16-22 October 2010

16-22 October 2010 


NZ – Trial Biometric Scans to Commence for New Zealand Visa Applicants

A test biometric program to confirm the identity of New Zealand Visa applicants and first time travellers to the country will commence shortly, Immigration New Zealand has said. The New Zealand Immigration department plans to incorporate biometric technology in its new immigration management system that is expected to cost more than $60 million. The trail will last 10-months and any decision to buy biometric systems would not be made for at least 12 months. “Any technologies adopted will have substantial privacy safe-guards, in accordance with New Zealand privacy laws.” The Immigration Act 2009, which will come into effect in November, allows the department to collect biometric data to verify identities and prevent immigration and visa fraud. [New Zealand Visa Bureau

UK – Anger as Store Chain Uses Fingerprint Technology

Shoppers are being asked to scan their fingerprints to buy booze and cigarettes at a minimarket. Staff invite them to join a database that stores their details in a crackdown on under-age drinking. Customers then scan their finger on future visits instead of showing proof they are over 18. But civil liberties campaigners claim the move at 25 Scots Spar stores breaches people’s privacy. Anna Fairclough, legal officer at Liberty, said: “Collecting customers’ biometric information is completely over the top. “We hope people vote with their feet and send a message that intrusive technology has no place in our everyday lives.” A computer at each store keeps shoppers’ date of birth, country of origin and hair and eye colour in a database. Customers who want to buy alcohol or tobacco show their passport or driving licence to a shop assistant, who takes down their details. [Source


CA – PEI Regulator Invading Privacy: Commissioner

P.E.I.’s Island Regulatory and Appeals Commission has been ordered to remove the names of many witnesses from 20 years worth of hearings published online. The province’s privacy office ruled IRAC is violating the privacy rights of the witnesses. IRAC, a quasi-judicial body with jurisdiction over a wide variety of matters — gas prices, municipal zoning, property rental — has asked for a judicial review of the decision by former privacy commissioner Judy Haldemann. The decision stems from a case brought forward by former UPEI professor Bertrand Sandjong. His concern over privacy began when he typed his name into Google and up popped an old IRAC decision involving his dispute over rent. Sandjong complained to the privacy office. Haldemann ruled because the hearing was public, his name should also be public. But she went further than asked in the case, and ruled publishing the names of third-party witnesses was an invasion of privacy. As for the names of secondary witnesses who testified at the hearing, Haldemann ordered IRAC to remove them from the internet. Haldemann suggested that when personal information is published on the web, people are at greater risk of identity theft and of being stalked. She ordered IRAC to remove the names of all minor witnesses, not just from the Sandjong case, but from 20 years worth of IRAC decisions now posted online. IRAC has filed a judicial review of the decision. Its lawyers argue, among other things, the issue of third-party witnesses was not even raised by Sandjong in his complaint. Haldemann’s decision could have implications for all quasi-judicial bodies on P.E.I., such as the P.E.I. Human Rights Commission. [Source]

CA – BC Moves to Make Voluntary Charities Agents of the State

There are still people in society willing to join together and voluntarily contribute their own money to aid fellow citizens in need. These groups have been so successful that government decided to join in and hand them non-voluntary contributions from taxpayers. It seems this “free” money comes with strings attached and now, people who had voluntarily joined together to solve a social problem may soon be turned into data collection agents of the state. What’s going on here? The B.C. government hands out more than $1.8 billion in tax dollars per year to a wide range of independent, non-profit organizations and charities. It now wants some of them to turn over the personal information they’ve collected about their clients, including mental-health and addiction information. The government plans to share this information across a variety of social service ministries to build, they say, a more efficient support system for people in need. [The Province]

CA – Local MADD Chapter Joins Push for Random Breath Testing

Police may be able to stop drivers for random breath testing if Mothers Against Drunk Driving (MADD) is successful in its latest campaign. MADD Canada is pushing the federal government to pass legislation that will allow officers to stop and ask anyone for a breath sample. The past president of MADD Canada Margaret Miller said random breath testing would give police the express power to stop vehicles in a sobriety-type checkpoint. She admitted not everyone is supportive of the idea and that there are critics of the move to what some deem as an invasion of their privacy. “The only ones who aren’t behind this are those who think this is violating their right,” Miller said. “Driving has never been a right. It’s always been a privilege. It’s a heavily-regulated activity that the infringement is no greater than what you will get on a plane. She said as the law stands an officer must have reasonable grounds to believe a person is impaired in order to be able to request a roadside screening device or breath test. [Source

CA – Privacy Commissioner Launches Enhanced Privacy Tool for Businesses

The OPCC is marking Small Business Week (October 17-23) by launching an enhanced on-line tool to help businesses protect their customers’ privacy. The tool helps businesses figure out how much information they should have about their customers and how to protect it. [Source] [Privacy for Small Business online tool] See also: [Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on the 2009-2010 Annual Report to Parliament on the Privacy Act and the 2009 Annual Report to Parliament on PIPEDA – Opening Statement by Jennifer Stoddart, Privacy Commissioner of Canada (October 19, 2010) ]


