can be used,” said Culture Minister Ed Vaizey. [Report]

Other Jurisdictions 

JP – Japan May Hold Individual Employees Liable for Violations of Data Protection Law

As part of an effort to increase penalties for violations of the country’s Personal Information Protection Act, officials in Japan plan to extend liability under that law to individual employees, according to recent reports in The Yomiuri Shimbun and The Japan Times. Currently, a company that violates the law may be fined or ordered to take remedial steps, and the company head may be imprisoned. The law revision would come as part of changes to the legal framework accompanying a proposed national identification number system. [Source]

Privacy (US) 

US – Committee to Hold Hearing on Mobile Phones

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has announced the committee will hold a hearing in May on mobile phone privacy, following announcements that certain smartphones have stored and shared users’ location data, The Hill reports. The announcement comes amid calls for investigations and hearings on such privacy concerns and the filing of lawsuits prompted by reports of mobile device tracking. Rockefeller has called the recent incidents “just the latest in a string of concerns raised in the mobile marketplace,” since it “collects and uses a wide range of personal information–often with inadequate or untimely disclosure.” [Source

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [Source]


US – Unprotected Wi-Fi Network Bring False Accusations of Illegal Activity

A Buffalo, New York man found himself the object of a home raid by federal agents who accused him of downloading child pornography over his wireless network. Only after taking a desktop computer, iPads and iPhones from the home and examining them over a few days did federal agents clear the man of suspicion and pin the crime on a neighbor who had accessed the unprotected Wi-Fi network. The story is not unique; a similar incident occurred in Florida. The stories drive home the importance of home users securing their wireless routers. [Source] [Source] A poll conducted for the Wi-Fi Alliance, the industry group that promotes wireless technology standards, found that among 1,054 Americans age 18 and older, 32% acknowledged trying to access a Wi-Fi network that wasn’t theirs. An estimated 201 million households worldwide use Wi-Fi networks, according to the alliance. The same study, conducted by Wakefield Research, found that 40% said they would be more likely to trust someone with their house key than with their Wi-Fi network password. In Germany, the country’s top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party. The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file sharing network. The user was on vacation when the song was downloaded. [Source

Google Wi-Fi Judge Asks if Packet Sniffing is Spying

The question of whether Google is liable for damages for secretly intercepting data on open Wi-Fi routers across the U.S. is boiling down to the definition of a “radio communication.” That appears to be the legal theory embraced by the Silicon Valley federal judge presiding over nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open Wi-Fi networks from its Street View mapping cars. The cars had been equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But those cars were also capturing the contents of internet packets that were sent over unencrypted Wi-Fi as they drove by, something the company said was an accidental leftover from testing. At the center of the legal flap is whether Google breached the Wiretap Act. The answer is important not only to Google, but to the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business trying to cull customers. Google said it is not illegal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Plaintiffs’ lawyers representing millions of Americans whose internet traffic was sniffed by Google think otherwise, and are seeking unspecified damages. Judge Ware, however, suggested the answer to the far-reaching privacy dilemma lies in an unanswered question. He has asked each side to define “radio communication” as it applies to the Wiretap Act, and wants to know whether home Wi-Fi networks are “radio communications” under the Wiretap Act. In response, Google wrote last week that open Wi-Fi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands — and are “readily accessible” to the general public. Indeed, packet-sniffing software, such as Wireshark and Firesheep, is easily available online. Hence, because unencrypted Wi-Fi signals travel over the radio spectrum, they are not covered by the Wiretap Act, Google responded. “There can be no doubt that the transfer of any sign, signal, writing, images, sound, data, or intelligence of any nature transmitted over the radio spectrum constitutes a ‘radio communication.’ Indeed, there is nothing in the text or legislative history of the Wiretap Act that would exclude any transmission sent over the radio spectrum from the definition of ‘radio communication,’” Google wrote. The plaintiffs’ lawyers countered that the communications in question started on a computer and only briefly were relayed on radio waves “across the living room from the recipient’s router to her laptop.” “The fact that either the first or final few feet of the electronic communication may have gone via wireless transmission [‘Wi-Fi’] does not transform the communication into a ‘radio communication’ broadcast similar to an AM/FM radio or a CB.,” plaintiffs’ lawyer Elizabeth Cabraser wrote. “Nor is there anything in the statute to define ‘radio communications’ as synonymous with anything sent on a radio wave, however briefly and without regard to the entirety of the communication system at use.” Both sides agree, however, that it’s illegal to listen in on cordless phones. [Source]


EU – Austrian Lower House Passes Data Retention Bill

The lower house of the Austrian parliament has passed a measure endorsing the storage of private phone call and e-mail data, and the upper house is expected to soon pass it into law. Data will be stored for six months under the measure, which the European Commission adopted in 2006. The information will be available to investigators and public prosecutors in criminal procedures. A spokesman for an Austrian organization that opposes data retention said he’s “very concerned” and that the “risk is that the data retained will not only be used for finding terrorists…but will be used against normal people.” [Source]

Telecom / TV 

US – Wireless Carriers Reveal Location Privacy Policies

The nation’s top wireless carriers say they all collect personal information, including location data, about subscribers and use much of that information to tailor marketing pitches for more services. In letters responding to lawmakers’ questions, they described varied policies on protecting data and how long they retain location and other sensitive information such as a user’s name, SSN, and address. The queries to the carriers by Reps. Edward Markey (D-Mass). and Joe Barton (R-Tex.) come amid increased scrutiny of privacy on mobile devices and questions about how Apple and Google store data on users’ locations. AT&T said it is in the process of encrypting all sensitive personal information about its users such as credit card numbers, date of birth and specific data on a person’s location. It said it disposes of location-based information within five years. T-Mobile was more vague about its data retention and security program. The company said only that it keep personal information “as long as we have a business need, or as applicable laws, regulations, or government order require.” It did not say whether personal information is encrypted. A spokesman did not immediately respond to a request for comment. [Source

Apple Facing Lawsuit Over Location Tracking Data

Two people have filed a lawsuit against Apple over location tracking data that are stored on iPhones without users’ consent. The suit was filed in the US District Court for the Middle District of Florida. The plaintiffs are seeking an injunction that would require Apple to disable the tracking mechanism. They allege that Apple violated the Computer Fraud and Abuse Act because the company is aware that the majority of users do not pore over the details of user license agreements. In a separate but related story, independent testing shows that the iPhone stores location data even after location services are turned off. [Source] [Source] [Source] [Source] [Source]

US – Colo. Supreme Court Hears Case on Privacy of Ritter’s Calls on Personal Phone

If the Colorado Supreme Court rules former Gov. Bill Ritter doesn’t have to release a list of business calls made on his personal cellphone while in office, it will provide a simple recipe for public officials to conduct government business in secret. “It will send a green light to governments across the state to do what Gov. Ritter did throughout his term . . . keep public business private by paying for their own phone,” lawyer Steven Zansberg told justices. The Denver Post has sought access to Ritter’s cellphone records since 2008, arguing it is the only way for the public to know with whom the governor spoke and when, and that the records should be available under the Colorado Open Records Act. The newspaper has limited its request to calls made during business hours, and agreed that the governor’s office should be allowed to redact information about personal calls. Ritter has acknowledged that he gave up his state-paid BlackBerry in 2008, and that the “vast majority” of calls made on his personal cellphone during his term were related to his work as governor. But his attorneys have argued that because Ritter paid for the phone himself, and the call logs were not made, maintained or kept by him for official business, records of the calls are not public. A district court and the Colorado Court of Appeals sided with Ritter. The Post then appealed to the state’s high court. [Source]

US Government Programs 

US – Sens. Question White House on Oversight Board

Members of congress continue to question the Obama Administration about the dormant Privacy and Civil Liberties Oversight Board. According to, leaders of the Senate Homeland Security and Governmental Affairs Committee last week sent a letter saying, “It is inexcusable that, more than three years after the new board was meant to have begun its work, there is still no functional board at all.” The board was created in 2004 on the recommendation of the 9/11 Commission to oversee the protection of Americans’ privacy and civil liberties in the age of counterterrorism. The Obama Administration nominated two individuals to the five-member board in December. [Source

US – Privacy Advocates Question Proposed Supplemental Passport Form

Quick. Name where your mother was living and working when you were born. List who witnessed your birth. Now, name every residence where you’ve ever lived. And where you’ve worked. Don’t forget to give a list of all your current and former bosses, with a current phone number, if possible. A proposed supplemental form to U.S. passport applications could cause headaches for some and has drawn the ire of privacy advocates. But the U.S. State Department says the information requested on the form are questions that officials already ask when a person may lack proper documents to prove their citizenship when applying for a passport. The proposed form, DS-5513, likely would be given to passport applicants who may have questionable documents or insufficient proof of citizenship in the eyes of the government, said a State Department spokeswoman. Privacy advocate Edward Hasbrouk said the proposed form is too intrusive and “would be reintroducing the same kind of discriminatory practice” of rejecting applicants born to midwives. “Part of the settlement of that lawsuit was that they agreed to not make these kinds of inquiries of people unless there was a provision,” said Hasbrouk, spokesman for The Identity Project, which published a copy of the proposed form online. Obtaining passports became a high-profile issue across the Rio Grande Valley in 2009, when federal authorities began requiring U.S. citizens to show a passport to re-enter the country from Mexico. A flurry of denied and disputed passport applications emerged from many Valley residents who were born by midwives, casting doubt from the government about whether their birth certificates are valid. The American Civil Liberties Union filed a class action lawsuit against the State Department that was settled in June 2009, setting up a review panel for all denied applications requiring officials to list specific reasons for denying the passport application. Officials estimate the form would take about 45 minutes to complete and would be given to about 75,000 passport applicants — about one half of one percent of all applications processed each year. [Source

US – Audit Finds FBI’s Cyber Security Capabilities Not Maximized

According to an audit report from the US Department of Justice inspector general (IG), one-third of 36 agents interviewed lacked the necessary skills to investigate cyber intrusions. The audit examined the FBI’s ability to deal with the threat of national cyber security intrusions and finds major faults in the operations of the NCIJTF – the National Cyber Investigative Joint Task Force. Each of the FBI’s 56 field offices has at least one cyber squad but the report finds fault in the level of skills those field agents have. [Source] [Source] [Redacted report] [Justice

US – Papers Warns of Dangers of Alarmist Cyberthreat Rhetoric

A paper published by researchers at the Mercatus Institute at Virginia’s George Mason University says that the US government’s “alarmist rhetoric” about cyber threats facing the country’s critical infrastructure could result in the enactment of policy based on evidence that may not have a foundation in fact. The researchers, Jerry Brito and Tate Watkins, compared the dangerous possibilities of ill-informed policy to what happened in Iraq – a decision was made to invade the country based on rumors, not hard evidence, that the country’s political regime was connected to the September 11 attacks and that it possessed weapons of mass destruction. Decisions based on faulty information could lead to unnecessary regulation of network, and overspending on cyber security. [Source] [Source]

US Legislation 

US – Maine Passes Health Information Privacy Law

The bill requires a health information exchange (“HIE”) to obtain the consent of a patient prior to collecting, storing or disclosing that patient’s health care information and prohibits a health care practitioner from accessing that information without prior authorization (unless waived by the patient in an emergency); a HIE would be required to provide the patient with a website that permits the patient to view their health care information, identify who has accessed the records, select which records are to be included in the HIE system and which practitioners can access them (a non-electronic means must also be available for viewing health care information). The bill establishes a protocol for notification if a breach of the HIE system occurs and patient information is illegally accessed (requiring notice to both health practitioners and facilities that have access to the system and the affected patients within 60 days of discovering the breach). A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the failure of the patient or the health care practitioner to participate in a HIE system or charged a fee to access the health care information in the HIE system. [Source: LD 1337 - An Act to Ensure Patient Privacy and Control with regard to Health Information Exchanges - 125th Maine State Legislature – Text of Bill | Status Summary]

Workplace Privacy 

JP – Employees May Become Liable Under Law

Japanese officials plan to extend liability to individual employees under the Personal Information Protection Act, reports Hunton & Williams’ Privacy and Information Security Law Blog. The move is part of an effort to increase penalties for violations under Japan’s privacy law framework. Under current law, companies that violate the act can be fined, ordered to take remedial steps and a company head can face imprisonment, according to the report. The legal changes are part of the Japanese government’s planned introduction of a national identification system to help survivors of last month’s earthquake and tsunami. [Source]



01-15 April 2011


CA – Amendments to PIPEDA Enable Pickier Privacy Commissioner Investigations

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate. The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December. Although most of that statute is not yet in force, last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself. Previously, PIPEDA required the Privacy Commissioner to investigate all complaints submitted to her office, regardless of their nature or seriousness, although she had some discretion in not having to prepare a report in all cases. With these new amendments, the Commissioner is no longer required in all circumstances to conduct an investigation in respect of a complaint received. Complaints need not be investigated if the complainant has not exhausted other grievance or review procedures that may be available, if the complaint could be more appropriately dealt with under another Federal or Provincial law, or if the complaint was not filed within a reasonable time after subject matter of the complaint arose. In all cases, complainants must be notified that their complaint will not be investigated. The Commissioner retains the right to reconsider a decision not to investigate a particular complaint, if the complainant is able to provide compelling reasons to investigate. The new powers have long been sought by the Commissioner as a way to better manage the workload of the Office of the Privacy Commissioner, by weeding out complaints whose resolution would be of little public interest or significance, thereby allowing for the focus of resources on issues of a broader systemic nature. The authority to manage the processing of complaints in this way is already afforded to some degree to other tribunals, including the Canadian Human Rights Commission and the Privacy Commissioner for Alberta. Once the investigation of a compliant commences, the new amendments also give the Privacy Commissioner the power to discontinue investigation in certain circumstances. Investigations may be discontinued where:

  • there is insufficient evidence to pursue the complaint
  • the complaint is trivial, frivolous or vexatious or is made in bad faith
  • the organization that was the subject of the complaint has provided a fair and reasonable response
  • the subject matter is already the subject of a report by the Commissioner
  • the complainant has not exhausted other grievance or review procedures that may be available
  • the complaint could be more appropriately dealt with under another Federal or Provincial law
  • the complaint was not filed within a reasonable time after subject matter of the complaint arose
  • the matter is being or has already been addressed via another grievance or review process, or pursuant to a procedure under another Canadian law.

As with a case of declining to investigate, the Commissioner must notify a complainant and organization of the discontinuance of a complaint, giving reasons for the discontinuance. With other tribunals that have the power to decline to investigate complaints, there has understandably been a reluctance to exercise this authority, since doing so denies a complainant a full consideration on the merits of the complaint. As a result, the bar for refusing a complaint has tended to have been set fairly high, with complaints being declined or discontinued only in the clearest and most egregious of circumstances. [Source: Mondaq News]


US – New York State Pursues Delinquent Taxes With Analytics Tool

New York state is among states that are deploying data analytics in the fight to collect delinquent taxes. In 2010, the state’s Department of Taxation and Finance implemented an IBM analytics tool to help recover $83 million in delinquent taxes – an 8% increase from 2009 and double the annual increase from previous years, according to an announcement from the company. IBM said the software inserts an algorithm into the department’s debt case management system. The software determines on a case-by-case basis the best course of action for collecting a delinquent tax given the department’s limited resources, while maximizing the amount of revenue collected. The department then develops an action plan for each case – delinquent or fraudulent taxes – based on the analytics data. The predictive modeling tool used in the IBM Tax Collections Optimizer is like what private-sector companies use for gathering predictive analytics. But the tool’s distinguishing feature is that it factors in budget and resource limitations in its decision-making, Barry said. New York isn’t the only state using analytics for tax collection. For example, last year Hawaii officials announced they had collected more than $100 million within a three-year period through a partnership between the Department of Taxation and CGI Technologies and Solutions. [Source

US – Texas Comptroller: Personal Records of 3 Million People Publicly Posted

The office of the Texas comptroller revealed on Monday that information of 3.5 million people were accessible on a public server for more than a year. The information includes names and mailing addresses, Social Security numbers, and for some people, birth dates and driver’s license numbers. These were inadvertently posted on a public server when three agencies transferred data. The information was not encrypted as required under state law. Moreover, personnel at the comptroller’s office did not follow internal procedures in posting such records. Comptroller Susan Combs said her office began publicly blocking after discovering the oversight on March 31. The state attorney general’s office is investigating what Combs described as a “serious issue.” The comptroller will begin sending notification letters on Wednesday to people with records involved in the security breach. Combs will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state. [Source]

Electronic Records 

WW – Iron Mountain to Shutter Cloud Storage Service

After only two years, Iron Mountain is planning to close its public cloud storage services , having already stopped accepting new customers as of April 1. The company will close its Virtual File Store services, which is targeted at archival of inactive file data and its Archive Service Platform , which allows software vendors to integrate the Iron Mountain API to leverage the company’s cloud architecture. Virtual File Store customers that stay with Iron Mountain will be transferred to a higher-value offering, File System Archiving (FSA) in 2012. The new offering will be a hybrid that leverages policy-based archiving on site and in the cloud with indexing and classification capabilities. Archive Service Platform customers have no migration path and are being terminated or moved to an alternative service provider. Iron Mountain’s announcement makes it the third public cloud infrastructure as a service (IaaS) provider to abandon the market over the past year, Gartner said. The others that have shut down are: Vaultscape, which launched its service in 2009 and closed in 2010, and EMC, which announced Atmos Online in 2009 and took it offline a year later. [Source]


RU – Russian Agency Says it’s Hard to Monitor Citizens Who Use Encrypted Services

The Kremlin will not ban Skype, Gmail and Hotmail, despite a recommendation to do so from the country’s Federal Security Service (FSB) because the services threaten national security. FSB says the services make it challenging to monitor citizens because they use encryption that is difficult to break. [Source] [Source]

EU Developments 

EU – Tech Companies Challenging France’s Data Retention Law

Several large technology companies are reportedly challenging the French government’s requirement that service providers, web mail providers, ecommerce companies and online video and music sites retain information about users for a year. The data they are required to store and to provide the government on demand include user names, passwords, IP addresses, and financial transaction information. The requirement was established by a February 25, 2011 decree that updates the Legal Regime for eCommerce Trust (LCEN). The decree is being challenged by the French Association of Community Internet Services (ASIC), whose members include eBay, Facebook and Google. LCEN says the decree was formulated without consulting the European Commission and that retaining the information poses a greater risk of data security breaches. [Source] [Source] [Source

EU – Annual Big Brother Awards Draw Attention to German Privacy Issues

Data protection and privacy are big topics in Germany today, but they weren’t always. The organizers of the Big Brother Awards like to think they had something to do with that. Late last week, this year’s BigBrotherAwards were handed out to organizations, businesses and individuals deemed to be undermining privacy and data protection using technology and information. The annual awards are bestowed by FoeBuD e.V., a German non-profit activist organization that was first formed in 1987 to protect civil rights and data security. The BigBrotherAwards include categories such as “Workplace,” “Politics” and “Consumer Protection.” This year a negative award was handed out to Facebook under the category of Communications for “systematically poking its nose into people and their relationships, behind the friendly facade of an ostensibly free service,” according to FoeBuD’s description of the award. According to the BigBrotherAwards website, the online social media platform is likened to a gated community “sprawling across the net in which people are monitored every step of the way. It is governed by the whims of a corporation that is earning billions with systematic privacy violations.” Other “winners” included the German auto manufacturer Daimler, for requiring blood tests of its employees, a practice FoeBud compared to vampirism, and Apple’s Munich branch, which the award accused of “taking their customers hostage by way of expensive hardware and subsequently blackmailing them into accepting a questionable privacy policy.” [Source]


US – Limits Sought to Employers’ Use of Credit Reports

Battle lines are being drawn in state capitals over whether workers should be judged by their creditworthiness. In 25 states, 49 proposed bills are being debated. The majority of the bills are aimed at restricting when credit histories can be used in the hiring process, says Heather Morton, analyst at the National Conference of State Legislatures. Economic stress is the main trigger. “Legislators are responding to the impact the recession has had on employment.” There is also concern about fairness, says Beth Givens, director of the non-profit advocacy group Privacy Rights Clearinghouse. “Using a credit report to make a hiring decision is essentially making a value judgment,” says Givens. “The employer is saying, ‘I think you’re an irresponsible and careless person because you have a bad credit report.’” [Source]


EU – Dog DNA Database to Prevent Foul Play

A Spanish town has set up a DNA database to track down owners who allow their dogs to mess in streets and parks without clearing it up. The town council of Hernani in northern Spain approved the introduction of a bylaw that will force owners to register their pet’s DNA for a municipal dog census. Under the scheme, which residents have called “Canine CSI”, deposits in the street will be collected by a team and sent to laboratories at the University of the Basque Country for analysis. Owners of dogs whose DNA matches the samples will be tracked down through the database and will face fines of up to euros 300 (pounds 265). Those who refuse to provide DNA analysis of their dogs face similar fines. But local dog owners were furious at the proposal and set up a Facebook page in protest, arguing that it was “unfair, ineffective and very costly”. The cost of DNA analysis, carried was about euros 45 (pounds 40) and must be borne by the pet owner. [Source]

Horror Stories 

WW – Epsilon Breach Compromises Millions of eMail Addresses

A security breach at US marketing company Epsilon Data Management appears to have compromised millions of email addresses. Epsilon sends email on behalf of more than 2,500 clients. Many of the companies have contacted their customers to notify them of the breach and the possibility that they may receive spam or malicious email that attempts to get them to disclose more sensitive information. Epsilon said the only information taken was names and associated email addresses. Affected companies include American Express, Citibank, The College Board, and BestBuy. [Source] [Source] [Source] [Source] [Source] [Source] [Senator Calls for Investigation Into Epsilon Breach] [Canadian consumers among victims of massive email security breach

US – Epsilon Received Warning of Potential Breach Months Ago

The data breach at Epsilon was likely due to a spear phishing attack, something the company was warned about several months ago. An Epsilon technology partner, Return Path, sent out a warning in November 2010 after an employee fell for a phishing attack, exposing thousands of email addresses to the attackers. Ironically, the type of information stolen during the attack could be used to launch spear phishing attacks against customers of some of the 2,500 companies on whose behalf Epsilon sends out email. [Source] [Source] [Source] See also: [US: Company that services L.L. Bean Visa reports privacy breach

WW – Data Breach Puts Millions of Bloggers at Risk, which hosts millions of blogs using the popular WordPress blogging software, announced that its servers had been breached and that sensitive data was likely taken. “We presume our source code was exposed and copied,” WordPress founder Matt Mullenweg said in a blog posting yesterday. “While much of our code is Open Source, there are sensitive bits of our and our partners’ code.” Mullenweg was unusually candid for a company president disclosing a major data breach. [Source

AU – BP Employee Loses Laptop With Unencrypted Claimant Information

BP’s acknowledgment that an employee lost a laptop containing unencrypted information of 13,000 people who have submitted claims associated with last year’s oil spill has prompted analysts to declare that failing to encrypt sensitive data on portable devices is inexcusable. The information compromised in the BP laptop breach includes names, Social Security numbers (SSNs) and dates of birth. Even a requirement for federal agencies to encrypt sensitive data on portable devices following a breach that compromised the security of records of more than 26 million veterans has not resulted in compliance. [Source

CA – Alberta School Board Loses Memory Stick With Employee Data

The private information of thousands of Edmonton Public School Board employees has been missing for more than three weeks. In a massive privacy breach, a USB memory stick containing information, including resumes and employment records of about 7,000 employees, was lost on March 22. The stick was used by a school board computer technician working in human resources to download the data, but then he lost it. The school board has recently sent out letters to the affected employees, advising them that their private information — possibly including banking data — may have gone astray. Provincial privacy commissioner Frank Work said the school board violated its own policies. “First of all, according to school board policy, you’re not supposed to use an unencrypted stick,” said Work. “They did.” “Second of all … they’re supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long.” Work said he sees a privacy breach like this almost every month. But he said there is no point in penalizing the board financially because it has already spent thousands of taxpayer dollars to sort out the mess. [Source]

Identity Issues 

US – Obama Calls for Secure Online-Identity System

President Barack Obama unveiled an ambitious “National Strategy for Trusted Identities in Cyberspace“ proposal urging the private sector to create a trusted-identity system to boost consumer security in cyberspace. Digital rights groups cautiously welcomed the first-of-its-kind government proposal, calling it a blueprint for increased internet security and privacy. The latest plan, which distances itself from a national ID approach, calls on the private sector to develop methods by which consumers can create a secure, online identification to enable web transactions. The plan envisions replacing today’s reality of generally having to remember passwords for dozens of sites where consumers have already lodged their sensitive data, such as credit card numbers. The government is allotting up to five years for the “standardization of policy and technology” to come together. Implementation of the plan, the government said, “will not occur overnight.” [Source]

Intellectual Property 

NZ – New Zealand Passes Three-Strikes Anti-Piracy Law

Legislators in New Zealand have passed a three-strikes anti-piracy law. Vehemently opposed by members of the country’s Green Party and independent MPs, the Copyright and Infringing File Sharing bill provides for warning illegal filesharers twice; a third infringement would give rights holders the opportunity to bring the offender before a tribunal with the authority to impose fines of up to NZ $15,000 (US $12,000). Subsequent violations could result in a court order suspending the offender’s Internet account. Those opposing the law say that people could have their accounts suspended without sufficient proof of wrongdoing. [Source] [Source]

Internet / WWW 

EU – Microsoft launches StreetView rival in Europe

Microsoft is launching its own version of Google’s StreetView – dubbed Streetside – across Europe. Cars fitted with cameras have begun taking pictures around London and will start mapping major cities on the continent next month. The service is already available in 56 US towns and cities. Microsoft has been keen to avoid the privacy concerns that dogged Google’s service but said that it does plan to gather wi-fi data. Initially, Streetside will be on a smaller scale than Streetview, according to the company’s director of search, Dave Coplin. “We’re not setting out to record every street. We believe it is most valuable in urban centres where people want to find services,” he told BBC News. [Source

WW – Chrome Will Warn Users of Suspicious Downloads

Google plans to add a feature to its Chrome browser to warn users when they are downloading a file that is suspected to contain malware. The feature will rely on Google’s Safe Browsing service; if a user tries to download an EXE file with a URL that appears on the Safe Browsing blacklist, the user will receive a message that reads “This file appears to be malicious. Are you sure you want to continue?” Users will have the option of going ahead and downloading the questionable file if they choose. The new service will be tested with a subset of Chrome users running the dev version of the browser before being incorporated into the stable version of Chrome. [Source] [Source] [Source] [Source

EU – IAB Europe Releases Behavioural Advertising Framework

Google, Microsoft, AOL, Guardian News & Media and The Irish Times are among the companies that have signed up to a new cross-European self-regulatory framework for online behavioural advertising (OBA) that will see ads that target users based on previous internet activity being identified by a special icon. Developed by IAB Europe, the framework aims to improve transparency and consumer control when ads are delivered using OBA. By June 2012, all OBA-based display advertisements on the websites that have signed up to the framework will have an icon indicating that behavioural advertising is being used. If users click on the icon, which is currently being trialled in the UK, they’ll be directed to a company site with more information and they’ll have the ability to turn off OBA ads. They will also have the option of going to a new pan-European website,, which provides further information on OBA in the relevant language and a tool to manage data preferences, including turning off OBA with just a few clicks. According to IAB Europe, the major practical achievement of the framework is that it provides full transparency and control to users without limiting their browsing experience. IAB Europe said that as the obligations of the framework are only binding to signatory companies, it will be complemented by the European Advertising Standards Alliance’s (EASA) Best Practice Recommendations, also released today. According to IAB Europe, these recommendations are designed to “ensure that the entire advertising ecosystem adheres to rules that together guarantee that the value chain delivers the objective of enhanced control and consumer choice”. The companies that have signed up the OBA framework are: 24/7 Real Media, Adconion Media Group, AdGenie, Adnetik, AOL, ARBO Interactive, Audience Science, BBC Worldwide, BlueKai, Cognitive Match, CPX Interactive, Crimtan, Criteo, datvantage, Financial Times, Google, Guardian News & Media, Hi-Media, Independent Digital, Lotame, Media6degrees, Microsoft,, Orange, PRISA, Profero, Sanoma, Specific Media, Struq, tectonic, The Irish Times, Tribal Fusion, Telegraph Media Group, United Internet Media, ValueClick Media, Vibrant Media, Weborama, Yahoo and Yell. A copy of the framework and FAQs is available here. [Source]

Law Enforcement 

US – Cameras Read License Plates, Helping City’s Police

The Manhattan’s Police Department’s growing web of license-plate-reading cameras has been transforming investigative work. Though the imaging technology was conceived primarily as a counterterrorism tool, the cameras’ presence has aided in all sorts of traditional criminal investigations. The latest example came last month with the arrest of Marat Mikhaylich, a suspect in 9 bank robberies in New York and New Jersey. Even though the FBI had identified Mr. Mikhaylich through surveillance photos, he had managed to avoid arrest — until he added car theft to his criminal history. One or more of the NYPD’s security cameras detected the stolen car’s license plates and directed federal agents to a block in Queens. The next morning, Mr. Mikhaylich was arrested there, as he was stopped at a traffic light. There are 238 license plate readers in use in New York City, said Paul J. Browne, the Police Department’s chief spokesman. Of those, 130 are mobile. They are mounted on the back of police cars assigned to patrol duties across the city’s five boroughs and to specialized units like the highway and counterterrorism divisions. The remaining 108 cameras are set up at fixed posts at city bridges and tunnels and above thoroughfares. Yet the strategy for the use of the license plate readers has raised questions about whether they represent a system for tracking driving patterns, said Donna Lieberman, the executive director of the New York Civil Liberties Union. She said it was hard to tell whether interest in “effective and efficient law enforcement” was being balanced with the “values of privacy and freedom.” “We don’t know how much information is being recorded and kept, for how long, and by which cameras,” Ms. Lieberman said. “It’s one thing to have information about cars that are stopped for suspicious activity, but it’s something else to basically maintain a permanent database of where particular cars go when there is nothing happening that is wrong and there is no basis for suspicion.” When it comes to car thefts, the value of the cameras seems clear, Mr. Browne said. In 2005, the year before the first license plate readers were put in place, there were 17,855 reports of stolen cars in the city, according to police statistics. Last year, there were 10,334, the statistics showed. [The New York Times 

CA – Body Upholds Order that Officer Resign

The Ontario Civilian Police Commission ruled Wednesday that a disciplinary tribunal was right to order Ottawa police Const. Harinderpal “Bob” Mamak “to resign within seven days” or be dismissed. In doing so, the OCPC upheld a July 29, 2010, decision by hearing officer Terence Kelly. In September 2009, Mamak was found guilty of insubordination and breach of confidence under the Police Services Act. The charges were laid by the professional standards section of the Ottawa police in December 2007, in relation to Mamak’s unlawful use of the Canadian Police Information Centre, a federal database of suspicious and stolen vehicles and bicycles. Mamak can appeal the decision before the Ontario Divisional Court. Ottawa police said he remains suspended from duty with pay. [Source

US – States Address Privacy Risks of Digital Copiers and Electronic Waste

On April 1, 2011, a New York law went in effect requiring retailers of certain electronic equipment to institute electronic waste collection programs and to provide information to consumers on how to “destroy all data on any electronic waste, either through physical destruction of the hard drive or through data wiping.” Manufacturers of devices that have hard drives capable of storing personal information or other confidential data must include instructions describing how consumers can destroy such data before recycling or disposing of the devices, and businesses that sell products with hard drives must inform customers at the point of sale where the data destruction information can be located. In addition, five other states are considering legislation to address the privacy risks associated with digital photocopiers that may store personal information on their hard drives.

  • Connecticut would require businesses that lease digital copiers to ensure that all data is erased from the machine’s memory when the lease expires.
  • Florida would require financial institutions to implement security polices to identify copiers under their control and ensure that the hard drives on the copiers are erased before returning any leased copiers to a lessor or selling the copiers.
  • Nevada would require any business or data collector that owns or possesses a copier, fax machine or multifunction device (collectively, “digital office equipment”) that uses a data storage device to ensure that any personal information stored on such digital office equipment is either (1) encrypted or (2) physically or technologically destroyed before giving up ownership, physical custody or control of the digital office equipment.
  • New Jersey would require businesses to destroy personal information stored on digital copiers before disposing of the machines.
  • Oregon would require sellers and distributors of copy machines to remove, erase or destroy and personal information in a data storage device on the machines.

These bills reflect an enhanced focus on the privacy risks associated with digital office equipment. Last year, the FTC was investigating this issue after an exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information. The FTC eventually produced a report entitled “Copier Data Security: A Guide for Businesses” that offers businesses tips for securing data stored on digital copiers. [Hunton & Williams LLP, Security Law Blog]


CA – Abbotsford, Victoria Join Other Cities With Online Crime Maps

Police departments in Abbotsford and Victoria are following the example of several major Canadian cities and launching online crime maps. But while they are useful for police and the public to track clusters of auto theft or break and enters, one Vancouver homicide expert doesn’t believe they’ll have a significant impact on reducing crime. On Friday, the Abbotsford Police Department added a new crime-map feature to its website, And one day earlier the Victoria Police Department launched its own crime-map site at The system costs about $150 per month. Both maps employ CrimeReports software. Vancouver and West Vancouver, as well as other cities in Canada including Calgary, already use crime maps, databases that allow police to enter crime files, plot the type of call on a map and later analyze the data to identify criminals. Police agencies hope that posting the information online will encourage people to report crime, because they will be more aware of what is happening in their neighbourhoods. Neil Boyd, a professor at SFU’s school of criminology, said there is no way to know how well the databases are working, but he doesn’t believe they’ll have an immediate impact on reducing crime. He said the online maps could cause crime displacement, where criminals become aware that an area is being monitored by police and move elsewhere, but he added that it’s unlikely a criminal will use the maps. [Source]

Online Privacy 

EU – Court: Google Must Guarantee Anonymity of Street View Faces, License Plates

A Swiss court has ruled that Google must guarantee anonymity before publishing faces and license plates captured in Switzerland for the popular street view service. The Federal Administrative Court largely sided with Switzerland’s data protection commissioner who claimed that Google was breaching citizens’ right to personal privacy, according to the ruling published Monday. Google said it was disappointed by the verdict and is considering an appeal to the Swiss supreme court. The Bern-based court said Google needs to ensure that all faces and vehicle license plates are blurred before uploading pictures to the service that provides panoramic views from various positions along the world’s streets. It also ordered the company obscure other identifying features, such as skin colour and clothing, from people photographed in the vicinity of “sensitive establishments,” such as women’s shelters, retirement homes, prisons, schools, courts and hospitals. Google’s right to pursue its commercial interests does not outweigh Swiss privacy laws, the court said in an explanatory note. [Source

US – Free Pandora App Shares User Data

Online music service Pandora has acknowledged being served with a subpoena demanding documents related to information sharing practices. The subpoena appears to be connected to a federal grand jury investigation into information sharing practices of apps that run on Apple and Android mobile platforms. A report recently found that a Pandora smartphone app shares user information with advertisers. The shared data include age, gender, geographic location, birth date and device ID. [Source] [Source] [Source

WW – World’s First Personal Lifestyle Database System Released

The lifecentral group announced the immediate availability of the world’s first lifestyle database yesterday. The system allows any Internet user to reveal previously undiscoverable correlations between his or her activities, meals, moods, medications, and more. Lifecentral, available at, provides users with an easy-to-use and intuitive interface for entering data about every aspect of their lives. In just five minutes per day, a user can enter everything he or she has done, eaten, felt, and taken during that day. After a sufficient amount of data has been entered, users can then produce reports to examine correlations between aspects of their lives that they had previously been unable to discover. These correlations are often more precise than the generalized advice offered by medical professionals that is not tailored to a person’s unique physiology. Accounts at lifecentral are free to any user over 13 years of age. Users may choose to keep their data private on secure servers, to share data with selected friends, or to make their data available to the world. lifecentral does not mandate the entry of personally identifiable information, so users may elect to track data anonymously. lifecentral will never reveal individual, nonaggregate data to anyone. Data is available to export to external software such as Microsoft Excel if users wish to generate reports that are not available on the lifecentral site. [Source

CA – Ontario Teachers Advised Not to ‘Friend’ their Students Online

The Ontario College of Teachers released a report outlining appropriate online conduct for educators. While the report acknowledges that social media plays an increasingly important role in young students’ lives, it cautions teachers against using it to communicate with their students. It also reminds teachers that anything they publish online – despite their privacy settings – could eventually be viewed by their employer or students. Teachers are advised to:

  • Communicate electronically with students at appropriate times of the day, but if it would be too late to call them at home, don’t send an email either.
  • Use “established education platforms,” creating websites and profiles intended for class use only.
  • Notify parents of any decision to use social media platforms in the classroom, and consider giving them access to the sites.
  • Maintain a formal, courteous professional tone at all times, across all platforms.
  • Remove any “inappropriate content” that either they or others post to private accounts and assume that anything posted online can be accessed and altered.

