Biometrics
WW – Advancements in Facial Recognition Raise Privacy Questions
Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [New York Times]
US – Franken Wants Users Protected Against Facial Recognition ASAP
Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos. [The Hill]
Canada
CA – Stoddart Departing Commissioner’s Post
Privacy Commissioner Jennifer Stoddart’s departure from office and the work she did while there, including taking on big companies like Google and Facebook in defense of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier will step up as interim privacy commissioner until Stoddart is replaced. [Postmedia News]
CA – Commissioner Supports Call for CSC Audit
Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013. [Canada NewsWire]
CA – Journalists Concerned About Bill C-461
Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada’s public broadcaster, the CBC/Radio-Canada.” In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC’s journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC’s right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC’s ‘independence.’” [CNW]
CA – What Does Unconstitutional Ruling Mean for Alberta Privacy Law?
In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown analyzes what the decision means for the province. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. [Privacy Tracker]
CA – Cyber-Bullying Bill Revives Bill C-30 Controversy
A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers. The proposed law was introduced Wednesday, and is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.” [The Globe and Mail]
CA – Supreme Court to Hear Gun Registry Appeal
The Supreme Court has decided it will give Quebec’s government a final chance at making a case for preserving gun registry data. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.” [The Globe and Mail]
CA – Opinion: Saskatchewan Should Look to Neighbours
Attorney Greg Fingas writes about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it’s possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours’ choices rather than avoiding the question entirely.” [Leader Post]
Consumer
US – Are Notice and Consent Still Relevant for Internet of Things?
Stakeholders met in Washington, DC, to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the FTC of late, but the complexity of the IoT ecosystem was readily apparent during yesterday’s proceedings. Jedidiah Bracy covers the event and looks at calls for a new privacy paradigm around the Fair Information Practice Principles and the need for even more robust privacy design initiatives. [The Privacy Advisor]
WW – User Privacy Perceptions Could Cause Harm
A new study suggests that, though a majority of users believe they have responsibility to protect their privacy, most do not take steps to actually protect it. The disconnection between users’ attitude toward privacy accountability suggests that consumers’ perception is more ideological than practical, said Stephen Cobb, a senior security researcher at ESET, the organization that commissioned the Harris Interactive survey of more than 2,000 U.S. adults. “What I think people lack are the resources and education to follow all the way through with (protecting information),” he said, adding, “The average American adult isn’t going to walk through the door well-prepared to protect that company’s information … They need help. They need education.” [Network World]
US – Judge Who Ruled Against Google To Hear Yahoo Case
Following her ruling against Google’s request to dismiss a privacy lawsuit accusing it of using personal information gleamed from e-mails transmitted via Gmail, U.S. District Judge Lucy Koh is being sought after to hear similar lawsuits against Yahoo. The lawyer who filed a November 15 complaint against Yahoo says Koh’s recent ruling against Google’s request to dismiss the suit against it was “enormously important” for plaintiffs in group privacy suits. Yahoo has requested that three complaints filed against it be combined in an effort to minimize the labor or costs associated should the case be heard by three different judges. Separately, Yahoo has announced that following revelations that the NSA had accessed its data centers, it will add encryption to all of its products by spring 2014. [Bloomberg]
Electronic Records
WW – Hartzog and Selinger: Maybe We Need More Specific Terms
Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write. [Forbes]
Encryption
US – Lavabit Files Reply Brief in Appeal
Lavabit’s legal team has filed its reply brief in its case appealing the US government’s authority to demand the company’s master encryption key. The outcome of the case will decide whether an Internet company can be compelled to surrender master encryption keys when entities are seeking information about a single user. According to Lavabit’s brief, “the government has no general entitlement to search through the information of an innocent business.” [WIRED]
WW – Google Beats SSL Upgrade Deadline
Google has fulfilled its commitment to retire 1,024-bit encryption keys ahead of the scheduled target of the end of this year. Google has now replaced all certificates for its online services with new, 2,048-bit SSL certificates. The company is also taking steps to encrypt traffic between its data centers. [CNET]
EU Developments
EU – Commission Gives U.S. 13 Ways to Save Safe Harbor
The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework , which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld said that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor. [The Privacy Advisor]
EU – Safe Harbor Report Could Be the Start of Real Privacy Interoperability
According to Field Fisher Waterhouse Partner Eduardo Ustaran, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes for that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…” [Privacy Perspectives]
EU – Brussels to Warn U.S. of Safe Harbor Risk
Lawmakers in Brussels are set to officially warn Washington that Safe Harbor may be at risk unless U.S. tech businesses change the way they handle the data collected on EU citizens, Financial Times reports. The European Commission (EC) has been reviewing the Safe Harbor pact and is slated to announce its conclusions on Wednesday. According to the report, the EU is not expected to scrap the deal, but its wording suggests the EU will move in that direction if changes are not made by U.S. businesses. “The personal data of EU citizens sent to the U.S. under the ‘Safe Harbor’ may be accessed and further processed by U.S. authorities in a way incompatible with the ground on which the data was originally collected,” the draft version of the EC report states. “The commission has the authority … to suspend or revoke the Safe Harbor decision if the scheme no longer provides an adequate level of protection.” [CNBC]
EU – Cookie Monsters of Silicon Valley Come to Brussels
In the world of online tracking, the cookie is king—but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. [Full Story]
EU – Berlin Now Home to Privacy Activists, Leakers
Germany’s once-divided city of Berlin has become a haven for privacy activists and whistleblowers attempting to avoid prosecution from countries such as the U.S. and UK. Documentary filmmaker and Edward Snowden conduit Laura Poitras has made Berlin home, as has former Wikileaks spokesman Jacob Appelbaum. One privacy activist said, “It’s a rather inviting social climate right now … Why be completely paranoid, go mad, have your house surveilled? There’s a reason people are coming here.” [The Washington Post]
EU – Safe Harbor’s in Trouble—Unless You Ask the U.S.