CA – New Court Challenge to Government’s Census Decision

A coalition representing a broad range of interests has filed a new court challenge to the federal government’s decision to scrap the mandatory, long-form census. The Canadian Council on Social Development is spearheading the case in Federal Court to defend what it calls “the equal right of all Canadians to be counted.” The Conservative government announced last spring it would do away with the mandatory, long-form census, claiming it was an unjustifiable imposition on privacy. Its decision to replace it with a voluntary questionnaire has been widely panned by experts and others who say an optional survey would be inaccurate and unreliable. The 90-year-old council says it’s “responding to the overwhelming and very real concerns about the consequences of this catastrophic decision.” Papers were filed with the court on Thursday and no dates have been set for hearings. The council is joined in its challenge by a dozen social, community and legal organizations. “Just over 100 days have passed since the Harper government launched its assault on Canada’s fundamental data source with a sneak attack on the long-form census,” said a group statement. The council says Canadians’ response to the decision has been unequivocal: “Why would the government shut down Canada’s navigation system?” Despite an outcry from more than 370 organizations and “tens of thousands of Canadians,” the government refuses to reconsider its decision. [Source] [Source]


UK – Every Email and Website to be Stored

Every email, phone call and website visit is to be recorded and stored after the Coalition Government revived controversial Big Brother snooping plans. It will allow security services and the police to spy on the activities of every Briton who uses a phone or the internet. Moves to make every communications provider store details for at least a year will be unveiled later this year sparking fresh fears over a return of the surveillance state. The plans were shelved by the Labour Government last December but the Home Office is now ready to revive them. It comes despite the Coalition Agreement promised to “end the storage of internet and email records without good reason”. But Isabella Sankey, director of policy at Liberty, said: “One of the early and welcome promises of the new Government was to ‘end the blanket storage of internet and email records’. “Any move to amass more of our sensitive data and increase powers for processing would amount to a significant U-turn. The terrifying ambitions of a group of senior Whitehall technocrats must not trump the personal privacy of law abiding Britons.” Guy Herbert, general secretary of the No2ID campaign group, said: “We should not be surprised that the interests of bureaucratic empires outrank liberty. [The Telegraph] [Data collection u-turn angers privacy campaigners]


WW – PCI Supports Encryption

The Payment Card Industry (PCI) Security Standards Council has released new guidance on card security standards, including the use of point-to-point encryption, InformationWeek reports. Troy Leach of the PCI Security Standards Council said the goal is to help organizations “understand how they can better secure their payment card data and how specific technologies may assist them in meeting the requirements of the PCI Data Security Standard.” The guidance also discusses EMV card security, which requires consumers to enter a personal identification number when paying with a credit or debit card in person. Jeremy King, European regional director for PCI, said “the devil is in the details” when it comes to introducing PCI changes. [Source] [Source]

EU Developments 

EU – EU May Propose Criminal Sanctions, Fines for Data Privacy Cases

EU regulators may propose expanded criminal penalties to enforce data protection rules that limit what companies and governments can do with personal information. People should also have the right to have their details deleted and to remove lists of friends, photos or medical records, according to a European Commission document obtained by Bloomberg. The proposals may also make it easier for data protection authorities and consumer groups to file lawsuits over privacy breaches. EU Justice Commissioner Viviane Reding has called for Internet users to have “effective control of what they put online and be able to correct, withdraw or delete it at will.” Changes could be made to the commission’s document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011. [Bloomberg

EU – EDPS Opinion of Info Mgmt in the Area of Freedom Security and Justice

The European Data Protection Supervisor (“EDPS”) reviewed the European Commission’s Communication entitled “Overview of information management in the area of freedom, security and justice“ (the “Communication”), covering EU-level measures regulating the collection, storage or crossborder exchange of personal information for the purpose of law enforcement and migration management. The Communication describes the purpose limitation principle as a key consideration only “for most of the instruments covered in this communication”; the EDPS recommended that (to avoid any uncertainty) any new instrument relating to information exchange in the EU must be adopted only if the purpose limitation principle has been duly considered and that any possible exceptions are decided on a case-by case basis. Other recommendations include the need to conduct a more specific and rigorous impact assessment on privacy and data protection (specific indicators and features should be developed), the alignment of data subjects’ rights (ensure that citizens benefit from similar data protection rights across all different EU systems and instruments dealing with information exchange), biometrics and system interoperability (develop a more coherent and consistent policy on the prerequisites for use of biometrics and a policy on systems interoperability), and accountability (put in place audit control systems to demonstrate compliance to external stakeholders, including supervisory authorities). [Source

EU – DPS: Justification, Safeguards Needed for PNR Use

European Data Protection Supervisor Peter Hustinx is speaking out against the use of passenger name records (PNR) to profile the potential risk of international travelers to their destination country. In an opinion issued this week, Hustinx said, “The proactive use of PNR data of all passengers for risk assessment purposes requires more explicit justification and safeguards,” calling for strict conditions on the processing, transfer and retention of sensitive data. He is also recommending that conditions for collection and use of PNR data “be considerably restricted” and EU-U.S. talks focus on “a consistent and harmonized approach on data protection.” [Source] [EDPS Press Release] [EDPS Opinion]

Facts & Stats 

WW – Number of Internet Users Doubles, U.N. Reports

According to a U.N. report, the number of people worldwide with access to the Internet has doubled within the past five years and is expected to surpass 2 billion by the end of 2010. The report comes from the International Telecommunication Union, the Geneva-based telecommunications division of the U.N. [Miami Herald

UK – ID Theft Costs UK US $4.3 Billion A Year

A study released by the United Kingdom’s National Fraud Authority highlights that ID Fraud affect 1.8 million Britons each year at a cost of £2.7 Billion. The study was released to coincide with the UK’s Identity Fraud Prevention Week and reveals that fraudsters were able to defraud more than GBP 1,000, or US $1,600, from each stolen identity. The Chief Executive of the National Fraud Authority, Dr Bernard Herdan, said “Stolen and false identities are a significant enabler of crime and this issue demands a co-ordinated response across government and the private sector.” The study also shows that victims can face up to 200 hours of effort in order to repair any damage caused to their credit rating due to identity theft. [The Register] [BBC]


US – Will 400,000 Secret Iraq War Documents Restore WikiLeaks’ Sheen?