Teachers are cautioned against:

  • Exchanging private texts, phone numbers, personal e-mail addresses with students.
  • Accepting students’ “friend” requests, or issuing “friend” requests to students.
  • Enabling any students to post to teachers’ social media accounts.
  • Creating an alter ego. (Courts can compel disclosure of your true identity, the report advises, so be transparent and authentic.)
  • Divulging student information
  • Criticizing students, colleagues and superiors and making “impulsive, inappropriate or heated comments.” [Source]


Other Jurisdictions 

AU – Right to Sue if Online Privacy Violated: New Law Recommended

A Senate Committee Report into the online privacy of Australians using the internet recommends giving all Australians a legislated right to online privacy, something which does not presently exist, Committee Chair Senator Mary Jo Fisher said. “This would mean a person could take legal action if his or her online privacy were seriously invaded,” Senator Fisher said. “The Report also recommends allowing an individual online user to dictate the amount of personal data that a web service provider can collect and use to target them with advertisements, through a ‘Do Not Track’ model,” she said. “The Committee recommends increasing the scope for the Office of the Privacy Commissioner to handle complaints about the use of online privacy consent forms. [Source

IN – Indonesian Lawmaker Resigns After Being Caught Watching Porn in Parliament

An Indonesian lawmaker who helped pass a tough anti-pornography law resigned Monday after he got caught watching sexually explicit videos on his computer during a parliamentary debate. The scandal has transfixed this predominantly Muslim nation since a local photojournalist filmed Arifinto, a member of the staunchly Islamic Prosperous Justice Party, gazing at the downloaded porn sites. [Source

MX – Update on Mexico’s New Privacy Law: No Immediate Enforcement

Mexico’s data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country’s new data protection law begin taking effect in July, the head of the DPA, the Instituto Deral De Acceso a la Información Pública (IFAI), said March 10 at a conference. As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said. [Source

NZ – Juror Privacy to be Tightened

Legislation that will enhance the privacy, safety and security of jurors has been introduced to the New Zealand Parliament. Justice Minister Simon Power said the Juries Amendment Bill included a provision to remove the addresses of potential jurors from jury panel lists. The move comes after convicted murderer George Baker wrote to a juror whose name he saw on a list while he was representing himself in a trial. Currently, a jury list must contain the name, occupation, date of birth and full address of potential jurors. Since 2008, self-represented defendants have been prohibited from keeping a copy of the jury list or taking notes, but they can inspect it under supervision. In addition, where there is a real risk that an accused may intimidate jurors, the prosecutor can apply for a judge-alone trial. Mr Power said those changes were made to protect the privacy of jurors, but the Baker incident highlighted the need to further restrict access to the information. The proposed changes in the bill will:

  • remove the addresses of potential jurors from jury lists;
  • allow the prosecution, defence lawyer, or the court-appointed adviser to defendants representing themselves to have automatic access to all address information on request;
  • prevent the accused from ever seeing potential jurors’ addresses by prohibiting the defence lawyer or court-appointed adviser from showing the addresses to the accused;
  • extend the section of the Juries Act which makes it clear that misconduct in relation to jury lists may be treated as contempt of court to include the act of showing the accused, or any other person, jurors’ addresses; and
  • bar people from serving on a jury if they have, in the previous five years, been sentenced to home detention for three months or more. This puts them in the same category as those sentenced to a short term of imprisonment. [Source]


Privacy (US) 

US – US Judge Trying to Determine if Google Breached Wiretap Law

A federal judge presiding over combined lawsuits against Google over its inadvertent collection of packets sent over unprotected wireless networks is trying to decide if Google breached the Wiretap Act. US District Judge James Ware is seeking a definition of “radio communication” under the Wiretap Act to determine whether or not home Wi-Fi networks fall under this purview. Google says they do, while the plaintiffs’ legal team says that the data were only sent over radio waves while traveling between a home router and a laptop. Both parties agree that eavesdropping on cordless phones is illegal. [Source

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Google must undergo privacy reviews for next 20 years] [Source] [Source] [Source] [Source

US – Infra-Red Camera Scheme Put On Hold Over Privacy Concerns

A project in Boston designed to educate home owners about energy efficiency has been put on hold due to privacy concerns. The city was due to have a number of infrared cameras installed that would take aerial and street-level photos across approximately four miles in order to show heat loss in homes during the winter months. Boston officials planned on sharing the photos and analysis with home owners and were hoping the findings would increase enrolment in efficiency programs and also create business opportunities. The cameras were similar to the van-mounted cameras that take street view photos for Google maps and were built by researchers at the Massachusetts Institute of Technology. Besides just helping the average consumer, it was thought the technology offered by a company called Sagewell, could benefit larger groups, businesses and cities that want to save energy and money. Officials had planned to scan every building this way. But the project has been put on hold after the ACLU of Massachusetts raised concerns that the infra-red cameras would reveal information about what is going on inside the homes as they can take up to 20,000 images of homes per day. [Source]


EU – EU Commission, Firms Sign Privacy Deal On Smart Tags

The European Commission signed a voluntary agreement with companies that make or use smart tags, establishing privacy guidelines over the rapidly growing use of the identification chips. The new voluntary rules, to take effect before the end of the year, require companies to conduct a privacy risk assessment before putting a smart tag product on the market. About 1 billion smart tags – also called radio frequency identification devices or RFIDs – are expected to be used in Europe this year. The number of smart tags used worldwide is predicted to rise to 50 billion by 2020 from an estimated 2.8 billion this year, according to industry forecasts. Risk assessments would have to take into account the possible damage from personal data falling into the wrong hands, as well as suggest steps to prevent or mitigate any impact. [Source

US – ‘Ready Lane’ Opening at Peace Arch Crossing

It soon should be easier for motorists with an enhanced driver license to pass through Peace Arch border crossing into Canada at Blaine. U.S. Customs and Border Protection opens a “ready lane” next week to expedite travelers with radio frequency identification (RFID) documents. In addition to the Washington enhanced driver license, they include the NEXUS card, new permanent resident card and U.S. passport card. Customs and Border Protection spokesman Thomas Schreiber says the ready lane should be 10-to-15 seconds faster per car, which can make a big difference over time in a line of traffic. The agency is demonstrating the ready lane Thursday. It goes into operation next week. [Source]


US – SEC Fines Three for Failing to Protect Customer Data

The US Securities and Exchange Commission (SEC) has fined former employees of broker-dealer GunnAllen Financial for failing to adequately protect customer data. The company was liquidated in November 2010; the SEC maintains that GunnAllen former president Frederick O. Kraus and former national sales manager David C. Levine broke privacy rules when Kraus authorized Levine to take information about 16,000 clients with him to his new job; the data were transferred on a thumb drive. Kraus and Levine were fined US $20,000 each. Former chief compliance officer Mark A. Ellis was fined US $15,000 for failing “to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information.” The case is the first in which people have been fined solely for violating the SEC’s Safeguard Rule, or Regulation S-P, which requires financial advisers and institutions under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties. [Source] [Source

US – FBI, DoJ Act to Block International Botnet

The Justice Department and FBI have taken what they characterize as the most complete and comprehensive action ever by American authorities to disable an international botnet known as Coreflood, which is believed to have been operating for nearly a decade and infected more than 2 million computers worldwide. The U.S. attorney in Connecticut filed a civil complaint against 13 John Doe defendants, alleging that they engaged in wire fraud, bank fraud and illegal interception of electronic communications. Authorities also seized five command and control servers that remotely controlled hundreds of thousands of infected computers as well as 29 domain names used by the Coreflood botnet to communicate with the control and command servers. The government said it replaced the illegal servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. The government also obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the United States to stop the Coreflood software from running, which they contend would prevent further harm to hundreds of thousands of unsuspecting users of infected computers. Authorities said Coreflood records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account. [Source]


US – Requests for Stored Communication Data Not Reported

While US law requires reporting of requests to intercept communications data in real-time, no such requirement exists for requests for stored communications data. Christopher Soghoian, in his research article “The Law Enforcement Surveillance Reporting Gap,” says that law enforcement agencies have made tens of thousands of requests for stored data from companies like Facebook and AOL. Not only is it easier for law enforcement to get their hands on the information once it has become stored communication, but it is considerably less expensive, too. At one US service provider, wiretaps can run into the thousands of dollars, while account information is provided for US $40. [Source] [Source] [Read full article

CA – B.C. Transit Tests Security Cameras on Victoria Buses

B.C. Transit is using Victoria as a testing ground for security cameras on its buses. Closed circuit television cameras have been installed on three vehicles as part of a year-long trial. In addition to monitoring security, they will also record traffic incidents. Information gathered will help charter policy on the use of security cameras in B.C. Transit properties throughout the province, said Transit spokeswoman Joanna Linsangan. “It won’t just impact Victoria itself but also province-wide,” she said. The trial will show how well the system performs, where cameras can be best placed and how they affect operations. It will also identify any support or infrastructure needs. “Every camera has audio,” said Stephen Anderson, B.C. Transit senior manager corporate safety and security. “We can isolate audio from every camera and understand what happened — what communications happened between the driver and the member of the public during and after an incident.” Notices on each bus inform passengers of the video surveillance. Information is stored on a hard drive for one week before being over-written. It will only be accessed if an incident is reported, Anderson said. The Information and Privacy Commissioner’s Office has been consulted on the plan. [Source]

Telecom / TV 

US – Justice Department Opposes Digital Privacy Reforms

The U.S. Justice Department has offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans’ privacy. James Baker, the associate deputy attorney general, warned that rewriting the 1986 Electronic Communications Privacy Act, or ECPA, privacy law to grant cloud computing users more privacy protections and to require court approval before tracking Americans’ cell phones would hinder police investigations. This appears the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform. The Digital Due Process coalition hopes to simplify the wording while requiring police to obtain a search warrant to access private communications and the locations of mobile devices–which is not always the case today. A group of conservative and libertarian groups sent a letter to Leahy and Grassley urging them to move “immediately” to “extend the Fourth Amendment’s protections against the unreasonable search and seizure of digital documents and other electronic information.” It was signed by groups including TechFreedom, the Competitive Enterprise Institute, FreedomWorks, and the Liberty Coalition. “The current standards are messy, inconsistent, and unclear,” says Julian Sanchez, a research fellow at the libertarian Cato Institute, which is not part of either group. “I think DOJ has realized is that this is largely severable from the question of whether you…establish consistency in favor of uniformly protecting privacy–or uniformly permitting easier government access.” Baker, the associate deputy attorney general, also offered two suggestions: that any ECPA rewrite might include “the disclosure by service providers of customer information for commercial purposes,” and that the practice of telecommunications companies charging fees for the time it takes to process routine police requests should be curbed. The second suggestion, Sanchez suggested, might end up being used by the Justice Department as a bargaining chip “to splinter the telecom-civil libertarian coalition.” As for the first suggestion, Marc Rotenberg, director of the Electronic Privacy Information Center, said his group never joined the Digital Due Process coalition because it was “unwilling to address that issue which, we believe, for users is straightforward and obvious.” “ECPA amendments should cover commercial use of user data,” Rotenberg said. [Source]

US Government Programs 

US – Appeals Court Upholds Warrantless Laptop Border Searches

A 2-1 decision from the 9th US Circuit Court of Appeals says that US government authorities may seize digital devices at US borders without warrants and keep them for days while searching their contents. The case in question involves a man whose laptops and camera contained child pornography images. ICE agents seized the devices and transported them 170 miles to be searched. [Source] [Source] [6,500 warrantless searches since 2008].

US Legislation 

US – Sens. Kerry, McCain Introduce Online ‘Privacy Bill of Rights’

Sens. John Kerry and John McCain have teamed up to introduce a bill that would provide Internet users with a commercial privacy bill of rights. The Commercial Privacy Bill of Rights Act of 2011 is intended to create a framework to protect the personal information of all Americans. Customers should have the right to security and accountability, the right to know how their information is being used, and right to have the smallest amount of data collected about them as possible, the senators said. Kerry, a Massachusetts Democrat, said in a statement, that “Our bill makes fair information practices the rules of the road, gives Americans the assurance that their personal information is secure, and allows our information driven economy to continue to thrive in today’s global market.” McCain, an Arizona Republican, said the bill allows companies to continue marketing and advertising to consumers, but “does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing.” Specifically, the bill states that:

  • Collectors of information must implement security measures to protect the information they collect and maintain.
  • Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection.
  • Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time.

Companies must provide users with the ability to opt-out of data collection unauthorized by the bill and opt-in to the collection of personally identifiable information. This requires a “robust and clear notice” about data collection, and the ability of users to access and correct their information. The bill would be enforceable by state attorneys general and the FTC, though not at the same time. It also bans private rights of action. The FTC would also be able to approve nongovernmental organizations to oversee safe harbor programs that would have “the ability to be exempt from some requirements of the bill.” The Department of Commerce can weigh in on these exemptions, which it will submit to the FTC. The bill comes several weeks after the Obama administration gave its seal of approval to a “consumer privacy bill of rights” intended to allow consumers to avoid unwanted online tracking or data collection. Microsoft, HP, Intel, and eBay released a joint statement in support of Kerry and McCain’s bill. The Center for Democracy & Technology said the bill “contains many strong elements.” [Source

US – Critics Say Proposed Online Privacy Law Does Not Go Far Enough

US lawmakers have proposed legislation that would allow Internet users the right to demand that their online activity not be tracked. The Commercial Privacy Bill of Rights, sponsored by Senators John Kerry (D-Massachusetts) and John McCain (R-Arizona), requires that consumers deliberately opt out of tracking practices through links on websites, drawing criticism from some groups who say the proposed law does not go far enough. Some critics would like to have a universal opt-out capability so consumers do not have to perform the cumbersome task of opting out on every site they visit. The bill does require that websites provide clear information about their data collection practices and that the organizations collect only as much information as necessary to conduct transactions or render services. The bill does not apply to data mining, surveillance or other actions used by governments to collect personal data. Local, state and federal law enforcement agencies are exempt, as are government agencies. [Source] [Source] [Source] [Bill]

Workplace Privacy 

CA – Good News For Employers: Right to Manage Sets Limits on Employee Privacy

Three arbitration decisions have been released that support an employer’s right to manage the safety, security and efficiency of its operations through the introduction of policies relating to workplace technology, periodic police record checks, and cell phone records checks, even though these may affect employee privacy rights. 

  • In the 2010 decision of International Union of Elevator Constructors, Local 1 v. Otis Canada Inc. [2010] B.C.C.A.A.A. No. 121 (QL), Arbitrator John Steeves ruled that telematic devices in its company vehicles did not violate employee privacy rights. Otis Canada Inc. had installed devices in its cars that used satellite technology to provide information about the start, stop and idle time of each vehicle, along with the name of the employee driving the vehicle. The information was available to managers and was used to evaluate fuel efficiency, determine if regular maintenance was being done, and whether there was any unauthorized use of the vehicle (the company had a strict policy prohibiting personal use of company vehicles). The devices did not have GPS technology, so they could not provide detailed information about the location of the cars. The union representing the employees filed a policy grievance alleging that the employer was collecting personal information (the employee’s location) through the telematic devices, and thereby violating the collective agreement and British Columbia’s Personal Information Protection Act (PIPA). The employer argued that the information being collected was related to its business, and therefore did not constitute “personal information” under PIPA. Further, if the information was “personal information,” then both the collection and the use were reasonable. The grievance was dismissed. Arbitrator Steeves found that the devices were used to record the working time of employees and that this formed part of the company’s general management rights to know what its employees are doing when they are working and when they are using company vehicles. He also found that the only personal information being collected was the employee’s name, and that this did not violate PIPA. There was the potential to use the information to investigate and discipline an employee, but the data being collected by the devices itself did not meet the definition of “personal information,” and therefore there was no violation of employee privacy in the circumstances. 
  • A second policy grievance relating to employee privacy rights was dismissed by Arbitrator Wayne Moore in Vancouver Firefighters’ Union, Local 18 v. Vancouver (City) [2010] B.C.C.A.A.A. No. 81 (QL). In this case, the union grieved a policy introduced by the City of Vancouver requiring those employees in its Fire & Rescue Services Department who held “designated positions of trust” to submit to police record checks every five years. These positions were identified primarily as those that have ongoing or significant relationships with vulnerable people or where the main duties involve protecting the security of people and/or material assets. Employees who failed to comply with the policy ran the risk of being disciplined or discharged. The union did not object to the employer’s practice of requiring police record checks at the time of hire, but argued that the ongoing requirement to disclose information about an employee’s police record, and the requirement that record checks be provided at five-year intervals, breached employee’s statutory and common law rights to privacy and exceeded the employer’s management rights under the collective agreement. The employer asserted that the policy was in furtherance of its legitimate interest in providing safe and effective services to the public. Arbitrator Wayne Moore upheld the policy with slight modifications. He noted that it was necessary for the employer to determine the suitability of employees, considering its interests in protecting the safety of the public and the security of the public’s property, as well as in ensuring the integrity of its operations and employees. In reaching his decision, Arbitrator Moore noted that in light of the need to maintain public trust and the integrity of its operations, the employer should not have to wait for complaints of misconduct before ensuring that the employees who hold designated positions are appropriate for the job. In his decision, Arbitrator Moore noted that this was not a blanket requirement of a criminal record check on all employees, but was limited to particular employees who had some degree of choice in deciding whether to apply for designated positions.
  • The third decision in this employer-friendly trilogy is that in the case of Teamsters Canada Rail Conference v. Canadian Pacific Railway Company (Case No. 3900, Canadian Railway Office of Arbitration & Dispute Resolution). After a number of serious collisions in the railway industry in North America, the Canadian Pacific Railway Company adopted a policy of asking employees to provide copies of their personal wireless telephone records as a routine part of investigations where a significant accident or incident remained otherwise unexplained. In the policy grievance that ensued, the union argued that the company’s request was unreasonably intrusive and violated employee privacy rights, and pointed to a decision by the Privacy Commissioner of Canada in which it was held that telephone records are “personal information” within the meaning of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). After emphasizing the highly safety-sensitive nature of railway operations in Canada, Arbitrator Michel Picher dismissed the grievance and found that the company’s policy was compliant with the requirements of PIPEDA. In his decision, he noted that given the particular nature of railway operations, “There must be an inevitable balancing of interests between the privacy rights of employees and the interests of a railway employer to ensure safe operations.” In addition, Arbitrator Picher was influenced by the fact that the infringement was very narrow and that the company was not seeking any information beyond whether a cell phone had been used in close proximity to a railway accident. There was no attempt to go “behind the privacy” into the contents of any wireless communication. This finding is comparable to the Otis Canada Inc. finding; in that case, the information from the telematic devices only collected the name of the mechanic/driver and no other information personal to the individual, so it was found to be a narrow infringement on privacy. 

Key Points for Employers:

  • Employers have a right to ensure the efficient, safe and secure operation of their business. In some circumstances, the exercise of management rights will permit a reasonable intrusion upon employee privacy.
  • The implementation of technology, policies or practices that permit employers to collect, use and disclose personal information should be as narrow as possible in the circumstances, and should focus on legitimate interests such as ensuring the safe and effective operation of the business.
  • In order to minimize the likelihood of a successful complaint or grievance as a result of the introduction of new technology or policies in the workplace, consider providing notice of the changes and informing employees of the objectives behind implementing the technology or policy. [Source: Mondaq news

IS – Israel Monitoring Employees Email Severely Restricted

In a 91 page opinion, the National Labor Court laid down a clear set of rules on employers right to monitor their employees email messages. The rules impose severe restrictions on that right and employers should consider reforming their workplace policies accordingly. The issue that was brought before the court was whether an employer may access employees email messages and submit them as evidence in the course of court proceedings brought by the employee against the employer. Typically, the employer wishes to present evidence obtained from the employee’s email account, in an effort to dismiss the employee’s claim for unlawful termination. However, a “Fruit of the poisonous tree” evidential rule under the Privacy Protection Act, prohibits submission of evidence obtained through invasion to privacy. Chief Judge Nili Arad delivered the National Labor Court’s opinion on two appeals from District Labor Courts that reached inconsistent decisions related to the employers’ rights in that respect. The court laid down the following principles:

  • In light of the employer’s proprietary interest in the workplace and managerial prerogative, the employer should set a balanced policy for use of the corporate IT and email systems. The employer must bring the policy to the attention of the employees and must incorporate the policy into their personal employment contracts.
  • A clear line should be drawn between an email account allocated by the employer to an employee and an employee private email account, such as a webmail account.
  • An employer may allocate accounts to employees and designate them for work related purposes only (‘professional purpose accounts’), or for personal purposes as well (‘dual purpose accounts’), or for the employer’s personal purpose only (‘personal purpose account’).
  • If the employer makes the employees aware of the e-mail monitoring policy, then the employer may monitor the traffic data and contents of professional purpose accounts. However, if an employee uses the mailbox for personal e-mail exchange, even if in violation of the corporate policy, then the employer may access the personal messages in that account only subject to the employee’s explicit, informative and freely given consent and only if the contents of such personal messages are unlawful or abusive.
  • The employer may monitor and access personal messages in dual purpose and personal accounts, subject to the following terms: (1) There are unusual circumstances that justify access to the messages; (2) The employer first uses less invasive tools that reveal the monitored employee’s misconduct; (3) The employee gives explicit, informative and freely given consent to the corporate policy and specifically to the monitoring of or access to his personal (not work related) messages; (4) The employee provides specific consent to each access by the employer to the contents of personal messages in a dual purpose account, or specific consent for any surveillance activity by the employer which include access to a personal account, and to personal content in such account.
  • An employer may not monitor or access an employee private email account, even if the employee uses the workplace IT system to access the account and even if the employee consented to such access. An employee’s private account may be accessed only subject to an appropriate court order, that courts grant on rare occasions.
  • Based on the above laid down principles, the court granted the employees’ motion to suppress the evidence in both cases, because the employers obtained the evidence while unlawfully invading the privacy of their employees.

Employers should carefully study the opinion and make all necessary adjustments to comply with its requirements. Specific attention should be given to the corporate policies, employment contracts, adequate consent processes and to harmonizing the corporate information security system and policies with a new pro-privacy workplace environment. [Source]


16-31 March 2011


EU – NL Court Upholds Passport Fingerprint Demand

The Hague city council is within its rights to refuse to issue a passport to a woman who refused to give her fingerprints, a court has ruled. The court backed the council because fingerprints are required by law. The woman refused to comply because they will be stored in a database and used to track criminals. The woman argued this infringed her right to privacy and her human rights. In February, the Volkskrant reported a majority of MPs oppose plans to store fingerprint details from new biometric passports in a central data bank which will be accessible to police. The plan has already been attacked by lawyers and privacy experts. Even the security service AIVD warned that the data bank would be vulnerable to hackers and identity theft. [Source

EU – EDPS Issues Opinion on Turbine (TrUsted Revocable Biometric IdeNtitiEs) Project

The European Data Protection Supervisor finds that the Turbine biometrics project is implementing “privacy by design” as a key principle in its research (e.g. by complying with the data protection legislation in Norway and Italy for both the proprietary and public databases used, and by notifying the data protection authorities in Germany and Greece for the “real-life” scenario demonstrations that were conducted); the implementation of 2 features, irreversibility and revocability of biometric identification, were acceptable privacy compliant solutions (e.g. they met the Regulation 45/2001 requirements of legitimate, not excessive, and relevant collection and accuracy). A list of 10 best practices in the context of the use of biometric data was developed (e.g. user control over biometric data by default, credential check, deletion of samples and original templates, and fall back procedures). Volunteers provided written consent for the collection of their biometric data; those involved in the enrollment process were provided with training that emphasised the important of data protection both prior to and during the enrollment phase. [Source

CA – OPC Issues Paper on Biometrics and the Challenges to Privacy

The privacy challenges of biometrics include covert collection (e.g. gathering images of people’s eyes from a distance), cross-matching (e.g. collecting a fingerprint for one purpose and using it for a different purpose without the person’s knowledge and consent), and secondary information (e.g. iris images used for authentication can divulge health information). Organisations looking to deploy a biometric system should do the following – build privacy solutions into all stages of the lifecycle of the initiative, conduct a privacy impact assessment, and administer a 4-part test of necessity (e.g. what specific problem is being solved), effectiveness (e.g. some biometrics may not be counted on for identification because they are neither permanent nor unique), proportionality (e.g. the loss of privacy may not be appropriate if the benefit is minor and some biometrics are more privacy-sensitive than others), and alternatives (e.g. some forms of authentication that do not collect biometrics may work for certain tasks). Privacy principles to be considered are recording just the summary information of biometric data (e.g. using biometric encryption, cancellable biometrics or biometric tokens), verification rather than identification (e.g. a “one-to-one” match versus a “one-to-many” match), and using local storage (e.g. individual computers systems or smart cards) rather than centralized storage. [Data At Your Fingertips: Biometrics and the Challenges to Privacy

EU – Wolverton: ‘Eye Tracking’ May Be Coming to Your Computer

A Swedish company has unveiled a new system to track what users are viewing on a computer screen based on eye movement. Though eye-tracking technology has existed for some time now, it has primarily been used for academic and market research, for example, and has required people to wear special equipment. Tobii Technology plans to build eye-tracking—which beams low levels of infrared light into the user’s eye to work in tandem with sensors to track the reflection of the light and gauge a user’s point of focus—to the average computer. Still at the prototype development stage, the mainstream system is expected within a few years. [Source


CA – Air-Travel Bill Flies in Senate

An air-travel security bill that critics initially slammed as an infringement on passenger privacy and a surrendering of Canadian authority to the U.S. Department of Homeland Security has passed third reading in the Senate, winning support for an amended version of the legislation from both Conservative and Liberal members. The passage of Bill C-42 means personal information about Canadian passengers travelling to the U.S. or through U.S. airspace -including name, gender and birthdate —can now be shared with American authorities to determine whether any individual poses a threat to U.S. national security. Conservative Sen. Michael MacDonald said during a recent debate that the bill “will allow Canadian air carriers to comply with the law of another country —a law which, I might add, all nations, including the United States and Canada, are perfectly within their rights to implement.” Liberal Sen. Wilfred Moore said that while the bill initially sparked “great concerns” among Liberals, subsequent amendments to limit the use of passenger information and how long it will be kept by U.S. authorities have allayed such worries. [Source

CA – Court Says There’s No Tort of Invasion of Privacy in Ontario

The Ontario Superior Court of Justice has released a decision in Jones v. Tsige, 2011 ONSC 1475, which states, clearly and without ambiguity that there is no free-standing tort of invasion of privacy in Ontario. The facts involve a claim against an employee of a bank who reviewed the plaintiff’s confidential banking records on at least 174 occasions. Whitaker J. canvassed a number of authorities, including the well-known case of Somwar v MacDonalds, but concluded that there is no such tort. The Court notes that the plaintiff had a remedy under PIPEDA. [Source] [Source] [Decision

CA – OIPC BC Investigation Report F11-01 – British Columbia Lottery Corporation

The Commissioner determines that the BCLC security breach (individuals able to view the personal information (‘PI”) of other customers when they logged into the online platform) was not one that it could have reasonably prevented. An investigation into the online gaming platform revealed data collection issues (BCLC collected PI from potential customers to verify identity and sensitive registration information once the account is created which is transmitted unencrypted), information systems security policy deficiency (the policy had not been formally reviewed since 2005), policy training inadequacy (the individuals who attended the sessions were not formally tracked and a number had not attended training), access control problems (a small number of users’ accounts were found on the production systems where those users who no longer required access), no patch management (no patches since the environment was frozen in 2010 during the launch of casino games) and inadequate third party contracts (these do not require the service providers to adhere to BCLC security policies and procedures, including privacy requirements). BCLC took steps to resolve security issues. [Press Release] [Investigation Report

CA – Powers and Functions of the Ombudsman in PIPEDA: An Effectiveness Study

In this research document commissioned by the Office of the Privacy Commissioner of Canada, the authors recommend (1) extending the limits of the Ombuds Model to small and medium businesses – the current model does not appear to be well suited to the small and medium business sector where compliance rates are lower and where the risks to personal information is greater, and (2) granting limited order-making powers – compliance levels with PIPEDA remain too low, and the risk that consumers face with their personal information in the hands of small and medium sized businesses is too high, however, the OPC at this point does not need broad and intrusive powers, such as cessation orders. [Source

CA – OPC Tables Report on Privacy Implications of Street-Level Imaging Applications

The Canadian Federal Privacy Commissioner has tabled a study before the Report of the Standing Committee on Access to Information, Privacy and Ethics: Recommendations for technological innovators are to implement “privacy by design” into the development of new products and consult with the Privacy Commissioner to ensure privacy rights are protected; privacy protection needs to be a core consideration at the development stage, and two companies that deployed street-level imaging technology are moving in the right direction by appointing a Director of Privacy, mandating privacy training for employees and incorporating audits for projects under development. The Privacy Commissioner has made recommendations regarding street-level imaging technology including notifying citizens in advance that images are being taken and why, blurring faces and license plates to anonymize individuals (this technology needs to be improved), effective and quick take-down processes (so individuals can have their images removed), and not retaining raw data indefinitely (one company agreed to delete unblurred imagery after one year). [Report

CA – CAPAPA Appoints New Board Members

CAPAPA (Canadian Association of Professional Access and Privacy Administrators) Canada’s leading association of privacy and access professionals, has announced the appointment of four new directors to its Board. The CAPAPA Board of Directors now includes Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa; Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship and Immigration Canada; Lawyer, consultant and author Michael Power; and Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc. CAPAPA is now represented by a most distinguished group of Directors, from British Columbia to Newfoundland and Labrador:

1.       Robert Doherty, Privacy lawyer and consultant

2.       Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship & Immigration Canada

3.       Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc.

4.       Eric Lawton, Senior Privacy Specialist, Risk Management & Information Security, City of Toronto and Director of Professional Certification, CAPAPA

5.       George Michelau, Assistant Director of Education, Labrador School Board

6.       Sharon Polsky, President, Amina Corporation and National Chair, CAPAPA

7.       Michael Power, LL.B., Barrister and Solicitor

8.       Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa [Source]


US – Research: Users Read Labels, Not Policies

Kashmir Hill writes in Forbes about the work of a team of Carnegie Mellon researchers to come up with a new format for informing Internet users about their privacy. Quoting recent comments by Lawrence Strickling of the Department of Commerce that privacy policies that are “lengthy, dense and legalistic…do not appear to be effective in informing consumers of their online privacy choices,” Hill examines the researchers’ “nutrition label” approach to online privacy. Citing a 2009 study, the researchers “found that people demonstrated a better grasp of a company’s treatment of their data based on a ‘privacy label’ than a text version of a privacy policy,” the report states. [Source] [Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach]


CA – Federal Government Launches Pilot Open Data Portal

The Government of Canada has launched a one-stop shop for federal government datasets, which might inspire provinces to join the open data space. But the licence agreement may present obstacles for individuals, businesses and organizations. The GC Open Data Portal, available at, launched as a 12-month pilot project that promises a catalogue of over 260,000 datasets from 10 federal departments. The government plans to increase the number of datasets and the number of participating departments over the 12-month pilot phase, according to a Treasury Board press release. “The GC Open Data Portal is a catalogue of federal government datasets that are available for users, developers and data suppliers to find, evaluate, access, visualize and reuse federal government data,” states the online FAQ. The catalogue can be searched with keywords or browsed by categories. The data is available free of charge to the public for commercial and non-commercial use, under certain licensing conditions. Section 3 of the licence agreement prohibits the use of data for identifying individuals, businesses and organizations. “That whole clause is unprecedented … it can’t be found anywhere on other open data portals and I think it pretty much renders a lot of the data useless,” said Public policy entrepreneur and open government activist David Eaves. Eaves’ other concerns are two clauses in Section 4, which stipulate attribution notices. The government is also encouraging feedback from the public, noted Eaves. This provides an opportunity for developers, for example, to let the government know what data sets they want added to the catalogue, what formats are frustrating to work with and which datasets aren’t updated often enough. The 10 departments participating in the pilot phase include: Agriculture and Agri-Food Canada, Citizenship and Immigration Canada, Environment Canada, Department of Finance Canada, Fisheries and Oceans Canada, Library and Archives Canada, Natural Resources Canada, Statistics Canada, Transport Canada and the Treasury Board Secretariat. [Source

US – 2 years Open Records Order, Agencies Still Use Baffling Delays and Denials

One government agency is still trying to find correspondence for a political reporter between federal officials there and prospective presidential candidates — from the 2008 election. Another censored 194 pages of internal e-mails about President Barack Obama’s new rules on open government. Another agreed to hand over records of travel expenses then changed its mind and refused to turn them over. Two years after Obama pledged to reverse the Bush administration’s penchant for secrecy and comply more closely with the U.S. Freedom of Information Act, The Associated Press grapples with many of the same frustrating roadblocks and head-scratching inconsistencies. Exasperating delays and denials also affect ordinary citizens, researchers and businesses, and they frustrate the administration’s goal to be the most transparent in history. [Source]


WW – Google Make Ads Relevant by “Learning” on Gmail – Concerns For Privacy?