The U.S. Department of Commerce says Safe Harbor is still viable, and the FTC says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. Angelique Carson talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. [The Privacy Advisor]
EU – Reding: U.S. Must Allow Europeans to Sue Agencies That Violate Privacy
EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S. [Bloomberg]
EU – EU Parliament could block data sharing with the US
After EU Justice Minister Viviane Reding was making positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philip Albrecht said that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.” [Full Story]
EU – Opinion: Data Community Must Influence Law
“It is essential … that the information security community not only make the effort to be aware and prepare but also recognise and exert influence over” the eventual EU data protection legislation, writes Yves Le Roux of (ISC)2. Pointing to the lack of technical feasibility of the right to be forgotten, Le Roux writes that privacy pros and others need to speak up about such elements of the law that may not be practicable, noting that the IAPP Europe Data Protection Congress provides an opportunity to do just that. [Computerworld]
EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?
U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]
EU – German Court: Google Rules Violate User Rights
A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]
Filtering
EU – French Court Orders Search Engines and ISPs to Block Pirate Sites
A French court has ordered major search engines to block 16 video-streaming websites. Google, Microsoft, and Yahoo must prevent the sites from appearing in their search results. The order also applies to several Internet service providers (ISPs) used by residents of France, which will have to prevent users from accessing those sites. Some of the plaintiffs in the case told the judge that merely ordering a block on the sites would prove ineffective because the people behind the pirate sites would just re-create the sites with new names. Wiley Rein’s David Weslow says if the decision is upheld on appeal, “there may be a precedent in France for forcing search engines or other types of Internet service providers to take affirmation actions to disable certain online content even where a ‘take down’ request has not been filed with that Internet service provider.” A recent poll about whether government should play an increasing role in protecting online privacy indicated 52% voted yes and 48% voted no, indicating “there is not overwhelming agreement” on what should be done,, adding tech companies and governments should be prepared to weigh in. Meanwhile, Google says it will voluntarily remove a Google Maps image related to a young boy’s murder. [TechRepublic] [BBC] [WIRED]
Finance
WW – Coin Addresses Some Critics’ Concerns
When Coin released information about its all-in-one digital credit card last week, some critics voiced concern about the technology’s security and reliability issues. For example, some wondered how securely the credit card information is stored and whether the device could be used as a card skimmer. Others expressed concern that the device would not work if the associated phone is out of power, and wondered whether or not merchants would be willing to accept Coin for payments. Coin has announced some changes, including a method for reactivating the device even if users’ phones are out of battery. Coin will also lock onto the payment method users have chosen to avoid accidentally switching to other payment methods stored in the device. The company says that the stored card information is encrypted. [CNN]
EU – Dutch DPA Says Google Policy Violates Law
Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]
US – Google to Pay $17M to Settle Cookies Case
Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” following Google’s agreement last year to pay a $22.5 million civil penalty to the FTC. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.” [IDG News Service]
EU – Court: Google Rules Violate User Rights
A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]
EU – Complaints Over Google Terms of Service Filed in 14 Countries
Privacy advocate Simon Davies has filed complaints with 14 European data protection authorities stating that Google’s new terms of service violate European data protection law. The main issue involves changes to the “shared endorsements” feature, which allows Google+ users’ names and photos to be used in advertising for products they follow on the service. “The general position is that the ground rules shouldn’t be changed halfway through the match. Google acquired the data under one condition, and I’m asserting that it cannot change the purpose of that data after the fact,” Davies said. Davies’ other challenges target the feature’s opt-out mechanism and changes in the way users are required to interact with YouTube. [PCWorld]