After a brief quiescence, the secret-spilling website WikiLeaks is about to explode again onto the global stage with the impending release of almost 400,000 secret U.S. Army reports from the Iraq War, marking the largest military leak in U.S. history. Measured by size, the database will dwarf the 92,000-entry Afghan war log WikiLeaks partially published last July. “It will be huge,” says a source familiar with WikiLeaks’ operations, who spoke on condition of anonymity. Former WikiLeaks staffers say the document dump was at one time scheduled for Monday, October 18, though the publication date may well have been moved since then. Some large media outlets were provided an embargoed copy of the database in August. In Washington, the Pentagon is bracing for the impact. The Defense Department believes the leak is a compilation of the “Significant Activities,” or SIGACTS, reports from the Iraq War, and officials have assembled a 120-person taskforce that’s been scouring the database to prepare for the leak. [Source

CA – Mounties End Probe Into Destruction of Emails With No Charges Laid

The Mounties have decided not to lay charges in a case in which sensitive government emails were deliberately destroyed, ending a two-year probe regarded as an overdue test of Canada’s information law. The file, involving a nasty internal scrap at the National Gallery of Canada, was first referred to the Mounties by gallery officials in 2008. And earlier this year Canada’s information watchdog alerted justice officials after her own investigation found “records responsive to an access to information request were destroyed and individuals were counselled to destroy records.” The RCMP’s review of the case focused on Section 67.1 of the Access to Information Act, which provides penalties of up to two years in jail and a $10,000 fine for destroying government records or even counselling someone to conceal them from a requester. The section was added to the Act in 1999, after several high-profile cases in which military documents about Somalia, as well as Red Cross records, were shredded to prevent embarrassing public disclosures. But in the 11 years since, no one has ever been convicted or even charged under the section — and the RCMP probe was being watched closely to see whether the law was effective. The National Gallery case marks the first time the office of the information commissioner has ever referred a file to the attorney general of Canada for possible prosecution under Section 67.1. [Source]


CA – Privacy Commissioner Says Google Violated Privacy:

Google Inc. violated Canadian privacy law by collecting personal information from unsecured wireless networks across the country for its Street View service, Canada’s Privacy Commissioner said. “Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete emails,” said Jennifer Stoddart, the Privacy Commissioner of Canada, in a statement. “This incident was a serious violation of Canadians’ privacy rights,” she said. Noting that thousands of Canadians were likely affected, Ms. Stoddart said personal information collected by Google’s iconic Street View cars included complete emails, email addresses, user names and passwords, names and residential telephone numbers and addresses. Some particularly sensitive information was also inadvertently captured, such as a list of people suffering from certain medical conditions complete with their full names and contact information. Ms. Stoddart has given the world’s largest search engine a deadline of Feb. 1 to delete all offending Canadian data. She said her office will allow Google to keep any data relevant to ongoing legal proceedings as long as the data are secured and access is restricted. The company, which has already secured and restricted access to the Canadian payload data, is facing a number of lawsuits in the United States related to its Street View data-collection methods. [Source] [OPC Canada – Preliminary Letter of Findings – Google Inc.

CA – Google Ditches All Street View Wi-Fi Scanning

Google has no plans to resume using its Street View cars to collect information about the location of Wi-Fi networks, a practice that led to a flurry of privacy probes after the company said it unintentionally captured fragments of unencrypted data. The disclosure appeared in a report on Street View released this week by Canadian privacy commissioner Jennifer Stoddart, who said that “collection is discontinued and Google has no plans to resume it.” Assembling an extensive list of the location of Wi-Fi access points can aid in geolocation, especially in areas where connections to cell towers are unreliable. Google had said in a blog post in July that it had halted Wi-Fi data collection through its Street View cars, but had not said whether it would be resumed or not. [Source: CNET] [244,000 Germans say ‘no’ to Street View] [Here are instructions for mobile users on how to disable this feature] and [Digital photos can reveal your location, raise privacy fears] and [Privacy Rights Clearninghouse: Geotag, You’re It! What Your Smartphone Might Be Saying Behind Your Back] and [Cybercasing the Joint: On the Privacy Implications of Geo-Tagging] and [http://icanstalku.com] and [EFF. On Locational Privacy, and How to Avoid Losing it Forever] and also [CNIL Voices Concerns Over Facebook “Places” Feature] and [Spain’s Agencia Española de Protección de Datos (AEPD) has initiated a criminal sanction procedure and plans to impose a fine of over €2.4 million against Google, based on the outcome of its investigation into the collection of WiFi data 

US – Government Calls for Self-Regulatory Code

Following its September meeting on the “Digitization of Cities and States–Opportunities and Limits of Private and Public Geo Data Services,” the German government is recommending that industry propose a self-regulatory code for geo data services. Once the code is developed, it would then be agreed upon with the Federal Commissioner for Data Protection and Freedom of Information as well as state data protection authorities. The code would be expected to include privacy standards and rules applicable to the collection and use of geo data, the report states. A draft law to regulate the use of geo data services will be issued by December 7. [Hunton and Williams Privacy & Information Security Law Blog]