Google will begin trying out a new intelligent ad system which “reads” from your emails, learning from your messaging habits and interests to generate useful ad content, special offers and deals local to the individual Gmail-er. The plan is currently in effect, starting this month on a small scale, and Google plan to take this worldwide within a short space of time. Gmail users will receive a prompt informing them of the change, which is made without a choice, but the possibility to opt out of the new “personalised” ads will be available in the account settings. It’s likely many people will indeed choose to opt out for concern of privacy. However, Google do claim the ads will be generated from an automated system and no human eyes will be privy to your personal emails. Google also say no third-party advertiser will receive private information. [Source] Se also: [Spam Volume Drops by One-Third Following Rustock Takedown]

Electronic Records 

CA – Manitoba Launches E-Health Records

The Government of Manitoba has officially launched the first phase of its new e-health record system at seven health centres and hospitals across the province. The initial rollout of the eChart Manitoba system gives doctors the ability to view demographic, immunization and drug information. It also gives physicians access to select lab results. Over the next 18 months, up to 30 sites will be phased into the project with a second phase of eChart expected to go live before the end of 2011. With that update, doctors will be able to get access to diagnostic imaging reports, allergy information and more lab data sources will be added. The second phase will also allow doctors already running approved e-health software to integrate with eChart. [Source] See also: [FTC: Medical Identity Theft - FAQs for Health Care Providers and Health Plans]


WW – Fraudulent Certificates Issued for Major Websites

Nine valid but fraudulent certificates have been issued for major Internet sites – including Google mail, Microsoft Live, and Yahoo – raising the possibility of undetectable phishing, man-in-the-middle and drive-by download attacks, multiple advisories stated. The secure sockets layer (SSL) certificates, issued by root certificate authority Comodo, allow the attackers to sign fraudulent sites and content. The certificates were issued because of a compromise at a registration authority (RA) using stolen log-in credentials for one of Comodo’s European partners, according to the company’s report on the incident. [Source] Comodo has revoked the stolen certificates. [Internet Storm Center] [Internet Storm Center] [eWeek] [CNET]Update: [Comodo Says Two More Registration Authorities Were Compromised] [Iranian hacker claims he acted alone in stealing digital SSL certificates

WW – Twitter Offers Automatic Secure Connection Option

Twitter now offers users the option of always connecting to with HTTPS, which encrypts communication between the users’ computers and Twitter’s servers and helps prevent attackers from stealing sensitive data. Before the change, users who wanted to connect to Twitter securely had to enter HTTPS manually in the browser bar, but now they can configure their accounts so they are automatically connected with HTTPS. It is an especially good idea for people who access their twitter accounts over unsecured wireless connections. Twitter’s mobile website still requires users to manually enter HTTPS. Twitter hopes eventually to make HTTPS the default setting. [Source] [Source] [Source] [Source] [Source]

EU Developments 

EU – Reding Outlines Data Privacy Plans for Companies in Europe

European information society and media commissioner Viviane Reding has warned companies operating in the EU that they will face court action if they break forthcoming European data laws. Reding, who is currently preparing the new laws, warned that the EU would not hesitate to take action against non-EU companies that broke local laws on data collection and retention. “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers,” she said. She explained that EU law would be based on four central principles. Firstly, citizens had to have a “right to be forgotten”, to opt out of data collection and for those companies collecting it to prove a need to store the information. Second, companies will have to be transparent on what data they are collecting and with whom it is shared. This was particularly important for young people on social networking sites she said. “The third pillar is ‘privacy by default’. Privacy settings often require considerable operational effort in order to be put in place,” she said. Finally, these laws must protect all EU citizens no matter where they are in the world. For example, third-party telecommunications companies would be bound by them whenever they processed data from an EU account. The other area that needs attention is law enforcement. Reding proposed that these same rules should apply to law enforcement organisations that were seeking to access commercial data as part of ongoing investigations. Legislative proposals on the new data protection rules would be released this summer, she said. [Source] See also: [EU Consultation document] [Google, Internet Companies Face Too Many Privacy Rules, U.S. Official Says] [Wall Street Journal: US, EU Seek To Guard Personal Data Exchanged During Crime, Terror Efforts]

UK – UK Responds to Call for Evidence on the Data Protection Legislative Framework

Responses to the call for evidence included confusion regarding whether anonymous data, IP addresses, and energy consumption are classified as personal data (“PD”); advancements in technology have led to uncertainties about whether certain data should be treated as sensitive PD (e.g. biometric information that could reveal race or health condition). Most respondents took compliance with subject access requests (“SARs”) seriously (e.g. through the use of “in-house specialists”, ensuring SARs were dealt with in a timely manner and keeping a log of SAR complaints); much of the organisational burden dealing with SARs relates to locating the information requested, the expense of redacting the relevant information from multiple audio, video and digital data sources, and the legislative requirement to retain PD for a specific period. Many data controllers thought that mandatory data breach notification would lead to “notification fatigue” (e.g. when data subjects no longer take notice of data breaches due to the volume of notifications); respondents had difficulty in quantifying mandatory breach notification costs, citing that it would depend on the type of breach and number of different costs (e.g. drafting and sending of notices, using data protection experts and establishing help lines). Many respondents would like to see clearer guidance from the ICO regarding consent in relation to certain disciplines (e.g. employment and medicine); it is generally thought that data subjects do not read fair processing notices in detail (e.g. they are too long and difficult to understand), which should use simple, plain language and be placed at the top of form. [Source

EU – French Regulator Fines Google Over Street View Data Collection

France’s National Commission for Information Freedom (CNIL) has fined Google 100,000 Euros (US $142,000) for the company’s inadvertent collection of personal data from unprotected Wi-Fi networks. (Google collected the data while gathering information for its Street View maps feature.) CNIL called Google’s activity an “unfair collection” of data and maintains that Google benefitted financially from the information it collected. [Source] [Source] [Source] [Source]

EU – German Court Rules Google Street View is Legal

Perhaps no Google product has spawned a better blend of quirkiness and scandal than Google Street View–cameras pranked with staged sword battles, naked men emerging from car trunks, unsavory snapshots of dead bodies, and the ire of multiple governments, primarily in Europe, who believe that it’s an invasion of privacy. But in one of those countries, Germany, Google Street View has had a victory of sorts. A Berlin court has ruled, according to Deutsche Welle, that it’s legal for Google to take the street-level pictures, striking down a lawsuit brought on by a German woman who sued Google over Street View and cited privacy and property rights. The case is complicated, because the woman who sued did so out of the possibility that her privacy might be invaded–e.g. if Google Street View happened to take photos of the front of her house, and that the camera on top of the Google Street View vehicle would see over the hedge in front of it. So the decision’s scope may be limited, and subsequently may not be evoked as frequently in property rights cases. The German lawsuit is certainly not the most bizarre one that Google Street View has produced: Last year, a Japanese woman sued Google and claimed that Street View had exposed her underwear drying on a clothesline, something which she then said caused her to lose her job. [Source]

EU – German Government Budgets 10 Million EUR to Set Up Data Protection Foundation

Federal DPA Issues Concept Paper: On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”); among its tasks, the Foundation will test products and services for data protection compliance, educate citizens to help improve “self” data protection, conduct research activities, and establish a data protection seal. [Hunton & Willams LLP

EU – Czech Court Bans Telephone Data Retention

The Czech Republic’s Constitutional Court has overturned parts of a law that force telephone operators to retain data on telephone calls and Internet traffic. The court said the practice is unconstitutional. It says the provisions ordering data on all calls, faxes, text messages and e-mail exchanges to be retained for six months enabled a “massive” invasion into citizens’ rights and were not in line with the rule of law. Fifty-one lawmakers of Parliament appealed to the court to overturn the law, which was passed as part of anti-terrorism efforts. Germany’s Federal Constitution Court issued a similar ruling last year. The law stems from an European Union directive. [Source]

Facts & Stats 

US – OMB Report on Federal Agency FISMA Compliance

According to the Fiscal Year 2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, cyber attacks against federal networks increased 40% in 2010. Agencies reported nearly 42,000 cyber incidents in 2010; in 2009, 30,000 incidents were reported. The report from the Office of Management and Budget (OMB) details agency compliance with Federal Information Security Management Act (FISMA) mandates. The report notes that agencies are beginning to deploy real-time scanners to monitor anomalies. The report says that 66% of IT assets at major federal agencies have automated surveillance tools. Most of the agencies are not using smart cards for system access, despite it being a requirement. As of October 1, 2011, agencies that have not installed electronic ID card readers on facilities and systems will have funds for other projects denied. [Source] [Report]


WW – Google Claims Chinese Government is Interfering with Gmail

Google says that Chinese authorities are interfering with its Gmail service. Gmail users are reporting difficulty using the webmail service in that country. Google says the interference appears to have been designed to make it look like the problems are in Google’s own systems, but the company has conducted thorough checks and found no problems on its side. [Source] [Source

WW – Facebook Traffic on AT&T Servers Detoured Through China

Internet traffic from AT&T servers bound for Facebook detoured through servers in China and South Korea, according to researcher Barrett Lyon. Lyon discovered the traffic’s path using traceroute. In his blog, Lyon calls the detour a routing mistake, and notes that the incident raises a number of questions, including whether the events constitute a privacy breach, whether Facebook should have notified users that their information was being sent over a network that might not be trustworthy, and whether Facebook should enable SSL by default on all accounts. [Source] [Source]


US – FTC Issues Annual Report 2011 on the Fair Debt Collection Practices Act

Complaints to the FTC against debt collectors increased in 2010 – categories of complaints include harassing the alleged debtors (i.e. repeated calls, using obscene language, calling at inconvenient times, and threatening violence), failing to send the required consumer notice (consumers were not made aware of the requirement for any disputes of their debt to be made in writing), failing to identify themselves as a debt collector (creating a false or misleading impression for consumers), revealing the alleged debt to third parties (either repeatedly calling employers, relatives, etc. or illegally disclosing the debt to them), impermissible calls to a consumer’s place of employment (such calls cannot be made if the collector knows or has reason to know the employer prohibits such calls), and failing to verify disputed debts (ignoring written disputes of a debt or failing to send a written verification of the debt). In 2010, the largest civil monetary penalty was obtained against a debt collector for $2.8 million (for misrepresenting that the collector was a law firm, would bring civil action or criminal prosecution against consumers, and non-payment would result in garnishment of wages or seizure of property); in 2011, the Consumer Financial Protection Bureau will enforce the Fair Debt Collections Practices Act concurrently with the FTC, and will have the authority to prescribe rules and collect complaints. [Source

WW – Payments by Cell Phones: Swiping Is the Easy Part

The cellphone has been more than a cellphone for years, but soon it could take on an entirely new role – standing in for all of the credit and debit cards crammed into wallets. Instead of swiping a plastic card at the checkout counter, consumers would merely wave their phones. There’s just one hitch: While the technology is already being installed in millions of phones – and is used overseas – wide adoption of the so-called mobile wallets is being slowed by a major behind-the-scenes battle among corporate giants. Mobile phone carriers, banks, credit card issuers, payment networks and technology companies are all vying to control these wallets. But first, they need to sort out what role each will play and how each will get paid. The stakes are enormous because small, hidden fees that are generated every time consumers swipe their cards add up to tens of billions of dollars annually in the United States alone. “It all comes down to who gets paid and who makes money,” said Drew Sievers, chief executive of mFoundry, which makes mobile payment software for merchants and banks. “You have banks competing with carriers competing with Apple and Google, and it’s pretty much a goat rodeo until someone sorts it out.” Consumer advocates, meanwhile, said they were concerned that a mobile system would bring higher fees and questioned whether consumers even want a new system. “Is it possible to make a system that’s too easy to use, where you reduce so much friction from the transaction process that people aren’t necessarily aware of what they’re spending on something?” asked Jan Chipchase, executive creative director at the design firm Frog Design, who studies mobile payments. [The New York Times]


CA – Ratepayers Win on Freedom of Information Request

Persistence has paid off for the Centre Hastings Ratepayers Association (CHRA). The CHRA made a freedom of information request more than a year ago with the Information and Privacy Commissioner of Ontario for the information contained in monthly spending vouchers of the Municipality of Centre Hastings. According to CHRA member Wendell White, “the association’s position was that monthly voucher information is public information” and some information on the voucher was being “blacked out” so it was unreadable. The privacy commissioner recently ruled in favour of the CHRA, ordering the municipality to “disclose to the appellant all of the responsive information contained in the voucher reports for the period from April 2009 to December 2010 by providing him with a copy by March 4, 2011” excluding any information pertaining to employee salaries or wages. As part of the ruling, CHRA will also be waived the $60 voucher fee because of its not-for-profit status. “It’s certainly recognition for the ratepayers, taxpayers — anybody,” White said of the decision. “It shows that you can’t just withhold information because you wish to.” [Source

US – DHS Document Review Process Blasted

The review process on releasing potentially sensitive government files from the Homeland Security Department to the public was onerous and overly political, a key official in the process had complained in a series of e-mails in late 2009. Chief Privacy Officer Mary Ellen Callahan, who was appointed by Homeland Security Secretary Janet Napolitano, said she wanted to change the process, according to uncensored e-mails newly obtained by the Associated Press. In the e-mails, she warned that the Homeland Security Department might be sued over delays the political reviews were causing, and she hinted that a reporter might find out about the process. The reviews are the subject of a congressional hearing later this week and an ongoing inquiry by the department’s inspector general. [Source]


UK – Police Hit Delete on DNA Profiles

DNA records will no longer be kept on innocent people questioned over routine crimes in England and Wales, the government has said. It will still keep samples of those questioned in connection with terrorist offences. The move is a major change in Government policy and will result in a massive reduction in the number of innocent people whose DNA is held by police. The move comes two years after the European Court of Human Rights (ECHR) called the policy for England and Wales an unfair interference with subjects’ rights to privacy. It forms part of the Government’s Freedoms Bill, a law that seeks to reform the way that records on individuals are kept and used, among other things. The Bill will reduce the number of people who will have to undergo criminal records checks; reform the law on investigations into individuals; reduce stop-and-search powers; and reduce the allowed period of pre-charge detention to 14 days. The Bill orders the destruction of DNA material in most cases where a person is not charged or convicted of a crime. For those whose samples were taken while detained under the Terrorism Act they must not be immediately destroyed, though. They can be kept for three years, or indefinitely in the case of people who have already committed a serious crime. Samples taken from people in the investigation of other serious offences and from people who have been previously convicted of serious offences can also be retained, some for three years and some indefinitely, the Bill said. The Bill also contains provisions reforming the use of technology for surveillance, including CCTV systems and automatic number plate recognition (ANPR) systems. The Government said that the Bill would rebalance the relationship between the state and individuals. [Source]

Health / Medical 

US – Army: To Reduce Suicides, Share Mental Health Info

Army officials say knowing more about soldiers’ mental health will help to prevent suicides, the rates of which doubled after 2004. But that thinking is troubling to some who say army access to mental health records may deter soldiers from seeking help if they feel their privacy is being violated. Though HIPAA protects health information, exceptions exist, such as when a patient might cause harm to himself or another. The army encourages doctors to report if a “high-risk” solider misses a counseling session, for example, and has begun to require a list of soldiers’ medical appointments. It’s unclear what other behavior might allow the sharing of private therapy information, said a HIPAA officer at Duquesne University. [Source]

Horror Stories 

US – Big Breach at NYC Hospitals

New York City Health & Hospitals Corp. is notifying 1.7 million patients, staff, employees of vendors and others who received services at two hospitals and two clinics during the past 20 years that some of their protected health information has been breached. Computer backup tapes were stolen from the truck of a contractor on Dec. 23, according to a HHC statement and letter of notification to affected patients. Types of protected information on the tapes included name, address, telephone number, Social Security number, medical records, insurance details, diagnosis and treatment information, and birth, admission and discharge dates. “The data in the stolen files is not readily accessible without highly specialized technical expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused,” according to the HHC statement. [Source] See also: [US: Health record privacy violation haunts VA workers] See also: [Nine-Year Sentence for Breaking Into Medical Center Computers

EU – Ireland Telecoms Firms Guilty of Data Breach

Leading telecommunications companies Vodafone, 02, Eircom and UPC have been prosecuted for spamming customers with unsolicited text messages and phone calls in breach of the Data Protection Acts. The four companies pleaded guilty to a list of charges related to making unsolicited sales calls and sending text messages for direct marketing purposes without the consent of the recipients. The cases were brought before the Dublin District Court by the Data Protection Commissioner on foot of complaints by consumers who were subjected to repeated cold calls and unwanted messages after they had expressly asked not to be contacted for marketing purposes. [Source

US – BP Employee Loses Laptop Containing Data on 13,000 Oil Spill Claimants

The personal information of 13,000 individuals who had filed compensation claims with BP after last year’s disastrous oil spill may have been potentially compromised after a laptop containing the data was lost by a BP employee. The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident. A spokesman is quoted as saying that BP waited nearly a month to notify victims of the breach because it was doing “due diligence and investigating.” BP said the missing laptop is equipped with a security capability that allows security administrators to remotely disable the computer “under certain circumstances.” However the company offered no further details on what those circumstances might be or whether it has actually disabled the system so far. “Because this investigation and search for the missing laptop is ongoing, we are unable to provide additional detail that might jeopardize our investigation efforts,” the company said. BP has sent written notices to victims informing them about the potential compromise of their personal information and to offer them free credit monitoring services, the statement noted. The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops, and mobile storage devices.[Source] [Source] See also: [Medical records found in Regina recycling bin] and also: [TripAdvisor says email list of members stolen

US – Restaurant Group to Pay $110,000 to Settle Allegations of Poor Security Practices

The Briar Group LLC, which runs a number of restaurants in the Boston area, has agreed to pay US $110,000 to settle allegations that it did not take adequate precautions to protect customers’ personal information and placed at risk of compromise information on tens of thousands of payment cards. The Briar Group was the target of a data security breach in April 2009; malware that had been surreptitiously placed on the company’s computer systems was not removed until December 2009. The Massachusetts attorney general filed a lawsuit as a result. According to the lawsuit, the Briar Group did not change default usernames and passwords on its point-of-sale computer system; did not have adequate security for its wireless network; and accepted credit card information from customers after learning of the breach. [Source] [Source

UK – University of York Launches Personal Data Leak Probe

Personal details of 17,000 York students and residents have been accidentally leaked online. Students’ addresses, phone numbers and even A-level results were published on the University of York website. Dates of birth, phone numbers and the phone numbers and addresses of emergency contacts were also made freely accessible. The university has apologised and has informed the Information Commissioner, which has the power to fine organisations up to £500,000. Gus Hosein, of campaign group Privacy International, said: “That’s the largest breach I have heard of in the UK. “There could be a significant fine now the Commissioner has fining powers. “It’s appalling. If the university cannot secure the information it should not be collecting it.” [Source]

Identity Issues 

US – U.S. Military Using Fake Online IDs in ‘Sock Puppet’ Operation

U.S. Central Command has launched its first online “sock puppet” operation to plant hundreds of fake identities across social-media sites in the Middle East. The $2.7 million contract for “commercially available software” from Ntrepid Corporation in California, awarded in August 2010, gives U.S. Central Command 50 user licences, with 10 fake identities per user, 50 static IP address management licences, and “virtual private servers,” the contract said. “These are for overseas acts,” U.S. Central Command Cmdr Bill Speaks told the Star on Friday. “They are not directed at domestic U.S. audiences and not in English.” The “sock puppets,” a term for fake online identities, will operate at the MacDill Air Force Base in Florida, where U.S. Central Command operates, and in Kabul, Afghanistan, and Baghdad, Iraq. The cyber double agents will use social media and other websites, but “not Facebook or Twitter,” said Speaks. “This is not for use on U.S.-based websites. They are American companies.” Each of the fake personas uses the Ntrepid software to create “cyber presences that are technically, culturally and geographically consistent,” each with their own background, history, supporting details and “real-time local information” to fool their new-found online friends. One person could be pulling the strings on 10 “sock puppets” at one time “from the same workstation and without fear of being discovered by sophisticated adversaries,” the contract said. Rotating the IP (Internet Protocol) addresses daily should help shield them from discovery. “This traffic blending provides excellent cover and powerful deniability,” the contract says. The software also creates an online history for them so that over time the picture is fleshed out. Speaks wouldn’t say where the sock puppetmasters will be, but he did say this is the first time U.S. Central Command has launched this kind of operation. [Source] See also: [Cloud Girlfriend: Start-Up Offers Fake Relationships for Facebookers

WW – RSA Deeply Penetrated; Says SecurID Information Stolen

An “extremely sophisticated cyber attack against RSA” may have compromised the security of RSA SecurID two-factor authentication products. In an attack preliminarily identified as an Advanced Persistent Threat, digital information relating to SecurID tokens was stolen from RSA systems. The company is contacting customers to let them know of the breach and to offer suggestions for “strengthen[ing] their SecurID implementations.” Forty million SecurID tokens have been deployed; they are often used to conduct financial transactions and at government agencies. [Source] [Source] [Source] [Source] [Source] [Source] [The letter to customers from RSA ] [SecurID Customers Advised to Prepare for Worst Case] [RSA BREACH: Data storage maker’s anti-hacking division hacked]

WW – Children the Target for ID Theft

Identity thieves are targeting children when picking victims, MSNBC reports. That’s according to a report published by Carnegie Mellon University fellow Richard Power, who examined 40,000 children’s profiles using data from identity monitoring company Debix. Power found that, of those profiles, 10 percent had identities that were “tainted in some way,” including 500 children with names attached to mortgages or foreclosures and 415 with driver’s licenses. The report is the first real attempt to quantify the problem of children’s identity theft, Power said. The child ID theft expert at the Federal Trade Commission said the results are “informative, giving us the best insight available into the potential scope and nature of the problem.” [Source] [Report: “Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers“ ] 

WW – How Your Username May Betray You

By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture the users. “These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.” Those who have more unique usernames are more vulnerable. “The other 50% of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person. [Source]

Intellectual Property 

WW – McAfee Study Says Thieves Targeting Corporate Data

According to a study from McAfee, cyber thieves are increasingly targeting intellectual property. Some attackers are specializing in stealing data from corporate computer systems. In particular, information thieves seem to be looking for trade secrets, research and development reports, marketing plans and source code. The report also noted that many companies are not taking adequate measures to protect information and are not going public with news of data security breaches. Of the companies that reported experiencing a data security breach, just half said they had taken steps to improve cyber security. [Source] [Source]

Internet / WWW 

WW – EU and US Working Together on Web Regulation

Intensive meetings in recent months between Internet regulators from Washington and Brussels point to the fact that both the US and Europe are narrowing the gap in their approach to regulating the Web. Till recently officials on both the sides differed in their policy towards privacy on the Web. While Europe wants strict measures to protect individuals, the policy of the US has been to hold companies responsible for matters concerning privacy. However, after officials from both sides met again in Brussels last week, the gap seems to be narrowing, according to Reuters. EU justice commissioner Viviane Reding said, “Until recently there was a common belief that our approaches on privacy differed so much that it would be difficult to work together. This can no longer be argued.” Regulators on both sides say they have moved closer to a common position following US President Barack Obama’s endorsement this month of a “privacy bill of rights.” [Source

US – NIST Issues Guidelines on Security and Privacy in Public Cloud Computing

Key security and privacy issues include – trust (e.g. lack of visibility into cloud providers’ security, difficulty assessing and managing risk in cloud services, and insider threats now include cloud provider staff), architecture (e.g. traffic over virtual networks may not be visible to security devices, cloud providers hold significant amounts of ancillary data), identity and access management (e.g. attacks can manipulate validation mechanisms), software isolation (virtual machines may be large and difficult to analyze and improve security), governance (individuals may bypass an organization’s normal process for acquiring computational resources), and compliance (lack of information about location makes it difficult to ascertain if legal requirements are met); recommendations include incorporating mechanisms into the contract that allow visibility into cloud provider security controls, understand the cloud provider’s underlying technologies, virtualization and software isolation techniques used, and the laws that potentially impact cloud computing initiatives, duplicate physical network protection capabilities on the virtual network, ensure adequate safeguards are in place to secure authentication, and cover cloud computing environments in policies, procedures and standards used for application development and service provisioning. Public cloud outsourcing activities include planning (specify security and privacy requirements, assess risks, and evaluate the cloud provider’s ability to meet security and privacy levels stipulated), initiating (establish contractual obligations and assess cloud provider performance) and concluding (reaffirm contractual obligations, eliminate physical and electronic access rights, and recover organizational resources and data). [NIST - Draft Special Publication 800-144

WW – Top 11 Privacy Trends for 2011 – Ernst & Young

Privacy trends include governance, risk and compliance (“GRC”) tools (organizations can benefit from using GRCs by continuously monitoring their privacy program and asking GRC vendors for updated modules to help monitor risk and compliance), privacy by design (ensures that privacy professionals play an integral part in the consideration of the business developments that may impact both employee and customer personal information), hiring privacy professionals (requiring specific certification for professionals in marketing, IT, internal audit, compliance and legal), cloud computing (organizations should manage third-party reporting capabilities, review what business processes and personal information are needed before a move can be made to a cloud, assess what levels of protection and control they require and clarify retention periods and the ability of other parties to access the data for market research or other secondary activities), social networking (recruiters should have policies about how to use social networks to mine for information on candidates and should communicate those intentions when candidates are interviewed and organizations should be transparent about expectations of employees’ behavior on social networking sites and any monitoring practices and should bring together compliance and HR groups to discuss policies regarding personal information on social media sites of employees and job candidates), and use of mobile devices (organizations may apply technical controls that provide visibility such as requiring a download of a load set before allowing a personal device to connect to the firm’s network and should communicate what information is being monitored, how it is being monitored and the consequences for not adhering to mobile device policies). [Source]

Law Enforcement 

US – Thousands of FBI Probes After 9/11 Stir Privacy Concerns

Within months after the Bush administration relaxed limits on domestic-intelligence gathering in late 2008, the FBI assessed thousands of people and groups in search of evidence that they might be criminals or terrorists, a newly disclosed Justice Department document shows. In a vast majority of those cases, FBI agents did not find suspicious information that could justify more intensive investigations. The New York Times obtained the data, which the FBI had tried to keep secret, after filing a lawsuit under the Freedom of Information Act. The document, which covers the four months from December 2008 to March 2009, says the FBI initiated 11,667 “assessments” of people and groups. Of those, 8,605 were completed. And based on the information developed in those low- level inquiries, agents opened 427 more intensive investigations, it says. The statistics shed new light on the FBI’s activities after the 2001 terrorist attacks, as the bureau’s focus has shifted from investigating crimes to trying to detect and disrupt potential criminal and terrorist activity. It is not clear, though, whether any charges resulted from the inquiries. Because the FBI provided no comparable figures for a period before the rules change, it is impossible to determine whether the numbers represent an increase in investigations. Still, privacy advocates contend that the large number of assessments that turned up no sign of wrongdoing show that the rules adopted by the Bush administration have created too low a threshold for starting an inquiry. Attorney General Eric Holder has left those rules in place. [The New York Times

CA – 85% of B.C. Adults in Police Database ‘Disturbing’

The B.C. Civil Liberties Association says it is disturbing that up to 85% of B.C. adults have their names in a police computer database designed to track criminals. The association has written a letter to B.C. Solicitor General Shirley Bond, asking her to investigate why the majority of B.C.’s law-abiding citizens are in the PRIME-BC database. Even more troubling, said Robert Holmes, president of BCCLA, is that no information is available as to how long the information is kept on file. The computer database is used by police to record contacts with citizens, including “negative police contact,” which can then be used to prevent people from getting jobs, BCCLA claims. “With more than eight out of every 10 B.C. adults in this database, we’re wondering if people know what the police are writing about them,” Holmes said in a statement. “These notes by police officers can prevent people from getting jobs, schooling and training, and it is difficult if not impossible to remove or alter incorrect information.” The RCMP’s policy for the retention and destruction of records is online here. A spokesperson for the office of the Solicitor General has since issued this statement: ““It is wrong to suggest that 85 per cent of British Columbians names are entered into PRIME. In fact, many are multiple calls involving the same people. Names are retained for a minimum of two years, and privacy is maintained through federal and provincial privacy legislation. This is the same privacy standard maintained by other police forces across the country. PRIME is an important tool that is helping us to make big strides in maintaining the safety of communities throughout the province.” [Source] UPDATE: [BC Privacy czar to probe use of police database] See also: [Goldman Sachs Programmer Sentenced to 8 Years in Prison for Code Theft]


WW – Location Privacy and Wireless Body Area Networks

One of the factors that is rapidly changing the nature of healthcare is the increasing availability of wireless sensors that can monitor blood pressure, body temperature, blood oxygen levels and so on. These devices transmit their readings back to a hub, such as a smart phone, which then sends the data to a health care monitoring service. The benefits of this approach are many. One example is the “virtual ward” in which patients are monitored at home and visited by mobile medical teams when the data shows that it is necessary. That’s generally better for the patients and cheaper for the community that has to pay for it. One crucial requirement of such a system is privacy since these so-called wireless body area networks will be broadcasting highly personal information. It’s relatively straightforward to protect this data thanks to the many kinds of data encryption algorithms that are available. But Mohammed Mana at the University of Tlemcen in Algeria and a couple of buddies point out that data privacy is not the only issue at stake. They argue that another important issue is location privacy. They say that even though the data within a wireless body area network is encrypted, it’s still possible to track the location of the individuals simply by tracking the unique hardware addresses associated with the gadgets themselves, which are not encrypted. Such an attacker doesn’t even have to be particularly nearby. He or she could pick up the signals from a wireless body area network from a distance using ultra sensitive antennas, for example. Mana and co have a solution, however. Their idea is to make the monitoring devices within a body area network use pseudonyms which constantly change in a way that is hidden from external view. So although an eavesdropper may be able to pick up a temporary hardware address, that would quickly change preventing anybody following it. Mana and co say their new protocol is light weight and energy efficient, both important factors for networks that are likely to run on limited battery power. [Source] SEE ALSO: [Thailand: Patient data need protection

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40 percent of WiFi users do not understand those settings and 16 percent are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source] [UK’s Information Commissioner’s Office guidelines for home users on how to secure their wireless networks

WW – Facebook ‘Places’ App Puts Soldiers at Risk by Telling Enemy Where They Are

Army chiefs have warned soldiers that a Facebook application that discloses their location could pose a security risk from terrorists. Troops have been urged to switch off the Facebook ‘Places I Checked Into’ application, which uses global-positioning satellites to pinpoint where they use a hand-held device. The Facebook Privacy Settings pamphlet, issued to units worldwide, warns the application ‘may inadvertently compromise the locality of a military user’. It continues: ‘Of significant note, users on operations in Northern Ireland are potentially putting themselves at risk by drawing attention to their exact whereabouts.’ The booklet, issued by the Army’s 643 Signal Troop, adds: ‘Personnel are generally unaware of the vulnerabilities associated with openly providing a vast amount of personal information on the internet.’ It follows growing concern in military circles about terrorists using the internet to monitor troops. An MoD spokesman said: ‘It is our duty to ensure that our personnel, who are a very unique user group…understand how to use social networks and channels safely and responsibly.’ [Source

WW – Color App: A New Frontier in Social Networking Privacy

Color, a new app, has launched with the goal of re-inventing the idea of social networking for the smartphone era. Now the question is whether users are ready for its notion of privacy. Color tells users that they shouldn’t expect any of the photos, videos or other information that they share through the app to be private. However, it does use a basic social standard to determine who gets to take a look at your stuff — people you’re physically near. Whenever the app is turned on, Color captures a lot of data about the world around the phone, including GPS location, information from the gyroscope, and even ambient light levels. It uses that data to figure out where the user is — and whether there are other Color users nearby. If there are other Color users nearby, the service automatically puts all of them in the same social network, instantly sharing each others’ photos, videos and messages from inside the app. When somebody else looks at one of your photos, you get a notice about it. (There is no lurking.) The Color app also keeps tracks of the people who users are around the most often, like family, co-workers and best friends. Those people get automatically added to what Color calls an “elastic network,” whose photos, video and other information you get regular updates about, even when you’re not around them. If you stop spending so much time around a member of your elastic network, that person’s photo starts to turn grey and eventually disappears (in a reference to the film “Back to the Future.”) There are no privacy settings to adjust, though you do have the ability to block a specific user from seeing what you share through Color. Each Color account is associated with a smartphone’s device ID, not a full name or other personally identifiable information. Users set up an account by entering a screen name and taking a photo, presumably of their face, to identify them to other users. [The Wall Street Journal

WW – Social Network Turns User “Likes” Into Ads

Facebook’s “sponsored stories” ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don’t like the plan, Forbes reporter Dan Tynan suggests in his report, “don’t ‘Like’ it—or anything else. Because once you do…There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy.” A forthcoming plan to allow third-party advertisers to put users’ images and names in a similar way will have an opt-out, the report states. [Source] [Source] See also [Wall Street Journal: Privacy Lost: Customized Ads Come to Television]


SK – Proposed Law in South Korea Would Mandate Security Software on PCs

Proposed legislation in South Korea would require users to have security software on their PCs. The Korea Communications Commission (KCC) would have the authority to decide which security products are acceptable and which are not, which means the security solution providers would be wooing the government rather than users. The KCC would also have the authority to “examine the details of the business, records, documents and others’ of those believed to be out of compliance with the security software mandate. Dancho Danchev, the article’s author, points out that security software “only mitigates a certain percentage of the risk … [and that] multiple independent reports and tests show that despite users running antivirus software, they still get infected with malware.” [Source

IN – Group Calls for National Body to Oversee Privacy

The Associated Chambers of Commerce and Industry of India (ASSOCHAM) is calling for a national body to oversee cybersecurity and data protection concerns. ASSOCHAM also wants a “detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cybersecurity,” the report states. The calls came from the ASSOCHAM event “Safeguarding the Digital Economy.” The group’s cyberlaw committee chairman, Pawan Duggal, said, “Both the requirements of national sovereign governments as those of balancing the needs of data protection and privacy have to be appropriately addressed.” [India Infoline News Service]

Online Privacy 

WW – Yahoo’s Offers Cookie Opt-out Button Ahead of New EU Law

Yahoo! Has introudced a feature that allows users to opt out of cookies. The icon was unveiled last Friday ahead of a new law that will come into force in the EU on May 25 known as the “Cookie Directive,” which will require online companies to obtain explicit consent to track users’ Web movements via cookies. Yahoo’s mechanism involves an “Ad Choices” icon that users can click to find out what information has been collected about them and modify their preferences on targeted ads. “Businesses like ours depend on the trust of our users,” said Justin Weiss, Yahoo’s director of international privacy and policy. [Source] See also [Advocates: Device Fingerprinting Easier to Track Than Cookies] and [Chrome Will Warn Users of Suspicious Downloads] and [CDT: What Does “Do Not Track” Mean: a Scoping Proposal - Center for Democracy and Technology

WW – Microsoft Adds Do-Not-Track Tool to Browser

Microsoft will be including 2 new features in Internet Explorer 9 – a do-not-track tool to help people keep their online habits from being monitored, and “tracking protection lists”, which will let users prevent specific Web-tracking companies from snooping on their browsing habits. It is uncertain how effective these privacy protection tools will be – the system will only work if tracking companies agree to respect visitors’ requests, no companies have publicly agreed to participate, and the Interactive Advertising Bureau says its members do not know how to respond to a do-not-track request (a header) because there is no context for headers or common definitions, and there is no standard operating procedure in place for entities to detect or react to headers. [The Wall Street Journal

WW – Mozilla Releases Firefox 4

Mozilla has released Firefox 4; the updated browser includes a number of new security features. Content Security Policy (CSP), which is enabled by default, helps stop cross-site scripting (XSS), data injection and other web-based attacks. CSP allows sites to let the browser know what information is legitimate. Firefox 4 also lets users automatically connect to websites through secure connections with the HTTP Strict-Transport Security (HSTS) feature. Firefox 4 also allows users to opt out of behavioral tracking. [Internet Storm Center] [Source

US – Man Charged with Polygamy After Posting Second Wedding Photo Online

You’ll never believe who turned him in: his first wife – because the two were still married. Here’s a tip we never thought we’d have to share: If you’re already married, don’t post pictures of your new wife on Facebook. An already-married Grand Rapids, Mich. man had what NewsFeed can only assume was a joyous wedding ceremony last July. But it turns out Richard Barton, Jr. already had a wife, whom he married in 2004. When photos of Barton and his new Michigan wife turned up on Facebook, his old (but still current) wife, living in Rhode Island, took issue with Barton. She alerted authorities, who arrested Barton for polygamy. [Source] See also: [How Young is Too Young for Kids to Start Social Networking?]

Other Jurisdictions 

AU – Content Providers Slammed for “Hostile” Privacy Policies

Long-time privacy advocate Dr Roger Clarke has called for tough new laws to rein in “hostile” terms and conditions used by international internet content giants like Facebook and Google. Speaking before the Joint Select Committee on Cybersafety, Clarke branded the business models of the internet and social media companies “consumer-hostile” and exploitative of “people and their data”. Clarke – who runs the Xamax business consultancy and chairs the Australian Privacy Foundation – appeared before the committee in a private capacity. He called on content service providers to “clarify” terms and conditions of use, including how much personal data could be used by a provider “for their own purposes”. Clarke also said that information on privacy settings – and the extent of user control over them – should be concisely tabled and clearly visible to consumers. Clarke called for “baselines” for privacy and disclosure to be established, backed by enforcement tools like “regulatory action” and “quick and efficient access to judicial warrants”, which could be used to force oversight. [Source

AU – Pilots Sue Over ‘Invasive’ Airport Screening Procedures

Two US commercial airline pilots complained in a lawsuit that new screening procedures for flight crews – scaled back after complaints by pilots – were still too invasive and violated privacy rights. The US Transportation Security Administration on October 19 started requiring air travelers and flight crews to go through full-body scanners or physical patdowns amid concerns that militants could hide a bomb underneath their clothing and detonate it aboard a plane. Pilots and flight crews complained the new screening exposed them to excessive radiation because they fly so frequently and that extra scrutiny for them was unnecessary because they already control the planes. [Source] [Australia to Get Stick Figure Airport Body Scanners This Year

AU – Digital Privacy a Concern, Says Federal Information Commissioner John Mcmillan

The expanding volume of sensitive personal information held in government and business databases is driving public concern about privacy protection, federal Information Commissioner John McMillan has warned. “People are concerned at how much is recorded about them in relation to their financial and taxation affairs, their family and medical history, employment records and transactions with agencies,” Professor McMillan told the Australian Government Solicitors Information Law conference in Canberra. “They are worried about the inconvenience and damage that may result if information is incorrect or out of date, and the danger their personal information will be misused, wrongly disclosed, merged inappropriately with other personal data, or revived at a time when it would be better buried or destroyed.” Data protection and management of personal information were now a high priority for organisations, with privacy breaches damaging to individuals and costly for government and industry. “Breaches can arise from simple programming and clerical mistakes,” Professor McMillan said, revealing the privacy commissioner received 60 notifications of data breaches in the past year. Professor McMillan said the Gillard government had announced its intention to strengthen the powers of the Privacy Commissioner to make enforceable determinations and seek civil court penalties for serious or repeated offences. “The prospect of (financial) penalties for privacy breaches will provide an added incentive for organisations to take their responsibilities seriously,” he said. [Source]

Privacy (US) 

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Source] [Source] [Source] [Source

US – Privacy Advocates, FTC, Google React to Proposed Buzz Settlement

Amid announcements by the FTC and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement. Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years. In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties…” FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.” Public comments on the consent agreement are being accepted through May 2. [Source] See also: [US: Tech firms hiring White House staffers

US – EPIC Files Objection to Lawsuit Settlement

The Electronic Privacy Information Center (EPIC) has objected to a class-action settlement reached between Google and Gmail users. EPIC filed its opposition in court this week, saying that the part of the settlement that doles out $6 million to Internet privacy interests is flawed because the funds were given to groups that “receive support from Google for lobbying, consulting or similar services.” EPIC had requested but was not granted a share of that sum. The filing states that the court should reject a deal “that encourages organizations to stand by quietly while others do the actual work of safeguarding Internet privacy.” [Reuters

US – U.S. Court of Appeals Affirms Cell Phones are Computers

The Court of Appeal affirmed a district court’s decision that an ordinary cellular phone (used only to place calls and send text messages) was a computer; the district court found that “computer” has the meaning given in U.S. vs Kramer, 18 U.S.C. § 1030(e)(1), that is, an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. [Decision

US – Privacy Lawsuits Rain Down on Netflix

In the wake of the most recent suit alleging a privacy violation by the world’s foremost video-rental provider, Netflix “has been accused of violating U.S. privacy laws in five separate lawsuits filed during the past two months,” with each case alleging the company “hangs onto customer information, such as credit card numbers and rental histories, long after subscribers cancel their membership.” The lawsuits allege the company has violated the Video Privacy Protection Act. The most recent suit was filed last week by a Michigan resident. Each of the plaintiffs has filed suit in U.S. District Court, and the complaints are seeking class-action status. [Source

WW – UDID: The Next Privacy Frontier?