Health / Medical
US – Debunking Three Cyber Insurance Myths
“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves. [Privacy Perspectives]
Horror Stories
WW – Breaches Hit Health Exchanges, Anthem and More
Los Angeles Times reports that Anthem Blue Cross accidentally posted online the Social Security numbers (SSNs) and tax identification numbers of approximately 24,500 doctors. The data was mistakenly published within an online directory last month. Meanwhile, GovInfoSecurity reports on three breaches involving health insurance exchanges, including in Vermont and Oregon. In a separate report, the Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts discusses two essential steps organizations should take to help mitigate data breaches. More than 1,000 patients at California’s Redwood Memorial Hospital have been notified their personal information may have been compromised after an unencrypted USB drive was misplaced. Crown Castle has revealed that sensitive payroll data of its U.S. employees has been accessed by hackers. After a data breach affecting several city workers, the city of Milwaukee has said it will avoid using SSNs . And representatives from Adobe have said e-mails notifying those affected by a massive breach are taking longer than it anticipated. [L.A. Times]
WW – Breaches Affect School, Dating Site, Health Plan
A New York school district is alerting thousands of students and their parents of a security breach that saw some of their data posted online. A list of 15,000 names and school ID numbers were posted. Meanwhile, Anthem Blue Cross has begun notifying customers that their names, business addresses and tax ID numbers were posted to the company’s website this month. And online dating service company Cupid Media suffered a breach in January this year exposing names, e-mail addresses and passwords in plaintext. In an opinion piece for Dark Reading, Robert Lemos warns that cloud data is increasingly vulnerable to hacks. [Newsday]
US – Cupid Media Data Breach Affects Millions of Accounts
A data security breach at online dating network Cupid Media has exposed personal information from 42 million accounts. The compromised data include email addresses and unencrypted passwords. The data theft was discovered because it was stored on the same server where attackers had stored data stolen from Adobe, PR Newswire, and several other organizations. The Cupid Media breach apparently occurred in January 2013, and users were notified. The Australia-based company operates more than 30 specialized dating websites. [ComputerWorld]
Identity Issues
US – Screen Actors Guild Sides Against Amazon in Privacy Dispute
The Screen Actors Guild (SAG) has announced it is supporting an actress’s privacy suit against IMDb.com. The SAG said the company “committed an unconscionable breach of trust” when it accessed actress Junie Hoang’s credit card information to determine and publicize her real birthdate. “Individual IMDb profiles contain information that most people would consider private and that can be used for improper purposes,” the SAG wrote in an amicus brief to the Ninth Circuit Court of Appeals. [MediaPost]
Internet / WWW
WW – UN Passes Internet Privacy Resolution
The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?” [Associated Press]
EU – EDPS: Telecoms Market Reform Plan Would Put Privacy at Risk
New net neutrality laws would mean Internet users’ privacy rights would be at risk, according to the European Data Protection Supervisor (EDPS). The European Commission’s telecoms market reform plans would allow Internet service providers to engage in “wide-scale, preventive monitoring of communications content,” an affront to data privacy and protection as well as consumer trust in electronic communication services, the EDPS said. [Out-Law.com]
WW – Facebook Forges Ahead with Planned Changes
While Facebook has moved forward with changes to its privacy policies alerting users it may use their profile pictures, location and other personal information in advertisements, the company has deleted a controversial line in the policy on teens’ use of the site. The line stated Facebook assumed teens had obtained permission from their parents, drawing the ire of critics including Sen. Ed Markey (D-MA), who said Facebook should not profit from the personal information of children and teens. Facebook Chief Privacy Officer Erin Egan said, however, that the company wouldn’t gain additional rights as a result of the statement; rather, it was meant to get kids and their parents discussing the terms, The Washington Post reports. [Washington Post]
Law Enforcement
EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?