Health / Medical 

US – Gov’t Agencies Discussing HIPAA Requirements

A Department of Health and Human Services (HHS) advisory panel is recommending that healthcare providers supply patients with easy-to-understand notices of how their information will be used and protected when it is exchanged, while the Substance Abuse and Mental Health Services Administration continues to study whether HIPAA privacy protections for mental health information should include test data. HHS is recommending physicians discuss face-to-face information sharing practices with their patients and include a description of how their information will be used in their HIPAA-required privacy practices notice that is “written so that 90% of patients can understand it.” [Government Health IT]

Horror Stories 

US – Pennsylvania: Major Medical-Data Breach, 280K Affected

A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing – one of the largest recent security breaches of personal health data in the nation. The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state’s Department of Welfare, which has oversight. The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers’ subscribers. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs. “That seems grossly irresponsible,” said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group. “Why would you be hauling around private patient information to a health fair,” she said. “I can’t imagine what they were thinking, taking this data out of a locked room at company headquarters. “What’s tragic is that this is a particularly vulnerable group of people,” Peel said. “They tend to be vulnerable to identity theft, vulnerable to discrimination.” Medicaid recipients are low-income people. [Philadelphia Inquirer

US – VA Posts Latest Breaches, Improvements

The Department of Veterans Affairs (VA) is offering about 4,000 vets free credit monitoring services because in August their Social Security numbers were mailed to the wrong person, says a Gov Info Security report. The VA blames the breach on a mail merge error. The incident has been posted to the VA’s Web site in accordance with its new policy aimed at increasing transparency. The VA also announced that, due to increased technology funding, it is now able to identify all computers and other devices on its network and determine whether they are encrypted, says the report. [Source]

US – Survey Reveals That Data Theft is Biggest Loss for Businesses.

According to the latest edition of the Kroll Annual Global Fraud Report theft of data assets has risen by more than 50% in the past year to surpass physical property losses for the first time. Of the companies surveyed 27.3% stated that they had suffered losses due to theft of information or assets, which is an increase from 18% in 2009. In contrast the report highlighted that theft of physical assets or stock dropped from 28% in 2009 to 27.2% in 2010. The theft of computers, information being stolen via portable storage devices and attacks by cyber criminals using stolen login credentials were the most common causes for loss. The report also highlighted that despite the increase in fraud only 48% of the companies surveyed plan to increase their information security budget over the next 12 months, down from 51% in the previous year. [Financial Times] [ComputerWeekly]

Identity Issues 

WW – Facebook Launches One-Time Password Service

Facebook has begun a one-time password service to allow users to log in to their accounts on public computers without having to use their established passwords. The system works by users registering a certain mobile phone number with Facebook. When they text “OTP” to a number provided by Facebook (32665), they will receive back a one-time password that is good for 20 minutes. The idea is to prevent users’ regular passwords from being captured by keystroke logging software on public computers. Facebook has also launched a feature that allows users to log out of their accounts remotely and a service that prompts users to update their security information. [The Register] [BBC] [Heise Online

CA – Ontario Driver’s Licence Online Change of Address Subject to Fraud

An individual had discovered that the address associated with his driver’s licence and vehicle registration had been fraudulently changed to an incorrect address and subsequently that a credit application had been commenced in his name by providing a copy of his driver’s licence and Social Insurance Number (“SIN”) card; the organisation voluntarily shut down the address change function available on its website and kiosk. To authenticate that the individual requesting an address change was the actual licence holder, the website and kiosk only required a driver’s licence number as well as their current postal code – both of which appear on the driver’s licence; the Office of the Information and Privacy Commissioner found that the information required to access the change of address function should not be available on the driver’s licence itself or through other publicly available sources and the organization should create and implement protocols to detect and report suspicious address changes to individuals’ driver’s licences that have been completed through the website. [IPC ON Privacy Complaint Report PC10-36, PC10-42 and PI10-3 – Ministry of Government Services]

Internet / WWW 

WW – Data Protection Laws Expanding Worldwide

Dark Reading reports on the expansion of data protection laws across the globe as detailed in the report “A New Era of Compliance: Raising the Bar for Organizations Worldwide“ from the RSA and the Security for Business Innovation Council (SBIC). The report analyzes how new legislation and strengthened regulations are forcing businesses to change their approaches to compliance. In the report, which includes recommendations from SBIC for enterprise security teams, Art Coviello of the RSA notes, “Regulators are making it clear that you’re on the hook for ensuring the protection of your data at all times, even when it’s being processed by a service provider.”

Among the recommendations by the SBIC:

1.       Embrace risk-based compliance. Set up a program where everyone, from business-process owners and the board of directors, get the information needed to make risk decisions;

2.       Establish an enterprise controls framework. Create a consistent set of controls across the organization that maps to regulatory requirements and business needs;

3.       Set/adjust threshold for controls. Decide the proper level of security controls and ensure that you meet the legal requirement for “reasonable and appropriate” security;

4.       Streamline and automate compliance processes. Formulate an enterprise governance, risk, and compliance strategy that manages risk and compliance and includes appropriate visibility into controls;

5.       Fortify third-party risk management. Ditch “boilerplate” security agreements and adopt a strategy that covers “diversification, due diligence, rigorous contractual requirements, consequence management and governance”;

6.       Unify the compliance and business agendas. Incorporate compliance into the business and align it with the organization’s main goals; and