Companies that make their money in the mobile computing space – application developers, device manufacturers, software adaptors – have a new worry. Many functions and applications used on iPhone devices currently rely on reporting that includes the UDID unique device identifier. Two new lawsuits against Apple for its use of UDID information may change the way that mobile functions and applications are built, managed and paid for. The UDID for the iPhone is a 40 character identifier that is set by Apple and stays with the specific defined device forever. Its function is to uniquely identify any one iPhone, allowing the UDID to be connected with the name and behaviors of that iPhone’s user. The Wall Street Journal may have started the snowball of lawsuits rolling in its ongoing series of articles about how the computer industry tracks people using the internet. The Journal’s investigation examined 101 popular smartphone applications (“Apps”) and found that 56 of them sent the UDID for their smart phones to other companies without the user’s awareness or consent. Five of the Apps transmitted personal details of the user like age and gender. Because each UDID is specific to each iPhone, it cannot be shut down or suppressed by users in the way that cookies may be deleted on laptop or desktop computers. The suits against Apple complain that releasing this information without the user’s consent or knowledge violates a number of U.S. federal and state laws including the Electronic Communications Privacy Act. [Source] See also: [The changing meaning of “personal data” ] SEE ALSO: [OPC Canada - Fact Sheet - Privacy on the Go: Workplace Tips for Protecting Personal Information on Mobile Devices

US – PG&E Unveils ‘Opt-out’ Plan for its Controversial SmartMeter Program

After months of controversy, PG&E has unveiled an opt-out plan for its SmartMeter program that further enraged its critics, who said its high fees would punish the customers it was designed to help. Barely meeting a deadline set by the California Public Utilities Commission, PG&E released a plan that would give customers the option of having the wireless portion of the device turned off but force them to pay hundreds of dollars for the privilege. [Source]

US – Hearing Date Set for WikiLeaks Twitter Data Demand Appeals

Three people associated with WikiLeaks are appealing a ruling that grants federal prosecutors access to records of their Twitter use. The legal team for the three maintains that the ruling violates a federal statute and the US Constitution’s First Amendment rights to free speech and association. The filing seeks to overturn the earlier ruling. The US Justice Department is seeking the Twitter records as part of a grand jury investigation into WikiLeaks and its disclosure of classified UG government information. A hearing is set for April 22. [Source] [Source] [Source]


EU – EU Issues Opinion on the Revised Industry Proposal for an RFID PIA

The Working Party endorses a revised industry-proposed data protection impact assessment framework (“framework”) for RFID applications, following changes that will require a privacy impact assessment (“PIA”) when tags may be used outside the operational perimeter of an RFID application or are carried by persons (this addresses a concern that third parties may misuse RFID tags for tracking and profiling purposes); the framework takes effect August 11, 2011 (6 months after the date of this opinion). The framework contains two phases – categorizing RFID applications into 4 levels, with a full scale PIA required for the top levels (RFID tags are carried by individuals and applications further process personal data) and a risk assessment (identifying the risks to personal data, identifying controls to respond to the risks, and resolving the conditions of implementation for the application); personal data in an RFID application includes a unique ID contained in a tag, if the tag is destined to be carried by a person. [Article 29 WP Working Paper 180]


WW – Companies Lose Business Following Data Breaches: Study

A study conducted by the Ponemon Institute on behalf of Symantec, 37% of data loss cases reported in the UK in 2010 involved system failures; that figure is 7% higher than it was in 2009. The study also found that the average cost of data breaches for large UK companies in 2010 was GBP 1.9 million (US $3.1 million), an increase of 13% from 2009. The report also found that companies that suffer computer breaches experience significant financial repercussions in lost business. [Source] [Source] [Source

WW – Most Companies Keeping Mum on Data Breaches

For corporations, the threat of data breach is more dangerous than ever—but, according to a new study, most companies still do not take the measures needed to keep their information secure, nor are they always up front with their customers about security breaches. A recent study by McAfee outlined the difficulties companies face while securing information. Their study, “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency” surveyed over 1,000 senior IT professionals in the U.S., U.K., Japan, China, India, Brazil and the Middle East. Despite the danger of losing corporate intellectual capital or customer information to cybercriminals, it appears that companies have not always been vigilant about trying to improve security, even following successful attacks. Of all the organizations that had experienced a data breach, only half undertook actions to fix and protect their systems from later break-ins. A quarter of companies assess the risks to their data twice a year, or less. But not many companies actually report suffering data breaches. Three in ten firms report all data breaches, with the majority, or six in ten companies, “picking and choosing” what breaches they share. Recently, Mozilla expressed its regret over failing to disclose a breach involving stolen SSL certificates for sites including GMail, Skype, Yahoo Mail and more. The attack was suspected to involve the work of the Iranian government. McAfee notes the report “also shows that organizations may seek out countries with more lenient disclosure laws, with eight in ten organizations that store sensitive information abroad influenced by privacy laws requiring notification of data breaches to customers.” And the biggest hassle may be yet to come, as the rise of devices like tablets and smartphones presents an as yet unsolved challenge for locking down information securely. [The Huffington Post] See also: [NSA to Join Nasdaq Hack Investigation] and [Australian Government Computers Attacked] and [European Parliament Network Attacked] and [NASA IG Finds Vulnerabilities in Agency Systems

WW – SecurID Customers Advised to Prepare for Worst Case

How serious is the security threat posed by the theft of inside information about SecurID, the two-factor authentication system sold by EMC division RSA? “It is important enough that it required an official note to the stock markets.” But, despite the apparent severity of the breach, RSA’s failure to detail what was stolen is generating an immense amount of customer frustration, because they don’t know if their SecurID hardware fobs are still secure, or if they might provide attackers with a conduit through enterprise defenses. Until RSA coughs up more information, security experts advocate conducting a thorough and immediate SecurID risk assessment. “Our recommendation for customers which have RSA SecurID cards implemented is to first carefully analyze the situation and their specific risks — [for example] which type of information is at risk if the RSA SecurID-based authentication is not only at risk — like now — but an attack actually takes place?” Next, identify specific technologies and remediation activities for securing at-risk data or accounts. “These actions might range from increased threat analysis and forensics to adding other authentication technologies.” RSA had 40 million SecurID hardware token customers by 2009, as well as 250 million users of SecurID software. [Source

US – NIST Issues Guidelines on Managing Information Security Risk

Organization, Mission, and Information System View, March, 2011, by the Joint Task Force Transformation Initiative, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology: NIST Special Publication 800-39 

WW – No Keystroke Loggers on Samsung Laptops

Concerns about Samsung laptops shipping with pre-installed keystroke loggers have proven to be groundless. An anti-virus program called VIPRE misidentified a folder created by Microsoft Live Application Suite as a known keystroke logging software. An executive with the company that that makes VIPRE has apologized for the incident. [Source] [Source] [Source] [Source

US – Captured Images of Your Physical Keys Can Be Used to Make Copies

Computer scientists at the University of California: San Diego, Jacobs School of Engineering, have presented proof-of-concept for capturing images of physical keys from a substantial distance and using those images to make working copies of the keys. “We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.” Professor Savage notes, however, that the idea that one’s keys are sensitive visual information is not widely appreciated in the general public. “If you go onto a photo-sharing site such as Flickr, you will find many photos of people’s keys that can be used to easily make duplicates. While people generally blur out the numbers on their credit cards and driver’s licenses before putting those photos on-line, they don’t realize that they should take the same precautions with their keys.” [Source]

Smart Cards 

US – Obama Administration Proposes Online Privacy Bill of Rights

The outcry over internet firms’ habit of surreptitiously tracking web surfers’ activities has clearly resonated inside the White House. On March 16th the Obama administration announced that it intends to work with Congress to produce “a privacy bill of rights” giving American consumers greater control over how their information is collected and used by digital marketers. Those who have been lobbying for change agree with, but are unsympathetic to, internet firms’ worries that such a law could dent their advertising-driven business models, which rely on tracking and targeting consumers to maximise revenues. “This is dimming the prospects of Google, Facebook and other digital ad companies,” says Jeffrey Chester of the Centre for Digital Democracy. Quite how dark things get for them will depend on the details of the bill. It will seek to lay down the basic principles of internet privacy rights, broadly following recommendations published last December by the Department of Commerce. The department’s report said consumers should be told more about why data are being collected about them and how they are used; and it called for stricter limits on what companies can do with information they collect. Whatever legislation finally emerges is likely to give a broader role to the FTC, which will almost certainly be charged with deciding how those principles are translated into practice and with policing their implementation. Among other things, the FTC is known to be keen on a formal “do not track” system, which would allow users to block certain sites from monitoring their online activities. [Economist] [Analysts Weigh In on Privacy Bill of Rights]


US – The Right to Sue Over Wiretapping

Federal authorities have always made it difficult to bring a legal challenge against the government’s warrantless wiretapping enterprise that was set up by the Bush administration in the years after the Sept. 11, 2001, attacks. Because the wiretaps were secret, no one could know for certain if they were being tapped, so the government urged judges to throw out lawsuits for lack of proof of real harm. That strategy was halted last week when a federal appeals court said that civil liberties and journalism groups challenging an eavesdropping law could pursue a suit trying to get the government’s wiretapping declared illegal. In an important ruling, the United States Court of Appeals for the Second Circuit reinstated a lawsuit that a federal district judge had thrown out in 2009. The new decision might lead to a significant – and far too long delayed – legal review of the statute. The law in question, passed in 2008, amended the Foreign Intelligence Surveillance Act. It essentially legalized retroactively President George W. Bush’s outlaw program of wiretapping certain terror suspects without a warrant. It also immunized telephone companies that cooperated in the program. And it permitted the government to listen to the international phone calls of Americans who are not engaged in criminal activity, and to read their e-mail messages. At great cost to the privacy of innocent people, it reduced the longstanding protections of judicial supervision over these powers. The law was challenged by human rights, labor and news media organizations, led by the ACLU. They argued that their communications with clients and interview subjects outside the country would almost certainly be monitored under the law, in part because their jobs required conversations with activists and others whose work would be of interest to the government. Some are lawyers representing accused terror suspects in the United States and often need to communicate with the suspects’ family members or acquaintances outside of the country. The government argued that the plaintiffs had to prove that they were monitored or harmed, but the Second Circuit didn’t buy that defense. The plaintiffs had every reason to believe that they were being monitored, the court said, and some even spent considerable sums to go abroad for meetings to avoid the eavesdropping. The final outcome of this legal challenge is far from certain; the government, if it follows its pattern, is likely to cite another familiar defense that a full trial would reveal state secrets. But just by allowing this lawsuit to proceed, the Second Circuit has sent an important message: The government cannot count on simplistic legal arguments to avoid scrutiny of its program to spy on civilians. When one challenge is allowed, others will follow. [The New York Times]

Telecom / TV 

EU – ENISA Report: Top Ten Smartphone Risks

The risks that present the highest level of information security risk for smartphones include data leakage resulting from device loss or theft (encryption is recommended, but weaknesses exist in the implementation of encryption in smartphones), attacks on decommissioned smartphones (if decommissioned improperly, attackers can gain access to data on the device), and unintentional data disclosure (the user is unaware that an app collects and publishes personal data trace users). [Report] Other recent ENISA Publications: ENISA – App Kill-Switch – The Last Line of Defence | Privacy, Accountability and Trust – Challenges and Opportunities (Feb 2011) | Bittersweet cookies. Some security and privacy considerations (Feb 2011) | Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (Jan 2011) 

US – Mobile Phone Users Lax on Security: Survey

A survey conducted by the Ponemon Institute on behalf of ACVG says that mobile phone users in the US are lax on mobile phone security. Nearly 84% of those surveyed use the same phone for both business and personal matters. Many people also make purchases over their mobile phones. Few consumers use phone-locking passwords and many use the same password for multiple apps. [Source

UK – UK Users Not Wiping Mobile Devices Before Selling Them

An investigation commissioned by data protection company CPP Group found that many people in the UK who sell their old smartphones and SIM cards are failing to wipe the devices of sensitive personal data. More than half of the devices examined for the study were found to contain credit card PINs, bank account information, and login information for social networking sites. The information was gathered from 35 used phones and 50 used SIM cards. Users selling old phones should perform a factory reset. Unless old SIM cards are being transferred to another of the owner’s devices, they should be destroyed. [Source] [Source] [Source] [Source]

UK – Teachers’ Union Says No to Bill Allowing Searches of Student Mobiles

The UK teachers’ union, NASUWT, calls government plans to allow teachers to search and even delete content on student mobile phones “reckless”, according to the BBC. The education bill introduces the following measures in order to help combat cyber-bullying: (6E) The person [eg, a teacher] who seized the item [eg, ‘an electronic device’ belonging to a pupil] may examine any data or files on the device, if the person thinks there is a good reason to do so. (6F) Following an examination under subsection (6E), if the person has decided to return the item to its owner, retain it or dispose of it, the person may erase any data or files from the device if the person thinks there is a good reason to do so. Teachers claim that putting these measures into action will cause friction between teachers, pupils and parents. [Source

EU – Irish Parliament Passes Communications (Retention of Data) Act 2011

Ireland has passed a law that would transpose the Data Retention Directive requirements for service providers to retain for two years, fixed network telephone and mobile telephone data (e.g. calling telephone number, name and address of subscriber, number dialled, date and time of call, location of mobile callers and equipment identifiers such as IMEI number), and for one year, internet access, e-mail and internet telephony data (e.g. user ID, name and address of user, user ID of communication recipient, date, time and duration of communication, calling telephone number for dial-up access and DSL or end point of the originator of the communication); service providers are persons who provide a publicly available electronic communications service or public communications network. Service providers must provide the retained data to law enforcement for preventing, detecting and investigating serious offences (e.g. punishable by 5 years imprisonment, false reporting of child abuse, poisoning, and making false statements in a proceeding), for safeguarding the security of the State and to save a human life; service providers must also take appropriate security measures and destroy the data one month after their retention period has passed (unless they have been accessed under a disclosure request). [Source]

US Government Programs 

US – Panel Urges TSA to Implement ‘Trusted Travelers’ Program

Treating every airport passenger as a potential terrorist slows the security system, is needlessly frustrating and deters some people from flying, according to a report that recommends ways to ease bottlenecks at security checkpoints. The report, commissioned by the U.S. Travel Association, calls on airlines to allow passengers to check one bag free of charge and urges the creation of a voluntary “trusted traveler” program that partially resembles a mandatory one previously proposed by President George W. Bush – and shot down by Congress. The federal government would not need congressional approval to mandate that airlines allow one checked bag free. But it is doubtful that the TSA could implement a trusted-traveler initiative without congressional approval. Adding impetus to the report is the heavyweight panel behind it, headed by Tom Ridge, former secretary of homeland security, and former congressman Jim Turner (D-Tex.), who was on the House Homeland Security Committee. Travel industry analysts think the long-awaited report will continue the debate over screening procedures and add another element to it: Even a voluntary trusted-traveler approach would require passengers to provide credit information, tax returns and other personal data to verify that members pose little or no risk. In return, they would be allowed to zip through security. The proposal of a trusted-traveler program takes the debate through a thicket, pitting the right to privacy against the goal of secure flight. Congress rejected a Bush administration plan known as CAPPS II that would have tapped into credit information to verify passenger credentials. “The key difference is that the program we’re recommending is totally voluntary,” said Geoff Freeman, executive vice president of the U.S. Travel Association, which commissioned the study a year ago. The report recommends a voluntary trusted-traveler program in which passengers would supply fingerprints and other personal information in return for an identification card that would allow them to bypass security lines. Members would enter a kiosk where either fingerprint or iris scanning technology would be used to confirm their identity. Both the passenger and carry-on bags would pass through an explosives-detection device, but there would be no requirement to remove shoes, coats or hats. [Source

US – United States Government to Allow E-Verify “Self Check”

Starting on March 21, 2011, the U.S. Citizenship & Immigration Services (USCIS) will allow an individual to use E-Verify to check on his or her work authorization status and correct errors in the federal databases used by E-Verify. E-Verify is an Internet-based employment verification system run by the USCIS, part of the Department of Homeland Security (DHS). Until now, only employers were allowed to use the system to verify the work authorization of newly-hired employees. Any individual over the age of 16 will be able to use E-Verify Self Check by first providing information to authenticate the person’s identity and then submitting work authorization information normally provided in completing Form I-9 employment authorization forms. A message of “work authorization confirmed” will be displayed if the information provided by the individual matches the information contained in the DHS, Social Security Administration (SSA), and Department of State databases used by E-Verify. If there is a mismatch in the information, the Self Check will provide a message such as “Possible mismatch with SSA” or “Possible mismatch with Immigration Information.” The Self Check will also provide instructions on how to request corrections of errors in database records. Employers may not use Self Check as a pre-screening tool for possible new hires. For example, an employer may not require a job applicant to present Self Check certification as a condition of application for employment. As before, employers can only use E-Verify to confirm employment authorization of workers once they are hired. This use of E-Verify is limited to employers enrolled in the program. Self Check will initially be available only in Arizona, Colorado, Idaho, Mississippi and Virginia. The USCIS plans to expand Self Check to other states over time and eventually make it available throughout the United States. The service is free. A preview of the program is available at the USCIS website. [Mondaq News]

US Legislation 

US – Obama Administration Calls for New Privacy Law

The Obama Administration is backing a new data privacy bill of rights aimed at protecting consumers against indiscriminate online tracking and data collection by advertisers. In testimony prepared for the Senate Committee on Commerce Science and Transportation, the Commerce Department’s assistant secretary, Lawrence Strickling, said that the White House wants Congress to enact legislation offering “baseline consumer data privacy protections.” Such a bill is needed to protect personal data in situations not covered under current law, Strickling said, adding that any legislation should be based on a set of fair information practice principles and give the U.S. Federal Trade Commission enforcement authority. He also called for incentives to encourage the development of codes of conduct on privacy matters. Strickling said the administration’s call for new online privacy protections stems from recommendations made by the Commerce Department in a paper released in December. Many of those in the industry who weighed in on the idea at the time backed the creation of a new online consumer privacy law, he said. The document was based on a comprehensive review of existing privacy protections and of ongoing data collection, consumer tracking and profiling practices online. The administration’s support for privacy protections is very significant, said Joel Reidenberg, a professor at Fordham Law School who specializes in privacy issues. “This is the first time since 1974 that the U.S. government has supported mandatory general privacy rules,” Reidenberg said. [Source

US – “Privacy Bill of Rights” Draft Released

Following up on his announcement that he would soon submit the “Commercial Privacy Bill of Rights Act of 2011“ during a hearing on the call for federal privacy legislation, Sen. John Kerry (D-MA) and the bill’s cosponsor, Sen. John McCain (R-AZ), have published a draft of the legislation. The draft includes provisions to “give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting.” In the Hogan Lovells Chronicle of Data Protection, Christopher Wolf highlights major provisions of the draft legislation, including what would constitute PII and “unique identifier information,” safe harbor programs, access to data and opt-in consent. “No private rights of action are allowed,” Wolf writes, “and state laws–except those dealing with health or financial information, data breach notification or fraud–are preempted.” [Source

US – Senate Committee Holds Hearing on the State of Online Consumer Privacy

 Impact to Subscriber: In line with Sen. John Kerry’s statement that the status quo for online privacy cannot stand, a Senate Committee hearing heard support for online consumer privacy legislation from the Department of Commerce (based on a collection of agreed-upon fair information practice principles that provide the FTC with enforcement authority and creates incentives for developing codes of conduct, such as by offering a safe harbor for signatories), Microsoft (establishing reasonable baseline privacy protections), and Intuit (a principles-based approach should be taken). Participants testified that online consumers should have choices about how their information is being collected and used; the FTC set out 5 critical principles for a Do Not Track system of universal implementation (consumers do not need to repeatedly opt out on different sites), easy-to-find and use, persistent (choices should not be deleted if cookies are cleared or browsers updated), opt out of tracking altogether (do not limit the system to only tracking for advertising), and effective and enforceable without technical loopholes. [Source] [Source

US – Senator Pushes for Mobile Privacy Reform

Sen. Ron Wyden’s (D-OR) has proposed a bill that would provide privacy protections for geolocation information. Once introduced, the Geolocational Privacy and Surveillance Act (GPS Act) would seek to require law enforcement to obtain a warrant before accessing information related to a wireless device or GPS system, for example. The bill will likely gain “strong support” from Internet companies, civil libertarians and wireless carriers, “many of which have joined a coalition saying that location information should be accessed only with a warrant,” the report states. The bill would require court evidence relating to location data be thrown out if procedures weren’t followed and allows for civil lawsuits and damages in cases where location data is inappropriately accessed and used. [Source

US – Proposed Legislation Would Replace FISMA Paperwork with Real-Time Monitoring

US Representative James Langevin (D-Rhode Island) has introduced a bill that would replace the paper-intensive compliance requirements of the Federal Information Security Management Act with automated, continuous monitoring. The Executive Cyberspace Coordination Act would also create a National Office of Cyberspace in the White House and increase the Department of Homeland Security’s (DHS) authority over private networks that are part of the country’s critical infrastructure. [Source] [Source]

Workplace Privacy 

CA – Material on Work Computer Private, Court Rules

Ontario’s top court has found a right to privacy in material contained on a work computer. A judgment on from the Ontario Court of Appeal broke new ground on an issue that is exploding into the court system – the extent to which Internet information is private and beyond the reach of the law. The case involved a Northern Ontario high school teacher charged with possessing child pornography. The judges said that police breached his Charter rights by viewing his computer files without a warrant. “The police technique was intrusive in copying the entire contents of the hard drive,” the court said. “The contents of the hard drive of a laptop may contain extremely personal information such as medical and financial reports, personal journals, e-mails and appointments. At the same time, the court concluded that school officials who stumbled upon the pornographic images had a right to monitor whether the school computer system was being used appropriately. Frank Addario, a lawyer for defendant Richard Cole, said that the ruling has repercussions for employees who use their electronic devices for personal purposes, “which is pretty well everyone. “There was a belief that ownership meant control of privacy, but that’s an old school way of looking at privacy,” Mr. Addario said. “Most Blackberry users carry a subset of their existence around with them regardless of who paid for the hardware.” In a pretrial ruling, the trial judge in the case tossed out the evidence as a violation of Mr. Cole’s privacy rights. The Crown appealed to Superior Court, which reversed the ruling and sent it back for trial. The defence appealed that ruling to the Ontario Court of Appeal. Toronto lawyer Scott Hutchison, a privacy expert, said that the court has given a sound answer to a vital question. “This case comes down firmly on the side of privacy and holds that employers cannot give police investigators access to a workplace computer,” he said. “This case makes it clear that the employer may own the computer, but that doesn’t give them the power to waive the employee’s privacy rights,” Mr. Hutchison added. “It recognizes the realities of how people use modern workplace technology. People don’t artificially ‘switch off’ their privacy interests just because the device in question is owned by someone else.” [Source] [Mondaq: Work computers - user rights v owner rights] and [Breach of privacy case holds lessons for IT departments

US – Ex-Employee’s Blogs Can’t Be Stopped, NY Court Rules

Joseph Lazzarotti and John Snyder comment on Cambridge Who’s Who Publishing v. Sethi, a case recently covered on because of its reference to an alleged data breach that had never been reported in the media. The court ruled that Cambridge Who’s Who could not get an injunction that would stop its former employee from writing about a data breach that occurred while he was employed by them, nondisclosure agreements notwithstanding. [Pogo Was Right

US – DHS Sets Privacy Policies for Selected Social Media Tools

The Department of Homeland Security has trained its employees not to collect personal data from individuals with whom they interact via social media tools such as widgets, mobile applications, text messages and Real Simple Syndication feeds. Given the nature of such tools, some personal data — such as user ZIP codes — may be collected and displayed by the systems during sign-on or may be published in a public profile of the user. To protect privacy, DHS officials are not collecting or storing such personal information, says a 19-page report from the Office of the Chief Privacy Officer. The report gives an overview of DHS’s strategy for one-way social media communications, also including podcasts and video streams, in which it primarily pushes out messages to subscribers who request such services. [Source

AU – Australian Government Bans Free Web-Based eMail Services for Employees

Government workers in Australia will no longer be able to use free web-based email services like Gmail and Hotmail. The government made the blanket decision following a report from Australia’s Federal Auditor-General recommending that “agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services.” For situations in which government employees require access to these services, the auditor recommended the use of single, stand-alone desktops. The ban will take effect on July 1, 2011. [Source] [Source

US – U.S. Supreme Court Clarifies Informational Privacy In Security Clearance Context

In a widely-watched case that pitted privacy rights against national security issues, the U.S. Supreme Court has issued a narrow ruling allowing the federal government to ask employees about drug counseling, medical treatment, sexual matters and other personal information. On January 19, 2011, the nation’s highest court unanimously upheld the National Aeronautics and Space Administration’s background checks in a defeat for scientists, engineers and others who argued the in-depth investigations were too intrusive. (NASA v Nelson et al, No. 09-530). The Respondents in this case were longtime government contract employees at NASA’s Jet Propulsion Laboratory (JPL) in California. At the time the Respondents were hired by NASA, there was no policy in place that required government background checks on contract employees, but the Department of Commerce later mandated that all contract employees with long-term access to federal facilities would have to undergo a standard background check by October 2007. As a result, the JPL announced that employees who did not timely complete the new required background check would be denied access to the JPL and face termination. The background check at issue consists of a standard form (SF-85), which inquires into whether an employee has “used, possessed, supplied, or manufactured illegal drugs” within the last year. If a JPL employee answers in the affirmative, then he or she must provide details about any treatment or counseling received and then sign a release authorizing the government to obtain personal information from schools and employers, among others. Upon the completion of SF-85, the government mails a questionnaire (Form 42) to the employee’s references that asks open-ended questions about the honesty and trustworthiness of the employee. The constitutional right to “informational privacy” has only been discussed by the Supreme Court in two cases, and even there, the Court did not go so far as to acknowledge that here is such a right. In both cases, Whalen v. Roe and Nixon v. Administrator of General Services, the Court held that any concern about the violation of privacy rights was eliminated by existing legislation that provides sufficient protection against the dissemination of private information. Prior to the JPL deadline, Respondents filed suit seeking an injunction and claiming a violation of their constitutional right. The District Court held in favor of the government, but the Ninth Circuit Court of Appeals reversed, ruling in favor of the employees. In the Supreme Court, Justice Samuel Alito wrote a majority opinion that again refused to declare whether there is a constitutional right to informational privacy and opted instead to assume that, even if there were such a right, it would not prevent the government from asking the sort of questions included on SF-85 and Form 42. The government interest in obtaining background information for the sake of hiring a competent, reliable workforce was held to outweigh the privacy interests of the individual employee. The Court ruled that the questions at issue were reasonable, in light of the fact that millions of private employers use background checks in order to make hiring decisions, checks which include questions about drug use and treatment. Similar to its holdings in Whalen and Nixon, the Court concluded its decision by stating that the Privacy Act provides sufficient safeguards against the dissemination of any personal information revealed in the course of an employee background check. Had the Court issued an opinion in favor of the JPL employees, and acknowledged a constitutional right to informational privacy, it is likely that both the government and private job application process would have been tremendously affected. Employees and prospective employees who are asked to provide sensitive information in order to retain or gain clearance could have had the option of pursuing litigation if their refusal to respond to such inquiries resulted in a denial of access or employment. This narrow decision maintains the status quo and allows the government to continue with its standard background checks. [Source

CA – Province Slammed for Secret Criminal Checks on Labour Inspectors

A branch of the Ontario government responsible for ensuring employers act fairly and obey the law has been criticized for infringing the privacy rights of its employees and violating a collective agreement. In a landmark decision, the Crown Employees Grievance Settlement Board found the labour ministry acted unreasonably by conducting secret criminal background checks on its inspectors. The Ontario Public Service Employees Union filed a grievance last year after a workplace health and safety inspector found out, via the ministry’s legal services branch, that his name had been run through the computerized Canadian Police Information Centre and registered a “hit.” The inspector hadn’t been told about the search beforehand or asked for his consent, but was questioned about the result. It involved an offence for which he’d been pardoned. “OPSEU was saying it is a fundamental right for employees to have privacy and you don’t give up privacy rights just because you choose to work for the Government of Ontario,” said Kate Hughes, a lawyer representing the union. “Your criminal or your disciplinary record are private to you.” [Source

US – Bizarre Incident in a Manager’s Living Room

A manager whose outburst at his TV set was accidentally recorded by a co-worker’s voicemail says Verizon fired him for his comments, which included his beliefs on politics and health care. Richard D’Arpe, a manager for Verizon for 15 years, says he was at home and off duty when he made a work-related call to Christian Flete, a technician. He hung up and put the phone “somewhere in the vicinity of his pants pocket.” It was July 7, 2010. While watching a news documentary, D’Arpe says, he became upset and “began to yell at his television regarding politics, health care and his beliefs. These comments were not directed at anyone.” D’Arpe did not realize that his phone had accidentally redialed Flete, whose voicemail caught D’Arpe’s rant. D’Arpe says he “was completely unaware of the entire incident at this point in time.” But Flete, who is not a party to the complaint, filed an incident report with D’Arpe’s manager about the message, D’Arpe says. He adds that Flete forwarded the message to an undisclosed number of colleagues, who in turn continued forwarding the message to others. D’Arpe was confronted by his manager and an Equal Employment Opportunity agent the next day and was suspended. D’Arpe says he refused to attend a meeting to discuss his employment status: “As Mr. D’Arpe was well aware that a number of other employees received the voicemail, he feared for his own safety and decided not to attend this meeting.” He was fired on July 14, “for violation of the company code of conduct.” D’Arpe says that any violation of that code did not occur at work, nor was it directed at any Verizon employee. It “merely represented comments made in the privacy of his own home and outside of the workplace.” He seeks punitive damages for wrongful firing, negligence, defamation, and privacy invasion, and documents, including a copy of the voicemail recording. [Source

US – Arizona County Employees Unhappy About Saliva Test

An Arizona county is trying to get reliable data on whether its employees are smokers by testing saliva, a move some workers are resisting. Maricopa County, which includes Phoenix and its suburbs, is not compelling employees to have their saliva tested – but those who do not, along with those who test positive for tobacco – will pay higher insurance premiums. Chris Bradley, who heads the county’s Business Strategies and Healthcare Program, said officials found that relying on employees to self-report that they or someone in their immediate family smokes produced data that appeared to be at odds with reality. Some employees who say they do not smoke are leery of handing over a saliva sample. They say they fear the county can gather other information and share it with other agencies. [Source



01-15 March 2011


CA – Canadian Air Passengers a Step Closer to U.S. Law After Bill Passes

The House of Commons passed a controversial private member’s bill that would force airlines to provide passenger information to the United States when they travel to American destinations or even pass through U.S. airspace. Bill C-42, introduced by Conservative House leader John Baird while he was transport minister, passed its third reading by a vote of 246 to 34. The NDP was the only party to vote against the proposed bill, which now moves to the Senate for consideration prior to royal assent. Opposition parties and civil liberties groups have said the proposed bill raises privacy concerns because Canadians’ personal information would be in American hands. The legislation is designed to amend Canada’s Aeronautics Act and essentially gives the U.S. the final say on who gets to travel on Canadian flights that pass over its airspace. Canadian airlines currently aren’t obligated to share flight information with the U.S. unless passengers are landing there. If made law, the bill would comply with American laws so that Canadian airlines would have to provide passenger information 72 hours before departure. U.S. Homeland Security officials would then screen travellers’ names, birthdates and sex information against lists of suspected terrorists, including the notorious American no-fly list. If a passenger shares the same name as someone on a no-fly list, he or she could be questioned, delayed or even stopped from boarding a flight. Last month, a British man was stuck in Canada for three days after he was barred from boarding a flight because his name was on a security threat list. Dawood Hepplewhite, 30, of Sheffield, England, said British High Commission consular officials had to intervene so he could leave Toronto. Hepplewhite’s name appeared on the U.S. no-fly list, and his flight from Toronto to England was scheduled to fly through U.S. airspace. Last month, the Canadian Civil Liberties Association said the government should disclose how Canadian passenger flight information will be shared with the U.S. “Canadian sovereignty has gone right out the window. You are going to be subject to American law,” Liberal transport critic Joe Volpe told Postmedia News when the bill was introduced. [Source]


US – ID Theft Tops List of Consumer Complaints

The Federal Trade Commission (FTC) yesterday released its list of the top consumer complaints for the year 2010, and identity theft tops the list for the 11th year in a row. According to an FTC press release, the commission received 250,854 complaints related to identity theft–19 percent of all of the complaints received. According to the Consumer Sentinel Network Data Book report, “government documents/benefit fraud” was the most common form of reported identity theft, and Florida is the state with the highest per capita rate of reported identity theft complaints. The category “Internet services” accounted for the third-highest number of complaints, with 65,565 reported to the FTC in 2010. [Source] [Text of Full Report

US – Study: Attitudes on Privacy Becoming Polarized

According to a Ponemon Institute study, 58% of social network users feel their privacy is less important to them than it was five years ago, while 53% of non-users said it is more important, reports. Ponemon Institute Founder Larry Ponemon, CIPP, called the findings surprising, adding, “The fact is there’s not a lot of complacency about privacy now. People are thinking about this.” Privacy expert Alessandro Aquisti says one reason for the polarization may be that the more people use social networks, “the more costly it becomes for others (who aren’t members) to be loyal to their views…That means some people’s right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy.” [Source] See also: [Why should I care about digital privacy?