U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Deparetment in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]
Offshore
AU – Pilgrim Discusses New Powers
Privacy Commissioner Timothy Pilgrim said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March.” Pilgrim said “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them.” He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy. [IT News ull]
HK – Critics Say Hong Kong Data Protection Law Needs Update
Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use,. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public. [South China Morning Post]
SA – South Africa: Zuma Signs Privacy Bill Into Law
South African President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law. “The act will give effect to the right to privacy, by introducing measures
to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act. [Global Post]
IN – India’s Privacy Bill to See Further Delay
Differences between the ministries of Home and Law and the Department of Personnel and Training mean the Right to Privacy Bill has little chance of being tabled in this winter’s session of Parliament. The bill was originally proposed in 2011 and aims to “safeguard security interests of all affected individuals whose personal data has or is likely to have been compromised by such a breach.” Causing the divide is a provision stating the proposed law will supersede all provisions of the 58 existing laws that touch on privacy, Economic Times reports. An official at the Department of Personnel and Training told ET that the bill has been “stuck at the law ministry for several months now.” [Indian Express]
Online Privacy
WW – Viral Video Exposes Privacy Disconnect
A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses. [Full Story]
WW – Browser Extension Allows Users to Use “Fake” Identifiers
U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details. [PC World]
Other Jurisdictions
AU – Final Set of APPs Released for Comment
The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles (APPs). APP 12 and 13 cover access to and correction of personal information and require organisations to give consumers access to the information organisations hold on them and to take reasonable steps to correct information as well as “contact other organisations that hold the same information about a person so that they can update these details,” the report states. The consultation period is open until 16 December. [ComputerWorld]
MY – Long-Delayed Malaysian Data Protection Law Now In Effect
Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. The Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law include: An exemption for Malaysia’s federal and state governments, a category of personal data that is considered so sensitive that it requires explicit consent, cross-border transfer restrictions and criminal penalties of up to $156,000 and imprisonment of up to three years. [Hunton & Williams’ Privacy and Information Security Law Blog]
Privacy (US)
US – Site Settles After State Alleges COPPA Violation
New Jersey has reached a settlement with a California app developer who allegedly violated COPPA by collecting the personal information of customers, which included children. Dokogeo has agreed to pay the state $25,000, but that payment will be suspended for 10 years and voided if the company complies with the settlement’s terms, which include Dokogeo’s disclosure of the type of information it collects on its apps and website and how it shares data with third parties. Meanwhile, attorneys at Reed Smith discuss the increasing attention state Attorneys General are paying to privacy lately. [NorthJersey.com]
US – Apple Wins iPhone Privacy Lawsuit Dismissal
A federal judge has dismissed a lawsuit that accused Apple of not complying with the privacy promises it makes to iPhone and iPad users. The class alleged the company violated its privacy policy by allowing unique identifiers to be shared with third parties, thereby compromising user privacy. U.S. District Court Judge Lucy Koh ruled consumers failed to show they had read the privacy statements prior to purchasing the devices and none had submitted evidence they “read or relied on any particular Apple misrepresentation regarding privacy.” [MediaPost]
US – Data Broker Settles With NJ Attorney General
A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [InformationWeek]
US – ProPublica Hires Angwin to Investigate Privacy Issues
ProPublica has announced the hiring of investigative journalist Julia Angwin of The Wall Street Journal to cover privacy, technology and the surveillance state beginning early in January. Beginning in 2010, Angwin led a team of reporters to chronicle online privacy issues in The WSJ’s “What They Know” series. She is also the author of the forthcoming Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance. “Julia brings with her a magnificent portfolio of work, and she will be a stellar addition to our staff,” said ProPublica Managing Editor Robin Fields. [ProPublica]
US – Opinion: NSA Dragnet “Violates the Spirit of Framers’ Intentions”
Sens. Ron Wyden (D-OR), Mark Udall (D-CO) and Martin Heinrich (D-NM) write that, “The bulk collection of Americans’ telephone records—so-called metadata—by the National Security Agency (NSA) is, in our view, a clear case of a general warrant that violates the spirit of the framers’ intentions.” The senators opine that there’s no proof of the program’s usefulness in protecting national security and call for an end to it while promoting their Intelligence Oversight and Surveillance Reform Act and expressing disappointment with the Intelligence Committee for rejecting the act in multiple forms. Meanwhile, some are questioning the credibility of the Review Group on Intelligence and Communications, which will soon deliver a report on the NSA’s surveillance activities, saying it is made up of administration insiders. [The New York Times]