7.       Educate and influence regulators and standards bodies. That prevents overly prescriptive rules that can hurt businesses. “You need a broad perspective of all of the various legislation in the U.S. and elsewhere.” [Dark Reading] [Report]

Online Privacy 

WW – Facebook Faces Another Privacy Breach

The privacy of many users on Facebook has been compromised by a number of popular applications, or apps, used on the social networking site. An investigation by the Wall Street Journal identified a number of apps that access Facebook members’ personal details, even if their privacy settings were set to the most restrictive allowed within the social network. According to the report, up to 25 advertising and data gathering firms were exploiting the issue to enable them access the name of the persons using certain apps, and in some cases the names of those persons’ friends. One company, Rapleaf, was also found to have combined the user data accessed in Facebook with its own database of internet users. Rapleaf admitted that some of this information was also transmitted to other third parties, but claimed that this transmission was accidental. Facebook has responded by saying it will implement a solution to prevent this type of access to user data. [WSJ] [The Register] [BBC] [Net-Security

WW – Advocates Pleased with Facebook Changes

Privacy advocates are voicing approval of Facebook’s new privacy features, which will allow users greater control over their personal data. The changes include a “dashboard,” which will display to users which applications are active and the data they collect. The Electronic Frontier Foundation welcomed the change, the report states. “We think that this is an important step forward in terms of providing more transparency to users about where their Facebook data is going and who is using it.” Additional features will allow users to export all of their uploaded data from the site and create private groups for communications. [OUT-LAW.com] [Zuckerberg blog posting] Meanwhile: [Lawsuits Filed Against Facebook, Zynga] and [[US Reps. Edward Markey (D-MA) and Joe Barton (R-TX) have written to Facebook CEO Mark Zuckerberg following an investigation into third-party apps sharing user IDs with advertisers

WW – Facebook Vows to Fix a Flaw in Data Privacy

A WSJ report that some of Facebook’s most popular applications have been transmitting user information to Web tracking companies has privacy advocates and legislators sounding an alarm. While Facebook issued a statement that there is “no evidence that any personal information was misused or even collected,” The New York Times reports that the company plans to introduce “new technical systems that will dramatically limit the sharing of user IDs.” Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is considering launching a new investigation into Facebook’s privacy policies, and U.S. House Bipartisan Privacy Caucus Chairmen Edward Markey and Joe Barton have sent a letter to the company seeking more information on the way “third-party applications gathered and transmitted personally identifiable information about Facebook users and those users’ friends. [The New York Times

EU – Social Networks, Others Sign Data Protection Charter

French social networks, blogs, search engines and consumer protection associations are among those who have signed a charter on the right to personal data destruction. The charter is part of an initiative launched a year ago by French Secretary of State Nathalie Koscuisko-Morizet, the report states, and companies including Microsoft France have signed on, stating their commitment to put into practice principles of consent and not to hold data that is subject to requests for withdrawal or is found in “personal spaces.” A “virtual complaints office” is being established, the report states, along with measures to facilitate account closings. [Telecompaper

US – US Government Using Social Networks for Spying

The privacy watchdog the Electronic Frontier Foundation (EFF) has highlighted that a number of documents obtained from various US government agencies demonstrates that those agencies are actively using various social networking sites to spy on people. Some of the agencies involved include the U.S. Citizenship and Immigration Services which monitored the activity of people who applied for U.S. citizenship and the Department of Homeland Security which monitored commentary on various social networks during President Obama’s inauguration. The EFF highlighted that while the DHS attempted to ensure its monitoring of social networks was appropriate, the EFF had a number of concerns, “While it is laudable to see DHS discussing the Fair Information Practice Principles as part of the design for such a project, the breadth of sites targeted is concerning”. [V3.co.uk] [Net-Security] See also: [Obama Admin. Council Pushes to Reinforce Domestic Wiretapping]

Privacy (US) 