WW – Study: Data Anonymity Changes Internet Users Minds

A PubMatic study asked about 500 Internet users how they feel about advertisers tracking their online activities. The study found that the anonymity of the data and how the data is used matters to respondents. Once respondents understood that only anonymous data was used for ad targeting, 40% changed their response from disapproving of the practice to approving of it. PubMatic’s vice president of marketing said, “Everyone knows the user’s privacy is paramount and that we provide a service to them. Understanding the how and the why changes everything.” [Source]


CA – Ontario Public Sector Must Go Beyond “Patchwork Adoption” of Open Government

Experts from the Office of Ontario’s Information and Privacy Commissioner (IPC) will make the case for taking a proactive approach at the 2011 Information Management and Access and Privacy Symposium at the Metro Toronto Convention Centre. Brian Beamish, Assistant Commissioner for Access, will discuss the benefits of Access by Design (AbD) as it relates to the open data and open government movement. The concept of AbD was developed by Commissioner Cavoukian to provide a set of fundamental principles that encourage a proactive approach to releasing government-held information. The objective is to foster a culture of transparency and accountability, where access is the default. [Symposium] [Source

CA – Ontario Could Let Cameras Capture Courtroom Dramas

Canadians have never been able to watch courtroom dramas unfold in their living rooms the way American viewers have come to expect. But now, Ontario, Canada’s largest court system and the only one in the country to specifically legislate a ban on cameras, is opening the door to delivering trials to the public via the small screen. In an interview with The Canadian Press, Ontario’s attorney general says he’s open to the idea of allowing cameras in courtrooms and says the time is right to canvas judges, Crown attorneys and defence lawyers on their opinions. “I’m interested in the views of people as to whether we should move forward,” Chris Bentley said. [Source

US – Man Pleads Guilty to Looking at Passport Files

The Justice Department has now netted a dozen convictions of State Department workers who looked at confidential passport records of celebrities in violation of privacy laws. Former State Department contractor Mark Carter of Upper Marlboro, Md., became the latest when he pleaded guilty to unauthorized computer access. The investigation began in 2008 after officials discovered access of files containing photos and personal information for then-presidential candidates Barack Obama, John McCain and Hillary Rodham Clinton. Federal agents found the unauthorized access extended well beyond politics. For example, Carter admitted he looked at the files for celebrities, musicians, actors, business leaders, a professional athlete, his colleagues and family members. He could face up to a year in prison and a $100,000 fine at sentencing Aug. 5. [Source] See also: [CA – Snooping Bureaucrats Get ‘Slap On The Wrist’

CA – Against Lawyer’s Advice, Toronto City Council Spent Over $250,000 on Legal Fees

Toronto city council has spent more than $250,000 pursuing a legal fight against the advice of its own lawyers, including $96,057 on a recent unsuccessful court case, according to confidential documents viewed by The Globe and Mail. The city’s top lawyer is recommending council abandon its quest for access to a database containing private information about residents, something the province’s privacy commissioner and two outside legal experts warned would violate privacy laws. The database legal saga began four years ago, when some councillors began pushing for “read-only” access to the Integrated Business Management System (IBMS,) which contains up-to-date information such as the status of permits, applications and inspections. The city’s legal department warned that granting councillors unfettered access to IBMS would violate privacy laws because the database includes the names and personal information of constituents. But if council votes this week to reject that advice, an appeal would cost at least another $35,000, the documents say. [Source

CA – Ottawa School Board Gets Personal

Ottawa-Carleton District School Board surveys asking students and their parents probing questions about home life, religious affiliation and sexual orientation are permitted under the Municipal Freedom of Information and Protection of Privacy Act and will go ahead unchanged in April and May, the board announced. Between April 18 and May 20, the board will survey the parents of students from junior kindergarten to Grade 6, while students in Grades 7 to 12 will be asked to complete the survey on their own. The Office of the Information and Privacy Commissioner of Ontario handed the board its final report. The board went to the commission to have its plans looked at in October, before those plans were made public. After a number of complaints were called into the commissioner’s office about the potential use of the information, potential errors, lack of anonymity and the process of withholding consent, a privacy investigation was launched. The report found that the information the survey hoped to glean was personal, but that it was OK to collect under the act because it was “necessary to the proper administration of a lawfully authorized activity.” The survey questions touch on a wide range of issues, including academic abilities, bullying, extracurricular activities, cultural backgrounds and language and religious affiliation.[Source

EU – Hackers Breach French Finance Ministry, Take G20 Files

The French Finance Ministry has confirmed that hackers infiltrated 170,000 of the agency’s computers in December and stole data related to the G20. The attack involved Trojan horses and was discovered in January, according to French Budget Minister Francois Baroin. Officials are investigating. [Source]


WW – Google Faces Second Privacy Lawsuit Over Gmail Content Scanning

Google is being sued for the second time over its practice of scanning Gmail message content to serve users ads relevant to the messages’ topics. The first lawsuit brought by a Texas man in November 2010, has been sealed. The new suit, on behalf of Kelly Michaels, focuses on Google’s Terms of Service agreement. The complaint claims that Google asks users to agree to its Terms of Service, but doesn’t ensure that the users understand what it is they are agreeing to. The Google Terms of Service agreement includes 92 paragraphs. The Google Program Policy and Privacy Policy are also separate entities; the Privacy Policy includes 55 external links. [Source

CA – Canadian Scientists Crack Code for Tracing Anonymous Emails

Engineers and computer scientists at Concordia University have cracked the code for tracing anonymous emails. For the first time, said data-mining expert Benjamin Fung, analysts have used the complex algorithms and almost imperceptible human quirks that make up the concept of “frequent pattern” to work out each person’s unique email fingerprint or “write-print.” “The people who wrote the email don’t even recognize what they are doing,” Fung told the Star. “One of the features we break down is vocabulary richness. That would be hard to increase quickly.” Other telltale evidence of the mystery writer can come from common grammatical mistakes, an unconscious extra space between each paragraph or patterns in punctuation. “We’ve collected thousands of features to find the different combinations,” Fung said. The combinations are the key. All of the suspects may misspell “consensus,” but not all of them misspell “consensus,” use commas instead of periods, and think “none” takes a plural verb. “Everyone has a unique combination. We see it as quite useful in criminal investigations.” The cyber-forensic tool, reported in the journal Digital Investigation, can ferret out the author of emails used for phishing, spamming, cyber bullying, email bombing, child pornography and sexual harassment, among others. The next stage of research will be to apply the data-mining method to the even shorter texts of instant messaging, chat rooms and social media, said Fung. [Source] See also: [Robert Soloway Exits Prison, Disavows ‘Spam King’ Ways] [Fighting Spam And Spyware Canadian Style - Part I – McCarthy Tetrault Analysis] and also: [IPv6 Shift Will Impede Spam Filtering

US – Cyber Attackers Release Internal Bank of America eMails

The group of hackers that calls itself Anonymous has released email messages that they say demonstrate fraud at Bank of America (BofA). The information appears to come from an unnamed whistleblower, a former employee of Balboa Insurance, which used to be owned by BofA. The emails indicate that the company withheld foreclosure information from regulators. [Source] [Source] [Source]


CA – Friends of Medicare Call for Better Protection After Unencrypted PHI Disappears

Friends of Medicare are calling for Alberta to write privacy protection into law after yet another unencrypted hard drive containing patient information went missing. Two surgery videos and 3,600 photos of wounds, lab specimens and dead infants, all labelled with the patients’ names, went missing during an office move at the Misericordia Hospital in January, Covenant Health announced. The external hard drive, about the size of a book, was put under a desk during the move and couldn’t be found a week and a half later. The files were not originals, only four of the files have birth dates attached, and none contain financial information, but the hard drive should have been encrypted, said Covenant Health president. “In this case, a staff member did not follow policy,” he said. “We have a very solid policy that just wasn’t followed.” The Office of the Information and Privacy Commissioner will be investigating, he added. [Source]

EU Developments 

EU – Reding Calls for “Right to be Forgotten”

The European Commission’s new rules for Internet user privacy should protect EU citizens no matter which country the data is stored in, said Justice Commissioner Viviane Reding. The Wall Street Journal reports that during a speech in Brussels today, Reding said the commission’s proposed rules–expected to be finalized this summer–should provide citizens the “right to be forgotten…When modernizing the legislation, I want to explicitly clarify that people shall have the right–and not only the ‘possibility’–to withdraw their consent to data processing,” Reding said. She also called for harmonization of EU data protection rules and for the burden of proof that data collection is necessary to rest on data controllers, not Web users. [WSJ

EU – US-EU Data Sharing Efforts Snagged by Privacy Oversight Debate

The United States-European Union high-level contact group for data sharing has begun converting shared data exchange principles into workable standards, said a Homeland Security Department official speaking March 2. But the collaboration effort has hit a roadblock in the area of privacy oversight. Europeans argue that the United States lacks an independent agency that is equivalent to the EU authority over data privacy. “One thing that has been of debate or discussion with the Europeans is this issue of independence,” said Mary Ellen Callahan, chief privacy officer at DHS, while speaking at an American Bar Association event in Washington, D.C. “So what does the independence of the data protection commissioners get you? It gets you the ability to review something ex post in an objective fashion.” Callahan argues that there are plenty of bodies conducting ex post review in the U.S. federal government—the Government Accountability Office, inspector generals and Congress–and creating more bureaucracy is unnecessary. One solution that could move the high-level contact group beyond this impasse would be for Congress to make the dormant Privacy and Civil Liberties Oversight Board more independent and give it a full staff, said Abraham Newman, a foreign service professor at Georgetown University. [Source

EU – Germany Adopts Telecom Breach Notification Requirements

The German government has adopted a draft law that revises the German Telecommunications Act to include breach notification requirements for telecommunications companies. The law brings Germany into alliance with the European e-Privacy Directive. Under the draft law, telecommunications companies are required to notify the federal data protection commissioner and the federal network agency about data breaches. The law also includes provisions requiring “providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked on location,” according to the report. [Hunton & Williams Privacy and Information Security Law Blog

EU – Irish Notification Requirements Didn’t Make Deadline

Data Protection Commissioner Billy Hawkes says a new code of practice that would have forced data breach notification cannot be enforced because it was not put it front of parliament before the last session’s dissolution. Hawkes said at a recent Irish Computer Society event that though he approved the code last year, it “does not have the force of law because the final step to give it such force was never taken,” the report states. Hawkes said, “the code of practice that exists now is not legally binding–it’s just strong recommendations.” He added that he would like to see penalties put in place to “complement” notification requirements. [Source

EU – French Decree Mandates Yearlong Data Retention

Internet service providers, video sites and other Web sites will be required to retain certain personal data on users for one year after account closure, according to a decree published in the official gazette. “Decree 2011-219 states that information provided upon contract subscription or account creation…must be kept,” the report states. Such information may include names, postal addresses, pseudonyms, phone numbers and passwords. “Web sites will also have to keep for one year after any content is published the user name, type of protocol used, nature, date and time of the operation,” according to the report. [Source

EU – Spanish Parliament Reduces DPA’s Penalties

The Spanish Data Protection Agency (DPA) is described as “one of the more enforcement-oriented DPAs in the EU,” but parliament has modified its penalty structure to lower many fines, the Hogan Lovells Chronicle of Data Protection reports. The main modifications include warning businesses and giving them a set amount of time to resolve breaches before fines would be levied and changes in the level of infringement for certain transfers of personal data, the report states. The modifications were announced in the wake of Europe’s highest court’s review of the DPA’s order that Google remove links to Web content due to privacy concerns. [Source

UK – New Camera Commissioner Could Cause Confusion, Says Privacy Watchdog

The Information Commissioner has warned that new plans for a Surveillance Camera Commissioner could result in confusion and conflicting regulation. The Government has proposed a new code of practice on the use of CCTV networks and traffic-monitoring automatic number plate recognition (ANPR) systems. The code will establish a new watchdog to ensure that it is followed, the Surveillance Camera Commissioner. The code was proposed by the Government’s Freedom Bill. In its evidence on that Bill to the Public Bill Committee, data protection regulator the Information Commissioner said that the appointment of another commissioner with some of the same duties as him could cause damaging confusion. [Source] See also: [UK: Unmanned spy drones and facial recognition cameras could soon be the norm]

Facts & Stats 

US – New Jersey Comptroller Finds Data on Machines Marked for Auction

An audit conducted by the Office of the New Jersey State Comptroller found that nearly 80 percent of retired state government computers headed for auction still contained sensitive personal data. The computers examined were being held at a state surplus property warehouse. New Jersey guidelines require that data be removed from hard drives before computers are sent to the warehouse. The audit was prompted by a number of arrests of warehouse employees. New Jersey state comptroller Matthew A. Boxer says that he believes it is likely that other machines containing data have already been sold because no outside agency had investigated the procedures before his office looked into the matter at the warehouse. [NYT] [GovTech] and also: [Solid State Drive Firmware Destroys Data

WW – Working On-The-Go Could Pose Privacy Threats

The ability to take work on the road via laptops, tablets and smartphones enabled for WiFi access is convenient, but these mobile offices are vulnerable to data breaches, The New York Times reports. According to a report by Symantec and the Ponemon Institute, such breaches are becoming more expensive. From leaving laptops in hotel rooms to using public WiFi to sharing information on social networks, experts detail the myriad risks to personal and business data. Prof. Betsy Page Sigman of Georgetown’s McDonough School of Business suggests, “You want to be overly cautious, especially if you are around a lot of competitors.” [Source

WW – Survey: Quick Responders Pay More for Breaches

InformationWeek reports that the cost of a data breach for a U.S. company continues to rise, reaching $7.2 million in 2010, an increase of 9% from the previous year. A Ponemon Institute study, published by Symantec, found that companies that responded to a breach rapidly paid more than companies that responded slowly. “Quick responders paid $268 per record, an increase of 22% from 2009, while organizations that took more time paid $174 per record, a decrease of 11% from 2009,” the report states. Negligence topped the list of data loss causes. [Source]


EU – Medical Malpractice Case at Heart of Legal Debate

A plastic surgeon who was cleared of wrongdoing in a criminal medical malpractice case 20 years ago is at the heart of a legal debate in a Spanish court. The case involves the Spanish data protection authority’s request for Google to remove from its search results links that go to a 1991 newspaper article about the surgeon’s troubles. Google is contesting the request, saying that to do so would be censorship. But “Spain has always taken an extremely strong line over privacy,” says a Barcelona lawyer, and now the European Court of Justice may become involved. [Source

WW – Google Remotely Removes Infected Apps from Android-based Devices

Google has begun using its “remote removal function” to purge infected apps from Android devices running versions prior to 2.2.2. About 50 apps were found to be infected with malware known as DroidDream; all have been removed from the Android Market. Google has also suspended the accounts of the developers believed to be responsible for the infected applications and plans to take legal action. [Source] [Source] [Source] [Source] [Source] [Source] and also: [Google Pulls Infected Apps From Android Marketplace

US – Legislative Subcommittee Approves Bill Nullifying Net Neutrality Rules

The House Energy and Commerce Committee Subcommittee on Communications and Technology has voted to nullify the Federal Communications Commission’s (FCC) net neutrality rules. The action was taken through the subcommittee’s approval of a bill that uses the Congressional Review Act. It now goes before the full committee. [Source] [Source]


EU – European Lawmakers Still Worried About Banking Data Security

Europe’s police force, Europol, has approved requests to send private citizens’ banking data to the U.S. Department of Treasury without sufficient consideration for data protection laws, according to an internal report. An official report on an investigation carried out by the organization’s Joint Supervisory Body (JSB) was made public by the German Commissioner for Data Protection and Freedom of Information. Since August 2010, the European Union has allowed European citizens’ financial data to be transferred to the U.S. under the Terrorist Finance Tracking Agreement, also known as the Swift agreement. However, one stricture of the accord specifies that the U.S. must “clearly substantiate the necessity of the data” in combating terrorism. The JSB inspection team was made up of seven data protection experts who found, that of the four requests made by the U.S. since the Swift pact was established, all were too abstract to allow proper verification for whether they comply with the accord. The report concludes that given the dearth of information, verifying whether the requests to date “are in line with the conditions of the agreement, is impossible.” Oral statements from the U.S. Treasury to Europol personnel had a bearing on the decisions, but even the JSB team has no knowledge of the content of those statements. Therefore it is impossible to tell whether omissions in the written requests were rectified by oral information, according to the report. This renders proper inspection by Europol’s Data Protection Office impossible, concluded the report. Giving Europol a role in implementing the controversial agreement was one of the concessions made to the European Parliament after it initially rejected the accord over concerns about civil liberties. On Wednesday these misgivings resurfaced. Parliamentarians said that Europol appears to be just rubberstamping requests for the transfer of bulk data, without any kind of scrutiny or oversight. Alexander Alvaro, Parliament’s rapporteur on the TFTP Agreement, called for “all relevant documents must be declassified.” “This report should send alarm bells ringing in Brussels,” added Sophie In’t Veld, vice-president of the parliamentary committee on civil liberties. “It would seem Europol has not been respecting the agreed data protection safeguards which we insisted upon as a condition for this agreement to go ahead. We need clarification on how these data transfers are being processed.” The Commission is due to publish its evaluation of the TFTP on March 17. [Source

CA – Canada Still Has More Work to do on Money Laundering: Report

An evaluation of Canada’s anti-money laundering and anti-terrorist financing regime over the past decade suggests government institutions still don’t share enough information among themselves. The report presented to the Finance Department by a private consulting firm Monday says a lack of proactive disclosures from Canada’s financial intelligence unit hampered efficiency. The report says the inefficiencies in the regime’s efforts related to the Financial Transactions and Reports Analysis Centre of Canada stem from the strict rules the agency has to operate under. The evaluation was mandated by the Treasury Board with its findings meant to contribute to an upcoming five-year parliamentary review of the Proceeds of Crime act. [Source]


CA – CAJ Opposes Proposed B.C. ‘Proactive’ Disclosure

The Canadian Association of Journalists has told the British Columbia government it opposes so-called proactive disclosure plans proposed for ministries and agencies because they will lead to fewer freedom-of-information requests. The Office of the Information and Privacy Commissioner for British Columbia was seeking input on proposed changes to legislation in B.C. that would, in part, require all FOI requests to be posted freely online after the requester had gone through the expense of filing the request. “The CAJ supports proactive disclosure. We’ve been advocating for more routine disclosure for years as part of our work promoting access to information and open government,” CAJ president Mary Agnes Welch said. “What the B.C. government is proposing is not proactive disclosure. This is still reactive disclosure, because it relies on a formal request being filed and a long and at times expensive legislated process.” In particular, the CAJ opposes the idea that someone who would file an FOI request, work through the red tape and pay at times exorbitant fees to see what they’ve asked for would see the fruits of that effort immediately posted online for all to see—before even receiving their own paper copy. If the province insists on continuing to charge these fees, then those paying them should have time-limited exclusive access to review what they paid for before a full public posting. [Source] [BC: Why David Hahn Has Investigative Reporters in a Tizzy] See also: [US: Lawmakers’ cell phones often out of public reach]


US – Researchers Present Study of Vulnerabilities in Cars’ Computer Systems

Researchers at the University of California, San Diego and the University of Washington have published a paper in which they say they have found ways to break into newer-model cars’ computer systems through Bluetooth and cellular network systems and through the diagnostic tools used by auto mechanics. The same researchers presented a study last year describing how they were able to shut off a car’s engine, lock the doors, turn off the brakes and falsify odometer readings. That attack required plugging a laptop into the car’s diagnostic system. The new paper focuses on remotely accessing a car’s computer system. The researchers, Stefan Savage and Yoshi Kohno, acknowledge that the attacks are challenging, but Savage noted that “When people first started connecting their PCs to the Internet, there wasn’t any threat and then over time it manifests. The automotive industry … has the benefit of the experience we went through.” [Source] [Source]

Health / Medical 

US: New App Gives Patients Instant Access to their Medical Records

University Health Care now offers a free application for students to access their medical information directly from their iPhones. MyChart, developed by Epic Systems Corporation, gives patients instant access to lab results, medications, immunizations and any other medical records. The smartphone app keeps record of interaction with any U care facility or physician as well. The program also serves as a reminder for any needed medical care. If a patient is due for a shot, checkup or any type of procedure, MyChart will alert the patient with a notification. Curtis Newman, director for the MyChart project, said the “ask my doctor” feature is a major bonus for students in particular. MyChart’s developer has yet to come out with technology in support of the Android or BlackBerry operating systems, but Newman said these will likely follow close behind. [Source] See also: [State AGs to Get HIPAA Training

US – OMB Reviews Information Disclosure Changes to HIPAA Privacy Rule

The Office of Management and Budget’s review of a Health and Human Services (HHS) proposal to extend the HIPAA privacy rule’s requirements to “include disclosures during the previous three years for treatment, payment and healthcare operations (TPO) if a healthcare provider uses an electronic health records (EHR) system.” The Medical Group Management Association is raising concerns about the plan, writing to HHS that the stipulation “that the TPO accounting is only required for those physician practices that have adopted an EHR suggests that the government believes TPO disclosures would be collected and stored on this one clinical system. This is simply not the case.” [Source

US – Study: HIPAA Laws May Have Borders, Ethics Don’t

It is a breach of ethics to post pictures of medical patients receiving treatment outside of the U.S., even if HIPAA laws don’t extend that far. That’s according to researchers in a recent Journal of Medical Internet Research study, who looked at 1,023 medical students’ Facebook pages and found 12 photos of patients being treated in developing countries. In the U.S., patients agree to be photographed after signing consent forms. But in developing countries, patients may feel that by signing such a form, they have a better chance at receiving care, says one of the study’s authors. “Use your moral and ethical compass,” she tells practitioners. “What if this was your child?” [Source]

Horror Stories 

US – CA Investigating Latest Health Net Data Breach

After Health Net, Inc. in California announced that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves “personal information for 1.9 million current and past enrollees nationwide.” The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan’s statement, saying that the missing records on nine servers are “for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.” “The DMHC has opened an investigation into Health Net’s security practices,” said DMHC spokesperson Lynne Randolph. “Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.” [Source] See also: [Health Canada mails details of marijuana users] and [Youth-only clinic delivers privacy patients crave] and also: [Privacy breaches found at Central Health] See also: [2010 Annual Study: U.S. Cost of a Data Breach – Ponemon/Symantec] 

US – Company Fined for Improper Document Disposal

The Office of the State of Illinois Director of Insurance’s has issued a decision to fine an insurance company for its improper disposal of private insurance documents. MetLife must pay a fine of $75,000 and provide credit fraud protection for those customers who may have been affected when a former sales office discarded clients’ personal documents in a dumpster without shredding them. The documents, which remained in the dumpster for up to four days, included such information as Social Security numbers, birth dates and account balances. [Source

US – Student Data Losses for Three Institutions

The State reports that the University of South Carolina has notified 31,000 current and former faculty, staff and students throughout its eight campuses about a breach that exposed their personal information–including Social Security numbers (SSNs). Meanwhile, at Missouri State University, the names and SSNs of 6,030 students of the College of Education were accidentally posted online and searchable through Google, reports SC Magazine. The university has worked with Google to remove the lists and is notifying those affected and offering them identity theft protection. In a separate incident, the Alaska Department of Education and Early Development is notifying students and parents that 89,000 students’ personal information was being temporarily stored on an external hard drive that was stolen from its Juneau headquarters. [Source

US – Blood Bank Loses Data on 300K

Cord Blood Registry (CBR), the world’s largest stem cell bank, has notified about 300,000 people that their data may have been have been exposed when storage tapes and a laptop were stolen from an employee’s locked car last December. According to CBR’s director of corporate communications, the tapes may have contained credit card numbers, driver’s license numbers or social security numbers but no medical information. CBR sent letters to affected people dated February 14 offering a year of free credit monitoring and assurances of better security practices in the future, but some are questioning why it took so long for them to notify people and why the data was not better protected. [Source

US – BCBS of Florida Mails Forms to Wrong Addresses

Blue Cross and Blue Shield of Florida (BCBSF) has alerted about 7,400 of its members that for three months it has been mailing explanation of benefits forms to old addresses. The error occurred when BCBSF converted to a new source of customer mailing address information. According to BCBSF, no Social Security numbers, dates of birth of financial information was exposed. The company has corrected the problem and notified all affected customers. [Source]

Identity Issues 

WW – Fingerprinting to Supplant Cookies?

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device’s properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It’s easier to opt out of fingerprint tracking than cookies, developers say; because the device’s fingerprint lasts as long as the device itself, opting-out must only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can “opt out of both tracking and targeting independently.” [Source

US – CA Zip Code Ruling Incites Flurry of Class Actions

In the month’s time since the California Supreme Court decided that zip codes are personal information, 106 class-action lawsuits have been filed. That’s because the presiding justices ruled that the law would apply retroactively, putting every retailer that has collected zip codes during credit card transactions since the Beverly-Song Act of 1971 at risk for liability. In a Privacy Advisor exclusive, experts discuss the potential implications of the Pineda v. Williams-Sonoma decision. Among them, Linda Woolley of the Direct Marketing Association says the case is “very troubling” and has “great implications for what marketers do in terms of data collection,” while Martin Abrams of the Center for Information Policy Leadership at Hunton & Williams says the court’s decision is the “wrong approach.” [Source]

Internet / WWW 

UK – UK ISPs to Clarify Traffic Management Policies

Major broadband providers in the UK will soon clarify their network traffic management practices. BT, Virgin Media and others have signed a voluntary code of practice saying they will provide consumers with clear information about when Internet connection speeds are slowed, why they are slowed, and what effect the throttling will likely have on consumers’ broadband service. The disclosures will also state whether the provider has arrangements with specific content providers to prioritize their traffic. [Source] [Source] [Source] See also: [AT&T to Impose Data Caps for Broadband Customers

US – Twitter, Facebook Still Reluctant to Join Free Speech Initiative

Three years ago, some of the world’s leading tech companies agreed to participate in the Global Network Initiative (GNI) – a code of conduct designed to protect online speech and privacy around the world. The initiative was originally launched in response to brewing tensions in China, where some Internet companies were accused of complying with government censorship policies in order to pursue profit-driven agendas. Today, the GNI can count corporations like Google, Microsoft and Yahoo among its prized members, but there are still some glaring omissions – including Facebook, and Twitter. According to its code of conduct, all initiative participants are required “to avoid or minimize the impact of government restrictions on freedom of expression,” while doing their best to protect user privacy whenever government regulations “compromise privacy in a manner inconsistent with internationally recognized laws and standards.” All companies and organizations are subject to evaluations from independent auditors, who determine whether or not their policies comply with the initiative’s objectives. [Source

US – Private WiFi Intended to Protect Consumers on Public WiFi Networks

Private Communications Corporation (PCC), a security technology company that protects personal data and information online, today announced the launch of Private WiFi®, its flagship Virtual Private Network (VPN) software. Private WiFi encrypts all data going into and out of a person’s computer to support online privacy, protect consumers’ identities and secure sensitive communications transmitted over the more than 400,000 known unencrypted WiFi networks or “hotspots” worldwide, according to JiWire. Microsoft’s 2010 U.S. Remote Working National Research findings suggest that more employees are working from public places, reporting 21% on a plane, 27% from a coffee shop and 37% on vacation. Consequently, users are increasingly taking advantage of WiFi networks in public places. In fact, the U.S. experienced a 17.3% growth in public Wi-Fi usage in 2010. Despite such rapid growth in public WiFi usage, many are unaware of the risks associated with transmitting information across unprotected public networks. [Source

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40% of WiFi users do not understand those settings and 16% are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source

WW – Report Forecasts Pros and Cons of the Cloud

Experts have suggested that 75% of senior business leaders believe that privacy and security concerns are the key impediments to the adoption of cloud computing, the Financial Times reports in an analysis piece on the benefits and risks of cloud computing for entities in the UK and EU. With the European Commission anticipating introducing data protection reforms later this year, the report stresses that “to comply with EU personal data requirements, the data controller needs to ensure that the security standards are appropriate, having regard to the nature of the personal data, the state of technological development and the cost of implementing particular measures.” [Source

EU – Cloud Provider: Legislation Required for Cloud Success, Census

“Legislation is an impediment” to the UK government’s G-Cloud initiative, say officials from Lockheed Martin, the largest provider of cloud services to the U.S. government. In the UK and Europe, data privacy laws prevent the movement of data outside the jurisdiction, which is “the antithesis of cloud computing’s concept.” For the cloud to succeed, privacy and confidentiality legislation will need to change, the report states. “Governments should all be updating their laws if they aren’t already,” said Melvin Greer, chief strategist for Lockheed Martin, adding that the UK government and the G-Cloud initiative “will have to deal with the concept of having a secure infrastructure…” [Source

WW – Google Street View Expands Off-Road Imagery

Google Street View has added more locations in the U.S. and around the world, the company revealed on its blog this week, thanks to a high-tech tricycle that’s filming public and private places that aren’t accessible by roads. In 2009, the company unveiled the “trike,” a modified bicycle with camera and surveying equipment mounted in the rear. For more than two years, the trike has been mapping bike paths, gardens and many other off-road areas around the world. “Some of the properties that we are currently interested in include zoos, parks, universities, amusement parks, outdoor marketplaces, stadiums, monuments, tourist destinations and race tracks (to name a few),” according to Google. “I feel like we’re just scratching the surface of what sorts of images our users want to see,” Google engineer Daniel Ratner, the trike’s inventor, told McClatchy news service. [Source]

Law Enforcement 

CA – Ontario Police Can Detect Computers Accessing Child Porn

Halton police say technology is helping them pinpoint predators in their war on child pornography. A one-second snapshot of Internet use on Wednesday morning showed six Oakville computers, seven in Burlington, four in Halton Hills and five in Milton were accessing child pornography sites at that moment, said Det.-Sgt. Brad Cook. Police also detected 158 computers in Halton that accessed child porn last month, he said. But Cook said police won’t reveal how they can track Internet traffic for fear of giving an upper hand to those who troll child porn sites. Police departments around the world are engaged in an evolving game of technological cat-and-mouse with web offenders. In 2005, Halton was one of several Canadian police departments that adopted the Microsoft Child Exploitation Tracking System (CETS). The CETS database acts as an information repository, helping officers organize data and share information across jurisdictions. Halton is among 18 police services across Ontario involved in a joint forces strategy to protect children from sexual abuse and exploitation. [Source] See also: [Ottawa man victim of Facebook, email scam] and [In Social Media Postings, a Trove for Investigators]


CA – IPC, ASU Partner on Applying Privacy by Design to Mobile Technologies

Ontario’s Information and Privacy Commissioner Ann Cavoukian and Arizona State University’s Privacy by Design Research Lab have released a new white paper that maps the way forward for achieving meaningful privacy protection in the mobile space. The new report builds on original research conducted by ASU’s new PbD Research Lab, which convened an expert panel of top executives from leading mobile organizations to identify privacy and security challenges in their rapidly-expanding field, and propose potential solutions, grounded in real-world experiences. Focusing on the solutions identified by this expert panel, The Roadmap for Privacy by Design in Mobile Communications outlines practical tools to help developers, service providers, and users achieve mobile privacy. [Source

CN – China to Track Its Citizens Using Cellphones

The Chinese government is planning to track Beijing’s 17-million mobile-phone users using their phones’ built-in GPS. The initiative is being sold as a way to curb traffic congestion, but human-rights campaigners worry the government will use the information to quell unrest. In a city infamous for its nine-day traffic jams, the “information platform of real-time citizen movement” would use signals from a mobile phone’s GPS to monitor traffic and track how residents were using the subway, bus lines and roads, according to the Chinese government’s website. Beijing’s inhabitants would be able to buy some of the data, helping them avoid bottlenecks as they moved through the city. Specific information about individuals would not be available. But some worry this latest announcement could be part of a larger plan to curtail dissent. Last year, China passed legislation making it illegal for the country’s 850 million cellphone users to register their SIM cards under a false name. “Certainly the use of the platform will not be limited to gathering traffic information. Officials in other areas, such as anti-terrorism and stability maintenance, will also find it useful.” There is no word on whether people will be able to opt out of the program, which is expected to launch in the first half of this year. [Source

CN – Mobile Phone Tracking Proposal Approved

An expert panel has approved plans to collect real-time location data on 17 million China Mobile subscribers to help resolve Beijing’s traffic problems. Under the program, phones’ locations will be registered with base stations then collected, aggregated and reviewed by transportation officers and city planners. The first phase of the Beijing Real-Time Travel Information Platform is expected to roll out in June. Once the program is up and running, the government plans to send the aggregated data back to citizens to help them make smart travel decisions. While the deputy director of social development said the data would only be used for traffic control–and mobile users’ privacy would be protected–the panel that approved the plan recommended linking the platform with city-management efforts in other government departments. [Source

EU – Industry Submits Code of Practice for Online Maps

Germany’s digital industry has submitted a voluntary code of privacy to the government in response to public concerns over services like Google’s Street View that publish images of residences online. The draft code of practice, submitted by a federation representing the industry, would establish a Web site disclosing information collected about German towns, explain how Germans can file objections to data gathering and offer links for complaints, the report states. Interior Minister Thomas de Maizière, who received the industry’s code, called it “a sign of greater transparency by German businesses and international corporations.” [Source]


LV – DPA Suspends Electronic Tax Service

Latvia’s data protection inspectorate has suspended the State Revenue Service’s tax return service due to privacy concerns. The inspectorate ordered a halt to the Electronic Declaration System due to the fact that “users who happen to know another person’s identity number can find out that person’s name, surname, address and other personal data,” the report states. The system will remain suspended until the revenue authority finds a way to control access. [Source]

Online Privacy 

EU – E.U. Privacy Directive Angers Start-Ups

U.K. start-ups have reacted angrily to the stance by the country’s Information Commissioner on the European e-Privacy Directive on web cookies which comes into effect in May. According to the E.U.’s Privacy and Electronic Communications Directive “explicit consent” must be collected from Internet users who are being tracked via cookies. The e-Privacy Directive was passed in Brussels in 2009. It comes into force on May 25. [Source] See also: [Peter Fleischer blog: Foggy thinking about the Right to Oblivion] See also: [Data Mining: How Companies Now Know Everything About You] and [New York Times: Tracking Users’ Web Footprints] and [Peer Swire paper: Social Networks, Privacy, and Freedom of Association] [Executive Summary] [Full report

WW – Consumer Group: Cookie Concerns Continue

An investigation by Which?, a consumer group, that points to difficulties for Internet users to manage local shared objects–more commonly known as Flash cookies–is sparking a push for stricter online legislation. The difficulties of removing local shared objects from hard drives and features comments by Sarah Kidner of Which?, who suggests, “If such practices are happening without the user’s knowledge, it is pretty serious and could be in contravention of data protection law.” A member of the group’s legal counsel says that “as the online behavioral advertising industry innovates to collect ever more data,” both the UK Information Commissioner’s Office and the EU need to address such technologies. [Source

US – Judge: Debt Agency Can’t Contact Woman on Facebook

A Florida debt collection agency has one less tool in its quiver for contacting debtors. A judge has ordered Mark One Financial LLC not to contact a debtor or her family or friends via Facebook. Attorney Billy Howard said in doing so, the company violated his client’s privacy and a provision of the state’s consumer protection law. He said that debt collectors are turning to social media increasingly to retrieve payments and, increasingly, debtors are looking for legal remedy. “It’s the beginning of an epidemic,” Howard said. [Source]

Other Jurisdictions 

NZ – Privacy Measures Removed to Help Quake Response

Privacy protections for taxpayers and other New Zealanders have been temporarily removed or amended to help the response to the Christchurch earthquake. Using controversial legislation put in place following last September’s quake, Earthquake Recovery Minister Gerry Brownlee has made an “Order in Council” allowing the Inland Revenue Department to share information with other Government agencies. A spokesman for Finance Minister Bill English said the order, which is in force until the end of October, was to allow processing of claims under the Government’s $130 million financial support package for Christchurch’s employers and workers, specifically the wage support subsidy. Information sharing for anything other than earthquake-related support would “absolutely” not occur. [Source

MY – Prime Minister: SMS to 4 Million Didn’t Violate Privacy

Malaysian Prime Minister Datuk Seri Najib Abdul Razak says he did not violate people’s personal privacy or the data protection law when he sent Chinese New Year messages to citizens. The four million messages were sent to three telecommunications companies for transmission, he said in response to inquiries. “The Prime Minister’s Office has ensured that the principle of personal data protection was not compromised and the terms and conditions of the companies were fully respected,” Najib said, adding that the prime minister had no access to any of the recipients’ personal data. [Source]

Privacy (US) 

US – Administration: Privacy Bill of Rights Needed

The Obama Administration is weighing in on the dialogue surrounding online privacy, and the consensus is that the time has come for baseline privacy legislation at the federal level. That was the focus at a Senate Commerce Committee hearing on consumer privacy. The Department of Commerce “has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers,” explained National Telecommunications and Information Administration Administrator Lawrence Strickling. This Daily Dashboard exclusive examines the testimony and reactions from legislators, industry and advocates at today’s hearing paired with expert opinions on a U.S. “privacy bill of rights.” [Source

US – Supreme Court Determines Corporations Are Not Persons

The U.S. Supreme Court has ruled that the term “personal privacy” does not extend to corporations. The 8-0 decision in FCC v. AT&T, which was prompted by an appellate court decision to extend a Freedom of Information Act exemption prohibiting the release of information that causes “unwarranted invasion of personal privacy” to corporations. In his opinion, Chief Justice John G. Roberts Jr. wrote, “We do not usually speak of personal characteristics, personal effects, personal correspondence, personal influence or personal tragedy as referring to corporations or other artificial entities. In fact, we often use the word ‘personal’ to mean precisely the opposite of business-related…” [Source

US – Bureau to Enforce Self-Regulatory Program

The Council of Better Business Bureaus plans to announce it will start enforcing its program to make online tracking more transparent and give consumers an easy way to opt out. In an effort to avoid government regulation, the council released self-regulatory principles in 2009 that require companies to “clearly explain how they track and use information about consumers’ Web activities,” the report states, including an icon that users can click on for information and to modify ad preferences. The council will employ 300,000 volunteers who will use software allowing them to view companies tracking their Web movements to be sure companies are complying. [Wall Street Journal

US – CDT Receives 2011 IAPP Privacy Leadership Award

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors treasurer Brendon Lynch, CIPP, said the CDT “is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties.” CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT board chairman Deidre Mulligan. [Source

US – FTC Settles With Online Ad Agency for Privacy Violation

The Federal Trade Commission said that it settled with online advertising provider Chitika for allegedly tracking online activities of users who had opted out of the company’s service. The consumer protection agency had been investigating Chitika for deceptive practices, it said. Between May 2008 and February 2010, the company allegedly placed cookies on the Web browsers of consumers who had explicitly asked to bar the tracking service from collecting information to be used for behavioral advertising. Chitika had stopped tracking those users for just 10 days and then resumed placing cookies on their browsers to target ads, the FTC said. The cookies are used to collect information about users, such as the searches they perform, items purchases and sites visited. In a settlement agreed to unanimously by the FTC, Chitika agreed to stop making misleading statements about the extend of its data collection and to extend to five years the period it is barred from tracking users to opt out of its service. Highlights from the settlement:

-          Every targeted ad by Chitika must include a hyperlink that takes consumers to a clear opt-out mechanism.