WW – Twitter Encrypts; Zuckerberg Says Gov’t “Continuing to Blow It” on Privacy
Twitter has announced it has encrypted its services to protect user data from cyber criminals and intelligence agencies. Lawyers for Lavabit—which closed its e-mail services rather than share master encryption keys with the government—have filed a reply brief in a case that may determine whether a company must be compelled to turn over such keys. Lavabit Founder Ladar Levison recently spoke about his experience with The Privacy Advisor. Meanwhile, the NSA’s John Inglis said he is skeptical about the NSA sharing the vast troves of data it collects with other federal agencies such as the FBI or DEA—indicating he does not agree with a reform bill proposed by Sen. Diane Feinstein (D-CA). The Wall Street Journal reports that a federal judge appears to be “receptive to critics” of the NSA’s collection of phone metadata, but one federal lawyer has argued that Americans have “no expectation of privacy” in making phone calls. And on ABC’s This Week , Facebook CEO Mark Zuckerberg said the U.S. is “continuing to blow it” on privacy issues. [Full Story]
US – BBB: Ad Campaign Violated Industry Code
The Better Business Bureau has said a genetic testing company’s recent online ad campaign didn’t comply with the ad industry’s privacy code. Company 23andMe retargeted users who had visited 23andMe’s website, according to the report, but the ads lacked the AdChoices icon, which allows users to opt out of behavioral advertising. The company as well as its ad-campaign agency and the platform used all said they expected the other to serve the icon. The failure “highlights the need for greater awareness and vigilance from all companies that comprise this diverse and interdependent ecosystem,” the Better Business Bureau said in a statement. [MediaPost News]
US – FTC Announces New Chief Technologist, Senior Advisor Privacy/Security
The FTC has announced the appointments of Harvard University Prof. Latanya Sweeney as chief technologist and University of Pennsylvania Wharton School Assistant Prof. Andrea Matwyshyn as a senior policy advisor on privacy and data security issues. “I am delighted to welcome Latanya to the FTC. She has done groundbreaking work in the anonymization of sensitive consumer information and privacy technology, and I look forward to the contributions she will make to the FTC’s efforts to protect consumers,” said Chairwoman Edith Ramirez, adding, “Andrea is a rising academic star whose insights on the intersection of technology innovation and data privacy and security law will be enormously valuable to the FTC’s efforts to protect consumer privacy while promoting innovation. [Full Story]
Privacy Enhancing Technologies (PETs)
WW – Will the Internet Become Private as a Standard?
The Internet Engineering Task Force (IETF) has asked the architects of Tor, a privacy-protecting web-browsing tool, to discuss the idea of using their product to make private web browsing the Internet standard, Salon reports. “Collaborating with Tor would add an additional layer of security and privacy … that goes beyond encrypting your communications,” the report states. Andrew Lewman, executive director of Tor, says the idea is “worth exploring to see what is involved. It adds legitimacy; it adds validation of all the research we’ve done”; however, he adds, “The risks and concerns are that it would tie down developers in rehashing everything we’ve done, explaining why we made decisions we made. It also opens it up to being weakened.” Meanwhile, new app Aether is an encrypted network that lets people share content anonymously. [Full Story]
WW – Software Aims to Protect Social Media Content
Managing social media privacy settings might become easier due to software that can suggest privacy settings for content you share with different groups. The software uses data-mining techniques to analyze the structure of users’ social network and then predicts what kind of privacy they would choose, the report states. It was developed by researchers at Penn State and the Missouri University of Science and Technology, and its developers say the software is 77%- accurate in guessing what kind of privacy people would assign each piece of content. [MediaPost]
EU – EuroPriSe Seal To Change Hands January 1
The German data protection authority that operates the EuroPriSe privacy certification seal, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), announced this month that it is transferring operations to a new entity to be known as EuroPriSe GmbH as of January 1. This, said Thilo Weichert, head of ULD, will allow the program to grow in a way that was not possible as part of a regulatory body like ULD. Jurgen van Staden of 2B Advice explains the new organization will allow for extending certifications to a much larger group of methods, concepts, people, training sessions and websites “in accordance with the tried and tested certification structure EuroPriSe experts and customers have come to know.” [Privacy Advisor]
WW – LG Investigating Reports of Smart TV Data Snooping
LG is looking into reports that some of its Smart TVs are gathering information about customer viewing habits and sending the data back to the manufacturer. The activity reportedly occurs even when customers have turned on certain privacy settings. A recent blog (link in BBC story) said that the TVs gather data about which channels customers watch and what devices are connected to the television. The blogger found that an option allowing collection of viewing data was on by default, but even after he switched it off, the information was still being sent, although a flag in the data indicated that he had changed that preference. A second blogger says that LG Smart TVs share not only that information but also the names of files shared on home and office networks. Asked for comment, LG responded, “Customer privacy is a top priority at LG Electronics and, as such, we take the issue very seriously. We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.” [CNET UK] [BBC] [Ars Technica] [Ars Technica] [Opinion: TV's Rollout Shows Lack of PbD, Transparency]
