Privacy News Highlights
01–15 October 2010

Biometrics 

CA – Sex Offender Name Changes Prompt New Fingerprint Policy

People who work with the most vulnerable members of society must be prepared to submit fingerprints as part of a new RCMP policy aimed at closing a loophole created by pardoned sex offenders who change their names. The change was spurred by news earlier this year that former hockey coach and convicted sex offender Graham James had been granted a pardon, but some groups say it is discouraging legitimate volunteers, who cannot start work until they clear what is a sometimes lengthy process. As of July 9, anyone applying for a vulnerable-sector verification in order to work with children, the elderly or the disabled, and whose birthdate and sex match those of a convicted sex offender, is required to submit to a fingerprint search. That process can take months and is presenting serious administrative challenges, say some RCMP detachments. Because the check matches only on birthdate and sex, and there are more than 14,000 pardoned offenders in the national database, the odds of a coincidental match are high. If a match is found, fingerprints are taken on paper by local police and sent to the RCMP in Ottawa for comparison. Since the policy went into effect, there have been 9,600 fingerprint checks; in all of 2009, there were just 2,500. [Source] See also: [Acton man repeatedly mistaken for convict with same name] and [IBIA Statement Regarding the Release of the National Research Council Report – Biometric Recognition: Challenges and Opportunities]

US – Report Calls for Caution as Use of Biometric Technology Spreads

As Canada forges ahead with plans to introduce biometric passports, an expansive U.S. study calls for caution in using the identification technology, warning that it is “inherently fallible” and does not work as well as one would think from watching police shows on TV. The report, which questions whether biometric identification is truly reliable, concludes that more study is needed to address the “numerous sources of uncertainty” in existing technology, which is being increasingly embraced by governments and businesses. “For more than 50 years, the promise of biometrics has outpaced the application of the technology,” said Joseph Pato, a chief technologist for Hewlett-Packard and chair of the blue-ribbon committee that wrote the 160-page report. The report, which was years in the making, notes that biometric recognition is becoming “a routine method” for identifying criminals, tracking patient medical information, and accessing numerous services. “Even very small probabilities of misrecognitions — the failure to recognize an enrolled individual or the recognition of one individual as another — can become operationally significant when an application is scaled to handle millions of recognition attempts,” the report said. Furthermore, the inevitability of false alarms could produce mistrust of the system and threaten security because “operators could become lax about dealing with potential threats.” Another shortfall mentioned is that biometric information can be affected by changes in age, environment, disease, stress, and other factors. The study has drawn some criticism in the U.S., where biometric proponents have dismissed the findings as outdated. The study also notes that legal challenges against biometrics are growing and that recent decisions have raised “serious questions” about the admissibility of the technology as evidence in criminal cases. [Source]

UK – School Installs Facial Recognition Cameras to Stop Students Turning Up Late

It could make the time-honoured tradition of taking the school register a thing of the past. Cutting-edge cameras are being used to scan children’s faces as they enter school. The face-recognition technology confirms that they have turned up, records whether they were on time or late and keeps an accurate roll call. It can also deliver messages to pupils as they sign in. Ten schools have started using the system, which is likely to be introduced elsewhere if considered a success. But privacy campaigners reacted angrily yesterday, warning that the technology was another ‘encroachment on civil liberties’. Britons are already subjected to the greatest level of electronic surveillance in the world, with their movements said to be recorded in some way about 3,000 times a week. [Source]

AU – Fingerprinting Gamblers is ‘One Option’: Gillard

The federal government is considering the use of fingerprint technology in clubs to help track problem pokie players. But Prime Minister Julia Gillard says the system, suggested by Senator Nick Xenophon, is just one option for enforcing mandatory pre-commitment limits. “We’ll be looking at the whole range of technology that could be used to meet the same pre-commitment,” she told reporters. “The Productivity Commission (inquiry into problem gambling) did not define which technology to use. That has to be the subject of inquiry and discussion.” [Source] [The Sydney Morning Herald]

Canada 

CA – Gov’t Data Sharing “A General Concern”

The findings of the federal privacy commissioner’s investigation into Veterans Affairs Canada’s data handling have prompted concerns that other federal departments may be disseminating personal information about government critics. Commissioner Jennifer Stoddart last week released investigation results indicating that Veterans Affairs contravened the Privacy Act in sharing a veteran’s sensitive records with certain government officials. Stoddart said that the potential for other departments to be engaging in similar activities is “a general concern,” but added: “At the present time, I have no indication that this is happening in other departments.” [The Hill Times] See also: [Feds spent $1 million plus testing scrapped census]

CA – Privacy Czar Issues Warning to Tech Sector

Canada’s Privacy Commissioner Jennifer Stoddart says that the ubiquity of social media and smart phones is blurring the line between work and play, and privacy watchdogs are having trouble keeping up. Canada’s privacy boss has a firm message for the tech industry: the government is toughening its security standards; now it is your turn. Federal departments adopting new technology “need to know that developers in the private sector are incorporating the privacy safeguards that the public expects,” Stoddart told the final day of the Government Technology Conference (GTEC). [Source]

CA – Complaints Backlog Prompts Criticism of Privacy Watchdog

Saskatoon’s city clerk, Mann, is pushing Saskatchewan’s privacy commissioner to streamline reviews to deal with an increasing backlog of complaints, after the release of a report critical of the city’s handling of a six-year-old file. At issue is a review, released by the privacy commissioner, that says the city should release six emails sought in a 2004 freedom of information request concerning the south downtown. Such a long wait time is unfair to local authorities, which may have changed their practices in the interim, Mann said. Since 2004, the city has changed its policies regarding the release of emails as the interpretation of the Privacy Act has evolved. The privacy commissioner’s reports are complex legal documents that find wrongdoing when they should simply offer expertise to municipalities on the release of information, Mann said; the focus should be on offering advice instead of finding fault. [Source]

CA – OPC Audit Report on the Protection of PII in Wireless Technology

An OPC audit of select federal institutions has made recommendations that are equally relevant to the private sector: fully assess the threats and risks inherent in the use of wireless technologies (to ensure that material risks have been identified and appropriately mitigated), securely encrypt Wi-Fi networks, and implement strong passwords and encryption for smartphones (passwords should be at least 8 characters and mix upper- and lower-case letters, numbers and symbols). Existing policies lacked key elements, including restrictions on the use of PIN-to-PIN messaging (these messages travel device to device through the carrier network, bypassing the corporate servers, so they escape corporate logging and policy and are easily intercepted), documented procedures to mitigate the risk of data exposure from lost devices (processes could include remotely erasing the data, disabling the device and removing the wireless user from the server), and education for users on how to use wireless devices in a manner that respects privacy (presentations, orientation guides and awareness campaigns can remind users of their responsibilities, the types of information that may be transmitted, and solutions for safeguarding the device). Current controls for managing surplus wireless devices were not adequate, as entities could not demonstrate that data had been wiped from smartphones prior to their being sent for disposal; checklists can be used to verify that all steps in the disposal procedure have been completed. [Source]

CA – OPC Audit Report on the PII Disposal Practices in Selected Federal Institutions

Recommendations relevant to the private sector include ensuring that the terms and conditions in off-site destruction contracts are consistent with the organization’s own security standards (some contracts specified less stringent standards than the organization’s requirements), implementing a monitoring protocol for off-site destruction companies (records destruction companies violated contractual obligations: staff did not hold the requisite security clearance, shredded material was larger than the contract required, and documents were not disposed of within the prescribed 72-hour timeframe), and requiring service providers to issue certificates of destruction stating the date of destruction and the authorized personnel who witnessed it (without these there was no way of measuring compliance). Where surplus computers are to be donated or sold, departments should provide a signed declaration certifying that the assets have been cleansed of protected information. The Commissioner found that adequate safeguards were in place to protect personal information awaiting disposal: designated employees verify that the removal vehicle’s door is padlocked and security-sealed, all contracts stipulate that records are to be transported to the contractor’s facility without delay, upon arrival a copy of the waybill and the attached security seal are returned to the organization, and records are moved to a designated secure room for storage. [Source]

CA – Niqab May Be Worn During Testimony: Court

The Ontario Court of Appeal has ruled that the complainant in an alleged sexual assault may not have to remove her niqab while testifying, as long as the fairness of the trial is not compromised. In the 3-0 ruling Wednesday, the court upheld an earlier decision by the Superior Court. A lower court had ordered the 32-year-old Muslim woman, identified only as N.S., to remove the traditional veil, which covers most of her face. Raheel Raza, director of interfaith affairs at the Muslim Canadian Congress, had said wearing a face covering is not a religious requirement of Islam. “If this is passed and the woman is allowed to appear with her face covered, how’s this to stop anyone else to come into court with their identity and their face covered?” Raza said. [Source]

CA – OBA Reveals Jennifer Stoddart as Recipient of Privacy Law Award

The Ontario Bar Association’s (OBA) Karen Spector Memorial Award for Excellence in Privacy Law has been awarded to Jennifer Stoddart, Privacy Commissioner of Canada, for her accomplishments this year. Ms. Stoddart will be presented with the award during a dinner ceremony in Toronto on October 18, 2010. “During her tenure as Privacy Commissioner of Canada, Commissioner Stoddart has transformed the Office of the Privacy Commissioner (OPC) into a pre-eminent privacy regulator in Canada and around the world,” said Laura Davison, chair of the OBA’s Privacy Law Section. “Under Commissioner Stoddart’s leadership, the OPC has become a strong and effective organization, and a driving force for ensuring privacy keeps pace with a rapidly changing environment.” [Source] See also: [Privacy Commissioner of Canada Jennifer Stoddart Honored with 2010 IAPP Privacy Vanguard Award]

CA – IPC Releases Joint Paper on Privacy by Design and Online Targeted Advertising

A privacy-protective method of geotargeting IP addresses would have the ad server label each campaign for a specific region with a unique, opaque code, and have the ISP return which campaign codes match which IP addresses. The model is double blind: the ad server never learns the precise geographic location of an IP address, and the ISP never learns the content of the ad being targeted. To ensure that personally identifiable information cannot be inferred from the matches, a minimum-match threshold is applied (each campaign must match a sufficient number of individuals to mitigate the risk of re-identification), and an anti-interference algorithm randomly assigns each IP address to only one campaign where two campaigns overlap on a target region with a small number of residents (otherwise the intersection of the two match sets would single out that small group). Other privacy-protective measures include dynamic IP address management (the ISP is notified to reassign an IP address when it is queried a disproportionate number of times) and persistent opt-out (a network-based opt-out avoids the accidental deletion of opt-out cookies). [Source]
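The ISP side of the matching described above, as an added illustration (example code written for this digest, not code from the IPC paper or any ad platform). The IP-to-region table, the campaigns and the threshold are constructed sample data, the 72-hour and region values are arbitrary, and the choice of keeping a campaign whose match set shrinks below the threshold after anti-interference is an assumption left to the caller.

```python
"""Double-blind IP geotargeting, ISP side, with min-match and anti-interference.

Added example: the data below is constructed, not taken from the paper.
"""
import random
from collections import Counter, defaultdict

# Constructed sample data. Only the ISP holds the IP -> region mapping.
ISP_IP_TO_REGION = {
    "10.0.0.1": "R1", "10.0.0.2": "R1", "10.0.0.3": "R1", "10.0.0.4": "R1",
    "10.0.0.5": "R2", "10.0.0.6": "R2",          # R2 has only two residents
    "10.0.0.7": "R3", "10.0.0.8": "R3",
}

# Constructed sample data. Only the ad server holds the creatives; just the
# opaque code and the target regions cross the boundary to the ISP.
AD_SERVER_CAMPAIGNS = {
    "C-a1": {"creative": "ski resort promo", "regions": {"R1", "R2"}},
    "C-b2": {"creative": "sailing school",   "regions": {"R2", "R3"}},
    "C-c3": {"creative": "niche product",    "regions": {"R3"}},
}


def ad_server_request(campaigns):
    """Ad server -> ISP message: strip creatives, send only code -> regions."""
    return {code: set(c["regions"]) for code, c in campaigns.items()}


def isp_match(ip_to_region, request, min_match, choose=None):
    """ISP -> ad server answer: {ip: set(codes)} plus the set of rejected codes.

    min_match: a campaign whose target regions cover fewer than this many
               IPs is refused outright (minimum-match threshold).
    choose:    function (code_a, code_b) -> code to keep for an IP that sits in
               a small overlap of two campaigns (anti-interference). Defaults to
               a uniformly random pick; tests pass a deterministic one.
    """
    rng = random.Random()
    choose = choose or (lambda a, b: a if rng.random() < 0.5 else b)

    region_to_ips = defaultdict(set)
    for ip, region in ip_to_region.items():
        region_to_ips[region].add(ip)

    code_to_ips, rejected = {}, set()
    for code, regions in request.items():
        ips = set().union(*(region_to_ips[r] for r in regions))
        if len(ips) < min_match:
            rejected.add(code)          # too few people: re-identification risk
        else:
            code_to_ips[code] = ips

    # Anti-interference: if two accepted campaigns overlap on fewer than
    # min_match IPs, each such IP is handed to only one of them so the ad
    # server cannot intersect the two answers to isolate that small group.
    codes = sorted(code_to_ips)
    for i, a in enumerate(codes):
        for b in codes[i + 1:]:
            overlap = code_to_ips[a] & code_to_ips[b]
            if 0 < len(overlap) < min_match:
                for ip in sorted(overlap):
                    keep = choose(a, b)
                    code_to_ips[b if keep == a else a].discard(ip)

    matches = defaultdict(set)
    for code, ips in code_to_ips.items():
        for ip in ips:
            matches[ip].add(code)
    return dict(matches), rejected


def overqueried_ips(query_log, factor=2.0):
    """Dynamic IP management: flag IPs queried more than `factor` times the
    per-IP mean so the ISP can reassign them. query_log is a list of IPs, one
    entry per lookup (constructed in the test)."""
    counts = Counter(query_log)
    if not counts:
        return set()
    mean = sum(counts.values()) / len(counts)
    return {ip for ip, n in counts.items() if n > factor * mean}


if __name__ == "__main__":
    found, refused = isp_match(ISP_IP_TO_REGION,
                               ad_server_request(AD_SERVER_CAMPAIGNS), 3)
    for ip in sorted(found):
        print(ip, sorted(found[ip]))
    print("rejected:", sorted(refused))
```

With the sample data, C-c3 targets only R3 (two residents) and is refused; C-a1 and C-b2 are both accepted but overlap only on R2's two residents, so each of those two IPs is reported to just one of the campaigns. Without that step the ad server could compute C-a1 ∩ C-b2 = {the R2 residents}, defeating the double blind. Note that after anti-interference a campaign's own match set can fall below the threshold; whether to refuse it at that point is a policy decision the paper leaves open.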

E-Government 

US – Univ. of Michigan Students Found More Security Issues in Online Voting System

Two weeks ago, the DC Council’s Board of Elections and Ethics (BOEE) tested an online voting system for overseas voters by challenging people to try to break in. University of Michigan computer science Professor J. Alex Halderman passed the offer to his graduate students, who gained control of the system. They had the ability to change votes, and were inside the system for two days before being discovered. At a recent hearing of the DC Council, Halderman provided additional details about his students’ experience. Halderman told the Council that while inside the system, they had seen evidence that intruders who appeared to be from China and Iran were trying to access the system. The students modified the firewall and changed the password from its default state to help keep the intruders out. Halderman and his students were also able to gain control of routers and switches, which gave them access to security cameras in a BOEE server room. Halderman further told the Council that his students found a document on the test server containing information about 900 people who were eligible to use the system to vote; that data could have been used by unauthorized persons to request ballots and cast votes. [Washington Post] [NY Times]

US – DC Suspends Online Voting System After Security Breach

The Washington, D.C. Board of Elections and Ethics has put on hold a system that would allow voters overseas to cast their ballots over the Internet. The Board believed the Digital Vote by Mail system to be secure and challenged hackers to test its security. University of Michigan students found holes in the program and altered the system so that it played the school’s fight song when a vote was cast. To make such changes, the intruders must have gained complete control of the system. The system appears to have stored a database username, password and encryption key on a vulnerable server. [ComputerWorld] [GCN] [Washington Post] [WIRED] [ComputerWorld] [The Register]

UK – Council Spends £29,000 Grant on ‘Bin Snoopers’ to Check Your Waste – With Poll

A UK council has employed two people to “snoop” inside bins in a move that residents have branded “big brother gone mad”. The “recycling promotion officers” are tasked with checking what is being chucked away in South Derbyshire. The pair lift the lid on bins and have a peek inside before jotting down what they see, but are not permitted to open bags or delve deeper, for health and safety reasons. South Derbyshire District Council is funding the two full-time positions with a £29,311 grant from the Government. It hopes the controversial move will boost the amount of recycling, despite the district already having the highest recycling rate in the county. [Source]

Electronic Records 

CA – Nunavut Electronic Health Record Concerns Raised 

Nunavut does not have laws in place to protect patient information when electronic health records are introduced, according to the territory’s information and privacy commissioner. Elaine Keenan Bengts said she does not have the power to investigate any privacy violations that might occur after patients’ medical records go electronic. “Unfortunately, the Access to Information and Protection of Privacy Act has privacy rules, but no oversight and no way to address breaches,” Keenan Bengts told a committee of MLAs in Iqaluit. Health officials are working toward introducing electronic health records in Nunavut within the next six months. Once in place, the electronic records will allow doctors and other medical staff to share patient charts digitally, rather than rely on the cumbersome paper records they use now. Keenan Bengts said that while she is confident the electronic records will be secure and well designed, the system will be in place before any privacy laws are passed to oversee it. “Legislation should precede the electronic record. That’s not going to happen here,” she said. [Source]

Encryption

UK – UK Man Jailed for Refusing to Surrender Password

A 19-year-old man has been sentenced to four months’ detention for refusing to surrender the password needed to decrypt content on his computer. Oliver Drage was found guilty of violating the Regulation of Investigatory Powers Act (RIPA) by refusing to provide police with a password that would allow them to access allegedly illegal content on his computer. Drage was arrested in 2009 as part of an investigation into images of child sexual abuse. [OUT-LAW] [The Register] [BBC]

EU Developments 

UK – UK Facing Legal Action from EC Over Inadequate Privacy Protection

The European Commission said it would initiate legal action against the UK for failing to implement adequate online data privacy rules and for allowing ISPs to use behavioural advertising. EU rules require that member states “ensure the confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance,” and that ISPs obtain consumer consent before gathering data for targeted advertising. The UK has not amended its data protection laws to comply with EU law: UK law punishes intentional interception, but allows interception of communications when the interceptor “has reasonable grounds for believing” that users have consented. The legal action was spurred by reports that UK ISP BT had run online behavioural advertising pilot programmes without notifying customers. [Guardian] [EU Observer]

EU – Data Protection Law Applied to Social Networking in the EU

The European Data Protection Working Party’s Opinion on social networking applies to social network providers (“SNPs”) that are headquartered in the European Economic Area, or that process personal data in a non-European state but use storage equipment located in a member state. It identifies three categories of data controller in social networking: the SNP; third-party application providers (a determination that requires case-by-case analysis); and users themselves, where the “household exception” under the Data Protection Directive (data processing in the course of purely personal or household activity) does not apply, i.e. where a social network (“SN”) is used for commercial, political or charitable purposes or to advance a company’s goals, where a large group of contacts can access a user’s profile information (e.g. all members of the SN, or anyone via a search engine), or where users process a third party’s data. The Opinion stresses the need for security, warning SNPs to be cautious about default settings that let users share information with unauthorized visitors without explicit consent; conservative default settings should be used. Data controllers should inform users of the controller’s identity, the manner in which data is used, and the risks involved when users upload private information, including pictures; SNPs must inform users of any direct marketing associated with the data, of any disclosure to third parties, and of any use of sensitive data. [Source]

EU – French Senate Bill to Better Protect the Right to Privacy in The Digital Age

A French Senate draft bill would amend Law No. 78-17 of 6 January 1978 (the “DPA”) to provide that processing of personal data carried out on behalf of the State is permitted where it is relevant to public safety, where its purpose is the prevention, investigation, detection or prosecution of crimes or the enforcement of criminal convictions or security measures, and where the categories of processing serve the same purpose, target the same types of data and have the same categories of recipients. Before any processing or disclosure of personal data, an individual may object to his or her data being used for marketing purposes. The appointment of a data protection officer would be mandatory where a public authority or private organisation processes personal data and more than fifty people have direct access to it or are responsible for its processing; the Commission nationale de l’informatique et des libertés (“CNIL”) must be notified of the appointment, and it must be brought to the attention of the staff representative bodies. Before any processing of personal data, the data subject must be told certain information, such as the identity and address of the data controller, the purpose for which the data is intended, the retention period of the data, and his or her rights of cancellation, access and correction. The data controller must also inform any user of an electronic communications network of the purpose of any access to, or storage of, information in the user’s terminal equipment, the nature of the information stored, and the persons or classes of persons authorised to access it, and must obtain the user’s consent. [Source]

EU – Swiss Courts Rule on Computer IP Address

Switzerland’s data protection authority (the Federal Data Protection and Information Commissioner, “FDPIC”) asked a company to stop its peer-to-peer monitoring activities, alleging that they violated the Swiss Data Protection Act because they were unknown to computer users and circumvented telecommunications privacy rights. The administrative court ruled that IP addresses do constitute personal information, but that the company could continue its monitoring because the interests of copyright holders outweighed the privacy interests at stake. On appeal, the Federal Supreme Court confirmed that IP addresses are personal information and held that the monitoring must stop, because it involved a major invasion of privacy that could not be justified by any overriding interest. [Source]

UK – Advertisers Given Checklist for Protecting Children’s Online Privacy

Companies which advertise to children can quickly find out whether their campaigns break the law with the launch of a website which claims to draw together all UK laws and regulations on advertising to children. The Advertising Association has launched CHECK (the Children’s Ethical Communications Kit), a site which allows advertisers and agencies to compile their own list of regulatory requirements depending on the kind of communications they are planning. The rules on advertising to children, and on gathering data about them over the internet, have been strengthened in recent months. The Committee of Advertising Practice (CAP) revised its guidance on the collection of data on children this year, stipulating that data must not be collected from children under 12 and that collection from those under 16 must not include data about third parties. Trade body the Direct Marketing Association (DMA) published a revised version of the Code of Practice which binds its members, bringing the rules for offline data collection into line with those for online collection. That Code now mirrors CAP’s by banning the collection of information from under-12s and of information about others from under-16s. The website’s launch was welcomed by advertising trade body the Interactive Advertising Bureau (IAB). [Out-Law]

UK – ICO Comments on the Current Data Protection Legislative Framework

Technology has led to many different levels of “identifiability” of individuals, and a simple “all or nothing” approach to applying data protection principles no longer suffices; given the variety of information that can fall within the definition of personal data, the requirements should be more clearly linked to the risk to individual privacy. The General Directive’s categories of sensitive data may not match what individuals consider to be sensitive: information is sensitive if its processing could have an especially adverse or discriminatory effect on individuals, and this may include financial or location data. Simple distinctions between data processors and data controllers no longer reflect the complicated relationships that exist, as processors are no longer passive entities acting on behalf of data controllers (the persons responsible for processing at any stage should carry responsibility and accountability for their own aspect of the processing). When processing data fairly, it is not always clear where consent is necessary or where transparency suffices, and this can lead to unrealistic presumptions about the degree of control individuals should enjoy in cases where choice may not be realistic or where individuals may neither expect nor want to choose; organisations should not rely exclusively on consent to legitimise their processing, as valid consent may be withdrawn. The Information Commissioner’s powers are limited in that, in connection with investigations, the Commissioner has no power to compel information held by a third party rather than the data controller, and in most cases the Commissioner can only audit data controllers with their permission. [ICO Response]

EU – Fr: Oui, Defamation Can be Automatic

A French court this month found Eric Schmidt, as the director of publication of Google.fr, guilty of defamation. The plaintiff in the case, a French citizen, had been convicted by a French court of corrupting a minor and had been sentenced to prison and to a fine; that conviction, however, was not yet final. [The decision can be found in French] [Online Reputation and the Law]

Filtering

US – T-Mobile Settles Short Code Case Out of Court

A lawsuit brought by a texting service against T-Mobile has been settled out of court. While the terms of the settlement have not been disclosed, the settlement does not resolve the question of whether wireless communication providers are subject to the same “must carry” rules that govern wired providers. The texting service, EZ Texting, said that T-Mobile blocked its clients after the service sent out messages pertaining to medical marijuana. EZ Texting provides short code services, which allow phone users to receive information by texting words to certain numbers. T-Mobile maintained that it had the right to require pre-approval of short code services offered over its network, and that EZ Texting had failed to obtain approval. [WIRED]

Genetics 

US – New DNA Law Sparks Controversy Over Privacy

Beginning October 1, Colorado will begin collecting DNA from anyone arrested for a felony and sending it to a state database. The so-called “Katie’s Law,” named for a New Mexico murder victim, takes full effect more than a year after it became law. Law enforcement and prosecutors say the new law puts Colorado on the cutting edge of using the latest DNA technology to solve crimes. The law is designed to help connect those arrested on a felony to other crimes they may have committed. But opponents call it an “assault” on the Fourth Amendment. “We’ll be looking at whether we can do a legal challenge to the law,” said Mark Silverstein, legal affairs director for the American Civil Liberties Union in Colorado. The ACLU calls taking DNA samples an illegal search. “This kind of search of innocent persons to see if they might have some connection with a crime not connected to the crime for which they’re arrested violates our constitution; it violates the right of privacy,” Silverstein said. Those not charged with a felony within 90 days can ask to have their DNA removed from the state database. If the state fails to remove the DNA profile, it could be held liable for $25,000, funded by a five-dollar fee charged to convicted offenders. [Source]

Health / Medical 

EU – Spain: A Third of Hospitals Breach the Data Protection Act

One in three Spanish hospitals is in breach of the Data Protection Act, disturbing research has revealed. Some 30% of public hospitals have no measures in place to prevent the loss of, or unauthorized access to, patients’ data during transport or while filed. A further 40% of state hospitals, and 15% of private ones, have no register to record access to critical files, and 45% do not include on their forms the standard legal wording explaining how and why patients’ data is stored. Only a third of state hospitals carry out any kind of security audit of their files. Many of those found to be in breach of the Act will receive a written warning and information on how to comply, but those found to have committed serious omissions could be fined as much as €600,000. [Source]

US – Pharmacies Sue CVS Caremark Over Privacy Issues

Patient and physician privacy apparently are being compromised in all kinds of ways in Texas. In just the past few days, we’ve learned that:

  • The Texas Department of State Health Services (DSHS) has sold or given away hospital patient data on more than 27 million hospital stays since 1999.
  • Former state Rep. Bill Zedler (R-Arlington) “used his legislative authority to obtain a series of confidential records from the Texas Medical Board.”
  • A group of six independent pharmacies in the Lone Star State have sued CVS Caremark, charging that the company’s Caremark pharmacy benefits management arm engaged in racketeering and violated HIPAA by gaining too much control over patient data and squeezed competition out of the retail pharmacy market.

“The suit claims CVS Caremark violates the firewall between the retail pharmacy and the pharmacy benefit manager [PBM] entities as required when the Federal Trade Commission approved the CVS and Caremark 2007 merger. Instead, the combined company built an information technology platform that straddles all of CVS Caremark’s business segments, capturing in-depth patient data for marketing and other purposes in violation of HIPAA patient privacy laws,” reads a press release from American Pharmacies, a for-profit pharmacy buying group that says it is financing the legal action. In an email to reporters, Austin, Texas-based patient privacy advocate Dr. Deborah Peel expresses support for the suit, and says pharmacy privacy violations are widespread. “It’s important to understand that CVS Caremark is not alone in ‘profiling’ patients or selling the records of everyone who fills a prescription at a CVS store,” Peel writes. “Daily data mining, theft and the sale of prescription records occurs in all 55,000 U.S. pharmacies. And every other corporation that collects, stores, transfers or handles prescription records electronically [pharmacy chains, pharmacy benefits managers, hospitals, switching companies, data management corporations, etc., etc.] also steals and sells the records. This massive under-the-radar industry generates hundreds of billions/year in revenue.” [Source]

CA – Health Professional Identity Theft: Prescription for Fraud

Health care professionals are being victimized by a brazen scheme that insurance investigators and professional regulators say is becoming increasingly common in Canada’s health-care system: the theft of a medical professional’s identity to obtain insurance payments for services that are either never rendered or carried out by unqualified personnel. Experts say clinics, spas and private individuals frequently usurp the names and registration information of practitioners ranging from massage therapists to psychologists and doctors, then file bogus claims, often in cahoots with the named patients. They can make tens of thousands of dollars using one stolen identity, with relatively little chance of being caught and almost none of facing criminal prosecution. [Source]

CA – Hacker Gets Confidential Info from MDs’ Website

Manitoba doctors are being warned that their credit card information and patients’ complaints could fall into the wrong hands after an online attack a month ago. A hacker accessed confidential information on the College of Physicians and Surgeons of Manitoba website Sept. 11, said registrar Dr. Bill Pope. “Something attacked the website – everything on it was gone,” said Pope. He called it a “potential information breach” because there has been no indication the information has been used or abused. In a letter to doctors Monday, the College said there was some irregular activity on its website last month, including significant crashes and data deletion. A security audit was conducted and it was determined that the breach of the password-protected information occurred Sept. 11. That information includes credit card numbers and expiry dates for physicians who registered online starting in 2006, along with limited personal health information about doctors that relates to their fitness to practice. Information about patient complaints filed since April 2008 was also accessible, including the name of the doctor, the patient, and the general nature of the complaint. The College is informing patients who filed complaints of a sensitive nature, Pope said. “Since there was no personal health information on the website, the Privacy Commissioner recommended direct notice to only those patients whose complaint classification is sensitive (such as a breach of trust and sexual behaviour),” Pope said. [Source]

Horror Stories

CA – More Vets Emerge With Allegations of Privacy Breaches

More veterans are coming forward with claims that their private medical information was distributed or widely accessed by federal bureaucrats in what some say were attempts to smear reputations. At least three new cases came to light Tuesday, widening a privacy scandal triggered by veterans activist Sean Bruyea, who acquired hundreds of pages of government documents that improperly divulge his confidential medical and psychiatric files. [Source]

Identity Issues 

CA – Homeless Wary of Alberta’s New ID-Card Initiative

Next week, the Alberta provincial government will unveil a new system in which the more than 8,500 individuals in Alberta with the “no-fixed-address” label will be able to wave a card attesting to who they are. The new program, earlier reported to incorporate biometrics as a way of confirming the identity of people who have reached adulthood and beyond without ever possessing a birth certificate or driver’s licence, has a bit of a Big Brother tinge. Earlier this week, Housing and Urban Affairs Minister Jonathan Denis was on hand at McDougall Centre to welcome Gary Bowie as the new chairman of the Alberta Secretariat for Action on Homelessness, and also to hint at an upcoming good-news press conference to usher in the introduction of the voluntary ID cards – a first of its kind in Canada. But while he won’t confirm what the features of the new cards are, or what they’ll look like – the $12.30 cost is about all the detail he’s giving up for now – Denis is in a confident mood about the reception he’ll get on this newest initiative. “I’m quite excited about it; it’s one piece of the puzzle to dealing with homelessness,” Denis tells me after his news conference. “We’ve worked with the privacy commissions in getting it right, along with those who work with those facing homelessness.” [Source]

CA – Canada Looks to Catch Up by Issuing Electronic Passports in 2012

Canada has begun the process of procuring millions of electronic passports and plans to start issuing them in 2012. Public Works and Government Services Canada invited potential suppliers to submit letters of interest this summer. It expects to notify qualifying firms within the next couple of weeks and tender for bids by late fall, a departmental spokesman said. Canada’s ePassport will contain a “proximity contactless chip” that can only be read if it is held within about 10 centimetres of a reader and the machine-readable zone (MRZ) on page two has been scanned first; in the ICAO standard for ePassports the MRZ data is used to derive the key that unlocks the chip, so the short radio range is a convenience limit and knowledge of the MRZ is the actual access control. The chip will hold the holder’s name, sex and date and place of birth, along with a digital photo of the bearer’s face. After publishing the proposed changes and gathering more public feedback, Passport Canada will finalize the fee proposal and table it in Parliament before implementation. [Source]
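The “MRZ scanned first” requirement described above is ICAO Doc 9303 Basic Access Control (BAC): the reader derives two 3DES keys from three MRZ fields and must prove it holds them before the chip will release any data. The Python below is an example added to this digest, not code from Passport Canada or any of its suppliers, and it assumes Canada’s chips follow the standard 9303 BAC profile (the article does not name the mechanism). It uses only the standard library and works through the public test vector printed in ICAO Doc 9303 Part 11, Appendix D; the document number and dates are that test vector, not real passport data.

```python
"""ICAO Doc 9303 Basic Access Control: deriving the chip-unlock keys from the MRZ.

Added example for this digest, not code from Passport Canada or any vendor.
Only the Python standard library is used. The worked values are the public
test vector printed in ICAO Doc 9303 Part 11, Appendix D, not real passport data.
"""
import hashlib

_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: sum of character values weighted 7,3,1 repeating, mod 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character 'MRZ information' that seeds BAC: document number (padded
    with '<' to 9 characters), date of birth and expiry date, each followed by its
    check digit. This string is everything a reader needs to know to talk to the chip."""
    doc = doc_number.ljust(9, "<")
    return (doc + mrz_check_digit(doc)
            + dob_yymmdd + mrz_check_digit(dob_yymmdd)
            + expiry_yymmdd + mrz_check_digit(expiry_yymmdd))


def _adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as the DES/3DES key format requires:
    the low bit of each byte is a parity bit, set so the byte has an odd number of 1s."""
    out = bytearray()
    for b in key:
        high_ones = bin(b >> 1).count("1")
        out.append((b | 1) if high_ones % 2 == 0 else (b & 0xFE))
    return bytes(out)


def bac_keys(mrz_info: str) -> dict:
    """Derive Kseed and the two 16-byte (two-key 3DES) BAC keys as hex strings.

    Kseed = SHA-1(mrz_info)[:16]
    Kenc  = parity(SHA-1(Kseed || 00000001)[:16])   encrypts the mutual-authentication data
    Kmac  = parity(SHA-1(Kseed || 00000002)[:16])   authenticates it
    """
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc = hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16]
    kmac = hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16]
    return {
        "kseed": kseed.hex(),
        "kenc": _adjust_des_parity(kenc).hex(),
        "kmac": _adjust_des_parity(kmac).hex(),
    }


if __name__ == "__main__":
    # ICAO Doc 9303 Appendix D test vector: document L898902C, born 1969-08-06, expires 1994-06-23.
    info = mrz_information("L898902C", "690806", "940623")
    print("MRZ information:", info)
    for name, value in bac_keys(info).items():
        print(f"{name:5s} = {value.upper()}")
```

The point a practitioner should take from the derivation is that the whole “secret” is a document number, a birth date and an expiry date. Document numbers are often issued sequentially and expiry dates fall within a ten-year window, so the effective entropy of the MRZ key is far below the nominal 112 bits of two-key 3DES; an eavesdropper who records one BAC exchange can brute-force the key offline, which is why later ICAO specifications added the password-authenticated PACE protocol on top of BAC.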

NZ – Privacy Commission says Online Identity Impersonation a Problem in Social Media

The Commission is supporting a review of the Privacy Act by the Law Commission, which is considering the challenges posed to privacy by new technology. Assistant Privacy Commissioner Katrine Evans says online identity impersonation has traditionally involved celebrities, but it is now being used by children for purposes such as cyber bullying. Ms Evans says fraud or serious harassment through online identity impersonation is dealt with by existing legislation. She says the Privacy Commission does not know whether online identity impersonation will become an offence, but any law would have to distinguish between malicious impersonation and genuine parody. Katrine Evans says social media websites like Facebook remove impersonated identities from their webpages if requested. She says the Privacy Commission wants to hear from anyone whose identity has been impersonated online. [Source]

US – Consumers Ditching $2.4 Billion ID Theft Protection Market

As purse strings have tightened over the last couple of years, most consumers no longer think spending $200 a year on identity theft protection services makes sense. And they’re probably right. A study out Tuesday from identity-theft-focused Javelin Research shows that only about 25% of consumers now subscribe to an identity theft protection service, down a crushing 42% since 2008. That’s bad news for companies like Lifelock, TrustedID, and the rest of the firms in that $2.4 billion market, who charge an average of $150 a year for credit monitoring and other fraud alerts. The decision to ditch identity theft protection stems partly from tight budgets, but also from the lack of major data breach headlines over the past year, argues Javelin analyst (and Forbes blogger) Robert Vamosi. The number of individual records breached in 2010 so far has in fact fallen by more than 90% compared to 2009, according to the Identity Theft Resource Center, although the number of breaches is still on track to rise for the year. [Forbes]

Intellectual Property 

EU – Irish High Court Cannot Compel ISP to Implement Three-Strikes Anti-Piracy Policy

Despite an out-of-court settlement with Irish Internet service provider (ISP) Eircom which resulted in the implementation of a three-strikes anti-piracy policy at that ISP, a group of four major record labels cannot compel another ISP, UPC, to establish a similar policy. The High Court ruled that there are no laws in Ireland that allow Internet users who are suspected of illegal filesharing to be identified and have their service cut. While Justice Peter Charleton noted that the music industry was suffering significant financial losses due to online piracy, he also said there was no legislation in place in the country to enforce the system the music labels wanted. Justice Charleton also said that the absence of such laws means that Ireland is not in compliance with EU law. UPC affirmed that it does not support piracy, and that its “whole premise and defence focused on the mere conduit principle which provides that an ISP cannot be held liable for content transmitted across its network.” [Independent] [Silicon Republic]

UK – Court Grants BT Adjournment to Halt Requests for Customer Data

The UK High Court has granted a request from Internet service provider (ISP) BT to freeze new and existing applications for customer information. Law firms have been filing requests for information identifying computer users suspected of illegal filesharing. Last week, law firm ACS:Law was hit with a distributed denial-of-service (DDoS) attack launched by a group that opposes action taken against filesharers. When ACS:Law tried to restore its website after the attack, it accidentally exposed unencrypted sensitive personal information it had received from ISPs. BT said it would challenge the requests for information until it sees evidence that the allegations have “some basis.” BT also wants to ensure that the data it provides to firms like ACS:Law is adequately protected. [BBC] [Guardian]

Internet / WWW 

US – New Web Code Draws Concern Over Privacy Risks

Worries over Internet privacy have spurred lawsuits, conspiracy theories and consumer anxiety as marketers and others invent new ways to track computer users on the Internet. In the next few years, a powerful new suite of capabilities will become available to Web developers that could give marketers and advertisers access to many more details about computer users’ online activities. Nearly everyone who uses the Internet will face the privacy risks that come with those capabilities, which are an integral part of the Web language that will soon power the Internet: HTML5. The new Web code is already in limited use, and it promises to usher in a new era of Internet browsing within the next few years. It will make it easier for users to view multimedia content without downloading extra software, check e-mail offline, or find a favorite restaurant or shop on a smartphone. The new Web language presents more tracking opportunities because it adds client-side storage (Web Storage and related local database APIs) that lets a site keep far more data in the user’s browser than a cookie can hold, and keep it across visits. Because of that, experts say, advertisers and others could see weeks or even months of personal data, including a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited. Representatives from the World Wide Web Consortium say they are taking questions about user privacy very seriously. The organization, which oversees the specifications developers turn to for the new Web language, will hold a two-day workshop on Internet technologies and privacy. Ian Jacobs, head of communications at the consortium, said the development process for the new Web language would include a public review. “There is accountability,” he said. “This is not a secret cabal for global adoption of these core standards.” [The New York Times] See also: [Google Street View now in Antarctica]

Law Enforcement 

AU – Cops Abandon Secret Information Sharing Deals

Ten secret deals between Victoria Police and bodies such as the AFL and Grand Prix Corporation have been dumped or cancelled. Since January 2008, police have signed 36 memoranda of understanding (MOUs) with external bodies, many of which allow sensitive information to be shared. A review of all agreements is under way after concerns were raised about privacy and poor procedures, but the Herald Sun can reveal nine MOUs were scrapped after their time frames expired and another was cancelled. The cancelled agreement was with Federal Government agency CrimTrac, for access to Victoria Police’s Law Enforcement Assistance Program database. Victoria Police said the agreement was cancelled after a review showed an MOU was not necessary. “We are stopping use of MOUs except when they are with government and/or state agencies and are deemed imperative to the core functions of police.” [Source]

Location 

WW – Wheretheladies.at Highlights Social Networking Security and Privacy Fears

An opportunistic new website by the name of Wheretheladies.at should serve as a wake-up call to Foursquare and other social network users about the potential risks to their privacy and security – especially those who are careless enough to publish such personal details as their home address. Wheretheladies.at uses publicly available information posted on social networking site Foursquare to find locations where a number of women are gathering – from nightclubs to coffee shops. When it finds a correlation among a number of female Foursquare users it shows where they are and displays their Foursquare profile pictures so would-be stalkers – sorry, admirers – can decide if it’s worth turning up to ‘meet’ them. It also sends the news out over a Twitter feed, for instance: “Bunch of ladies in yoga pants at The New Nail on Chestnut. They are talking about needing to find a man. Jackpot.” Indeed. But while Wheretheladies.at may raise some eyebrows among women who didn’t realise they were making quite so much information about themselves available to just anyone, what it actually highlights are the less obvious privacy and security risks of social networking sites in general. Many Foursquare users opt to link their account with other sites such as Facebook or Twitter. This is particularly risky, because even if you are careful about how much you give away on one site, anyone correlating two or three of them can assemble worrying details about you and your movements. Adjusting the privacy settings so that they work in concert across more than one social networking site requires a degree in astrophysics as well as a great deal of patience. [New Statesman]

Online Privacy

WW – Opinion: Poll Results Highlight Concerns, Need for Education

The results of recent research indicate that 92% of parents polled are concerned that their kids share too much information online. The nonprofit Common Sense Media commissioned the survey and has launched a campaign designed to raise awareness about children’s online privacy. But the poll does not necessarily reflect parents’ knowledge about the tools to protect their children’s privacy. Along with releasing the survey results, the organization is launching a “campaign” with six main goals:

1. “Do Not Track Kids.”

2. The industry standard for all kids’ privacy should be opt-in.

3. Privacy statements should be clear and simple.

4. Parents, teachers and kids need to be educated about protecting privacy.

5. Industry must innovate to protect kids and families.

6. Government needs to update privacy policies for the 21st century. [San Jose Mercury News]

CA – Canadians Prolific Sharers of Kids’ Digital Lives: Report

Canadian moms seem to have few qualms about the privacy risks of putting family photos on the Internet, according to a new study. Out of 10 regions surveyed by software maker AVG, Canadian mothers were also the most likely to post scans of their prenatal sonograms online. The study, which surveyed 2,200 mothers in Canada, the U.S., the U.K., Australia, France, Germany, Italy, Japan, New Zealand and Spain, suggests 81% of today’s kids have some kind of online presence before they turn two. The average age at which a child first appears online – through photos or text – was six months. Canadian moms were found to be the least concerned about the privacy implications of posting information about their kids online. “You are creating a digital history for a human being that will follow him or her for the rest of their life. What kind of footprint do you actually want to start for your child, and what will they think about the information you’ve uploaded in future?” [Source]

WW – Data Removal Options Detailed

The Wall Street Journal reports on the array of people-search sites and data brokers that compile public records and social networking profiles. The sites harvest personal data using information that is publicly available, such as property records and telephone listings, as well as data on Web sites where users have posted information about themselves. A number of these data aggregators offer users options to remove information stored about them. The Wall Street Journal has compiled a list of the most-visited people-search sites and information on how to seek data removal. [The Wall Street Journal] [Privacy Rights Clearinghouse list of Information Brokers] and: [Candidates’ Racy Photos Raise Sexism, Privacy Issues]

WW – Bruce Schneier Warns ‘Profits Killing Personal Privacy’

Personal privacy is in danger of being killed off by the profit-making motives of firms which hold our data, security expert Bruce Schneier has warned. While the death of personal privacy had been predicted for a long time, rapid technological changes posed a mortal danger to it, he said. Mr Schneier urged lawmakers to do more to help preserve and protect privacy. The difference now, he said, was that the falling cost of storage and processing power made it far easier to keep data such as e-mail conversations, Tweets or postings to a social network page than it was to spend the time managing and deleting the information. The migration of human social interaction from ephemeral forms that took place face to face into data that never goes away and does not allow us to forget or leave behind our past actions was undoubtedly going to change society, he said. “Forgetting is a very powerful social tool that helps us get by and get along,” he said. As lives are lived more and more online or via the phone it has led, said Mr Schneier, to a situation in which everyone has to be the guardian of their own privacy policy. “That’s new and fundamentally unnatural,” he said. Deciding what data we are prepared to surrender would be fine if people were given a proper choice, he said. Unfortunately, he said, users of social networking sites or any online service were being presented with choices defined by priorities they did not choose. The choices are filtered through the law, which is being outstripped by technological change, leaving people with only what net firms give them or can get away with. “The social rules are being set by businesses with a profit motive,” he said. [Source]

US – Ad Groups Band Together for Online ‘Do Not Track’ List

In a broad attempt by the online advertising industry to ward off federal privacy legislation, a coalition of industry groups announced a wide-reaching program that allows internet users to opt out of being tracked for the purposes of online marketing. The program has also enlisted the Better Business Bureau to police marketers that are not in compliance. While some major digital advertisers, such as AT&T, have already offered a program that allows people to opt out of being tracked, the Federal Trade Commission had expressed concern that there is not a comprehensive, single mechanism for people to unsubscribe from marketers. The coalition, which bills itself as the Digital Advertising Alliance, opened a registration program where any advertiser can sign up to be included in the self-policing program. [Source]

WW – Facebook Allows Users to Download their Info

Facebook is attempting to answer critics who say it is maintaining a “walled garden” by adding a feature that lets users download all of their information from the social-networking website, to do with as they please. The company introduced the feature this week, saying it was one of the most requested capabilities by users. Users and competitors such as Google have criticized the social-networking website for keeping its members’ information largely inaccessible to the rest of the web. Allowing users to download their profiles, including photos, wall posts, status updates and messages, could clear the way for them to upload the information to a competing service. Third parties such as Google, however, will still not have access to profiles unless users make them available. The company also announced it was introducing a more granular Groups feature, as well as a new dashboard for privacy and application settings. The revised Groups feature will allow users to create smaller clusters of friends by invitation from their overall list, and share information with only them. The update will also feature Group chat, allowing all members to message each other at once. The updated dashboard is intended to provide users with a simplified view of the permissions granted to various applications and websites. Users can also see which applications last accessed their data, and when. They can also modify the level of access these applications have, or eliminate them entirely. [Source] See also: [Irony: Facebook’s New Groups Give Me Less Control, Not More] and [Why you’re losing friends on Facebook]

WW – Why You’re Losing Friends on Facebook

If you’re thinking about telling all your pals on Facebook about the dust in your house or how gosh darn cute your chihuahua is, don’t. At least, not if you want to keep them as friends. A new study by researchers at the University of Colorado Denver Business School has discovered the top reasons for Facebook unfriending. After surveying more than 1,500 Facebook users on Twitter, Christopher Sibona, a PhD student in the computer science and information systems program, found that frequent, trivial posts were the No. 1 reason for unfriending on the site. The second most popular reason for losing friends on the site was posting about polarizing issues such as politics and religion. Making inappropriate posts, such as crude comments, was the third most common reason. The study will be published in January by the Hawaii International Conference on System Sciences. [Source]

US – Complaint Alleges Facebook Shared Sensitive User Data with Advertisers

A Facebook update earlier this year resulted in the disclosure of users’ names and sensitive information to advertisers, two social networking site members assert in new court papers. David Gould and Mike Robertson allege that from February until May, Facebook leaked a host of data about users who clicked on ads via the HTTP referrer header, which the browser sends to the advertiser’s site and which carries the URL of the Facebook page the user was on; the headers allegedly transmitted enough data to marketers that they could identify the people who landed on advertisers’ sites after clicking ads on Facebook. “This unauthorized disclosure of a person’s identity and what Facebook page they were viewing could have the effect of revealing to advertisers confidential and sometimes highly sensitive information, including a user’s private interests,” Gould and Robertson allege in an amended complaint filed in federal district court in San Jose. “For example, if a Facebook user who was gay and struggling to come out of the closet was viewing the Facebook page of a gay support group, and then clicked on an ad, the advertiser would know the exact identity of that person, and that s/he was viewing the Facebook page of a gay support group just before navigating to their site.” The plaintiffs allege that Facebook violated federal and state privacy laws as well as its own privacy policy – which, they allege, promised users that their personal information “will only be disclosed to advertisers in the specific ways and circumstances set out in Facebook’s privacy policy and with user consent.” They are seeking class-action status. The new complaint replaces two separate lawsuits that were filed in June. Last year, two computer scientists from AT&T and Worcester Polytechnic Institute published the report, “On the Leakage of Personally Identifiable Information via Online Social Networks,” which outlined how Facebook and other social networks could be leaking personally identifiable information by including it in the HTTP header information that is automatically sent to ad networks.
At the time, a Facebook spokesperson said that referring URLs only provided information about the profile page a user had been on when he or she clicked on the ad, but didn’t reveal whether that user was the person featured in the profile or a friend of the member. But Facebook allegedly began embedding additional information in the referring URLs in February, according to the amended lawsuit. “Facebook caused Referrer Headers to include not just the URL of a web page a person was viewing (e.g. a person viewing the profile of Facebook user John Doe) but also confirmation of the specific identity of the person viewing a web page (e.g. that it is John Doe himself who is viewing his own profile),” the complaint alleges. Gould and Robertson also allege that Facebook revealed the names of users who clicked on ads displayed on Facebook pages other than their own profiles. Facebook allegedly stopped embedding that data in referring URLs in May, after being contacted by the press about the practice. [Source]
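The mechanism in the complaint is mundane: whatever a site puts in the URL of the page a user is on is handed to any third party the user clicks through to, because the browser sends that URL as the Referer header. The Python below is an example added to this digest, not code from the complaint, from Facebook or from the AT&T/WPI paper. It takes the advertiser’s point of view, scanning constructed access-log entries for Referer URLs that name the viewer as well as the page, and shows one way a site can stop the leak. All hostnames, log lines and parameter names are constructed for the example; “id” and “viewer” are hypothetical parameter names, not those any real site used.

```python
"""Finding viewer identities leaked through the HTTP Referer header.

Added example for this digest; not code from the complaint, from Facebook or from
the AT&T/WPI paper. When someone on a social-network page clicks an ad, the browser
sends that page's full URL to the advertiser as the Referer, so whatever the URL
encodes (which page, and possibly who is looking at it) arrives at the advertiser.
All hostnames, log lines and parameter names below are constructed: 'id' and
'viewer' are hypothetical names, not the parameters any real site used.
"""
from urllib.parse import parse_qs, quote, urlsplit

# Constructed advertiser-side log: (client ip, request on the advertiser, Referer header).
SAMPLE_LOG = [
    ("203.0.113.5", "/landing?campaign=77",
     "http://www.socialsite.example/profile.php?id=1000123&viewer=1000123"),
    ("203.0.113.5", "/landing?campaign=77",
     "http://www.socialsite.example/profile.php?id=1000999"),
    ("198.51.100.9", "/landing?campaign=78",
     "http://www.socialsite.example/pages/Support-Group/448812?ref=ts&viewer=1000123"),
    ("198.51.100.9", "/landing?campaign=78",
     "https://bounce.socialsite.example/l.php?u=http%3A%2F%2Fadvertiser.example%2Flanding"),
    ("192.0.2.44", "/landing?campaign=78", ""),  # browser sent no Referer at all
]

# Query parameters that, in this constructed URL scheme, name a person.
# 'id' names the profile being looked at; 'viewer' names who is looking.
IDENTITY_PARAMS = frozenset({"id", "viewer"})


def referer_identity(referer: str, identity_params=IDENTITY_PARAMS) -> dict:
    """Return {param: value} for each identity-bearing query parameter in a Referer.

    An empty dict means the Referer tells the advertiser nothing about who the
    visitor is (absent header, or a URL with no identity parameters).
    """
    if not referer:
        return {}
    query = urlsplit(referer).query
    pairs = parse_qs(query, keep_blank_values=False)
    return {k: v[0] for k, v in pairs.items() if k in identity_params}


def leaked_viewers(log) -> dict:
    """Map each leaked viewer id to the set of page paths the advertiser learnt they viewed.

    This is the join the complaint worries about: a stable person identifier
    plus the page that person was on (e.g. a support group) just before clicking.
    """
    seen = {}
    for _ip, _request, referer in log:
        ids = referer_identity(referer)
        if "viewer" in ids:
            seen.setdefault(ids["viewer"], set()).add(urlsplit(referer).path)
    return seen


def bounce_url(target: str, bounce_base: str = "https://bounce.socialsite.example/l.php") -> str:
    """Wrap an outbound link in an interstitial so the advertiser's Referer is the
    bounce page, not the profile URL.

    The interstitial must perform the final hop client-side (a page that navigates
    to 'u' via script or meta refresh): a plain HTTP 302 does NOT help, because
    browsers keep the original page as the Referer across a redirect chain. Today
    the simpler fix is a Referrer-Policy header (e.g. 'strict-origin') or rel="noreferrer".
    """
    return f"{bounce_base}?u={quote(target, safe='')}"


if __name__ == "__main__":
    for viewer, pages in leaked_viewers(SAMPLE_LOG).items():
        print(f"viewer {viewer} seen on: {', '.join(sorted(pages))}")
    print(bounce_url("http://advertiser.example/landing?campaign=78"))
```

The second log entry shows the distinction the Facebook spokesperson drew: a Referer naming only the profile page (“id”) reveals what was looked at, not by whom; the first and third entries carry a “viewer” value and tie the same person to two different pages, which is exactly the cross-page profile the plaintiffs object to.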

US – The Privacy Landmine that is Duke Graduate Karen Owen’s ‘Senior Thesis’

Karen Owen, a 2010 Duke graduate, kept detailed notes on her sexual adventures with 13 members of Duke’s lacrosse, baseball and tennis teams over the last four years. She then put those notes, along with the athletes’ names and photos, into a PowerPoint presentation that concludes with a ranking of the 13 on what she calls her “F*** list.” According to Jezebel, Owen sent the “unofficial senior thesis” titled “An education beyond the classroom: excelling in the realm of horizontal academics” to three friends and did not intend for it to go further than that. But one of those friends forwarded it on and it went viral, going out on listservs and eventually winding up on Gawker sites, Jezebel (for women) and Deadspin (for sports addicts). Interestingly, Jezebel redacted the names of all those involved and blurred out the athletes’ faces. Deadspin, on the other hand, did not. [Forbes] [Jezebel – redacted thesis with photos] see also: [Minnesota: Debt collector broke the law by using MySpace photo to intimidate consumer]

Other Jurisdictions 

IN – BlackBerry Grants Indian Government Access to Messenger Service

BlackBerry parent company Research in Motion (RIM) has granted India’s government access to the BlackBerry Messenger service. For now, the access is manual, but government officials say they expect to have automated access by the first of the year. India is also seeking access to encrypted email traffic sent over BlackBerry Enterprise Servers, but RIM does not have the ability to grant access to those communications because the encryption keys are held by the organization running the server; access must be obtained from the organization sponsoring those servers. If RIM cannot come up with a workable solution for readable email interception by the end of the month, it faces a nationwide ban in India. The same is true in the United Arab Emirates, but there the ban could start as soon as October 11. [MSNBC] [The Register]

UA – UAE Calls Off Planned Ban of BlackBerry Services

The United Arab Emirates (UAE) will not ban BlackBerry service within its borders. The UAE had threatened to ban the services as of October 11 if BlackBerry’s parent company Research in Motion (RIM) did not provide access to BlackBerry communications. The UAE Telecommunications Regulatory Authority says that BlackBerry services now conform to its regulations and that “all BlackBerry services in the UAE will continue to operate as normal and no suspension of service will occur on October 11.” Exactly what concessions RIM may have made to appease UAE authorities has not been clarified. [NY Times] [CNN] [BBC]

RU – “Has Mommy Had Abortions?” – Russian School Questionnaire Sparks Outrage

A federal ministry questionnaire is asking the mothers of Russian schoolchildren if they have had abortions. This and other personal questions have sparked outrage among parents and the general public. Scandal has been growing around a controversial questionnaire, entitled “Passport of a Pupil’s Health”, which the Russian Education and Science Ministry is planning to introduce in 2012. In the meantime, the ministry recently launched an experiment introducing the questionnaire in several schools in the Saratov region. The “Health Passport” immediately sparked a storm of controversy. The 43-page document also requests details of the family’s income, details of their living conditions and other personal information. Special sections ask the respondent to evaluate the child’s character, including such traits as aggressiveness, tendency to hysterics, and level of conformity, to name just a few. [Source]

CA – OICR Announces Equity Investment in Privacy Analytics

The Ontario Institute for Cancer Research (OICR) announced it has made an equity investment in Privacy Analytics Inc., an Ontario company that is developing a software platform to help organizations such as health centres disclose detailed disease and treatment data without compromising individual privacy. The software platform, called Privacy Analytics Risk Assessment Tool (PARAT), is currently being used by hospitals and patient registries in Canada. The funding from OICR will be used to extend the functionality of PARAT to include more powerful capabilities. [The Ontario Institute for Cancer Research]

Privacy (US) 

US – Pennsylvania School Settles 2 Webcam Spy Lawsuits for $610K

A Philadelphia-area school district has agreed to pay $610,000 to settle two lawsuits over secret photos taken on school-issued laptops. The Lower Merion School District admitted it captured thousands of webcam photographs and screen shots from student laptops in a misguided effort to locate missing computers. The settlement calls for $275,000 to be placed in a trust for the two students who filed suit. Their lawyer, Mark Haltzman, will get $425,000 for his work on the case. The FBI investigated whether the district broke any criminal wiretap laws, but prosecutors declined to bring any charges. The district is no longer using the tracking program. [Source]

US – Dept. of Energy: Data Access and Privacy Issues in Smart Grid Technologies

The Dept. of Energy released a report this week on access and privacy issues related to Smart Grid technologies. From the report, the Overview of Data Access and Privacy Concerns: “Advances in Smart Grid technology could significantly increase the amount of potentially available information about personal energy consumption. Such information could reveal personal details about the lives of consumers, such as their daily schedules (including times when they are at or away from home or asleep), whether their homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment. Consumers rightfully expect that the privacy of this information will be maintained. The proprietary business information of non-residential customers could also be revealed through the release of energy consumption data, resulting in competitive harm. Studies conducted by utilities and consumer advocates have consistently shown that privacy issues are of tremendous import to consumers of electricity.” [Read the entire report here] [Source]
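To make the report’s inference concrete, here is a toy heuristic in Python, added to this digest and not taken from the DOE report, that reads one day of hourly kWh readings and labels when the household woke, left and returned. It is a simple threshold over a standing-load baseline rather than a real non-intrusive load monitoring algorithm, and the 24 readings are constructed for the example; the point is how little analysis is needed for interval meter data to become a schedule.

```python
"""What a day of hourly meter readings says about who is home.

Added example for this digest, not code or data from the DOE report. A toy
threshold heuristic, not a real non-intrusive load monitoring algorithm: it
flags hours whose consumption is well above the standing (always-on) load and
reads wake-up, departure and return times off the result. The 24 readings
below are constructed for illustration.
"""
from statistics import median

# Constructed sample: one weekday of hourly kWh for a hypothetical household, hour 0 = midnight.
SAMPLE_DAY_KWH = [
    0.31, 0.30, 0.29, 0.30, 0.31, 0.30,              # 00-05  asleep: fridge and standby only
    1.85, 2.10, 0.95,                                # 06-08  morning routine
    0.32, 0.31, 0.30, 0.31, 0.30, 0.32, 0.31,        # 09-15  nobody home
    0.35, 1.60, 2.40, 1.95, 1.20, 0.90,              # 16-21  back home, cooking, TV
    0.45, 0.33,                                      # 22-23  winding down
]


def baseline_load(readings):
    """Estimate the standing load as the median of the lowest quarter of readings."""
    lowest = sorted(readings)[: max(1, len(readings) // 4)]
    return median(lowest)


def label_hours(readings, active_factor=2.0):
    """Label each hour 'active' if it draws more than active_factor x baseline, else 'inactive'."""
    threshold = active_factor * baseline_load(readings)
    return ["active" if r > threshold else "inactive" for r in readings]


def infer_schedule(readings):
    """Read a daily schedule off the activity labels.

    Returns wake_hour (first active hour), leave_hour (first inactive hour after
    waking), return_hour (first active hour after leaving) and away_hours (the
    inactive stretch in between). Each is None / [] when the pattern is absent,
    e.g. a flat day where nobody was home, or a day the occupant never left.
    """
    labels = label_hours(readings)

    def first(label, start):
        for hour in range(start, len(labels)):
            if labels[hour] == label:
                return hour
        return None

    wake = first("active", 0)
    leave = first("inactive", wake + 1) if wake is not None else None
    back = first("active", leave + 1) if leave is not None else None
    away = list(range(leave, back)) if back is not None else []
    return {"wake_hour": wake, "leave_hour": leave, "return_hour": back, "away_hours": away}


if __name__ == "__main__":
    schedule = infer_schedule(SAMPLE_DAY_KWH)
    print(f"baseline {baseline_load(SAMPLE_DAY_KWH):.2f} kWh/h")
    print(f"woke ~{schedule['wake_hour']:02d}:00, left ~{schedule['leave_hour']:02d}:00, "
          f"back ~{schedule['return_hour']:02d}:00, house empty {len(schedule['away_hours'])} h")
```

Run over a month of such days, the same few lines give an observer the household’s routine and its exceptions; the usual engineering mitigations are to keep fine-grained interval data on the meter or with the customer, to aggregate before it leaves the utility, and to treat the raw series as personal data under the access controls the report calls for.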

Privacy Enhancing Technologies (PETs) 

US – Mobile X-Ray Anti-Terrorist Van Disturbs Privacy Advocates

The U.S. Homeland Security Department has introduced mobile X-ray vans, known as Z Backscatter Vans (ZBVs), as a counter-terrorist measure. American Science & Engineering, a company based in Billerica, Massachusetts, makes the vans, and Forbes Magazine reported that the company has sold more than 500 ZBVs to U.S. and other governments. A company representative told Forbes Magazine that while most of the vans bought by the U.S. government were intended for use in war zones, some have been used inside the U.S. In the course of a random “counterterrorism operation” last week, a ZBV was used by Department of Homeland Security teams on vehicles near Atlanta, GA. Privacy advocates have voiced deep concerns, arguing that using the X-ray technology to scan individuals and crowds would violate the Fourth Amendment. The recent reports on the use of mobile X-ray units inside the U.S. have also raised concerns about the potential health effects of ionizing radiation. [Internet Bits]

RFID 

US – Tracking Devices Used in School Badges

RFID is being used to track students in the Spring and Santa Fe school districts. Identification badges for some students in both school districts now include tracking devices that allow campus administrators to keep tabs on students’ whereabouts on campus. School leaders say the devices improve security and increase attendance rates. But some parents and privacy advocates question whether the technology could have unintended consequences. The tags remind them of George Orwell’s Big Brother, and they worry that hackers could figure a way to track students after they leave school. Identity theft and stalking could become serious concerns, some said. [Source] 

Security 

WW – Microsoft’s Scott Charney Proposes Public Health Model for PC Protection

Microsoft’s Corporate VP of Trustworthy Computing Scott Charney has published a report suggesting a plan that would prevent PCs infected with bot software from connecting to the internet. Comparing the proposal to “public health measures like vaccinations and quarantines,” Charney called his idea “collective defense.” The idea calls for issuing PCs health certificates that provide information about how up to date a machine’s patches are, whether it is running security software and whether it is free of malware. Quarantine would be a last step after patching machines and updating antivirus programs. Critics have enumerated the proposal’s problems, including the possibility of abuse of information. [Ars Technica] [ComputerWorld] [USA Today] [BBC] [PC World] [Microsoft]

Smart Cards 

US – Lindsay Lohan Sister ID Hacked by Government Employee

A US State Department clerk has been indicted for using her government computer to gather personal information on more than a hundred celebrities and their families — including Lindsay Lohan’s sister Ali. Ali Lohan was recently mailed a death threat at her Long Island home, her mom Dina said, but it was not clear if there was any connection between that and the compromised government computer system. Brooke Reyna, 28, viewed passport info on “various celebrities, actors, reality-television contestants, television personalities, musicians, models, athletes,” including “their children,” since 2005, the indictment charged. Authorities declined to say whether Reyna, who is charged with felonies including unauthorized computer access, was simply a crazed fan or had been selling the confidential information. “It’s horrible. I’m petrified,” said Dina. “I’m glad the FBI is on it.” [New York Post]

Surveillance 

US – Student Finds Tracking Device on Car; FBI Demands it Back

When California college student Yasir Afifi took his car in for an oil change, he noticed an unexpected wire near the rear right wheel; the mechanic removed a tracking device and battery pack that had been attached magnetically to the chassis of his car. A friend of Afifi’s put pictures of the device online; it was quickly identified as an older tracking device issued only to law enforcement. Two days later, FBI agents showed up at Afifi’s home demanding that he return the device. Afifi is an American citizen whose father died in Egypt a year ago. Comments made by the FBI agents who visited his home suggested Afifi had been under surveillance for three to six months. A recent ruling from the 9th US Circuit Court of Appeals, which covers California, said that law enforcement can place GPS devices on suspects’ cars without a warrant. Another court, the US Court of Appeals for the District of Columbia Circuit, ruled that placing a GPS device on a car for an extended period of time requires a warrant. [WIRED] [MSNBC] [TIME]

UK – Privacy Concerns Raised Over Shoplifting Website

Internet Eyes, a UK website that pays viewers to report shoplifters, has raised concerns about privacy among some people. Subscribers to Internet Eyes watch CCTV footage from shops and report criminals in order to earn cash rewards. Some people feel the idea encourages people to spy on one another. “What we don’t want is vigilante bounty hunters,” Sky News quoted James Welch, legal director at the civil rights group Liberty. “We’re all responsible citizens – if we see a crime we should report it to the police. We shouldn’t be paying people to watch out for crimes. It should be done by proper professionals.” Although there are currently many surveillance cameras in use, there is often no-one watching the footage. “All we’re doing is trying to reduce shoplifting,” Internet Eyes’ boss Tony Morgan told Sky News. “There are no voyeuristic opportunities to be had.” People will not be able to watch footage from the area where they live and they must be over the age of 18. Internet Eyes reports that: “Shoplifting is at its highest recorded levels, £4.88 billion a year according to the Centre for Retail Research. Internet Eyes has been designed to combat this rise by detecting these crimes as they happen.” It is hoped the website will also act as a deterrent to criminals. [Digital Journal]

UK – Regular Citizens Get Paid for Fighting Crime from Home

Anyone who owns a laptop computer can now fight crime from the safety of their home and win cash prizes for catching thieves red-handed, under a new British monitoring scheme that went live this week. The service works by employing an army of registered armchair snoopers who watch hours of CCTV footage from cameras in stores and high street venues across the country. Viewers can win up to £1,000 in cash a month from Devon-based firm Internet Eyes, which distributes the streaming footage, when offenders are caught in the act. The scheme immediately drew criticism from civil liberties campaigners who say it is more evidence that Britain has become a “Big Brother” surveillance society with CCTV on every corner. Participants, who pay a fee to subscribe, press an “alert” button which relays an instant text message notifying a shopkeeper of suspicious behaviour. The SMS is followed up with a photographic image of the potential crime. [Source]

Last year the Marshfield Police Department deployed more than a dozen video cameras in several high-risk public buildings to secure the town’s infrastructure. But these cameras aren’t your average 24/7 video surveillance recorders. Each one features an “eyelid” that opens and closes via remote control. The department has so far installed the cameras at the town hall, library, a recreation center and airport. Striking a balance between safety and privacy, this surveillance system helps police officers gain real-time video access during an incident while also easing concerns of citizens who don’t like to be watched by cameras constantly, according to Marshfield’s chief of police. The ACLU doesn’t oppose video cameras in specific high-risk locations, such as entrances to transit systems and stadiums. But no system is safe from questions. “Who’s at the controls and what policies are in place to control how they use the cameras? We all want to be safe, but there are serious concerns about surveillance cameras and their lack of effectiveness and control.” [Government Technology] See also: [Charges laid after spy cameras found in Toronto washrooms]

US – Snuggly The Security Bear Makes Internet Wiretapping Fun

If you’ve been too busy to follow the recently rekindled privacy debate around the Communications Assistance For Law Enforcement Act, encryption backdoors, and the Electronic Communications Privacy Act, let Snuggly the Security Bear explain: “If you have nothing to hide, you won’t need privacy. And the Internet, phones, houses, cars, and streets will all be wiretap friendly, snuggly, and secure,” says Mark Fiore’s surveillance spokesanimal. “Besides, how do we know who to watch, unless we watch all of you.” [Forbes] [See Fiore’s video and work] See also: [Washington Post Editorial: Law enforcement’s limits in wiretapping the Internet] [Schneier: Web snooping is a dangerous move]

Telecom / TV 

UK – ISP Wins Adjournment of File-Sharing Disclosure Case Amid Privacy Fears

Lawyers acting for record label Ministry of Sound had sought a court order requiring the handing over of the details of alleged file sharers, but internet service provider PlusNet said that it needed further assurance of better data protection before doing so. It has been granted an adjournment by the High Court, which will now look at its objections to the requests. The move follows the accidental online publishing by law firm ACS:Law of the details of thousands of people accused of infringing the copyright on pornographic material. Those details were provided to the law firm by ISPs, including PlusNet. Copyright holders can use technology that attempts to track the internet protocol (IP) addresses of people unlawfully sharing copyrighted material. To identify that person the copyright holder must ask an ISP to match the IP address with one of its account holders. ISPs generally only provide that information on the orders of a court. It was information provided in these circumstances that was revealed in the ACS:Law incident. PlusNet has, though, objected to a request on behalf of record label Ministry of Sound for information on alleged file sharers and has suspended co-operation with such requests. “The incident involving the ACS Law data leak has further damaged people’s confidence in the current process,” said a PlusNet spokeswoman. [OUT-LAW News]

US Government Programs 

US – DARPA Starts Sleuthing Out Disloyal Troops

The military is scrambling to identify disgruntled or radicalized troops who pose a threat to themselves or their buddies. So the futurists at Darpa are asking for algorithms to find and pre-empt anyone planning the next Fort Hood massacre, WikiLeaks document dump or suicide-in-uniform. The idea behind the Anomaly Detection at Multiple Scales, or Adams, effort is to sift through “massive data sets” to find the warning signs of looming homicide, suicide or other destructive behavior. “The focus is on malevolent insiders that started out as ‘good guys.’ The specific goal of Adams is to detect anomalous behaviors before or shortly after they turn,” the agency writes in its program announcement. Currently, Darpa says, the Defense Department doesn’t actually know how “a soldier in good mental health” actually comes to pose an “insider threat,” defined as “an already trusted person in a secure environment with access to sensitive information and information systems and sources.” Adams is supposed to fill the breach. [Source] See also: [Akamai Employee Convicted of Trying to Sell Data to Foreign Government]

US – GAO: White House Slow to Implement Cyber Policy Review Recommendations

A report from the Government Accountability Office (GAO) says that the White House has fully implemented just two of the 24 recommendations made in the National Cyber Policy Review released in May 2009. The report acknowledges that the administration has partially implemented the remaining 22 recommendations, and suggests that the reason for the delay is the seven months it took to fill the post of national cyber security coordinator. Agency officials indicate that the incomplete implementation is due in part to “not [having been] assigned roles and responsibilities with regard to implementation.” The report recommends that the Special Assistant to the President and the Cybersecurity Coordinator designate roles and responsibilities for each of the recommendations and also develop milestones and plans for the recommendations that are not already in place. [FCW] [Tech Daily Dose] [GAO]

US Legislation 

US – Bill Would Protect Municipalities and School Districts from Bank Fraud

Proposed legislation in the US Senate would grant municipalities and school districts the same protections against financial loss through cyber theft that are already afforded individuals under the Electronic Fund Transfer Act (EFTA). The bill, introduced by Senator Charles Schumer (D-NY), would modify Regulation E of EFTA to exempt the entities from liability as long as the cyber theft is reported in a timely fashion. EFTA caps consumer liability for unauthorized EFTs at US $50. The legislation still would not provide relief for small and mid-sized businesses, which have gone head-to-head with banks over hundreds of thousands of dollars in fraudulent transactions; the banks maintain that because the cyber thieves used valid credentials, they are not liable for the losses. [Krebs] [ComputerWorld] [SC Magazine] [Text of Bill]

Workplace Privacy 

US – Supreme Court to Hear NASA Privacy Case

The Supreme Court is set to hear a privacy case against NASA. More than two dozen engineers and scientists at the NASA Jet Propulsion Laboratory sued in 2007, saying the background checks invaded their privacy. The 9th U.S. Circuit Court of Appeals had ruled that NASA should be blocked from conducting security checks on low-risk employees at JPL. The space agency appealed to the Supreme Court, which will hear the oral arguments this week. The high court’s decision in this case could throw into question the background checks routinely done on all federal government workers. [Source]

EU – German Draft Law Regulating Employment Data Protection

A data protection bill would restrict the kinds of information employers could obtain in the recruitment process – applicant information could not be obtained from social networking sites used for communication (however, social networking sites designed for professional purposes and generally accessible sources, like the internet, would be allowed); medical examinations and aptitude tests could only be conducted if necessary to determine the suitability of an applicant for the job (only whether or not an applicant is suitable for a job could be used, not diagnostic details). In the employment relationship, open video surveillance of employees could only be done for limited reasons, including entrance control, protection of property, and employee and site safety (secret video surveillance is prohibited), and monitoring of telecommunications would only be allowed to ensure proper technical operation, for accounting purposes or for performance monitoring; the collection of information without the employee’s knowledge would be allowed when a concrete suspicion exists that the employee committed a crime or serious breach, and if the collection is necessary to uncover the acts (monitoring is inadmissible if it takes place over more than 24 hours without interruption or over more than 4 days). Violation of the prohibition on secret video surveillance could be punished as a misdemeanor (with a fine of up to €300,000) or a crime (subject to two years imprisonment or a fine); the first reading of the bill in Parliament is expected in November 2010. [Source]

+++