-          Chitika must destroy all identifiable user information collected about users who had opted out of the service.

-          Chitika must alert consumers who previously tried to opt out that their attempt was not effective and advise those users to opt out again to avoid targeted ads.

“The FTC investigated Chitika as part of its ongoing efforts to protect consumers’ privacy online,” the agency said in a release. “The FTC charged Chitika’s claims about its opt-out mechanism were deceptive and violated federal law.” [Source

US – Twitter Settles With Feds Over ‘09 Obama Hack

Twitter has settled a federal complaint over a pair of 2009 breaches in which hackers were able with relative ease to gain access to user accounts, including one used by President Barack Obama. The FTC had accused Twitter of promising privacy and security to users while, it alleged, protections were so lax hackers were able to take over accounts with little effort. The final consent order does not impose fines for what amounts to a truth in advertising violation. But it does require that Twitter tighten its security system, perform security audits every two years for the next decade and not make deceptive security claims. Twitter agreed to the punishments, but admitted no violation of law. Among the sloppy practices outlined in the FTC order:

  • From July 2006 to July 2009, nearly all Twitter employees had total access to the Twitter system, including the ability to reset passwords, read users’ direct messages and nonpublic tweets and send tweets in any user’s name.
  • Twitter employees used the public Twitter login page to get into these admin accounts and there were no controls on how strong such passwords had to be or how long they lasted. Twitter did not lock down accounts after multiple wrong password guesses.

On Jan. 4, 2009, a hacker took advantage of these flaws using an automated password guessing tool (a so-called dictionary attack) to figure out an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. Once in, the hacker reset passwords, passed them along to other hackers and sent out Tweets from the president’s account — one promised Obama’s followers $500 in free gasoline for filling out a survey — as well as from Fox News. [Source] [Source] [Source] [Source] [Source] See also: [Judge Denies Request to Throw Out Order Seeking Twitter Account Information

US – E-Commerce Site Makes Changes After Users Complain

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers’ purchase histories within user feedback posts. Etsy recently activated a “people search” tool allowing users to search for other users’ names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be “completely opt-in,” executives said. [Source] See also: [The Changing Meaning of “Personal Data” by William Baker and Anthony Matyjaszewski ]

Privacy Enhancing Technologies (PETs) 

WW – Microsoft Do-Not-Track Tool to Debut

Microsoft’s newest version of Internet Explorer is set to release with a do-not-track tool to help Internet users “keep their online habits from being monitored.” However, concerns persist as to whether self-regulatory approaches will work. Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission’s recommendation for such tools, highlighting “the pressure the industry faces to provide people with a way to control how they are tracked and targeted online” with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems “will only work if tracking companies agree to respect visitors’ requests,” and to date, none have publicly agreed. [The Wall Street Journal

US – U.S. Funding Tech Firms That Help Mideast Dissidents Evade Government Censors

The Obama administration may not be lending arms to dissidents in the Middle East, but it is offering aid in another critical way: helping them surf the Web anonymously as they seek to overthrow their governments. Federal agencies – such as the State Department, the Defense Department and the Broadcasting Board of Governors – have been funding a handful of technology firms that allow people to get online without being tracked or to visit news or social media sites that governments have blocked. Many of these little-known organizations – such as the Tor Project and UltraReach- are unabashedly supportive of the activists in the Middle East. [Source]


US – Walgreen Accused of Selling Patient Data

Walgreen Co is the target of class-action lawsuit related to how the company profits from customers’ prescription data. The suit claims that Walgreens deprives its customers of the “commercial value of their own prescription information,” by selling it to data mining companies. “We believe this information belongs to the patient who paid for the drug, not the pharmacy,” said a lawyer for the plaintiffs. Last week, a Pennsylvania man filed suit against another drugstore chain for similar activities, but that suit alleges the activity violated the privacy of consumers. [Source

US – Health System Installs Data Protection Technology

New Jersey’s Saint Barnabas Health Care System is rolling out a “major data loss prevention initiative that will enforce new content-control restrictions” on more than 10,000 computers used by the system’s staff. Software installed on each computer will enable policies on what kind of data they collect or what they e-mail, according to a spokesman for the healthcare system, and will be capable of recognizing what is patient information and what is “just a medical document,” he said. [Source] See also: [DLP Comes of Age]


US – Homeland Security Looked Into Covert Body Scans at Public Venues

The Homeland Security Department paid contractors millions of dollars to develop and study surveillance systems that could covertly track pedestrians and check under people’s clothing with airport-style body scanners as they enter train stations, bus depots or major events, newly released documents show. Two contracts the department signed in 2005 and 2006 were part of its effort to acquire technology to find suicide bombers in a crowd of moving people, according to documents given to the Electronic Privacy Information Center (EPIC), a privacy-rights group that is suing Homeland Security. The department dropped the projects in a “very early” phase after testing showed flaws. EPIC lawyer Ginger McCall says the project is disturbing nonetheless because it shows the department “obviously believed that this level of surveillance is acceptable when in fact it is not at all acceptable.” A $1.9 million contract with Rapiscan Systems, which makes airport body scanners, asked the company to develop similar machines for “covert inspection of moving subjects” and to find explosives on suicide bombers “through clothing, backpacks and other packages.” The contract was signed in 2005. Rapiscan’s airport body scanners require subjects to stand still while the machines create an image of passengers underneath their clothing to reveal hidden weapons. EPIC has sued the department to stop their use, saying the machines violate privacy. Rapiscan Vice President Peter Kant says the company gave Homeland Security a prototype machine designed “primarily for non-aviation settings” because it could scan people while they were moving. [Source 

US – Drivers May Lower Insurance Premiums by Getting Monitored

Progressive is one of a growing list of insurers with discounts for monitoring: Although the programs are voluntary, they’ve raised the eyebrows of privacy advocates. One worry is that the insurers eventually will make the monitoring mandatory. And while insurers say they information will only be used for discounts - not punitively - there is little to prevent them from “changing the rules down the line” says Robert Ellis Smith, publisher of Privacy Journal. And, he notes, some states have privacy laws that might ban such programs even if drivers are willing to opt in. Progressive says it is trying to protect privacy while delivering discounts. It notes that its device, for instance, doesn’t have GPS tracking, so it doesn’t know where a participant is driving. It also doesn’t monitor speed. He predicts the program, now available in 32 states, will appeal to drivers who feel they aren’t getting the discounts that their safe driving habits deserve. Insurance companies typically set rates based on accidents or tickets, but also on such factors as age, gender and ZIP code. [Source] See also: [US: ‘Black boxes’ common in US autos, but many drivers don’t know they’re there

WW – Cable, Satellite Test Targeted TV Ads

As cable and satellite providers test systems to target ads to specific households, The Wall Street Journal reports that data gatherers are compiling information on what viewers are watching with such personal data as prescription records to “emulate the sophisticated tracking widely used on people’s personal computers with new technology that reaches the living room.” However, some industry executives are raising privacy concerns, pointing to the push to regulate online tracking. Others say TV targeting is less intrusive, as it involves outside companies providing aggregated data without PII. The founder of one such company says they do not know who is sitting in front of any given TV, noting, “We don’t want to look in the window. It is a little spooky.” [Source]

Telecom / TV 

IN – RIM Hits India’s Email Demands

A top executive of BlackBerry-maker Research in Motion Ltd. said Indian security agencies are making “rather astonishing” demands for increased powers to monitor email and other data traffic, raising serious privacy issues that threaten to harm the country’s reputation with foreign investors. Robert Crow, vice president of industry and government relations for RIM, said India’s Home Ministry, which oversees domestic security, wants the ability to intercept in real time any communication on any Indian network—including BlackBerry’s highly secure corporate-email service—and get it in readable, plain-text format. Such a broad requirement raises the question of whether the government believes any communications are legally off-limits, he said, including email conversations of foreign ambassadors and financial records that get transmitted over secure telecommunications networks to Indian outsourcing companies. [Wall Street. Journal] [Source] See also: [Montreal city hall addresses BlackBerry privacy]

US Government Programs 

US – Proposed DOT Rule Invasion of Privacy, Says AIA

AIA is very concerned that a new rule proposed by the Transportation Department would constitute an unnecessary and undesirable invasion of privacy, hampering the mobility of citizens and companies. “The Block Aircraft Registration Request program functions much like a ‘Do Not Call’ list for private aircraft owners,” said AIA President and CEO Marion C. Blakey. “The rule that the FAA is proposing would strip away that right to privacy.” Currently, private aircraft owners can choose to have access to their private travel itineraries blocked to third parties. Through its Aircraft Situation Display Information and National Airspace System Status Information data, the FAA has all the information it needs to monitor the movement of legally registered aircraft for safety and security reasons. The rule proposed in Docket No. FAA-2011-0183 would make available the personal and business itineraries of law-abiding citizens to anyone requesting them, unless the aircraft owner could demonstrate a “Valid Security Concern.” American companies need to be able to operate and explore new business opportunities free from surveillance or competitive interference. For example, under the proposed rule, business competitors would be able to track the movements of private aircraft owners, making it easier to discern their proprietary business plans. “When Americans get in their cars, they don’t have to worry that strangers are able to follow their every movement,” said Blakey. “Why should citizens who fly their own aircraft be subject to such scrutiny?” [Source]

US Legislation 

US – Proposed Bill Would Put Curbs on Data Gathering

Senators John McCain (R-AZ) and John Kerry (D-MA) are the most recent federal legislators moving forward with plans for online privacy legislation. The Kerry-McCain proposal “would create the nation’s first comprehensive privacy law, covering personal data gathering across all industries,” The Wall Street Journal reports, with an “online privacy bill of rights…that would require companies to seek a person’s permission to share data about him with outsiders” and would pertain to such data as names and addresses to identification numbers and biometrics. “It would also establish a program to certify companies with high privacy standards” that would be allowed special provisions for selling personal data, the report states. [Source] See also: [WSJ Poll: Is Your Personal Info for Sale?] and also [Privacy in the Legislative Branch: A Quick Update

US – RI Legislators Seek to Protect SSNs

The Boston Globe reports on a push by two Rhode Island lawmakers to keep businesses from asking for the last four digits of customers’ Social Security numbers (SSNs). The new legislation follows an existing state prohibition on recording full Social Security numbers on personal checks, the report states. Sen. Dominick J. Ruggerio (D-North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton) have introduced bills seeking to end a practice where businesses may record partial SSNs, noting an entire number can be determined from those few digits. [Source

US – Drug Database Passed in South Carolina

South Carolina has joined nine other states in passing a law to adopt a national database for tracking the sale of pseudoephedrine, which can be used to make methamphetamines. While pharmacies throughout the state have been recording purchases, National Precursor Log Exchange (NPLex) allows states to share information. Privacy advocacy groups are not “watching NPLex,” says the report, but when “personal information is collected into a database, there is always a chance of some secondary use,” said Tena Friery of Privacy Rights Clearinghouse. Meanwhile, an Arkansas Senate panel is backing legislation to create a statewide database for tracking some prescription drug purchases. [Source 

U.S. – Bill Would Make It Illegal to Take a Picture of a Farm

The days of photographing picturesque farm landscapes will be a thing of the past if a new U.S. bill passes. The legislation, moved by Florida senator Jim Norman, would make it a felony to take photos or videos of farms without written permission from the owners. The bill does not explain the reasons behind it. It is a move that has Canadian farming groups scratching their heads. “We’re going the opposite way of this legislation,” said Crystal Mackay, executive director of Ontario Farm Animal Council. “We encourage farmers to open their barn doors. We’re here to have a conversation with you.” A similar bill was put forward in Iowa, but that one focuses on making it illegal for people to shoot undercover videos and gain access to farming facilities under false pretenses. The Iowa legislation is in response to animal activist groups, which have released videos taken from inside farming facilities, said Iowa Senator Sandy Greiner. [Source]

Workplace Privacy 

US – Employee Fired for F-Bomb Tweet on Chrysler Account

An employee of Chrysler Group LLC’s social media agency has been fired after it was discovered the person dropped the f-bomb in a tweet on the Chrysler brand’s official account. The message has since been removed from the account, but the offending quip has been re-tweeted by some Twitter users. The Auburn Hills-based carmaker posted a response on its official blog apologizing for the actions of the New Media Strategies employee. “Chrysler Group and its brands do not tolerate inappropriate language or behaviour, and apologize to anyone who may have been offended by this communication,” the post read. The blog also confirmed an employee at NMS had been fired for the Motown diss. [Source

CA – Probe Into Request for Leadership Candidates’ Social-Media Passwords Continues

British Columbia’s privacy commissioner says she isn’t backing off her investigation of a request by the B.C. NDP for party leadership candidates to provide social-media passwords even though a high-profile dispute on the issue has been resolved. Elizabeth Denham said that she is pleased that MLA Nicholas Simons has reached a compromise with the party, which is poring over candidate sites to look for embarrassing information. However, she said she worries about similar requests, which may be at odds with provincial privacy legislation. “This is a teachable moment for other organizations.” [Source] [Leadership candidate rebuffs B.C. NDP request for social media passwords]



15-28 February 2011


CA – OPC Issues Report on Biometrics and the Challenges to Privacy

Canadians are witnessing a growing interest among government and private-sector organizations in adopting systems that use biometric characteristics to automatically identify people or verify their identity. But whether a fingertip, a face or an iris is being scanned, what’s being collected is personal information about an identifiable individual. The Office of the Privacy Commissioner of Canada has prepared a primer on biometrics (“Data at Your Fingertips”) and the systems that use them. It also describes some of the privacy implications raised by this emerging field, as well as measures to mitigate the risks. [Source]


CA – Alberta Proposes Missing Persons Act

New legislation proposed by the Alberta government will make it easier for police when searching for missing persons. Bill 8: the Missing Persons Act will allow a police agency to obtain the personal information they need to help find missing persons in cases where the police have no reason to suspect that a crime has been committed. The proposed legislation is intended to balance fundamental privacy rights with access to important information such as cell phone and financial records. [Source

CA – Funding Available for Privacy Research and Education in Canada

The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011. The Office is interested in receiving research proposals focusing on four priority areas: 1) identity integrity and protection, 2) information technology, 3) genetic privacy, and 4) public safety. However, the Office will continue to accept research proposals on issues that fall outside these areas. As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information. All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. ot-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations. [Source

CA – Supreme Court Deabtes National Security Versus Privacy

Canada’s highest court will have a tough decision later this week when it has to choose between the public’s right to now versus national security issues when it comes to the domestic activities of both CSIS and the RCMP. In what’s being called a case of history against national security, the Canadian Press is challenging the government’s refusal to fully disclose the 1,142-page dossier on socialist icon Tommy Douglas, widely regarded as the father of Canada’s medicare system. Uncensored information released by Library and Archives Canada shows RCMP security officers shadowed Douglas for 50 years, showing particular interest in his links to the peace movement and Communist party members. The library is refusing to release the entire dossier saying fuller disclosure would jeopardize the country’s ability to detect, prevent or suppress “subversive” activities. [Source]


US – Research: Consumers Want Transparency, Control

Recent research indicates that when it comes to online privacy, what consumers want is security and control. Ball State University’s Center for Media Design found that “the notion of privacy is actually ‘situational’ and depends on the context of the consumer, the nature of their information being tracked and the organizations that are tracking it,” the report states. With a focus on how consumers—rather than advocacy, industry or regulatory groups—react to online tracking, the first round of research found that college students surveyed are concerned about online tracking, but the focus is “not about privatizing their information. It’s about keeping it secure.” [Source] [Research website]


CA – Bureaucrats Sending Sensitive Information on BlackBerrys

Senior federal bureaucrats are sending sensitive government information on their BlackBerrys despite warnings to stop. Deputy ministers at Transport Canada, Veterans Affairs and Public Works have all used a BlackBerry feature called PIN messaging to discuss information that is supposed to be secure, The vulnerability of government communications was exposed this week with the revelation that computer networks at two federal departments were compromised by hackers. Exactly what the hackers were after is unclear but Internet service at the Treasury Board and finance department has been curtailed as a result. [Source] See also: [Foreign hackers attack Canadian government] and [Montreal councillors’ email privacy questioned

US – US Immigration Computer System Vulnerable to Insider Threats

According to a report from the Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US Citizenship and Immigration Services’ (USCIS) processing system is vulnerable to insider threats. The OIG brought in a third-party group from Carnegie Mellon University’s software engineering institute to evaluate insider threats on systems at USCIS. [Source

CA – Family Suing Alberta Government Over Alleged Privacy Breach

Four years of domestic abuse “hell” followed by nearly a decade-long battle to obtain a nationwide name change came crashing down for a Canadian mother and daughter after the Alberta government posted their identities online. “Jane” and her daughter “Janet Doe” obtained Unpublished Secure Name Changes more than five years ago and began rebuilding their lives with new connections, re-location and the security of never having to look over their shoulders. But all the effort and security went up in flames after a Google search revealed both the old and new identities of the Does were published online in the Alberta Gazette – the official newspaper of the Government of Alberta. Now, nearly 19 months later after contacting top Canadian officials, agencies and individual organizations for a settlement, no restitution has been received. [Source]


WW – Google Investigating Problem that Reset 150,000 Gmail Accounts

Google is looking into a problem with Gmail that emptied the inboxes of a small percentage of users over the weekend. Some users have had their information restored; Google engineers are working on the problem. About 150,000 accounts appear to have been reset, meaning that users cannot access their stored emails, attachments and chat logs. [Source] [Source] [Source]

Electronic Records 

AU – APF Concerned About E-Health Implementation

The head of the Australian Privacy Foundation says that patients’ medical data is vulnerable because e-health projects are being planned absent their input. “Because consumer representatives have had so little input, there’s a very strong chance sensitive data will be compromised, and the system won’t suit people’s needs,” says Roger Clarke, who adds that consumer engagement only began in January. A health department spokeswoman said that consultations with consumers and privacy groups have been “constructive,” and “The government is serious about a personally controlled system in which privacy protections will be a key element.” [Source

CA – Feds Order Monster Hard-Drive Grinder for Sensitive Data

The federal government has ordered a monster machine to chew up its discarded hard drives, USB thumb drives, CDs, and even ancient Beta videotapes. Like a tree chipper, the grinder will rip apart a range of data-storage devices into pieces so tiny the sensitive information can never be recovered. The Public Works Department is calling for “destruction equipment that performs disintegration, which is the physical demolition of electronic storage devices to particle sizes too small for data retrieval or reassembly,” says a recent tender document. Until 2005, the RCMP’s technical security branch provided departments with free hard-drive overwrite software, known as DSX. But the Mounties stopped supporting the program six years ago because it often did not work properly on newer drives with larger storage capacities, leaving confidential information in place. Some newer hard drives have software embedded in them that allow their entire contents to be securely erased on the proper command. But data storage in other formats such as memory sticks, and even in some new hard drives, sometimes cannot be reliably overwritten, creating headaches for security-conscious departments. [Source] [UK – The Limits of Anonymisation in NHS Data Systems

WW – Erasing Data on SSDs Proves Difficult

A study published by researchers at the University of California at San Diego says that it is more difficult to erase data from solid state drives (SSDs) than from hard disk drives (HDDs). On some SSDs, overwriting the data several times can make it inaccessible, but some techniques proved more successful than others. Techniques for sanitizing hard drives may not work well on SSDs because their internal architecture is so different. Cryptographic erasure, which involves encrypting the device so that users must provide a password to use it, and when the device is ready to be retired, deleting the cryptographic keys on the SSD, appears to be quite effective. [Source]

EU Developments 

EU – Europe’s Top Court to Hear Google Case

The European Court of Justice (ECJ) will consider the Spanish Data Protection Authority’s demands for Google to remove from search results the links to Web sites that contain certain information about citizens. The ECJ will “offer guidance on whether Spain’s demands comply with European law.” A Google official said the company is pleased that Europe’s top court will review the issue. “It shows that key issues are at stake,” said Google’s head of European external relations. “We believe that European law rightly holds the publisher of material responsible for its content.” [Source

EU – Regulators Seek Stronger IP Address Protection

German data regulators are considering making it illegal for Web companies to provide their visitors’ IP addresses to third parties without their users’ permission. The Lower Saxony DPA has already moved in that direction, with Data Protection Commissioner Joachim Wahlbrink recommending that users’ permission be in place before IP addresses can be passed on to advertisers. Germany’s revised law only allows the use of personal information for marketing “if the individual has expressly consented to such use.” The Lower Saxony DPA’s order to one online marketer to remove an ad tool feature may result in a lawsuit from the company, the report states. [The Register

EU – AFDCP Report Finds Lack of Compliance

The French Association of Data Protection Officers (AFCDP) has determined that 82% of organizations do not abide by the French Data Protection Act. The AFCDP’s annual report for 2011, published last month, found that just 18 percent of responding organizations addressed information access requests in a “legally satisfactory manner,” Monique Altheim writes, adding, “This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless unless these laws actually get enforced,” questioning that “if legislation does not even guarantee significant compliance, what kind of compliance will ‘self-regulation’ achieve?” The AFCDP’s Bruno Rasle told the Daily Dashboard that most individuals are not familiar with the right of access, “So it is not, until now, very often used,” and “organizations are not ‘trained’ to handle it when it occurs.” Rasle explained that the French press only began writing on this right last year, “but things change. Our results show the presence of a CIL (French version of DPO) provides better quality response. For AFCDP, it is a strong sign: Someone is needed to handle the subject/do the job, and the DPO is the right man. And since we’ve started this index, we see a lot of improvements–thanks also to the CNIL’s onsite audits and penalties. We are confident we are going to see major improvements in the near future.” [Source

EU – CNIL Announces Data Processing Exemption

The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which should make reporting requirements less odious for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protection Law requires companies to file with CNIL and, in some cases, obtain authorization in advance. Under the new declaration, payroll processing, workforce management and the management of databases of clients and prospects for personal data collected outside of France will be exempt from the requirement for data that is returned to the data controller, or other specified recipient, “for the benefit of the data subject,” the report states. [Source]


WW – Libya Cuts Internet, Bahrain Restricts Traffic

There are reports that Internet access in Libya has been shut down. In that country, the “Internet is essentially owned and controlled by the government through a telecommunication company,” which is chaired by the eldest son of Moammar Gadhafi. The government of Bahrain has reportedly restricted Internet traffic and blocked access to YouTube in an effort to impede protesters’ momentum. The government claims the Internet traffic is lower because connections are overwhelmed. Last week, US Secretary of State Hillary Clinton announced her department’s policy on Internet freedom. [Source] [Source] [Source] [Source] [Source

AU – Supreme Court: Data Could Prevent Fair Trial

The Australian Supreme Court has ordered newspapers to delete certain articles from their Web sites, saying that they could impact the fairness of an upcoming trial. The jurors on the trial will also be ordered to refrain from reading about or discussing the case, but “The confidence in the integrity of the jurors does not mean the court should not protect them from incidents that put their integrity to the test,” said Justice Derek Price. One publishing executive described the decision as “the modern equivalent of burning books,” and a civil liberties advocate said the order appears to “discriminate against the Internet because courts never ordered the removal of a microfiche from every library in the state.” [The Age]


EU – Refuses to Reveal Bank Data Transfers to US

The European Commission and Europol have once again refused to reveal any information about how the Terrorist Finance Tracking Agreement between the E.U. and the U.S. is working six months after it came into force. The so-called ‘SWIFT’ accord, which allows the bulk transfer of European citizens’ financial data to the U.S. authorities, came into force on Aug. 1 last year. In December, German representatives revealed that questions from the German data protection commissioner about how many requests the U.S. has made for data and how many, if any, have been approved, were not answered. Europol said that questions could only be answered by the Commission. But the Commission said that ‘neither the Commission nor Europol nor the member states have the power to bindingly interpret the agreement.” Europol further indicated that such sensitive information is in any case top secret. The German delegation to the Council of Europe said that repeatedly sidestepping the questions is not helpful and will lead to growing public mistrust. [Source] [MEP: Swift ‘secrecy’ may hamper new data deals with US

US – FINRA Imposes $600K Fine on Lincoln National Units

The Financial Industry Regulatory Authority (FINRA) has reached an agreement with Lincoln Financial Securities Inc. (LFS) and Lincoln Financial Advisors Corp. (LFA) over inadequate data security. FINRA fined the broker-dealer and financial advisory firms a combined $600,000 for allowing employees to “use shared usernames and passwords to access customer records from any Web browser on any network” and other inadequacies, the report states. FINRA fined LFS $450,000 and LFA $150,000. [Source

WW – PCI Council Launches Training Program

The PCI Council begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). The courses “cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant.” Offerings include in-person sessions as well as online training, and there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. [Source]


CA – Privacy Rules Halted Investigation of Rogue Scientists

The federal government has been pushing Canada’s largest research council to release the names of scientists who fudge research results, plagiarize reports or misspend grant money, according to federal documents obtained by Canwest News Service. But the Natural Sciences and Engineering Research Council has yet to change its rules, despite pointed recommendations from its political masters. The council, which distributes $1 billion in federal funding every year to thousands of researchers across the country, says federal privacy laws prevent it from identifying scientists involved in misconduct, or their universities. [Source]


US – DHS to Test Portable “Real Time” DNA Analyzer

The Homeland Security Department this summer plans to begin testing a DNA analyzer that’s small enough to be easily portable and fast enough to return results in less than an hour. The analyzer, about the size of a laser printer, initially will be used to determine kinship among refugees and asylum seekers. It also could help establish whether foreigners giving children up for adoption are their parents or other relatives, and help combat child smuggling and human trafficking. Only DNA can positively determine family relationships. Eventually, the analyzer also could be used to positively identify criminals, illegal immigrants, missing persons and mass casualty victims. [Source]

Health / Medical 

US – OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs

Financial penalties for single privacy and security violations will be increased to $50,000 per violation with a maximum fine of $1.5 million under final HITECH privacy, security and breach notification rules. Adam Green, senior health IT and privacy advisor at the HHS Office for Civil Rights (OCR) says changes to the current rules will be made under the OCR’s authority, will arrive in 2011 and “need to be revised to reflect the more widespread use of electronic data and electronic health records.” Besides steeper fines, key changes the OCR aims to implement include direct liability for business associates and subcontractors and restrictions on the use of patient data for marketing and fundraising, the report states. [Source

US – HHS Stepping Up HIPAA Privacy Rules Enforcement

The US Department of Health and Human Services (HHS) appears to be getting serious about enforcing Health Insurance Portability and Accountability Act (HIPAA) privacy rules. HHS has imposed enforcement actions against two organizations for HIPAA privacy violations. Cignet Health was charged a civil monetary penalty of US $4.3 million for failing to provide patients access to their own medical records and failing to cooperate with an HHS investigation into the matter. When Cignet finally sent boxes of records to the US Justice Department, they included records for the 41 individuals who had requested their records as well as records of 4,500 other people. Massachusetts General Hospital will pay HHS US $1 million for the exposure of personal information of 192 patients when documents were left on a subway in March 2009. HHS appears to be getting serious about enforcing HIPAA privacy rules. Both incidents are the result of business process failures rather than technology failures. [Source] [Source

US – Advances in Health Care IT Increase Data Breach Risks, Says Deloitte

Health care organizations using advanced technologies are at increasing risk for patient data breaches, warns a new Deloitte report. The report, “Privacy and Security in Health Care: A Fresh Look“, says that as the health care industry increasingly adopts electronic health records, clinical data warehousing, home monitoring, and telemedicine, the risks of patient data breaches are also increasing. This could lead to more medical fraud and identify theft. Some of the reasons identified in the report for inadequate data protections by health care providers include lack of internal resources, poor internal controls over patient records, lack of upper management support for data security, outdated policies and procedures, and inadequate personnel training. The report recommends that the health care industry adopt a three-prong approach to improve data security: develop and implement appropriate data security controls to mitigate or avoid risk; adopt and implement policies, procedures, and training to mitigate or avoid risk; and verify organizational compliance with policies and standards. [Source] [Press Release

UK – Patients’ Privacy Threatened In NHS Shake-Up, Say Doctors

The overhaul of the NHS will spell the end of doctor-patient confidentiality, the British Medical Association has warned. The association says new legislation will give the Government, quangos and local authorities the power to access sensitive medical details without the patient’s permission. It fears that the change will lead to patients withholding information from doctors. The doctor’s union raised its concerns in a letter to Simon Burns, the health minister. It is calling for the legislation to be redrafted so that proper safeguards are in place. [Source

CA – Study Raises Concerns About Security Measures for Clinical Trial Data

Privacy and security safeguards designed to protect patients’ sensitive files during clinical trials are inadequate, according to a study published in the Journal of Medical Internet Research. Khaled El-Emam – Canada research chair in electronic health information at the Children’s Hospital of Eastern Ontario Research Institute – led the study. Key Findings

  • Researchers successfully decoded passwords for 14 of 15 files transmitted by e-mail. Thirteen of the 14 compromised files contained sensitive health data and other identifying information, such as dates of birth and names of the clinical trial site.
  • Unencrypted patient data was shared through e-mail and posted on shared drives with common passwords.
  • Some password choices were as simple as number sequences like “123” or the names of car manufacturers.
  • Having inadequate security can harm patients participating in clinical trials, potentially leading to medical and non-medical identity theft. [Source]


Horror Stories

US – Massachusetts General Takes $1 Million Hit for Losing 193 Patient Records

Following closely on the heels of its first Health Insurance Portability and Accountability Act (HIPAA) privacy rule fine, the Department of Health and Human Services (HHS) has doled out a $1 million fine against Massachusetts General Hospital for a data breach involving 192 patients begin treated for infectious diseases. HHS levied the fine on Mass General for a data breach involving the loss of documents containing names and medical record numbers of 192 patients at the hospital’s Infectious Disease Associates practice, as well as billing forms that included names, dates of birth, medical record numbers, health insurers and policy numbers, diagnosis, and names of provider for 66 of those patients. The practice treats patients with HIV/AIDS, as well as other infectious diseases. According to HHS, the documents, which were not recovered, were left by a Mass General employee on the subway on March 9, 2009. In addition, Mass General agreed to take actions to prevent future data breaches, including implementing a set of policies and procedures regarding information that is removed from the hospital’s premises, training personnel on these policies and procedures, and designating the hospital’s director of internal audit services to serve as an internal monitor to assess the hospital’s HIPAA compliance and produce semi-annual compliance reports to HHS for three years. [Source] See also: [Patient privacy breached at St. Thomas Elgin General Hospital] and [HK – Lost Flash Drive Contains Patient Records]

Identity Issues 

IN – ‘Aadhar’ Does Not Breach Privacy: Nilekani

Allaying privacy fears surrounding ‘Aadhar’, the Unique Identification Authority of India Chairman Nandan Nilekani said the project would in no way put at risk citizens’ security and rights. “The data collected of the individual by means of biometric system will only be for the sake of their identification and access to other facilities like availing bank loans, being part of the PDS system and others. There is no way other agencies or non-concerned parties having access to the Aadhar data base,” Nilekani said. He asserted that the 12-digit Aadhar number will not have much personalised information about the resident for anyone to misuse. He said, nevertheless, the government was looking to put into place a data security law to iron out any privacy issues. UIDAI has issued close to 2 million Aadhaar numbers and targets to touch the 600 million mark by 2014. [Source] See also: [Technology diluting privacy: Indian Supreme Court] and [IN: 45% active users want to pay for goods, services through mobile

IN – Indian Gov’t to Tighten Cyber-cafe Rules: ID & Monitoring

New rules proposed by the Indian government would require users at cyber-cafes to establish their identities, while placing the onus on cyber-cafe operators to take precautions to ensure that their computers are not utilized for any illegal activity. The proposed rules, which would come into effect under the country’s Information Technology Act, reflect concerns that the Internet is being used for illegal activities such as planning terrorist attacks and viewing pornography in public, which is illegal in India. The government has viewed public Internet services offered by cyber-cafes with suspicion for some time, and more recently it has scrutinized other online communications, including through mobile phones. Under the proposed rules for cyber-cafes, operators cannot allow a user to use computer resources without the person’s identity first being established. Users will be asked to establish their identities by producing documents such as their passport, voter identity card, photo credit card, driver’s license, or identity cards issued by schools and colleges. Users who cannot establish identity to the satisfaction of the cyber-cafe operator might be photographed by the cyber-cafe using a Web camera. The photographs are to be part of the log register, which may be maintained in physical or electronic form. The Ministry of Communications and Information Technology has invited public comments on the new rules. The rules would require cyber-cafe owners to store and maintain certain backups of logs and computer resource records for at least six months for each access or login by any user. These include the history of websites accessed, mail server logs as well as logs of any proxy servers, network devices, firewalls or intrusion prevention and detection systems that are installed. Partitions of cubicles in the cyber cafe would not be allowed to be higher than four and a half feet from the floor level, and minors would be denied access to computers from these cubicles unless they are accompanied by parents or guardians. The draft rules, if they come into effect, would also require that all the computers in a cyber-cafe be equipped with safety and filtering software to avoid access to websites relating to pornography, obscenity, terrorism and other material deemed objectionable. Cyber-cafes would also have to display a board, clearly visible to users, prohibiting them from viewing pornographic sites, according to the proposed rules. [Source]

Intellectual Property 

US – Lawsuits Challenge U.S. Online Data Brokers

Two lawsuits in federal court in California that challenge the way a popular online data-mining company does business could give consumers more privacy protection from firms that sell personal information on the Web. In the most recent complaint, filed last week in the Central District of California, plaintiff Thomas Robins alleged that Spokeo Inc. violated the Fair Credit Reporting Act by offering false data about individuals without giving them the chance to correct or remove inaccurate reports. The suit alleged that Robins’ Spokeo profile was rife with misinformation, stating that he was in his 50s, married with children and employed in a professional field. Robins is actually in his 20s, single and has no children. He argued that such false representations have hurt his employment prospects, causing him anxiety and lost earnings. In a similar suit filed in September in the Northern District of California, plaintiff Jennifer Purcell alleged that Spokeo marketed her personal information in violation of the FCRA, which restricts who can access personal information. Both Robins and Purcell are seeking class-action status for their cases. The lawsuits reflect efforts by privacy advocates to gain some measure of control over the data aggregators like Spokeo, which have proliferated. The Privacy Rights Clearinghouse lists over 130 online data vendors on its website, including Intelius, Jigsaw and Peek You. Robins and Purcell face the challenge of proving actual harm – a heavy burden in privacy cases where the damage is seldom tangible. [Source]

Internet / WWW 

UK – High Court: Newspaper’s Anonymous Posters Can Stay Anonymous

The Daily Mail does not have to identify the people behind two anonymously posted comments on its website because to do so would breach their rights to privacy, the High Court said. The subject of a news story had demanded information from the Daily Mail that would help her to identify the two commenters so that she could sue them for defamation, but the Court said that identification of those people would be disproportionate. But Justice Sharp said that the posters’ rights to privacy were more important than the woman’s right to take legal action about comments that were little more than “pub talk”. Jane Clift sued Slough Council after it put her on its list of potentially violent people following her complaint to the Council about the antisocial behaviour of a man in a park. The Council said that Clift’s conduct in complaining had been threatening and it put her name on the list, where it could be seen by Council departments and Government agencies, for 18 months. Clift won her case and was paid libel damages. The Daily Mail’s website carried a report on the story and a year after its publication Clift saw it. She objected to remarks made by two readers in the comments section of the web page. She asked the High Court to order the Daily Mail to give her information which could help identify the people so that she could sue them for defamation. Justice Sharp said that Clift’s case was not strong enough to merit the identification, and that she should not have taken the comments as seriously as she did. [OUT-LAW News

US – Cyber Security Bill Expressly Prohibits Internet Kill Switch

Legislation introduced in the US Senate late last week clarifies the intent of the bill’s sponsors. The Cybersecurity and Internet Freedom Act specifically denies the President the “authority to shut down the Internet.” The new language comes in response to reports that the bill’s sponsors had written a provision for an Internet kill switch into the legislation. The new bill would require critical infrastructure operators and owners to address vulnerabilities on their networks. [Source] [Source] [‘Kill Switch’ Internet Bill Alarms Privacy Experts

US – Legislator Calls for Secure Default Web Pages

Senator Charles Schumer (D-NY) is calling on online companies to switch their default pages from HTTP to HTTPS to help protect users who connect to the Internet through public Wi-Fi hot spots. The advent of programs like Firesheep makes it easy for people with little or no technical skill to steal sensitive information, including login credentials and financial account information. [Source]