WW – LG Plans To Update Firmware Following Smart TV Allegations
Following a UK blogger’s allegations that smart TVs are collecting user data on such details as what channels are watched and the names of media files streamed over networks, LG has responded saying that the information collected was “not personal but viewing information.” The company said it has verified that even when the Smart TV platform is turned off by the user, information apparently continues to be transmitted, though the data is not retained by the server. “A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted,” the company said. [CNET]
WW – Open-Sourced Router Privacy Project Unveiled
Embedded systems design company Redfish Group has launched an open-sourced router project to help protect online privacy. Called ORP1, the project aims to protect the privacy of users across all their devices located within their homes. ORP1 is set to feature a user-friendly interface with an OPSec virtual privacy network and Tor server, the report states. Redfish Managing Director Justin Clacherty said, “I’ve really wanted to get an open networking platform out there for a while now, and we just felt that a router was the way to go, especially with all the NSA revelations and people’s worrying about the different U.S. tech companies providing equipment to us, which may have backdoors.” [ZDNet]
US – Washington’s Complex Approach to Data Brokers
Politico reports on two current government investigations into data brokers and what those could mean for the federal government’s approach to the industry. The FTC and the Senate Commerce, Science and Transportation Committee are each conducting separate investigations. It is not yet known when results will be arrive, the report states. FTC Commissioner Julie Brill has been promoting her Reclaim-Your-Name concept , a one-stop shop for consumers to access their online profiles compiled by data brokers, but the marketing industry is pushing back. Direct Marketing Association Vice President for Government Affairs Rachel Thomas said, “We don’t believe a one-stop, one-size-fits-all web portal with every data broker in the world is going to be something that actually increases consumer understanding in the way that is necessary.” [Politico]
WW – How To Do PbD in Predictive Analytics
IBM Fellow and Entity Analytics Group Chief Scientist Jeff Jonas discusses his involvement with Privacy by Design and how he integrated it into new predictive analytics software. Jonas has created technology that allows businesses to collect and analyze data from multiple sources in real time to help make “smart” decisions. He said, “One of my goals in the use of Privacy by Design in the G2 project was what kind of privacy features can I bake in that cost no more? In other words, they’re by default. They’re built in. In fact, a few of them, you can’t even turn them off. That way, someone’s not left there with a decision, ‘Yeah, we trust ourselves. I don’t have to pay extra for a privacy feature. I’d rather just buy more disk space.’” [Data Informed]
Security
US – Technology Council Report Says Govt Needs to Improve Cybersecurity
A report from a presidential technology council says that the US government is not setting a good example in cybersecurity. According to the report from The President’s Council of Advisors on Science and Technology, “the Federal Government rarely follows accepted best practices.” The report’s “Overarching Finding” reads: “Cybersecurity will not be achieved by a collection of static precautions … [but instead] requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.” Among the report’s recommendations is that Internet service providers (ISPs) increase their real-time threat response. [Ars Technica] [SC Magazine] [Report]
US – Will A Not-So-Friendly R2-D2 Be Your Next Security Guard?
“The night watchman of the future is five feet tall, weighs 300 pounds and looks a lot like R2-D2—without the whimsy.” A California company’s mobile robot. Knightscope’s K5 Autonomous Data Machine, was unveiled, developed “as a safety and security tool for corporations, as well as for schools and neighborhoods,” the report states. Some see such a move as “an entry point to a post-Orwellian, post-privacy world,” the report states, quoting the Electronic Privacy and Information Center Marc Rotenberg as saying, “This is like R2-D2’s evil twin.” [The New York Times]
UK – Air Passengers Allowed to Refuse Scanners as More Are Installed
Security scanners are currently in use at 10 of the UK’s busiest airports and are being deployed at 11 more, according to Transport Secretary Patrick McLoughlin. At the same time, passengers are now being offered alternate options after refusing to go through the scanners, while previously they were simply not allowed to fly. “From today, passengers who opt out of being screened by a security scanner will be allowed a private search alternative. This is a method of screening which we consider is of an equivalent security value to a security scan,” McLoughlin said. [Computerworld UK]
WW – Companies Largely Support BYOD, Lack Sufficient Policies for IT
While the majority of IT specialists say their companies support bring-your-own-device (BYOD), a recent survey indicates they don’t use tools or policies to protect corporate data, Bank Systems & Technology reports. The Zix Corporation and Ponemon Institute survey found that 56% of respondents say their companies seek to replace current BYOD solutions. “Companies are swiftly adopting BYOD to enable work productivity and create efficiencies but are hitting significant road bumps in cost, security and employee concerns,” said the Ponemon Institute’s Larry Ponemon. Meanwhile, one security expert cautions against the pitfalls of BYOD policies, including a once-size-fits-all approach. [Full Story]