US – EPIC Privacy Report Card: Obama Gets a “D” in Civil Liberties

It’s grade card time and President Obama earned a big fat D as is doomed civil liberties, as in does have unchecked authority to kill you, and as in dangerous and overreaching state secrets arguments. It’s sad how our right to privacy seems to be decreasing while the government’s right to keep secrets seems to be growing. EPIC released the 2010 Privacy Report Card for the Obama Administration, giving Obama a “D” grade in Civil Liberties. Why? For the same reasons that the ACLU argues that the president does not have the unchecked authority to kill you, and EFF warns that the government is singing the same old state secrecy tune about wiretapping. President Obama ran his candidacy on change, and restoring the civil liberties and human rights that we had lost in the War on Terror. As PogoWasRight wrote, “Change we can believe in” was not supposed to be a harbinger of change for the worse. Jon Stewart collected some video clips to remind us that while running for President, Barack Obama promised to: (at 1:20) “Close down Guantánamo, restore habeas corpus, say no to rendition(s), say no to wireless wiretaps.”…(1:44) “Part of my job as the next president is to break the fever of fear that has been exploited by this administration.”…(3:22) “By giving suspects a chance, even one chance, to challenge the terms of their detention in court, we could solve this problems without harming our efforts in the War on Terror one bit.”…(5:22) “We are going to lead by example, by maintaining the highest standards of civil liberties and human rights.”…(5:32) “No more ignoring the law when it is inconvenient, that is not who we are….We will again set an example for the world that the law is not subject to the whims of stubborn rulers and that justice is not arbitrary.”…(6:15) Whether it was the run up to the Iraq war or the revelation of secret programs, Americans often felt like part of the story had been unnecessarily held from them.”…(7:08) “I know a little about whistle blowing and making sure those folks get protection.” If you watch Stewart’s video at the end of this article, you will see that each and every one of these presidential promises (and more) have been broken. A politician breaking promises? Imagine that. EPIC handed out this report card. When it comes to a grade in Civil Liberties, EPIC stated, “The Obama administration has aggressively asserted the ‘state secrets’ doctrine, expanded Fusion Centers and watch lists, and subjected all American air travelers to unconstitutional body searches in airports. Incredibly, the White House allowed the President’s Civil Liberties and Privacy Oversight Board to languish. Even the Bush administration made this a priority.” The ACLU is fighting against targeted killing and death without due process. Due to state secrets privilege, if you even found out that you were targeted by the CIA to be killed, you couldn’t even fight it in court because to mention state secrets jeopardizes national security. You see, the government keeps secret “kill lists,” but the Obama administration says that it’s a state secret who they plan to assassinate. Former Director of National Intelligence agreed that the government has a license to kill Americans that are secretly labeled terrorists. Since the Obama administration has asserted its authority to carry out “targeted killings” of U.S. citizens outside armed conflict zones, the ACLU is arguing that President Obama does not have unchecked authority to kill you. The ACLU said, “targeting individuals for execution who are suspected of terrorism but have not been convicted or even charged – without oversight, judicial process, or disclosed standards for placement on kill lists – also poses the risk that the government will erroneously target the wrong people.” The state-secrets doctrine seems as out of control as does what is happening to privacy, civil liberties and human rights during the War on Terror. Just look at how many people in peace groups or activists that have wrongfully been put on watchlists or been labeled as a terrorist. Spying on free speech is at Cold War levels! How soon before speaking out for civil liberties, privacy, freedom is also considered low level terrorism? At the rate things are going, could people who are activists, who are considered “low level terrorist” start to be targeted? In 2009, research showed that 10 or more civilians die for every terrorist killed by drone missiles. If the “CIA’s Predator drones targeting software was pirated” and faulty, so that it might “possibly miss its target by as much as 40 feet,” could the government then say oops, the software steered it wrong and take out even more alleged enemies of the United States? Would that too be considered a “state secret?” That sounds close to a conspiracy theory, but so does this: Media With Conscience reported on a dark secret that has been brought to light. Around 1948, when “U.S. officials were prosecuting Nazi officials for subjecting human beings to gruesome medical experimentation,” U.S. federal officials committed syphilis experiments at Tuskegee and on unsuspecting prisoners in Guatemalan jails. Yet none of those people could have their day in court even if they wanted to because of state secret doctrine. In fact, prisoners or detainees who were tortured during the “war on terrorism” have had their torture case dismissed for fear of revealing state secrets. EFF wrote that the state secrets privilege amounts to an immunity for government law-breaking. The “government has made the same dangerous and overreaching state secrets arguments in the domestic warrantless wiretapping cases.” The court had dismissed the legality of the NSA’s warrantless dragnet surveillance program “because so many Americans have had their communications and communications records illegally obtained by the government, no single person has legal ‘standing’ to challenge the ongoing program of government surveillance. In other words: if everyone is being spied on, no one can sue.” EFF argued,”that ruling risks creating a perverse incentive for the government to violate the privacy rights of as many citizens as possible in order to avoid judicial review of its actions.” The government says “the same thing it has been arguing for the past five years in every other warrantless wiretapping case: that any attempt by the courts to judge the legality of the alleged surveillance would violate the state secrets privilege and harm national security.” And now the government wants to wiretap the web. As was stated on Salon, “If the President has the power to order American citizens killed with no due process, and to do so in such complete secrecy that no courts can even review his decisions, then what doesn’t he have the power to do?” [NetworkWorld.com

US – FTC Commissioner: Report Won’t Recommend Laws

At an event in Washington, DC, Federal Trade Commission (FTC) member Julie Brill confirmed that the FTC’s soon-to-be-released report about behavioral advertising will not recommend the enactment of new laws, MediaPost News reports. Instead, Brill said, “We’re talking about a new self-regulatory framework.” Companies should improve the ways they provide notice to consumers, Brill said, adding that so-called Schumer boxes and nutritional labels are methods of notice that the commission would support. Brill also indicated that she would support the development of a do-not-track mechanism, the report states. [Source

US – NJ Copy Machine Law Moves Forward

A New Jersey Assembly panel has released legislation requiring data held on digital copy machines be destroyed before the machines are re-sold or thrown out. The bill, sponsored by Linda Greenstein (D-Mercer/Middlesex), aims to protect people from identity theft. “Consider all of the highly sensitive information stored on copiers used by both the public and private sector,” said Greenstein. “In today’s global economy, a copier used in a doctor’s office in Trenton could be re-sold to someone in South America, sending thousands of sensitive documents into the realm of the unknown…” Earlier this year, the FTC announced that it was working with manufacturers to make consumers more aware of these privacy risks. [TMCnet

US – Smart Grid Standards Released

The National Institute of Standards and Technology (NIST) has released five sets of smart grid interoperability and cyber security standards for consideration and adoption by state and federal regulators. [Information Week] [GCN] See also: [EU Expert Group 2: Regulatory Recommendations For Data Safety, Data Handling and Data Protection – Task Force On Smart Grids