Law Enforcement 

CA – Alberta Government Will Make Public Police Database Report

Alberta Solicitor General Frank Oberle says the government will make public an internal government report that shows how a new police database will affect people’s privacy. The government initially said it would not release the assessment of The Alberta Law Officers’ Network, known by its acronym, Talon. A spokeswoman had said that “once the privacy commissioner has reviewed it, then we will be guided by his comments.” Oberle did not say when the review will be released. His department has previously said it would be complete by early March. [Source

US – Lawful Access Proposals: Privacy vs. Policing

The Washington Senate Judiciary Committee heard testimony on a bill that would prohibit local law enforcement agencies from collecting and storing information about an individual’s political, religious or other First Amendment-protected views unless “there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Law enforcement turned out in force in opposition to the bill. Don Pierce, executive director of the Washington Association of Sheriffs and Police Chiefs, said the bill would prevent police from collecting information and storing it as they conduct criminal investigations. “We call these tidbits of information ‘clues,’” he said. “If you pass that bill, you will effectively prevent us from collecting that information.” Police also raised concerns about the potential cost of the bill, which calls for audits of law enforcement agencies to ensure compliance. Sen. Adam Kline, D-Seattle, the chairman of the Senate Judiciary Committee and the prime sponsor of the bill, suggested that the bill would create some accountability for agencies that investigate and collect information about protected speech. Michael German, the ACLU’s policy counsel in Washington, D.C., and a former FBI agent, said unjustified law enforcement investigations of political activity protected by the First Amendment have a chilling effect on such speech and are “damaging to democracy.” [Source] See also: [US: GBI arrests Georgia Cop for Running Tag info]


IN – Indian Government Publishes Draft Rules

The Ministry of Communications and Information Technology has proposed three draft rules that would implement the Information Technology Act, 2000. The rules include Reasonable Security Practices and Procedures and Sensitive Personal Information, which covers information processed in India no matter its origin; Due Diligence Observed by Intermediaries Guidelines, which requires intermediaries to notify computer resources users of unethical and unsafe online activities and police these actions, and Guidelines for Cyber Cafés. The rules are open for comment through today, and according to the report, the U.S. Department of Commerce is considering submitting comments on behalf of the U.S. government. [Hunton & Williams Privacy and Information Security Law Blog]

Online Privacy 

EU – ENISA Warns About Privacy Threat from Next-Generation Cookies

The European Network and Information Security Agency (ENISA) is warning that new types of cookies with “privacy-invasive” features for marketing, tracking, and profiling pose increased privacy risks for computer users. In its policy paper Bittersweet cookies: Some security and privacy considerations, ENISA said that new types of cookies being developed by the advertising industry support user-identification in a persistent manner and do not have enough transparency about how they are being used. To mitigate the privacy and security implications of these next-generation cookies, ENISA recommends that users’ informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for users. In addition, users should be able to manage cookies, in particular new cookie types. All cookies should have user-friendly removal mechanisms which are easy to understand and use by any user. Also, storage of cookies outside browser control should be limited or prohibited, and users should be provided with another service channel if they do not accept cookies, ENISA recommends. [Source

WW – SANS Technology Institute Paper: Assessing Privacy Risks from Flash Cookies

This paper was developed by students Stacy Jordan and Kevin Fuller as part of the SANS Technology Institute Masters Program. It includes an analysis of flash cookies; a description of the risks of using flash cookies; and technical approaches for detecting, removing, managing and analyzing flash cookies. [Source] [Paper

US – Ad Industry Slams Do-Not-Track Proposal

The public comment period on the FTC’s “Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers” report has ended, and the reactions are varied. Industry groups, for example, are among those opposing calls for a do-not-track mechanism to improve consumer privacy online. InformationWeek reports on the assertion by industry groups that the FTC’s proposal would “wreck the ability of Web sites to provide personalized content.” The Interactive Advertising Bureau, which suggests “a do-not-track program would require reengineering the Internet’s architecture,” is instead recommending self-regulation for online advertising. [Source

US – IAB Members Must Publicly Affirm Privacy Principles

In the midst of looming online tracking legislation, the Interactive Advertising Bureau (IAB) has voted to require all its members to sign a new code of conduct that includes compliance with the industry’s self-regulatory principles. The IAB is giving members up to six months to follow the principles, which state that companies must provide clear notice of cookie-based behavioral advertising in at least two places and must obtain user consent—though it may be on an opt-out basis–in order to track. Companies that fail to comply face a six-month suspension and possible FTC sanctions, the report states. [Source

US – Facebook Responds to FTC’s Privacy Plans

In its 29-page response to the FTC’s proposal for protecting privacy online, Facebook offered one of the most comprehensive looks to date at its stance on privacy and how the company believes the issue will – and should – evolve. While acknowledging that government regulation ought to play a role in safeguarding user information on the Internet, Facebook argued in the response that web companies should be principally self-regulated so as not to stifle innovation. The company said it agreed with the FTC that greater transparency and the option of “context-sensitive privacy protections,” or what the FTC had called “privacy by design,” were important, but stressed the importance of taking into account individuals’ evolving perceptions of privacy. [Source] [Facebook’s comments to the FTC]

WW – Facebook to Redeploy Sharing Feature

As Facebook plans to reactivate a feature that would allow third-party applications to request contact information from users, Rep. Ed Markey (D-MA) says he is not satisfied with the company’s response to his inquiry about such features. After Markey and Rep. Joe Barton (R-TX) last month wrote to the company about privacy concerns, Facebook suspended the feature temporarily. It now says it will redeploy the feature alongside enhanced “user controls.” Responding to Markey’s concerns about third-party access to minors’ contact information, a Facebook spokesman said children under 13 are prohibited from using the site and that it is “actively considering” whether third parties may request information from anyone under 18. [Source] [Facebook letter

US – Google in Privacy Trouble Again for Collecting Kids’ Digits

Google has nabbed the “privacy outrage spotlight” this week over its collection of the last four digits of children’s social security numbers in an art contest — Doodle 4 Google. Documentary director Bob Bowdon brought the practice to light in a Huffington Post editorial, pointing out that Google’s entry forms for the contest requested children’s date and city of birth, as well as the last four digits of their SSNs. He hyped the story by pointing out that “a national, commercial database of names and addresses of American children” could “be worth many millions to marketing firms and retailers.” Children’s protection groups started rumbling; “twenty-six hours later Google released an updated Parental Consent form without requiring the last four digits of the child’s SSN, although the form still inexplicably asks for the child’s city of birth,” wrote Bowdon. Broadcasting & Cable reports that Google was using the SSNs to sort entries and prevent duplicate entries. The children’s city of birth was needed to ensure that the contest was limited to U.S. citizens. Privacy advocate Anne Collier, executive director of, tells the Associated Press: “It was a stupid mistake, but they corrected it so let’s move on.” But yesterday, Congressmen Joe Barton and Ed Markey, heads of the House Privacy Caucus, released a joint statement saying they plan to hold a hearing over children’s privacy because of the Google flap: We are deeply disturbed by recent media reports that Google may have engaged in sketchy practices with its Doodle 4 Google contest by collecting the social security numbers of children who participated in the contest. This is unacceptable. [Source

WW – Google Mapping Feature Expands, Authorities Concerned

As Google moves forward with plans for its Street View mapping feature in Israel and Switzerland, authorities are voicing concerns. The company will soon photograph 218 miles of the Swiss Alps for the feature, despite a pending court challenge. A hearing is scheduled for February 24 after Switzerland’s data protection officer argued in 2009 that Street View’s privacy safeguards were insufficient. Google has agreed not to post new photos in Switzerland until a ruling has been made and said it has made improvements. The company has also met with Swiss data protection officials. Meanwhile, as Google plans to launch Street View in Israel, officials are concerned about potential uses of the images. [Source

AU – Nations Look to Retain Data for One Year

Talks between the U.S. and Australia could result in Internet search providers (ISPs) retaining data on users for one year. The talks, slated for July, aim to align data retention periods between the two countries and Europe. Though some European nations suggest retaining data for five years–an idea being considered by the European Convention on Cybercrime–both the U.S. and Australia believe that’s too long, according to Australia Attorney General Robert McClelland. McClelland added that governments have a “strong obligation” to balance the scope of data retention and law enforcement needs for data to solve crimes. [Source]

Other Jurisdictions 

NZ – Emergency Code Issued After Earthquake

In the aftermath of the Christchurch earthquake, Privacy Commissioner Marie Shroff has issued an Information Sharing Code to allow emergency services to “share personal information as necessary to assist victims of the earthquake and their families.” The code will remain in effect for the next three months and will then be reviewed. “Although the Privacy Act already allows collection and disclosure of information in emergencies and for public safety, greater certainty will help everyone,” Shroff said. The code is aimed at helping identify injured individuals, assisting with medical and financial needs, notifying families and making it possible for visitors to get home. [Source]

Privacy (US) 

US – Supreme Court: Businesses Do Not Have Personal Privacy Rights

Corporations do not have personal privacy rights when it comes to the disclosure of federal records. That’s according to a U.S. Supreme Court ruling. The case was brought forward after an Appeals Court ruling that found an exception in the federal Freedom of Information Act where the U.S. Congress defined a “person” to include “an individual, partnership, corporation, association or public or private organization.” In today’s ruling, the justices unanimously overturned the prior court’s finding that “corporations can assert personal privacy in claiming the records should be exempt from disclosure,” the report states. [Reuters

US – California’s High Court Rules That Stores Can’t Request ZIP Codes

Retailers do not have the right to ask consumers for their ZIP code while completing credit card transactions, according to a ruling by the California Supreme Court. California’s high court of seven judges unanimously stated that the practice of requesting customers’ ZIP codes infringe on their privacy rights. The ruling, which overrules previous decisions by trial and appeals courts in the Golden State, pointed to a 1971 State law that prohibits businesses from asking credit card users from information that could be used to track them down. Requesting ZIP codes “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly,” the ruling stated. [Source

US – FERC Report Cites Smart Grid Privacy Concerns

The Federal Energy Regulatory Commission (FERC) this month released its biannual report, which includes questions about smart meters and privacy. The report outlines concerns about consumer data privacy as companies continue to deploy new technologies, and customers, unsure of the purposes and uses of such technologies, push back. “The existing business policies and practices of utilities and third-party smart grid providers may not adequately address the privacy risks created by smart meters and smart appliances,” the FERC report states. Jeff St. John writes that this year may be the year that “smart grid privacy finally becomes a must-do, rather than a oft talked-about, subject.” [Source

US – Suit: Sharing Device IDs Violates Privacy

The most recent potential class-action suit against Apple and 11 outside companies is for allegedly violating the privacy of iPhone and iPad users. The suit is the fourth case of its kind and was filed in U.S. District Court in California. It alleges the company violated federal and state laws and contends that users did not authorize Apple to share their devices’ unique identifiers with application developers and other parties. However, the report states, it remains to be seen “whether courts will rule that transmitting a unique device number–as opposed to a name or street address–raises any privacy issues.” [Source

US – Customer Sues Game Retailer for PII Collection

A California resident has filed a class-action lawsuit against a game retailer for allegedly “requesting and recording personal information from its customers without their knowledge or consent.” Melissa Arechiga filed the suit last week on behalf of all customers who made a purchase within the last year at a GameStop location that allegedly collected her name, credit card number and personally identifiable information (PII). The suit claims that the store made no attempt to delete the information from the electronic cash register after the credit card number was recorded, which violates a California law prohibiting corporations from requesting credit card customers to provide and record PII, the report states. [Source]

Privacy Enhancing Technologies (PETs) 

WW – Governing Body Accepts Microsoft Tracking Proposal

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft’s tracking opt-out proposal to protect consumer privacy. Microsoft’s Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer’s corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft’s release of the program “a great move” that demonstrates the company’s recognition “that for this to work, you want both technology and policy to work in tandem.” [PCWorld

WW – Start-Ups Capitalize on Data as Currency

Entrepreneur Shane Green’s company allows people to personally profit from providing companies with their personal data, which he says has become “a new form of currency.” His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads. One London real estate developer now offers to sell people’s personal information on their behalf and give them 70% of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while “privacy” was a hard sell as of two years ago, investors are now quick to jump at opportunities. [Wall Street Journal: Web’s Hot New Commodity: Privacy

US – Despite Tracking Concerns, Investments Continue

The Wall Street Journal reports that in spite of ongoing concerns about tracking and a push for legislation to regulate online advertising, companies that specialize in this kind of tracking continue to secure venture capital investments. “Since 2007, venture firms as a group have invested $4.7 billion in 356 online ad firms,” the report states, increasing at a rate of 29% last year alone. While a Jafco Ventures partner suggests, “Advertisers want to buy individuals. They don’t want to buy (Web) pages,” Chris Fralic of First Round Capital says privacy concerns can influence investment decisions. As he puts it, “What I look for are the consumers raising their hands” against having their privacy compromised. [Source]


EU – Working Party Approves Self-Regulatory Proposal

The Article 29 Working Party has approved an industry proposal for a privacy and data protection impact assessment framework for RFID self-regulation. Although it rejected a series of drafts, including a March 31, 2010, proposal that contained only “scattered references” to risk assessment, industry reworked its proposal and submitted its latest version, the Revised Framework, on January 12. The industry proposal was developed at the request of the European Commission, which issued a recommendation in 2009 on the implementation of privacy and data protection principles in applications supported by RFID. In its February 11 opinion, the Article 29 Working Party endorsed the revised framework. [Source]


WW – Security Shocker: Android Apps Send Private Data in Clear

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users’ privacy, a computer scientist says. In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google’s mobile platform. What he saw surprised him. The official Facebook app, for instance, transmitted everything except for the password in the clear, Wallach blogged on Tuesday. This meant that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook’s recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks. Google Calendar showed a similar carelessness in Wallach’s experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks. Wallach found a few other apps that took a cavalier approach to user privacy. [Source] See also: [Modified Android App Sends Surreptitious Text Messages to Premium Numbers] [NYT: Security to Ward Off Crime on Phones] and [Suspect in iPad data theft remains jailed in NJ

AU – Security to Go Under Privacy Microscope

The Australian federal privacy commissioner Timothy Pilgrim intends to clamp down on businesses that neglect security standards following a string of public data breaches this year. Future investigations will focus on determining if businesses have adopted baseline privacy and security benchmarks before collecting customer data. Businesses will need to have constant “strong risk assessment processes” that ensure only necessary customer data is held within corporate systems, he said. “Businesses need to make sure the privacy protections are strong and are built early into the systems. Information will be vulnerable when the right security controls are not in place, as we found with the Vodafone system.” Privacy probes will examine whether security systems have been “regularly updated” and are designed in accordance with industry benchmarks including ISO 27002:2006. [Source

UK – Keystroke Loggers Found on Library Computers

Keystroke logging devices were found plugged in to computers at libraries in Cheshire, UK. It is not known how long the devices were connected to the computers before they were discovered. Keyboards are now being plugged in to ports at the front of computers. [Source] [Source]


AU – Australian Government Opens Consultation on Cybercrime Treaty

The Australian government is seeking public comments on a proposed cyber crime treaty that would allow the government to order real-time network traffic data collection. Australia is considering signing the Council of Europe Convention on Cybercrime, which was established in 2004. Australia is in line with much of the treaty already, but the treaty’s provisions for collection and storage of traffic data would require legislative amendments. [Source] [Source] [Source] see also: [New Technology Hinders FBI Wiretaps

JP – Japan Company Developing Sensors for Seniors

Japan’s top telecoms company is developing a simple wristwatch-like device to monitor the well-being of the elderly, part of a growing effort to improve care of the old in a nation whose population is aging faster than anywhere else. The device, worn like a watch, has a built-in camera, microphone and accelerometer, which measure the pace and direction of hand movements to discern what wearers are doing – from brushing their teeth to vacuuming or making coffee. In a demonstration at Nippon Telegraph and Telephone Corp.’s research facility, the test subject’s movements were collected as data that popped up as lines on a graph – with each kind of activity showing up as different patterns of lines. Using this technology, what an elderly person is doing during each hour of the day can be shown on a chart. The prototype was connected to a personal computer for the demonstration, but researchers said such data could also be relayed by wireless or stored in a memory card to be looked at later. Plans for commercial use are still undecided. [Source] See also: [Canadian Doctor filmed naked patients with hidden camera

UK – Freedoms Bill good for CCTV, Not for Privacy

A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions. Also not covered in the code is the use of CCTV in the domestic circumstance. The Home Secretary is seeking powers that could extend the bodies that are subject to the code. There is no penalty if the code is breached, although a breach of the code may be raised in any legal proceedings. There are no new individuals rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the code. There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones. There is no provision in the code with respect of retention of CCTV images, but retention provisions can be included in the code at any time. Also missed from all the press coverage is the role of Automated Number Plate Recognition (ANPR) camera systems. ANPR is important because of the police have a policy of “denying criminals the use of the roads” [Source] [UK: People get power to take CCTV abusers to court] see also: [US: ‘Spier’ education: Officials pull plug on website promoting hidden camera gadgets for principals]                                                                                             

NZ – Reality TV Show Breached Privacy

A Northland man whose arrest for possession of a small amount of cannabis was shown on TV2’s Police Ten 7 programme had his privacy breached, in what the Broadcasting Standards Authority (BSA) says is a “landmark decision” regarding filming reality television. It has ordered TVNZ to pay the man $1500 in compensation for breach of privacy and the Crown costs of $1000. [Source

WW – Microsoft Addresses Silent Updates in Blog Posting

Microsoft has admitted that it has been issuing “silent” updates for some time. The fixes are not documented in security bulletins and are usually delivered to address variants of vulnerabilities for which fixes have already been issued. [Source] [Source

WW – Microsoft Changes Stance on Internet Quarantining

Microsoft’s Scott Charney has had a change of heart about where the responsibility for keeping inadequately protected machines off the Internet should lie. Last year at the RSA conference, Charney, who is Corporate VP for Trustworthy Computing, said that ISPs should take the lead, possibly scanning machines and quarantining those deemed unsafe. Speaking again at RSA this year, Charney says he “realize[s] that there are many flaws with that model.” Users may perceive the scans as invasive, and an unpatched machine could keep someone who uses it for communication from reaching emergency services. The biggest stumbling block, said Charney, is the cost imposed on ISPs. The new position would have web service providers impose requirements on users. [Source] [Source] [Source]

Telecom / TV 

AU – Australian Communications Authority Questioning Telecoms About Data Security

Following Vodafone’s exposure of customer data, the Australian Communications and Media Authority (ACMA) is starting to crack down on other telecommunications providers. Ten major players in Australia’s telecommunications market have been contacted by ACMA, which is seeking answers to questions about how each company handles customer information security. [Source

UG – Uganda: Phone Tapping Law Comes Into Force

President Yoweri Museveni has assented to the Regulation of Interception of Communications Act 2007, which authorises the tapping of telephones and other private communication for security purposes. The Act, which has now become law, forbids repeated sending of abusive messages and letters. “A person who repeatedly makes abusive telephone calls or causing another person to make abusive telephone calls to the victim, commits an offence,” reads the Act. This also means telecommunication service providers will be required to register SIM cards of their clients. The President assented to the Act on February 17, 2011. [Source] See also: [Jamaica: Nelson tackled on privacy rights stance]

US Government Programs 

US – Bill Would Require CISOs in Federal Agencies

The E-Government Act, currently in front of congress, would require federal agencies to designate a senior officer as chief information security officer (CISO) and lays out the responsibilities of that position. Sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee, the bill states that the CISO would oversee agency security operations and report annually to the agency head. The CISO would also, with the federal CIO, “establish, maintain and update an enterprise network, system, storage and security architecture” to be accessed by a newly created National Center for Cybersecurity and Communications. [Source]

US Legislation 

US – Full-Body Scan Privacy Law Gets One Step Closer to Reality

Back in December, a law being proposed by Senator Chuck Schumer would make it a crime to distribute or save images taken as part of an airport security scan. That law has come one step closer to becoming a reality after being unanimously accepted as an amendment to the FAA Reauthorization Bill being considered by the Senate. The legislation, known as Security Screening Confidential Data Privacy Act, ensures that anyone — airport staff or member of the public — with access to scanned body images would be prohibited from photographing or disseminating those images. Violators could face up to one year in prison and a fine of up to $100,000 per violation. In addition to airports, the bill would also cover images from scans in courthouses and federal office buildings. It also covers not just the original image files, but any photographs taken by cameras, cell phones or any other video device. By being attached to the non-controversial FAA Reauthorization Bill, which sets travel policy for the entire country and funds the Federal Aviation Administration, insiders tell Consumerist that the privacy legislation is virtually guaranteed to pass. The Senate is expected to vote on the complete bill as early as this week. [Source] [DHS: Body Scanners Do Not Store, Transmit Images]

Workplace Privacy 

US – Disneyland Workers Plan Lawsuit Over Privacy Concerns

Two Disneyland Resort employees will seek to certify a class action lawsuit against the Walt Disney Company to stop Disney from encoding the worker’s Social Security numbers in a barcode printed on their cast member identification cards. Jorge Iniestra and Josh Stern claim this practice violates a California privacy law, and exposes the cast members to the risk of identity theft. The union says the lawsuit could involve 20,000 Disneyland Resort employees, and that Disney employees elsewhere in California may also be covered by the action. Local 11 says that workers at the Walt Disney World Resort in Florida also have the same information on their ID cards, but that those workers are not part of this lawsuit. [Source] See also: [Florida Police Obtain Warrant to Search ‘All Persons’ in Apartment Complex] and also: [Court gives SPCA access to workers’ compensation documents in dog slaughter case

US – Maryland AG: Requiring Employees’ Personal Passwords is Legal

Maryland Attorney General Douglas Gansler says requiring a prospective state employee to turn over his social networking user names and passwords as a condition of employment could be appropriate and legal. A day after Maryland’s Department of Public Safety and Corrections suspended the practice, which it used to root out potential employees’ possible gang affiliations, Gansler says the major problem is there hasn’t been a written policy in place for corrections officials. Gansler, whose office defends the corrections department in court, says it “it would be patently unfair” to say to a current employee, who had passed all background checks, “Now you’re going to have to waive all your privacy rights on the Internet in terms of your social networking.” “It’s a completely different issue to prospectively do it, and say ‘You can be a correctional officer at this facility, but one of the things you should know up front is that you’ll have to give up your passwords to your social networking websites.’” Gansler says his office was not consulted by corrections officials before or after the policy was put in place, or since it was temporarily suspended after complaints from the American Civil Liberties Union of Maryland. [Source] [Want A Job? Password, Please!]

CA – Many Companies Monitor Employees Online Use

Any electronic correspondence sent at the workplace should be considered about as private as a postcard. That’s the message from the head of Quebec’s Privacy Commission, Jean Chartier, who recently advised that a “computer screen is not a wall that you can hide behind.” A case set to unfold this week before Montreal’s city council illustrates the lingering question surrounding how much privacy an employee can expect at work, The Montreal Gazette reports. A city employee claims to have been spied upon by officials who say they investigated the employee based on allegations of misconduct. Employees must work within the employer’s guidelines, Quebec’s privacy commission warns. [Source



01-14 February 2011


AU – No Ad Hoc Biometrics Sharing: Privacy Chief

Australian Privacy Commissioner Timothy Pilgrim has warned pubs and clubs collecting biometric information from their patrons not to “automatically” share that information with other clubs unless they have notified their patrons. This week the news emerged that the collection of personal information such as biometrics and driver licence details by pubs and clubs has soared. Clubs and pubs use the information to reduce the risk of violence by pinpointing offenders and banning them from venues. “The office is aware of the use of this technology by some organisations. Any pubs and clubs using this technology should be aware that under the Privacy Act, organisations must provide individuals with notice of what will happen to the collected information,” Pilgrim said. “It cannot be automatically shared with other venues, even if the purpose for sharing it is the same across all the organisations.” Pilgrim also backs a voluntary privacy code created by the Biometrics Institute. Clubs NSW has agreed to sign onto the charter and will participate in upcoming biometric privacy discussions, but the reception from other states has been cold, according to Biometrics Institute head Isabelle Moeller. Interesting points in that code include that the venues have to provide individuals with access to the personal information stored, and if possible, be given the opportunity to have their information removed from the system. All biometric information should also be encrypted immediately after collection, according to the code, and third-party auditing of the system should be implemented. [Source

EU – Reding Investigating Passport Laws

The Dutch government is treating innocent citizens as potential criminals by storing their fingerprints for passports, according to MEP Sophie in’t Veld, who has incited a European Commission investigation into whether Dutch passport legislation breaches EU data protection rules. The government stores four fingerprints in a central database kept by local councils. European Justice Commissioner Viviane Reding is leading the commission’s investigation. In’t Veld says the Dutch practice is much more privacy-intrusive than other EU-member states’ practices and that the United Nations Human Rights Council is critical of the practice. [Radio Netherlands Worldwide]


CA – Joint Border Plan Gets Green Light

Canada and the United States are poised to take a major step toward common border security controls that could lead to joint government facilities, sophisticated tracking of travellers, better cyber-security protection and improved oversight of overseas cargo shipped to both countries. Prime Minister Stephen Harper and U.S. President Barack Obama are expected to give the green light to a comprehensive shared review of border security aimed at tightening protection from terrorists and easing the flow of cross-border traffic. They are expected to assign a working group of government officials to study the issue and return back with an “action plan” within several months. On Parliament Hill, the Harper government came under attack again from the Liberals and New Democrats for negotiating the border security deal in secret – potentially putting Canadian sovereignty at risk. But business groups are welcoming the development. Several “principles” would buttress the Action plan: a “greater sharing of information” between the two nations; co-operation to develop and implement security initiatives and standards; respect for privacy and civil liberties; and recognition of the “sovereign right of each country to act independently in its own interest.” [Source

CA – Feds say Google Maps, Canpages Taking Right Steps to Protect Privacy

A House of Commons committee says the privacy of Canadians is being protected by online mapping applications like Google Maps. The committee has been examining efforts by companies that build online maps using real pictures of homes and streets, such as Google and Canpages, the report states, and says both companies’ policies about notifying individuals of filming and blurring identifying information are sufficient. Following Privacy Commissioner Jennifer Stoddart’s investigation and subsequent recommendations about Google Street View cars’ accidental collection of WiFi data, MPs now say they are “cautiously optimistic” that Google is taking privacy more seriously since it hired a privacy director and introduced employee training. Stoddart had said today was Google’s deadline for compliance. The committee, however, said it has concerns about companies not considering privacy in the development phase of new technologies. [Winnipeg Free Press] See also: [CA – Report: Lottery Site Privacy Problems Fixed] [Google adds optional two-step Gmail security]


US – Survey: Americans Worry About Online Privacy

Most Americans are worried about privacy and viruses when using social networking media. Seven out of 10 Facebook members surveyed said they are either “somewhat” or “very concerned” about their privacy on the site. In the same survey, 52% of Google users also said they are somewhat or very concerned about privacy while using the search engine. Privacy attorney Chris Wolf of Hogan Lovells says, however, that companies are increasingly paying attention to privacy concerns and that new services revolve around “ways to empower people to protect their information,” the report states. [Source] See also: [Did the Internet Kill Privacy?] 

UK – Wired UK Tries to Creep Out Readers With Invasive Personalized Covers

Some British subscribers to Wired Magazine are in for a surprise this month — a few select readers are receiving personalized versions of the magazine, with their personal details spilled across the cover. The first report of a “dossier issue” came from Benjamin Cohen, a technology reporter. Titled “Your Life Torn Open,” a paragraph on Cohen’s cover begins, “We mean you, Benjamin Cohen,” and then goes on to list his employer (Channel 4 News), that he will be 29 on August 14th, his address — current and former (not shocking that a magazine mailed to you would have that), his parents’ address, and that he had met up with his ex-boyfriend earlier this month. The only piece of information that seemed to really shock him was that last bit (Wired had mined his Twitter account).Condé Nast did not respond to a media request as to how many of these covers were printed. [Source]


US – Seattle Ramping Up Single Sign-On

Seattle launched a new website this week allowing citizens to customize’s home page to display only the services relevant to them. On My.Seattle.Gov, users can add a widget to view crime stats for their neighborhoods, news feeds, events occurring in their communities and Seattle Channel Live videos. The customization functionality is modeled after Google’s customization tool iGoogle. Seattle’s Office of the Mayor used the launch as an occasion to announce’s single sign-on function. Having been in place since 2009, the single sign-on is a work in progress. It aims to authenticate users with one sign-on to access the roughly 50 services on that usually require individual registrations. So far, the single sign-on covers the following services: Residents can use the single sign-on to submit electronic Department of Planning and Development permits and watch their permits progress through the system. Police reports can be seen via the single sign-on, and Seattle Department of Transportation employees can use it to access a project management tool for interacting with vendors. [Source

CA – Tories Accused of Digging Up Dirt on ‘Liberal’ Profs

Two University of Ottawa professors, vocal critics of the federal Conservative government, say they have become targets of a new political intimidation tactic, aimed at using their private, personal information against them. Professors Errol Mendes and Amir Attaran, frequently castigated as Liberal sympathizers by the Conservatives, were notified in recent weeks of two unusually massive freedom-of-information requests at the U of Ottawa, demanding details of the professors’ employment, expenses and teaching records. The person (or persons) behind the requests remains anonymous under Ontario law, but Mendes and Attaran are convinced that it’s part of an academic witch hunt by the governing party – part of a wider campaign to silence university voices that may be critical of the Conservatives. This hyperpartisan chill descended on the federal bureaucracy years ago – now the concern is that it’s stretching into academia as well. “I was stunned,” said Mendes, who said the University of Ottawa does not intend to release much of the information requested, since most of it is personal and private and therefore exempt from the disclosure requirements in the legislation. [Source] See also: [Cat’s ‘privacy’ protected by BC Liberals

US – Oregon Prisons Hit by Worker Info Breach

The Oregon Department of Corrections (DOC) announced that a non-employee had access to a thumb drive that may have contained the payroll information of up to 550 staffers from at least three correctional facilities. The DOC and the state police are investigating the breach. An agency spokesperson said, “We do not believe the breach was malicious in intent, nor do we have any indication at this time that the personal information has been used or misused.” The DOC is offering free credit protection to those affected and is reviewing its internal security practices to prevent future breaches. [KTVZ

CA – Ontario Privacy Boss Slaps Vaughan, PowerStream

Ontario’s information and privacy commissioner has ruled that the way municipally owned energy company PowerStream and the City of Vaughan shared customer information in the past violates rules of the Municipal Freedom of Information and Protection of Privacy Act. Since 2005, PowerStream has shared customer information via electronic records with city staff. The information was then used periodically by the mayor and members of council to send a “welcome letter” to new city residents, according to the report. City hall watchdog Richard Lorello filed the complaint with the commissioner one year ago over concerns that residents’ personal information was being improperly used. The seven-page report written by assistant commissioner Brian Beamish does not make any recommendations because the sharing of information between the electricity company and the city stopped when the complaint was made. The commissioner’s office is satisfied the practice has stopped. [Source]

Electronic Records 

US – HHS Rule to be Reviewed

The Department of Health and Human Services’ Office of Civil Rights (OCR) is asking the White House Office of Management and Budget to review its new privacy rule that will provide “an expanded requirement that healthcare providers track and be able to report to patients any disclosures of their medical records.” The rule is aimed at improving patient privacy rights by building on provisions included in HIPAA. Meanwhile, a study is making headlines with findings that protected health information (PHI) breaches affecting more than 6 million individuals have been recorded since HITECH’S Breach Notification Rule was issued in August of 2009. [Modern Healthcare

US – Study: Medical Social Networks Lack Privacy Protections

A recent study of 10 medical condition-focused social networks revealed that privacy policies “significantly varied.” “Social but safe? Quality and safety of diabetes-related online social networks,” which was conducted by researchers from Children’s Hospital Boston, revealed a lack of safeguards for personal health information privacy protection, with only three sites providing member control for personal information and the vast majority using privacy policies that were difficult to read. Elissa Weitzman, the study’s lead author, voiced concerns about the implications for patient safety and said such sites need policies to protect members’ privacy. [InformationWeek] [US: Data Mining Technology Burns User Privacy Rights, Say Experts] SEE ALSO: [Most Americans favor electronic medical records: study] AND ALSO [CMA Revises Privacy Policy - strengthens pateint rights of access]

EU Developments

EU – PNR Data Could Be Required for EU Travel

Proposals set to come before the European Commission will require air travelers to have their passenger name record (PNR) data—such as home addresses, mobile phone numbers, credit card information and e-mail addresses—checked by authorities and shared with other member states if links to terrorism or serious crime are suspected. Negotiations between member states and the European Parliament on the plan are expected to last two years. “So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity,” said German MEP Manfred Weber, adding, “There are deficits in the usage of current data. So why should we collect even more mass data?” [EUobserver] [OUT-LAW: EU Commission proposes new directive on storing air passenger details] [EU wants air-passenger data for probes of terrorism, crime

EU – German Justice Minister Focuses on Privacy Leadership

Justice Minister Sabine Leutheusser-Schnarrenberger’s comments that Germany should become a leader in international data protection standards. Urging the EU to include agreements on data protection standards with the U.S. in its revision of existing data protection laws, she spoke of the “different legal cultures” of data protection on both sides of the Atlantic, noting, “For this reason, I believe it is important that we strive to achieve basic ground rules of what constitutes data security.” Leutheusser-Schnarrenberger has announced the creation of a German foundation to explore such data security issues as developing technology to protect users’ privacy. [Source] [Source] See also: [UK Minister resigns after breaching data protection code

EU – Data Retention Implementation Faces More Delays

As Sweden prepares to implement the European Data Retention Directive, a parliamentary committee’s request for consultation may further delay such action. Sweden was to have implemented the directive in September 2007. The European Commission sued the country in 2010 for failing to do so. Now, the Parliamentary Constitutional Committee wants the government to consult parliament on details within the directive and “has sent its opinion to the Committee on Justice, which is currently hearing a report on how the directive is to be introduced in Sweden.” [Stockholm News]

EU – Privacy Watchdog Urges Stronger Data Protection in EU Law Review

Organisations which lose personal data should be forced to disclose the data security breach, the European Union’s privacy watchdog has said. Planned changes to EU privacy law do not go far enough, said the official. [OUTLAW] [EDPS Opinion] See also: [Communication to the European Parliament (20-page / 215KB PDF) outlining its proposals for reforming data protection law] 

EU – EC Publishes Israel’s Adequacy Status

The European Commission (EC) has published its opinion formalizing Israel’s status as “adequate” under the European Data Protection Directive. The decision, rendered in October 2010, follows the recommendation of the EC’s Article 29 Working Party. It allows for personal data transfers between EU countries and Israel. Israel is one of only a handful of countries to have obtained adequacy status. [Source

UK – Advocates Angered Over End of BT Investigation

Privacy groups are criticizing the Information Commissioner’s Office (ICO) for closing its investigation of a BT data breach. The ICO said BT cannot be held responsible for the incident in which a spreadsheet with such confidential information as customer names, addresses and telephone numbers was sent to a law firm by a BT employee, the report states. While the ICO closed its investigation after determining the company was not liable for a mistake committed by one of its employees, advocates contend such a move “appears to give the green light to companies like BT claiming to have a data protection policy but failing to adequately enforce it.” [The Guardian] [Crackdown on firms spying on internet users in bid to Tighten Data Privacy Rules] [BT Class Actions Abound

WW – G8 May Have Privacy Focus

Following up on its efforts in October to move toward the goal of adopting “an international binding legal instrument harmonizing the protection of privacy,” France has announced its intent to bring the world’s Internet leaders to the G8 Summit in May. An announcement from France’s Commission nationale de l’informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 “would mark a critical milestone in the protection of privacy against the development of digital technologies.” Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that “there is no globalized legal answer, and the levels of privacy protection are disparate.” [Source

EU – Berlusconi Probe Human Rights Violation of Privacy?

An ally of Silvio Berlusconi says the Italian government might appeal before Europe’s human rights court, alleging that a prostitution probe targeting the premier is a violation of his privacy. Italian prosecutors want to put Berlusconi on trial on charges he had sex with a 17-year-old and tried to cover it up by using his power. Berlusconi has dismissed the allegations as a smear campaign. Franco Frattini, foreign minister and close Berlusconi ally, said that on the privacy-violation issue “there is rich jurisprudence” at the European Court of Human Rights in Strasbourg, France, according to LaPresse news agency. He reportedly said “the privacy-violation is a theme that can be brought forward not just in Italy but before the Strasbourg court.” [Source]

Facts & Stats 

US – Study: Compliance Saves Money

A benchmark study conducted by the Ponemon Institute and sponsored by Tripwire has shown that investing in IT and security compliance can save companies money over time. Through interviews with 160 IT practitioners across a broad range of industries, the study found that companies that review and maintain compliance with security standards spend an average of $3.5 million yearly, while the cost of noncompliance came in at $9.4 million—due mostly to business disruption and loss of productivity, according to the researchers. Tripwire’s Rekha Shenoy noted that, in terms of compliance reviews, “PCI was the one that was top of mind across all industries, because they all take card payments.” [Bank Info Security]


US – FTC Settles Credit Report Complaints

The FTC has approved proposed settlements of complaints against three credit report resellers for lax security practices that resulted in hackers accessing more than 1,800 credit reports without authorization between October 2006 and June 2008. The settlements require each company to create comprehensive cybersecurity programs and obtain independent audits of the programs every other year for the next two decades. “These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it,” said FTC Consumer Protection Bureau Director David Vladeck. The agreements will be available for public comment through March 7. [CIO] [FTC Press Release

US – Financial Industry Asks to Opt Out of FTC Rules

With the FTC deadline for public comment on its recent privacy rules recommendations just two days away, industry and individuals are weighing in on all sides of the issue. The Securities Industry and Financial Markets Association (SIFMA), which represents large banks and investment firms, has asked “to not be regulated by any FTC privacy rules at all,” citing sector-specific privacy regulations that already apply. SIFMA wrote, “financial services firms appreciate more than almost any sector of the economy the importance of maintaining the confidentiality of customer information.” The FTC, meanwhile, has suggested that certain types of information–including financial, health and geolocation data–require “special protection.” [paidContent

US – State Settles Online Privacy Dispute

The Seattle Times reports that the American Civil Liberties Union (ACLU) and the North Carolina Department of Revenue have settled their dispute over the state’s efforts to collect personal information about e-commerce customers for tax purposes. The ACLU and online retailer Amazon filed a federal privacy lawsuit against North Carolina last year. As part of the settlement, the state has agreed not to ask for information that could link consumers to the products they purchase online. The agreement “will go a long way toward protecting the privacy and free speech rights of online customers in North Carolina and hopefully elsewhere,” said ACLU attorney Aden Fine. [Source]


CA – Canada Kept U.S. Border Talks Under Wraps: Document

The federal government deliberately kept negotiations on a border deal with Washington secret while it planned ways to massage public opinion in favour of the pact, according to a confidential communications strategy. The 14-page public relations document recommended that talks keep a “low public profile” in the months leading up to the announcement by Prime Minister Stephen Harper and U.S. President Barack Obama. At the same time, the government would secretly engage “stakeholders” — interested parties such as big business groups and others — in a way that respected “the confidentiality of the announcement.” In advance, the government departments involved — including industry, foreign affairs, international trade and citizenship and immigration — were to “align supportive stakeholders to speak positively about the announcement,” according to the strategy prepared by Public Safety Minister Vic Toews’ officials. On Friday, Harper and Obama signed off on a plan that for the first time envisions throwing up a single security ring around the perimeter of Canada and the U.S. The wide-ranging blueprint calls for increased cooperation between the two countries’ police, border and intelligence agencies; an integrated Canada-U.S. exit-entry system using high-tech identification techniques and more sharing of information about Canadians with U.S. authorities. At least three major business organizations — the Canadian Chamber of Commerce, the Canadian Council of Chief Executives and the Canadian Trucking Alliance — quickly issued statements praising the framework agreement Friday. The document was prepared last fall, when the Canada-U.S. talks were being conducted without any public notice. [Source] [Harper and Obama eye sweeping change in border security] See also: [Public salaries not so public in Quebec]

Health / Medical 

US – FTC Releases Medical Identity Theft Guide

The FTC has released information for healthcare providers and health insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if it occurs. The Medical Identity Theft FAQs for Health Care Providers and Health Plans publication says indications that medical identity theft has occurred include health plan statements that benefit limits have been reached or insurance claim denials due to medical conditions the patient doesn’t have. Healthcare providers and insurers should advise victims to notify health plans, file complaints with police and the FTC and review credit reports, the report states. [Source

US – Hospital Breaches Require Credit Protection

Two U.S. health plans are providing credit protection to patients and employees after data breaches potentially exposed Social Security numbers (SSNs) and other personal details. Oklahoma’s Saint Francis Health System is notifying 84,000 affected employees and patients that their personal information may have been compromised after a laptop was stolen containing names, dates of birth, mailing addresses, SSNs and diagnostic codes about patients treated prior to 2004. Meanwhile, New York City Health and Hospitals Corp. has filed a lawsuit against a data storage and transport vendor to recover breach notification costs after files on 1.7 million patients and employees were stolen. [Health Data Management

US – Survey: Privacy, Accountability Lead Health IT Concerns

Doctors and patients agree on the way health IT should be used in modern healthcare, according to a Markle Foundation survey. The Markle Survey of Health in a Networked Life interviewed 1,582 members of the public and 779 physicians. It found that respondents are accepting of technology’s increasing role in healthcare, but both groups want privacy and accountability provisions. A majority of both groups support allowing individuals to know who has accessed their records and the controls to change incorrect data. The majority also supports breach notifications and a policy against government collection of PII for quality improvement programs, the report states. [InformationWeek

US – Survey: Despite Privacy Concerns, Many Want EHRs

Despite privacy concerns, researchers from the University of Chicago have found that most Americans surveyed support a move to electronic health records (EHRs). “Our core finding is that a large majority of Americans support use of health IT to improve healthcare and safety and reduce costs,” said Daniel Gaylin of the University of Chicago National Opinion Research Center. The survey of 1,000 people found that while nearly half said they had worries about the privacy of EHRs, 64% thought the benefits of being able to access their records online outweighed those concerns, the report states. [Reuters

CA – Dickson: Breaches Need Stiffer Penalties

Saskatchewan Privacy Commissioner Gary Dickson said that the province needs to dole out stiffer penalties to individuals and organizations responsible for data breaches. The comments came on the heels of a breach at the Sun Country Health Region where an employee inappropriately accessed patient prescription data. Dickson said he was “impressed” with the investigation but noted privacy breaches involving electronic health records are serious matters and risk undermining public confidence in the system. “In a number of cases, termination would be the appropriate response,” Dickson said, adding, “A minor fine or a suspension of a couple weeks without pay in my mind really minimizes what I think is a much more serious matter.” [Source] See also: [University Hospital Fires Three After Breach] and [Universities Suffer Medical Record Breaches]

Horror Stories 

US – Millions Affected by PHI Theft

Confidential information on about 1.7 million New York City hospital patients and employees dating back as far as 20 years was stolen in December. The New York City Health and Hospitals Corporation (HHC) reported the breach on Friday. While a recent study indicates that well over half—61%—of such breaches are the result of malicious intent, HHC President Alan D. Aviles noted, “The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data.” HHC will provide credit monitoring to potentially affected individuals as the stolen data included names, addresses, Social Security numbers and medical information. [The Wall Street Journal

US – Dating Site Hacked, Names and Passwords Exposed

The online dating site eHarmony has announced that a hacker used a vulnerability to access the usernames, e-mail addresses and passwords of users of its informational site eHarmony Advice. The Krebs on Security blog first reported the vulnerability and soon after found eHarmony data offered for sale on an online marketplace for hacked data. The company says it has fixed the vulnerability and is notifying affected customers and suggesting that they change their passwords. “At no point during this attack did the hacker successfully get inside our eHarmony network,” the company said in a blog post. The company has not released the number of users affected, but says it represents less than .05 percent of eHarmony’s 33 million users. [CNET News] [Source] SEE ALSO: [‘Dating’ Site Imports 250,000 Facebook Profiles, Without Permission

US – Sensitive E-mail Affects 2,400

A data breach at California’s Medicaid program has affected about 2,400 beneficiaries. The Human Services Agency of San Francisco says a former employee e-mailed records to her personal computer, two attorneys and two union representatives, the report states, in an effort to demonstrate that she was responsible for a disproportionately high caseload. The agency’s director says that though the records included Social Security numbers and names, they did not include medical or benefits information. The agency is mailing letters to those affected. [CaliforniaHealthline

US – Councils Fined £150,000 After Laptop Theft

The Information Commissioner’s Office (ICO) has fined two councils a combined total of £150,000 after two laptops were stolen. Ealing Council used the laptops to provide a service for itself and Hounslow Council. The laptops contained data on more than 1,700 individuals and were not encrypted. Ealing Council has been fined £80,000 for the breach, and Hounslow Council has been fined £70,000 for failing to have a written contract in place with Ealing and not monitoring its operational procedures. Deputy Commissioner David Smith said the Hounslow Council fine makes clear that organizations can’t outsource services “unless they ensure that the information is properly protected.” [ComputerWeekly

EU – Job Recruiting Site Breached

Ireland’s Gardaí are investigating a data breach on the job recruitment Web site The data protection commissioner has also been informed of the breach, which the company says exposed the names and e-mail addresses of its users. According to a message posted to the site’s homepage, no other data has been compromised, but the company is recommending that once the site is back online, users change their usernames and passwords. “We have a process in place for eventualities such as this; when we were notified, we shut down the server and the database to prevent any access,” the message says. [Silicon Republic

US – SSNs on Envelopes in Ohio

A company hired by the Ohio Department of Job and Family Services mailed 8,000 letters to day care providers with member numbers–which in some cases are the providers’ Social Security numbers–printed on the outside of the envelopes. The breach affected the at-home child care providers paid by the state; child care centers are given random six-digit numbers. A Department of Job and Family Services spokesman said the department is “extremely disappointed” by the breach, and it will be offering identity theft protection services to those affected. [The Chronicle-Telegram]

Identity Issues 

JP – Gov’t to Implement National ID System

Privacy concerns have arisen about recently announced government plans for a comprehensive identification system to be implemented in 2015. The Council for a Number System for Social Security and Taxation drafted the plan, which would assign each citizen a unique number. The system would store such personal information as name, gender, annual income and number of dependents, the report states. But the plan calls for a third party to monitor the stored data, and it has yet to be determined what information could be used for business purposes, prompting concerns about data protection and privacy. A bill pertaining to the ID system is expected this fall. [Source] See also: [US – Schmidt Discusses Trusted Identity Program] See also: [After Octopus Breach, Concerns Persist]

Internet / WWW 

US – NIST Releases Cloud Guidelines, Definitions

The National Institute of Standards and Technology (NIST) released guidance on cloud computing, Gov Info Security reports. Two drafts, “Guidelines on Security and Privacy in Public Cloud” and “The NIST Definition of Cloud Computing,” seek public comments until February 28. The guidelines include such provisions as ensuring security and privacy in cloud solutions before deployment, ensuring cloud providers meet organizations’ privacy and security guidelines and maintaining data protection accountability, the report states. The definitions provided are the result of NIST putting its “ear to the ground and listening to what the public and private sectors are saying,” a NIST co-author said. [Source

EU – Commissioner: EU Should Guide Cloud Deployment

The European Union is set to introduce a set of cloud computing guidelines that will address data protection, privacy regulations and common approaches to cloud deployment. At the World Economic Forum in Davos, European Digital Agenda Commissioner Neelie Kroes said the EU can help the transition to the cloud run “smoother and faster,” and should take care that data protection achievements do not clash with the cloud. The three areas the EU should get involved in are the cloud’s legal framework around data protection and privacy, technical and commercial fundamentals and supporting pilot projects towards cloud deployment, the report states. A document containing plans for such action should be released by 2012, Kroes said. [Computerworld]

Law Enforcement 

US – Legislators Question Facebook on Privacy

As privacy legislation discussions continue at the federal level, Reps. Edward Markey (D-MA) and Joe Barton (R-TX) of the House Energy and Commerce Committee have again sent a letter to Facebook CEO Mark Zuckerberg about privacy concerns. Writing to Zuckerberg, the legislators requested answers to questions prompted by changes the social network outlined last month about sharing such user data as mobile phone numbers and addresses with third parties, nextgov reports. Markey said the goal is “to better understand Facebook’s practices regarding possible access to users’ personal information by third parties. This is sensitive data and needs to be protected.” [Source

UK – ICO Approves Crime Maps But Warns of Possible Privacy Dangers

Privacy watchdog the Information Commissioner’s Office (ICO) has said that police must take care to ensure that the localised crime maps launched today in England and Wales do not breach privacy laws. Information Commissioner Christopher Graham was consulted over the new maps and said that in their current state they do not breach the privacy of individuals involved in or affected by crime. He said, though, that there is a danger of that happening and that reviews will be necessary to check that current protections are adequate. The ICO helped police and the Government to put in place measures to ensure the privacy of individuals, he said. The maps allow users of the police website to see the details of what crimes and incidences of antisocial behaviour have happened on their, or any other, streets. [OUT-LAW

CA – New Alberta Police Database Allows Officers to Share Real Time Information

The Alberta government is quietly building a $65 million police information database that will allow officers across the province to share details about proven and suspected criminal activity in real time. The Alberta Law Officers’ Network, or Talon, is meant to help police catch increasingly sophisticated criminals, but civil liberties groups and academics worry it unnecessarily invades citizens’ privacy and will be open to abuse. “The concept is that we will have a single source of the truth,” said Ayaaz Janmohamed, executive director of the solicitor general’s information technology branch. “It is going to create this information repository, which will allow for a master index of any person who comes into contact with any police agency in Alberta.” The program has been in the works for more than five years. The servers are now online, the top-secret office building that houses the servers is nearly complete and pilot projects are slated to begin in Calgary this fall. Every police service in the province is expected to be online by 2013. Janmohamed said the information in the massive databases will be used to varying degrees by police, crown prosecutors and sheriffs who work on Alberta highways and in provincial jails. Talon will allow them to quickly access information about a person of interest, just as the Canadian Police Information Centre does, though the databases contain different kinds of information. CPIC contains details about pending charges and a permanent record of convictions, as well as information about recent acquittals and discharges. Talon contains much more sensitive and personal information, including speculations, unproven allegations, investigation theories, details of 911 calls – virtually any record of a citizen’s contacts with the police. Unlike CPIC, officers will not have to provide a reason for accessing the information. Information and Privacy Commissioner Frank Work has been involved in the planning process and the government is following his recommendations. A privacy impact assessment is expected to be finished by early March, and it will review rules about who can access the information, who has custody of it and who ultimately controls it. The assessment will not be made public. [Source

US – Police Test App that Instantly Reveals Criminal Records

A new iPhone app will give California Police the ability to instantly see what’s been previously reported to have happened inside a home and who with a criminal record has lived there. The SafetyNet Mobile Insight app enables an officer to point an iPhone’s camera at a location, and using the phone’s GPS to bring up the address, check the law enforcement history or officer safety hazard information of the location in question – within seconds of getting a 911 call. The app can also track police units to determine how far away an officer is from a crime scene. Hoss said as newer versions come out, he’d like to see more querying functionality and license plate recognition incorporated. When the trial began, 70 percent of San Mateo’s and Burlingame’s officers already owned a personal iPhone, Hoss said, which they were allowed to use during the testing phase. However, he isn’t sure he wants officers using their personal phones on the job, partly for security reasons. The system feeding data into SafetyNet Mobile Insight is encrypted through a virtual private network and data isn’t stored on the phone. If an officer loses the phone, the device would be remotely wiped of data. For now, the app only searches within the participating city’s database of criminal records, so an officer in another part of the state wouldn’t have access to San Mateo’s database. [Source] See also: [US: Catholic Church gives blessing to app that helps people confess

CA – Strip-Searched Woman Sues U.S. Border Guards

A woman from Stratford, Ont., has launched a $500,000 lawsuit in a U.S. federal court against two female U.S. border guards in Detroit. In March 2010, Loretta Van Beek was pulled over by customs agents and sent to secondary inspection when customs officers found a few raspberries in her car that she’d forgotten to declare. After more than an hour of questions, Van Beek was told she was being denied entry on suspicion that she was living illegally in the U.S. Van Beek said she was marched into a holding cell by two female agents and ordered to remove her shirt and stand spread-eagled against the wall, and subsequently strip-searched in an invasive way. She said they photographed her and took her fingerprints, then sent her back to Canada. U.S. Customs and Border Protection wouldn’t comment on Van Beek’s case but said the rules state: “We rely upon the judgment of our individual CBP officers to use their discretion as to the extent of examination necessary. However, CBP officers are expected to conduct their duties in a professional manner and to treat each traveller with dignity and respect.” A spokesperson said a strip-search is allowed when there is reason to believe someone is hiding something on his or her body, and the person has to be told the reason. Van Beek said she wasn’t given a reason. The lawsuit documents were filed on Feb. 9, 2011. [Source]


IN – State of Data Security and Privacy in Banking Industry

After releasing the annual security surveys on the IT & BPO industry in past few years, the Data Security Council of India (DSCI) in association with KPMG under the aegis of CERT-In released first report on the State of Data Security and Privacy in the Indian Banking Industry. The report deals with the state of data security and privacy concerns and offers insight into banking industry’s capability for data protection. G Gopalakrishnan, Reserve Bank of India’s executive director, released the survey report. The survey covered some 20 banks and interviewed chief information security officers (CISOs). Asper the findings of the report, customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by banks. External threats and the increasing usage of online and mobile channels along with regulatory equipment are driving banks in India to invest in information security. Managing security is more challenging in online banking and phone (IVR) banking as compared to other service delivery channels, the report states. [Source

PH – Data Privacy Law Moves On

The Philippines House of Representatives last week passed a second reading of the proposed Data Privacy Act, which aims to set regulations for the processing of personal information. The bill recently received the endorsement of both the committee on information and communications technology and the committee on government reorganization and has the backing of the business process outsourcing sector. Chief author of the bill Roman Romulo says, “The bill is quite strong…you are expected to adopt adequate organizational, physical and technical measures to protect your electronic files.” Meanwhile, a proposed cybercrime bill that seeks international cooperation in fighting cybercrime is also in congress. []

Online Privacy 

US – Study: “Flash Cookie” Tracking Persists

A Carnegie Mellon University study suggests that about 10% of popular Web sites may be using so-called “Flash cookies” to track users. The study, commissioned by Adobe, tested the 100 most popular Web sites and 500 others that were randomly selected, finding “none of the 500 random sites engaged in re-spawning, and only two of the 100 most-popular sites engaged in re-spawning,” the report states. However, a significant number of Web publishers “still won’t say if they’re using Flash cookies for tracking.” Adobe, the creator of Flash Player, has condemned the use of its local storage objects for tracking purposes and recently introduced changes to simplify Flash’s privacy options. [paidContent] See also: [US: History Sniffing Code Collides With Privacy Concerns] [The Dirty Little Secrets of Search

EU – Reding: Tracking Technologies Highly Intrusive

European Union regulators are concerned that mobile phone and computer technologies that monitor online activities threaten individual privacy rights. “I am concerned about the use of highly privacy-intrusive tracking technologies,” EU Justice Commissioner Viviane Reding said in a speech in Brussels yesterday. “Mobile phones and computers have become tracking devices.” She added that tracking technologies can have serious consequences for people and can lead to criminal penalties. Reding’s concerns come as the European Commission reviews the EU’s data protection law with plans to update it to reflect new technologies that have emerged since the law passed nearly 16 years ago. [Bloomberg] [Internet Tracking May Threaten Privacy Rights, EU’s Reding Says

US – Judge: Juror Must Turn Over Online Posts

A California judge has ordered a juror to turn over social networking posts he made during the trial of several gang members or face possible jail time. The juror’s attorney has called the order an invasion of privacy and plans to appeal, while defense counsel for the alleged gang members have suggested the posts will help determine whether the juror was influenced by communications outside of the courtroom. The juror had “allegedly characterized the evidence as ‘boring’ in one posting and revealed he was on the jury in another,” the report states. [Mercury News] [Juror Appealing Social Network Order] [Juror: Social Network Posts Are Private

US – WikiLeaks Supporters Trying to Prevent U.S. Access to Their Twitter Accounts

Three people involved with WikiLeaks are trying to bar a federal judge in Alexandria, Va. from gaining access to information about their Twitter accounts. According to a Washington Post report, the individuals are challenging a December 14 court filing that would force Twitter to disclose private information about their accounts. The court documents were unsealed at the request of lawyers from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EEF). These organizations are also trying to get other court filings related to WikiLeaks unsealed. EEF legal director Cindy Cohn said that the government’s request for access to these Twitter accounts “raises serious First and Fourth Amendment concerns.” “It is especially troubling since the request seeks information about all statements made by these people, regardless of whether their speech relates to WikiLeaks,” she said. The effort is part of the Department of Justice’s ongoing investigation into whistle-blowing organization WikiLeaks. A hearing to unseal further court proceedings is scheduled for February 15 at the U.S. District Court in Alexandria, Va. [Source] See also: [Anonymous Hacks Security Firm Investigating It; Releases E-mail

UK – ‘Twitter Messages Not Private’ Rules PCC

Material that is published on Twitter should be considered public and can be published, the Press Complaints Commission (PCC) has ruled. The decision follows a complaint by a Department of Transport official that the use of her tweets by newspapers constituted an invasion of privacy. Sarah Baskerville complained to the PCC about articles in the Daily Mail and Independent on Sunday. The messages included remarks about being hungover at work. She complained that this information was private and was only meant to be seen by her 700 followers. Ms Baskerville said she had a clear disclaimer that the views expressed by her on Twitter were personal and not representative of her employer. Ms Baskerville complained to the press regulator, arguing that she could have a “reasonable expectation” of privacy and that the reporting was misleading. But the PCC said the potential audience for Ms Baskerville’s tweets was much wider than her followers, because each message could be forwarded by others, known as retweeting. It also agreed with the newspapers’ argument that Twitter was publicly accessible and that the complainant had not taken steps to restrict access to her messages and was not publishing material anonymously. As a result, the commission ruled that the articles did not constitute a breach of privacy. [Source

US – Analysts Support Code of Ethics

The Web Analytics Association is supporting an online code of ethics in the midst of increasing scrutiny of the Internet data industry to allow consumers to opt out of online tracking and offer clear privacy policies explaining data collection and usage. However, questions remain about how such a self-regulatory approach would be enforced, the report states. “We have to trust that this is a community of professionals and that putting your name and city–and behind the scenes your e-mail address–means you’re actually committed to following through,” said one of the Web analytics experts behind the effort, adding, “it’s about the long-term health of our sector.” [The Wall Street Journal]

Other Jurisdictions 

AU – Vodafone Investigation Concludes: Act Breach

After an investigation, Privacy Commissioner Timothy Pilgrim has found that Vodafone breached the Privacy Act by failing to take reasonable steps to protect its customers’ information, but the commissioner dismissed claims that information was made public. The company had been accused of allowing billing and call records to be stored on a public Web site with only a password to protect them. Pilgrim found that some staff may have breached company login and password policies, and that “Vodafone did not have the appropriate level of security measures in place to adequately protect their customers’ personal information.” [ABC News

IS – Israeli Bill Aims to Ban Media Images of Victims Without Consent

The Knesset Law Committee held a third and final debate on an amendment to the Protection of Privacy law that would prohibit the publication of images of injured or deceased persons without their consent or the consent of their family members. The bill, which is sponsored by United Torah Judaism MKs Uri Maklev and Moshe Gafni, aims to protect the privacy of victims of terrorist attacks, violent crimes or accidents, by prohibiting the media from displaying images in which the victims can be identified. Opponents of the bill said it was an attempt to limit freedom of the press and would harm the public’s right to information. They urged that a solution be found by increasing self-regulation by the media rather than by legislation. Maklev said that though he respected and cherished the work of the media, the amendment would strike a balance between the public’s right to information and the individual’s right to privacy. He said that the amendment would strengthen media ethics, prevent outlets from competing with each other over who has a more bloody photo and present guiding principles to unregulated online news distributors. [Source]

Privacy (US) 

US – CA Court: ZIP Codes Are Personal Information

The California Supreme Court has ruled that merchants may not collect ZIP Codes from credit card customers. In a unanimous decision, the justices deemed that ZIP Codes are part of a person’s address and are therefore covered by the state’s 1971 Credit Card Act, the report states. “The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” Justice Carlos R. Moreno wrote. [Los Angeles Times

US – Report: Companies Will Hire More Privacy Pros

Ernst & Young has released its new report “Privacy Trends 2011: Challenges to Privacy Programs in a Borderless World,” and the findings include expectations that organizations will invest more in the protection of personal information. Accounting Today reports that the study indicates organizations will allocate more funding in the year ahead toward hiring “highly skilled certified privacy professionals and invest in technical controls that monitor and manage external attacks and internal leaks from within the organization.” The report suggests that beyond privacy professionals, many positions that impact the use of personal information—such as IT, audit, legal and marketing–will become increasingly focused on privacy risk and compliance. “In an increasingly borderless business environment, protecting personal and professional information is a paramount concern,” says Sagi Leizerov, CIPP, executive director and leader of privacy advisory services for Ernst & Young. “New technologies associated with mobile communication, social networking and cloud computing have erased the boundaries of how we do business today, but while these new technologies provide tremendous opportunities, they also present new privacy risks for organizations and employees alike.” [Source

US – Industry Opposes FIPPs-Based Regulations

A coalition of advertising, media and business organizations has submitted comments to the Department of Commerce arguing that while Fair Information Practice Principles (FIPPs) are a “useful tool” when analyzing online privacy, they should not be codified in new laws. The comments were submitted in response to calls for industry and advocacy groups to develop enforceable, self-regulatory privacy policies. A FIPPs-based framework for online privacy “would reduce industry’s ability to respond to changes in consumer preferences and would hinder advancements in technology,” according to the coalition, which includes such groups as the Interactive Advertising Bureau and Newspaper Association of America. Some privacy advocates, meanwhile, have submitted comments that government regulation is needed to protect consumers. [Source]

US – DMA to Enforce Self-Regulation Initiative

The Direct Marketing Association (DMA) has announced enforcement plans for its online data collection self-regulatory program. The DMA is requiring members to place the “Advertising Option Icon” on ads, linking to pages that educate consumers about data collection and offer opt outs from online tracking and will investigate consumer complaints about noncompliance. For members that do not comply, “the ultimate sanction is that you are thrown out of the association. If a non-member is persistently noncompliant, we will refer them to the FTC,” said Linda Woolley of the DMA, who stressed that, “the goal is not to rat people out. The goal is to make companies comply.” [Direct Marketing News

US – Swire: Federal Privacy Office Needed

Peter Swire writes in support of a proposal in the Department of Commerce’s new green paper to create a federal privacy policy office. Swire disagrees with comments by some privacy advocates that the creation of such an office would weaken the Federal Trade Commission’s privacy efforts. “I believe there is an extremely strong case in favor of developing an ongoing privacy policy capability in the executive branch,” Swire writes. “Privacy policy requires familiarity with a complex set of legal, technological, market and consumer considerations. Good government thus calls for creating an institutional memory and a group of civil servants experienced in privacy policy.” [Center for American Progress] [Memo

US – Franken Named Head of New Privacy Committee

Sen. Al Franken (D-MN) has been selected to chair the new Senate Judiciary Subcommittee for Privacy, Technology and the Law. Franken said his goal will be to “make sure that we can reap the rewards of new technology while also protecting Americans’ right to privacy.” The new committee was created by Senate Judiciary Committee Chairman Patrick Leahy (D-VT) to “oversee laws and policies governing the collection, protection, use and dissemination of commercial information by the private sector,” the report states. Leahy said the new committee will focus on how new technology has “unleashed new questions about how to protect Americans’ privacy in the digital age.” [The Washington Post] [Committee Gives Online Privacy a Higher Profile

US – Apple Hit With Another Suit Alleging Privacy Violations

A lawsuit has been filed in federal court alleging privacy violations in the way Apple shares information collected from iPhone, iPad and iPod Touch users with advertisers. The suit, which seeks class-action status, states that the company shares information about browsing history, application use and other personal details without user consent, alleging the result is that application developers can “put a name to highly personal and in many cases embarrassing information derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous.” The company previously stated its apps are not supposed to transmit user data without prior permission, the report states. [PC World

US – Court: No Common Law Duty to Protect PII

An Illinois appellate court case–”the first that we are aware of in the United States”—is focusing on the question of “whether common law duty exists to safeguard personal information.” An Illinois appellate court upheld the dismissal of a suit over the unauthorized disclosure of such sensitive personal information as names, addresses and Social Security numbers, finding that no such duty to protect personal information exists for purposes of a negligence claim. Speculating that the case could be appealed to the Illinois Supreme Court, the report suggests, “Based on the strong dissent, it appears as if the majority opinion may be at risk for an overturn.” [Information Law Group

US – Judge Dismisses Data Aggregator Lawsuit

A U.S. District Court judge has dismissed one of two lawsuits filed against an online data aggregator after determining the plaintiff did not “allege he had been injured by Spokeo.” Privacy advocates are concerned about the information the company makes available, noting that although this case has been dismissed, the questions it poses “will almost certainly reappear in other litigation–especially given the wave of recent privacy lawsuits.” The report also highlights a complaint brought before the FTC alleging that Spokeo “violates federal law by offering information about users’ financial status and credit ratings without giving consumers the protections required by the federal Fair Credit Reporting Act.” [Source]

Privacy Enhancing Technologies (PETs) 

US – ACLU Launches Privacy Mobile App Contest

Branches of the American Civil Liberties Union (ACLU) and others are launching a contest challenging mobile application developers to address privacy concerns for mobile phones and other portable devices. The 2011 Develop for Privacy Challenge aims to encourage developers to build open-source tools for mobile devices to help users understand and address privacy threats, the report states. Brian Alseth, technology and liberty director at the ACLU of Washington, said the contest’s goal is to show developers that “privacy doesn’t need to be an afterthought in new technologies. Rather, privacy can and should be a fundamental building block.” Contest submissions may be made at the Develop for Privacy Web site until May 31. [InfoWorld] [IPC Press Release] See also: [Privacy as Competitive Edge: Can A Start-Up Search Engine Compete On Privacy?]


EU – Art 29 WP Posts Opinion on Revised RFID PIA

This opinion is a follow-up to opinion 5/2010 (WP 175) on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.. [Opinion 9/2011 on the revised Industry Proposal for a Privacy & Data Protection Impact Assessment Framework for RFID Applications -11 Feb 2011] [Privacy & Data Protection Impact Assessment Framework for RFID Applications 12 January 2011] See also: [ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications [March 31, 2010]


US – TSA Deploys New Body Scanners

The Transportation Security Administration this week debuted software designed to make airport body scanners less invasive. The software creates generic body images and displays any detected anomalies in a red outlined box around the specific area of concern. The software will be incorporated at Reagan National Airport in Washington, DC, and in Atlanta, the report states, and could eventually land at all 78 airports currently using body scanning technology. “We believe it addresses the privacy issues that have been raised,” said TSA Chief John Pistole. [The Washington Post] [Source

US – Nasdaq Suffers Security Breach

Nasdaq OMX Group says it found suspicious files on its U.S. computer servers. Nasdaq says it found malware at the end of last year and alerted forensic groups and U.S. law officials and that the FBI and Department of Justice are now investigating. The malware was pointed at Nasdaq’s Web-based program, where about 5,000 companies store documents for board members, the report states. Nasdaq deleted the malware and says no customer information appears to have been compromised as a result of the security breach. Law enforcement officials have not yet issued a statement on the case. [Banking Business Review] [NASDAQ Breach: You Should be Concerned]


US – ACLU Calls for Moratorium on City Cameras

The American Civil Liberties Union (ACLU) is calling for a moratorium on installations of surveillance cameras in Chicago and new policies to prevent their misuse. The city has more than 10,000 surveillance cameras, capable of tracking people or vehicles, searching for images of interest and reading license plates, the report states. “Our city needs to change course before we awake to find that we cannot walk into a bookstore or a doctor’s office free from the government’s watchful eye,” an ACLU spokesman said. A spokeswoman for the Chicago Police Department said it is committed to “safeguarding the civil liberties of city residents” and “upholding the constitutional rights of all.” [Source] See also: [US: Female hostellers damage CCTV cameras to protect privacy] [UK: Coventry’s Stoke Park School has 112 CCTV cameras] [US: Supermarket camera suspect charged with privacy violation] and [US: Red-Light Cameras Lower Traffic Deaths, Agency Claims - NYT

AU – Vehicle Tracking Devices Could Be Used to…Track

A private car-for-hire company in Australia has announced it will install GPS devices in up to 30% of its fleet. The company said the devices will allow them to know if the cars are driven out of the contracted range or on dirt roads, which would breach contract. But Civil Liberties Australia calls the move an “excessive invasion of privacy.” Meanwhile, the U.S. National Highway Transportation Administration will consider new rulemaking that would require event data recorders to be installed in passenger vehicles, according to a press conference announcement. The announcement has some privacy advocates concerned that the recorders could be used to track Americans’ movements. [] [Source

US – Smart Meters Face Resistance

The New York Times reports on the growing opposition to smart meter installations at homes in Maine and California. The wireless meters report hourly home energy usage back to the utility. Some Maine residents have launched e-mail campaigns, and some municipalities in both states have adopted moratoriums on meter installation. A group of Californians has launched a “Stop Smart Meters” campaign, and four protesters have been arrested for blocking trucks delivering meters to homes. In response to privacy concerns, the vice president of Edison Electric Institute, the national association of utilities, said, “We’ve always gotten information about customers’ usage and always kept it confidential. We’re going to honor their privacy.” [Source 

CA – Cavoukian Releases Smart Grid Study

Ontario Privacy Commissioner Ann Cavoukian released a study on an Ontario utility’s approach to smart meter deployment, which she says should serve as the model for all future smart grid investment. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility’s policy to only include customer identification information in the company’s own billing records and not share it with third parties unless consent is acquired for service offers. “Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals,” Cavoukian said. [The Globe and Mail] [Utilities work to prevent privacy backlash over smart grid]

Telecom / TV 

US – Obama Touts Plan to Get Wireless Internet to 98% of U.S.

President Obama has outlined a plan to expand super-fast wireless Internet connections. Speaking at Northern Michigan University, Obama said he would use $18 billion in federal funds to get 98% of the nation connected to the Internet on smartphones and tablet computers in five years. To get there, the federal government will try to bring more radio waves into the hands of wireless carriers to bolster the nation’s networks and prevent a jam of Internet traffic. He said he hoped to raise about $27.8 billion by auctioning airwaves now in the hands of television stations and government agencies. And with that auction money, the government would fund new rural 4G wireless networks and a mobile communications system for fire, police and emergency responders. [Source]

US Legislation 

US – Speier Introduces Financial Privacy Bill

The former California lawmaker who sponsored some of the nation’s strongest financial privacy protections during her time as a state senator has dropped a new federal law. Now in the U.S. Congress, Rep. Jackie Speier (D-CA) introduced the Do Not Track Me Online Act of 2011. The bill has elicited support from privacy advocates and warnings from the online advertising industry. It would let consumers opt out of having their online activities tracked through the creation of a do-not-track system such as the one called for in the Federal Trade Commission’s recent report on Internet privacy. Also, Speier introduced the Financial Information Privacy Act of 2011. [MediaPost News

US – Speier to Introduce Do-Not-Track Bill

Rep. Jackie Speier (D-CA) plans to introduce an online privacy bill next week directing the FTC to begin a do-not-track program for online advertisers. The program would enable consumers to opt out of behavioral advertisers’ tracking. The bill is meant to provide a floor rather than a ceiling, according to the report. Speier worked with Consumer Watchdog, Consumer Federation of America, Consumers Union and the Electronic Frontier Foundation on the bill. Meanwhile, Rep. Bobby Rush (D-IL) is expected to re-introduce his online privacy bill next week. [The Hill] See also: [Online Privacy Legislation Expected To Abound] [National Journal] See also: [Wyden Discusses Mobile Privacy Bill

US – Senators Propose Body Scanner Legislation

U.S. Senators Charles Schumer (D-NY) and Ben Nelson (D-NE) proposed legislation that would make the misuse of airport body scan images a federal crime, Computerworld reports. The Security Screening Confidential Data Privacy Act would prohibit the dissemination or photographing of scanned body images, punishable by up to one year in prison and a $100,000 fine per violation. The bill follows advocates’ and passengers’ concerns about privacy as the machines are increasingly implemented at U.S. airports. Marc Rotenberg of the Electronic Privacy Information Center is pleased with the legislation and said, “Obviously, there are no circumstances under which anyone should be able to take an image generated by one of these devices and circulate it to others.” [Source

US – Legislators Introduce Breach Bills

Hawaii legislators have introduced several bills to amend the state’s data breach notice law. Among those, security breach bill S.B. 728 and its house companion would require more specific notification in security breach cases, would eliminate the harm trigger in state law and would apply to any disclosure of records. It also would list the plaintiffs’ rights of action and would state that any person at risk for identity theft as a result of a data breach may sue for damages sustained. S.B. 796 would widen the definition of a security breach and would require three years of credit monitoring service by the responsible party to those affected. [Covington & Burling’s Inside