US – NIST Holds Last Workshop Before Cybersecurity Framework Becomes Final
The National Institute of Standards and Technology held its fifth workshop on President Barack Obama’s executive order for a cybersecurity framework, the last before the framework is due to be finalized in February. The workshop was intended to solicit feedback from stakeholders. While many expressed enthusiasm about the swiftness with which the framework has moved from concept to model, there are still questions on how to apply the framework and what adoption will look like. “From my perspective, the framework should be used as a guidance,” said AT&T’s vice president of global public policy. [Computerworld]
US – US Defense Contractors Now Required to Implement Security Standards
The US Department of Defense (DOD) will now require contractors to implement “established information security standards” on all classified and unclassified networks. Companies contracted to make weapons for DOD will be required to report all network security breaches “that result in the loss of unclassified controlled technical information.” The requirements will be built into contracts. [The Hill] [Yahoo! ] NextGov] [Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information]
Surveillance
US – FAA Unveils Privacy Rules for Test Sites
The Federal Aviation Administration (FAA) has issued privacy requirements for U.S.-based drone testing sites. Earlier this year, the FAA announced there will be six drone testing sites to help integrate the technology into the National Airspace System. Some have questioned whether the agency has the authority to issue privacy requirements. One commenter said, “Existing privacy laws are sufficient to cover the responsible use of (drones). There already exist federal, state and other laws that protect privacy … tort law may also provide avenues of recourse for plaintiffs to protect their privacy rights.” The ACLU’s Chris Calabrese said the government has taken an “important step” by issuing the requirements, but added, “Congress must also weigh in on areas outside the FAA’s authority…” [Courthouse News Service]
US – Amazon Envisions Eventually Delivering Packages in 30 Minutes Via Drones
On 60 Minutes, Amazon CEO Jeff Bezos unveiled plans to use unmanned aerial vehicles (UAVs) to deliver packages to customers. University of Washington Law Prof. Ryan Calo said this is the type of commercial application Congress envisioned when it ordered the Federal Aviation Administration (FAA) to open up airspace to the technology. “By 2015, the FAA has to come up with a set of rules that integrates just the kind of thing that Amazon is talking about,” said Calo, adding that the agency may initially require humans to guide the UAVs remotely. [The Washington Post] [60 Minutes]
US – Data Broker Settles With NJ Attorney General
A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [Information Week]
WW – Suspicious Internet Route Hijacking Raises Concerns
Earlier this year, researchers began noticing suspicious activity called route hijacking, a type of man-in-the-middle attack on Internet traffic. The technique routes the traffic through countries around the world where it could be inspected and possibly altered before being sent on to its final destination. Internet traffic by its very nature can travel widely and by what would not appear to be the most direct path, but the recent attacks indicate that the traffic is deliberately being routed in certain ways. In some cases, large chunks of traffic from financial institutions, government agencies, and service providers in several countries have been routed through servers in Iceland and Belarus. [Ars Technica] [NBC News]
Telecom / TV
US – Investors Want AT&T, Verizon to Share Gov’t Requests
Investors have asked AT&T and Verizon to reveal what data was shared with U.S. and foreign governments and what measures were taken to protect users’ privacy. New York State Comptroller Thomas DiNapoli said, “Transparency allows investors to make informed decisions about corporate behavior … Publishing regular reports on requests for information from governments would be an appropriate response to shareholder and customer concerns about trust and privacy in the digital world.” A spokesman for AT&T said, “As standard practice we look carefully at all shareholder proposals, but at this point in the process we do not expect to comment on them.” Meanwhile, newly released FISA court documents reveal that the NSA shared bulk e-mail and phone records data with other government agencies, a violation of court-ordered procedures, The Guardian reports. [Bloomberg]
US Government Programs
US – U.S. Accountability Office Calls for Baseline Privacy Legislation
The Government Accountability Office (GAO) has released a report calling for a comprehensive federal law governing the collection, use and sale of personal data by businesses. The report was called for by Sen. Jay Rockefeller (D-WV) earlier this year. The GAO analyzed current law, regulation and enforcement actions and convened with representatives from government, advocacy groups, trade associations and data broker organizations, concluding, “Congress should consider strengthening the current consumer privacy framework to reflect the changes in technology and the marketplace, particularly in relation to consumer data use for marketing purposes.” The Direct Marketing Association (DMA) said, “While we do not share the GAO’s opinion … DMA was pleased to see that the report recognized the important economic benefits that derive from the responsible use of consumer data…” [AdWeek]
US – Six Practical Tips Gleaned from the DHS Annual Privacy Report
Privacy sector folks might think they don’t have much to learn from the Department of Homeland Security Privacy Office’s 2013 Annual Report to Congress, but you may find that the report contains plenty of relevant and useful information to help you manage your organization’s privacy program. Dennis Holmes tackles the task of analyzing the 86-page report and bubbling up the six practical tips most likely to give your program a boost. [Privacy Perspectives]