US – DOE Warns over Smart Grid Privacy

The Department of Energy (DOE) has published a report on the rollout of smart grid technologies and their impact on privacy. The smart grid will collect and measure energy consumption data from residences, disclosing “fairly detailed information about the behavior and activities of a particular household,” the DOE report states. The DOE says lawmakers need to recognize and address the concerns. In particular, the DOE says that consumers should have control over whether third-parties may access or receive their energy data and calls for the creation of policies to ensure that utilities refrain from sharing customers’ energy usage data with third-parties without their authorization. [ComputerWorld] [Report] See also: [CDT Details Smart Grid Privacy Recommendations to California Public Utilities Commission] [CDT Submission

US – California Launches Online Inmate Locator

The California Department of Corrections and Rehabilitation (CDCR) has launched a new online database that will for the first time allow the general public to locate each of California’s 170,000-plus inmates who are housed in state penitentiaries. The Inmate Locator website is searchable by last name and first name, as well as corrections identification number. For each prisoner, the database lists the person’s age, admission date and the facility in which he or she is incarcerated, and also includes driving directions to the facility. The database is updated weekly. Correction officials said the online database was designed to help family members and friends stay in touch with their loved ones. The database doesn’t include release dates for the prisoners. Other government entities already offer inmate locators, including the Federal Bureau of Prisons, which tracks federal inmates who were incarcerated as far back as 1982. Many states, and police and sheriffs’ departments also offer similar online tools. California already put a detailed database online of the 63,000-plus registered sex offenders living in the state; half of the entries include the person’s home address. For each offender, a photograph and a list of known offenses is included. [Government Technology

US – Author Sues DHS to Make It Obey the Law With Its Vast Traveller Databases

In a post from last August, author Edward Hasbrouck explains why he and the ACLU are suing the US Department of Homeland Security to force them to disclose traveller records in response to Freedom of Information Act requests: “I’m suing the government because of the significance of commercial airline reservations and the DHS “Automated Targeting System” as one of the largest post-9/11 U.S. government surveillance programs, and one of the largest collections of Federal government dossiers about the lives of innocent civilians after the IRS (tax) and Social Security (retirement) databases. I’m suing the government because of the intimate personal details and the sensitivity of the information contained in airline reservations and the government’s records, which I’m familiar with from 15 years of travel industry experience with airline reservations and from the censored excerpts from its travel dossiers that the DHS has released to some other people who’ve brought them to me for help in understanding their coding and significance: not just credit card numbers and IP addresses but also friends’ telephone numbers, whether two people asked for one bed or two in their hotel room, and what book someone was carrying when they entered the country. I’m suing the government now, while I still can, because they have already tried to change the rules to exempt much of the information in PNR’s from disclosure, and to exempt themselves from any obligation to provide an accounting of what other government agencies, foreign governments, commercial entities, or other third parties they have “shared” this data with. (My requests were all made before these changes to the DHS Privacy Act regulations, so I’m entitled to this information regardless of whether the new rules are upheld.) [Source]

Privacy Enhancing Technologies (PETs) 

CA – Privacy Watchdog Mulls Fresh Facebook Probe

Canada’s Privacy Commissioner is considering launching a fresh investigation into the privacy policies of Facebook Inc. after it was revealed that some of the most popular applications, or “apps,” on the world’s largest social network have been transmitting the personal information of users to dozens of Web tracking firms. Raising the worst fears of privacy advocates around the world, The Wall Street Journal reported Sunday that dozens of Facebook apps — including all 10 of the most popular games on the site — have been secretly transmitting the personal information of Facebook users to advertising and Internet tracking companies, violating the site’s privacy guidelines. News of the privacy breach comes less than a month after Canada’s Privacy Commissioner, Jennifer Stoddart, announced that Facebook had solved a series of privacy problems raised in a landmark 2008 investigation by her office. Among the concerns raised in that investigation was the degree to which apps developed by third parties outside Facebook could access the information of the site’s users and their friends. Ms. Stoddart’s office is already investigating whether Facebook’s “Like” button and the service’s invitation feature, which suggests new friends to users, are on side with Canada’s privacy laws. [Source]


UK – Government States Cyber Attacks Are Amongst Biggest Emerging Threats

In its new national security strategy the UK government has identified that attacks on computer networks are amongst the biggest emerging threats to the security of the United Kingdom. Citing that cyber warfare is “one of the highest priority national security risks to the UK”, the UK government promised it will develop a programme to address threats “from states, criminals and terrorists”. Stating that the Beijing Olympics held in China received over 12 million cyber attacks each day, the document highlighted the 2012 London Olympics as being a “huge vulnerability” and that it was at serious risk of cyber attacks from those attempting to “defraud and possibly disrupt”. To deal with this emerging threat the UK government will be allocating a budget of GBP 500 million and the strategy will be managed by the recently appointed Office of Cyber Security. [BBC] [Independent] [ComputerWorld] See also: [Chertoff: Cold War Doctrines Needed for Cyber Warfare] and [DHS and NSA Announce Cyber Defense Partnership]