US Legislation
US – Pennsylvania Senate Committee Amends Proposal for DNA Database
The Pennsylvania Senate in June passed a proposal allowing police to collect and retain DNA from anyone arrested for a felony or misdemeanor, expanding the current law which allows for DNA collection from those convicted of a “serious felony.”. However, the House Judiciary Committee amended the bill before approving it to address concerns that the bill was too broad. One amendment would stop police from entering DNA data into any state or national database until a suspect is “held for court at a preliminary hearing or waives his right to the hearing,” the report states. Another makes it easier for those determined innocent to have their DNA records expunged. One ACLU representative says the amendments don’t go far enough. [The Sentinel]
US – NJ Social Media Privacy Law In Effect, NYC Debating Its Own
On the heels of New Jersey’s Social Media Privacy Law going into effect, the Staten Island City Council is looking at a bill that would provide similar protections for employees and potential employees. Councilwoman Debi Rose (D-North Shore) one of the bill’s sponsors, said it “would eliminate the ability of an employer to demand or retaliate against failure to divulge a job applicant’s or employee’s private social media account information,” adding, “Privacy rights in this technological age must be protected. Information that is
not available to the rest of the public cannot be demanded by an employer and should not hinder an individual’s prospective or current employment.” [SI Live]
US – Disparate State Laws = Breach Response Confusion, Unprotected Subjects
While companies work to navigate disparate state breach laws, plaintiffs’ lawyers are on the hunt for the next “mega lawsuit, and data privacy looks very promising with its litigation trifecta: major consumer exposure, complex and increasingly antiquated state and federal data privacy laws, and ever larger and more frequent data breaches.” Standardizing and modernizing data breach laws is the first step to protecting consumers and organizations, according to the report, noting that “as companies constantly work to keep one step ahead of the bad guys, the goal should be to achieve real data security with legal clarity, rather than another big payday for the plaintiffs’ bar.” [Mondaq]
US – VT Supreme Court Rules No Privacy on Workplace Computer
In a case that involved Rutland Police Department employees viewing and sending pornography on work computers while on duty, the Vermont Supreme Court ruled that the employees had no right to privacy. Additionally, because the computers were city property and the employees were on duty, there was no basis to redact personally identifying information from the records. The report from HR.BLR.comincludes major takeaways from the decision, including that “personal information about public employees may be disclosed if the broad public interest served by the disclosure outweighs individual employees’ expectations of privacy.”
US – FTC v. Wyndham: Round One
Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security. [Full Story]
US – How To Handle California’s New DNT Law
Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, the legislation “may raise as many questions as it answers,” because, due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Discover practical options in this Privacy Tracker blog post. [Full Story]
Workplace Privacy
US – Study Finds Hiring Discrimination Based on Social Media
A Carnegie Mellon study that found many businesses use social media to look up job applicants and suggests they use such data to discriminate. The study revealed that between 10% and one-third of U.S. firms searched social media to check on job applicants early in the hiring process. One of the study’s authors, Alessandro Acquisti, said, “By and large, employers avoid asking questions about these traits (such as religion or sexuality) in interviews,” adding, “But now technology makes it easier to find that information.” Meanwhile, The Atlantic’s featured article for December reports on the now common combination of Big Data analytics and human resources—also known as “people analytics”—and the way it’s transforming how employers hire, fire and promote employees. [The Wall Street Journal]
EU – Prosecutors Investigating IKEA Execs for Data-Spying
Prosecutors in France are investigating three senior IKEA executives amid allegations they authorized illegal spying on employees and customers. Chief Executive Stefan Vanoverbeke and two others were possibly involved in a “conspiracy to collect a range of personal information including criminal records, automobile registrations and property records,” the report states. According to prosecutors, the executives collected such data in order to watch employees and also reveal “unflattering details” about customers bringing lawsuits. IKEA France has been ordered to post a bond of 500,000 euros. [The New York Times]
US – Officers May Be Tracked Via GPS-Equipped Cars
Boston, MA, police officers are worried that their superiors will be tracking their every move now that Boston police cruisers are likely to be equipped with GPS tracking devices. Administrators say the devices will allow dispatchers to view where officers are located rather than waiting for a radio response, accelerating response times to crimes. The plan awaits the approval of the City Council. “Nobody likes it. Who wants to be followed all over the place?” one officer said. Officers would be alerted if someone from the public requested GPS records. Meanwhile, developers of license-plate tracking technologies are developing rich databases, the contents of which are sometimes for sale. [The Boston Globe]
+++