Smart Cards 

HK – Privacy Watchdog Completes Investigation on Octopus, Seeks Tighter Law   

The city’s leading e-payment operator Octopus holdings, which had admitted to sell about 2 million customers’ personal data to business partners, violated the principles of personal data protection, said Hong Kong’s privacy watchdog, which is seeking tighter law and larger power to protect the public’s privacy. Releasing his investigation report on the issue, the city’s Privacy Commissioner for Personal Data Allan Chiang said the company collected excessive and unnecessary personal data, and did not take appropriate measures to inform customers where their personal data will be transferred to. The company also sold the data to its business partners without obtaining customers’ clear and voluntary consent, he added. Octopus promised to delete excessive and unnecessary data collected under the program in two months’ time. Personal data which has been sold to the company’s five business partners will also be deleted. It will redesign the customer declaration form to make it more readable and give clearer definitions of data transferees. Chiang said he decided not to issue an enforcement notice to Octopus because the company pledged not make the same mistakes again. He also noted that the existing ordinance is inadequate to protect privacy because the commissioner has no power to penalize people or organizations violating the Personal Data (Privacy) Ordinance. Noting the Hong Kong government will soon propose amending the ordinance, the commissioner called on stakeholders and the public to discuss the issue. [Xinhua

US – Credit Cards Soon to Get a Makeover

The simple credit card is about to get a makeover. Next month, Citibank will begin testing a card that has two buttons and tiny lights that allow users to choose at the register whether they want to pay with rewards points or credit, at most any merchant they please. Other card issuers are testing more newfangled cards, including some that can double as credit and debit cards, and cards with fraud protections baked right into the plastic. One, for instance, shows a portion of the account number only after the cardholder enters a PIN. [The New York Times]


US – Parents Monitor Children’s Social Network Use

A recent TRUSTe survey found that nearly 72% of parents monitor their children’s social networking accounts and even more know how much time their teens spend online and the types of photos they share. “The data clearly shows that parents place the utmost importance on their teens’ online privacy and control of their personal information,” said Fran Maier of TRUSTe. Meanwhile, 80% of teens responding to “The Kids Are Alright,” as the study is called, said they use their privacy settings to hide content from parents or friends, the report states. [Source]

Telecom / TV 

WW – Information Warfare Monitor Announces RIM Monitoring Project

Recently a number of governments have threatened to ban Research in Motion’s BlackBerry services if the company does not make encrypted BlackBerry data and other content available to state authorities . A major concern of these regimes is that BlackBerry data can be encrypted and routed through servers located outside of their jurisdictions. Unconfirmed reports have circulated that RIM has made data sharing agreements with India, Saudi Arabia, and United Arab Emirates. Other countries are also requesting the company locate data centres within their jurisdictions. The RIM Check Web site is a research project designed to gather information on how traffic exits the BlackBerry network depending on the country in which the user is located. The findings from this project will be published and made publicly available. This project is being conducted by the Information Warfare Monitor and the Web site is maintained by the (Citizen Lab at the Munk School of Global Affairs, University of Toronto). The RIM Check project is inspired by a broad need to monitor the activities of private sector actors that own and operate cyberspace, particularly as they come under increasing pressure to cooperate with governments on national surveillance and censorship laws, policies, and requests. Decisions taken by private sector actors, often at the behest of governments seeking access to their data or assistance blocking Web sites, can have major consequences for human rights. These decisions can lack transparency and public accountability. This project is meant to address that lack of transparency. [Source] [Canada project aims to track BlackBerry traffic] [U of T researchers to study BlackBerry security deals] [RIM BlackBerry Data Studied Amid Government Pressure] See also: [India – Govt Asks BlackBerry to Provide Access to Services by Dec 31]

US Legislation 

US – Introduces Legislation to Prevent Privacy Abuse of Cell Phone Tracking

Senate Majority Leader Barbara Buono (D-Middlesex) has introduced legislation to require cell phone companies to disable a cell phone’s global positioning system (GPS) function at the customer’s request – a concern highlighted by a recent Wall Street Journal article reporting on instances of misusing cell phone tracking technology. Global positioning systems used by cell phone companies have made it significantly easier for stalkers to track their victims. According to a U.S. Justice Department report last year, more than 25,000 adults in the U.S. are victims of GPS stalking annually. “The Wall Street Journal article outlines numerous examples in which women have escaped abusive relationships only to be tracked down and murdered using this technology.” said Senator Buono, whose bill would also direct cell phone companies to inform customers who purchase a new cell phone, both verbally and in writing, that the phone’s GPS capability may be disabled. Additionally, a text message would be sent to current subscribers providing the customer with information on how to disable their phone’s GPS function. [Source] See also: [US: GPS Tracking Ignites Privacy Outcry]

Workplace Privacy 

US – Veteran’s Agency Tracking Computer Security

As part of its ongoing initiative to ensure the security of its data, the Department of Veterans Affairs (VA) has implemented the Visibility to Desktop Initiation, reports the Federal Times. The program gives the department the “ability to, at any given time, look at the status of all 333,000 machines in the network from a central location. This includes the hardware, software, patch level, level of security compliance and membership of the administrative group,” said Jerry Davis of the VA Office of Information and Technology. In addition, the VA has installed automatic encryption software on tens of thousands of computers, among other improvements. [Source

EU – French Court Rejects Geolocation Evidence in Employee Privacy Case

A French court rejected a company’s GPS evidence used for an employee termination on the basis that the company failed to provide proper notice to employees regarding the use of GPS in company vehicles and to register the data processing with the French data protection authority (the “CNIL”). According to the Labour Code and CNIL recommendations, companies must notify employees individually when geolocation devices are used for tracking purposes, works councils must be consulted prior to program implementation, and employees must have the ability to deactivate the system when driving company vehicles after working hours; the CNIL-issued standard (“Norm 51”) exempts companies from registration if they self-certify to Norm 51 (they must comply with Norm 51’s stipulations) or they must file the usual notification. [Hunton & Williams LLP] See also: [New York to release teachers’ ratings]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: