23-31 October 2010

Privacy News Highlights:
23-31 October 2010 


WW – International Privacy Commissioners Approve PbD Resolution

At their annual conference in Jerusalem, international data protection and privacy commissioners approved a landmark resolution recognizing privacy by design (PbD), a concept coined by Ontario Privacy Commissioner Ann Cavoukian. The resolution, co-sponsored by Canadian Privacy Commissioner Jennifer Stoddart and commissioners from Berlin, New Zealand, the Czech Republic and Estonia, encourages privacy as the default and invites commissioners to promote that privacy be built into companies as the default mode. It also encourages commissioners to foster PbD’s foundation principles into privacy policies, and to push for legislation and research on PbD in their jurisdictions, the report states. At the event, Cavoukian called the current moment a tipping point for privacy. [Source] [Press Release

CA – OIPC BC Privacy Guidelines for Landlords and Tenants

A tenant may refuse to provide information or give consent to a landlord when the information is not reasonably required to establish or manage the tenancy; an individual may not withdraw consent if doing so would frustrate the performance of a legal obligation – including the tenancy agreement. If a landlord has legitimate concerns about a tenant’s ability to make regular payment of rent then it may be reasonable for the landlord to request proof of financial capacity from the tenant; (tenants may consider removing information from the application form that the landlord does not require – e.g. a social insurance number); a landlord should not demand a tenant’s banking information or credit card information and cannot collect, copy or use a person’s driver’s licence information. Video equipment can be installed only for reasonable purposes – such as to address real security concerns; adequate notice and signs warning tenants and visitors that the premises are being monitored by a video surveillance system for security purposes must be posted. When a tenant’s account is in arrears, the landlord can use personal information without consent for the purposes of collecting a debt (e.g. unpaid rent, fees and utilities and costs to repair damage caused by tenant); a landlord must have a tenant’s consent to disclose information about the tenant to a collection agency collecting a debt on behalf of an organization other than the landlord. [Source

CA – Privacy Commissioner Makes Public Draft Report on 2010 Consultations

In the spring of 2010, the Office of the Privacy Commissioner of Canada held public consultations on online tracking, profiling and targeting, and cloud computing. The Office received 32 written submissions and held three public events in Toronto, Montreal and Calgary. These events were attended by representatives of industry and government, academics, and advocates, as well as members of the public. The OPC has now posted the draft consultations report for comment on trheir website. The draft report summarizes the input gathered during the course of the consultations and proposes specific actions that the Office will undertake going forward. It also identifies issues for which we are seeking further input. We would like to encourage any interested parties to read the report and submit feedback via our website. The deadline for feedback is November 26, 2010. [Source]


EU – 2.9% of German Households Opt Out of Street View

More than 244,000 Germans have opted out of having images of their homes accessible on Google Street View. That figure is about 2.9% of households in Germany’s 20 largest cities. Google has been highly attuned to Germany’s privacy concerns since an audit of their Street View data collection practices in that country revealed that they were collecting data packets from unprotected wireless routers. [CNET] [NYTimes] See also: [U.S. ends inquiry on Google’s Street View data grab]


US – Real Privacy Scandal on Social Networks: Feds Are Spying on “Friends”

All the hoopla over the Wall Street Journal’s so-called Facebook “privacy breach” article, it’s subsequent and curiously-timed MySpace followup, and also the New York Times’ take on the ability of Facebook advertisers to target ads for nursing schools to gay men is unwittingly creating cover for a social networking privacy issue that’s much bigger. It might be surprising to some, but it turns out that U.S. federal agents have been urged to “friend” people in order to spy on them. The feds operate such social sting operations aided by the fact that there are very few individuals that actually know every single person in their “friend” list on Facebook. For instance, it is typical to connect to someone because one thinks they might have met them. Or, a connection might take place because two people share common interests and want to view each other’s news posts going forward. But that’s not how the government sees it. In a memo obtained through the Freedom of Information Act, the Electronic Frontier Foundation (EFF) discovered that the Feds see Facebook as a psychological crutch for the needy. Here’s a direct quote from a U.S. Citizenship and Immigration Services (USCIS) memo: “Narcissistic tendencies in many people fuels a need to have a large group of “friends” link to their pages and many of these people accept cyber-friends that they don’t even know.” The memo explains that these “tendencies” provide “an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities.” [Source] See also: [Mass Surveillance and State Control: The Total Information Awareness Project]


UK – 1 in 10 Websites Spews Spam

The spam research firm revealed spam created by websites has risen by 110% since October last year. Furthermore, one in five websites automatically opt-in consumers when it comes to sharing their details with third-parties, despite the fact its breaches e-mail marketing best practice. Spam Ratings said Argos, Ticketmaster and Money Supermarket were among the offenders. Two in five of spam e-mails that contain malware feature pharmaceutical or sex-related content, while 35%% are related to finance and 15% are phishing emails that impersonate bona fide sites in a bid to steal log-in details. Three-quarters of emails from the UK’s top 10,000 websites are either unwanted, nuisance or dangerous spam e-mails. Andy Yates, co-founder of Spam Ratings, urged consumers to web users to be when shopping online or signing up to websites. The research firm has also started a Stop Spam Abuse campaign on Facebook. [Source]

Electronic Records 

US – FTC/HHS to Hold December Roundtable on PHR

The Department of Health and Human Services and the FTC will hold a daylong roundtable discussion on December 3 in Washington, DC, to solicit industry input on privacy and security requirements for personal health records and related service providers. The event, to be held at FTC headquarters, will include four panel discussions between researchers, legal scholars and industry stakeholders, the report states. The discussion aims to address the “current state and evolving nature of PHRs…consumer and industry expectations and attitudes toward privacy and security practices,” among other topics. A public comment period will begin in November. [Health Data Management] [Event registration Info

US – Push for Better Ways to Share E-Health Records

The country’s largest network for paperless prescribing is poised to help tackle the problem of e-charts stored in one doctor’s computer that often can’t be read by another’s across town. Surescripts is expanding so that doctors around the country can choose to share medical reports, X-rays and other health data over its network much as they send e-prescriptions to drugstores today, regardless of what competing brand of computerized health records they use. With 200,000 doctors already using Surescripts for e-prescribing, the move is among the largest of a growing number of efforts to connect electronic medical records – including work to link Veterans Affairs hospitals with private physicians in certain cities, and half a dozen soon-to-start pilot projects in a government-industry partnership. And that push comes just as doctors and hospitals are scrambling to qualify for some of the billions in federal money available starting next year to help defray the costs of investing in e-health, if they meet requirements that include being able to share some records. [Source]


WW – Facebook to Employ Encryption to Protect User IDs

Facebook says it will use encryption and other data protection measures following reports that users’ data were being shared with third parties. Facebook policy forbids application developers from sharing Facebook User IDs (UIDs) with third parties, but the company said that “some developers were inadvertently sharing [the data] via the HTTP Referrer header.” In related news, a Minnesota woman has filed a class-action lawsuit against Zynga, the company responsible for the popular FarmVille and Mafia Wars games on Facebook, for sharing user information with third parties, and data aggregator Rapleaf said it is no longer sharing user identifiers with advertising networks. [Source] [Source] [Source] [Source] [Fast Company]

EU Developments 

EU – Europe Amplifies Objections to U.S. Data-Sharing Demands

The Obama administration has encountered mounting resistance in Europe to its demands for broad sharing of airline passenger data and other personal information designed to spot would-be terrorists before they strike. European privacy advocates have long criticized the U.S. effort to scoop up as much information as possible on U.S.-bound travelers, saying it violates Europe’s traditionally stringent data privacy laws. But their power to criticize was boosted recently to the power to block. Since Dec. 1, the Lisbon Treaty has given authority over such accords to the European Parliament, where privacy concerns are embraced. As a result of lawmakers’ concerns, the European Union executive has demanded a renegotiation of the four-year-old agreement laying out the conditions under which European airlines can supply passenger data. The move amounts to a recognition that the current accord, renegotiated after the European Court of Human Rights struck down the first version, could never be approved in the European Parliament as it stands. The negotiations for a new deal, due to get underway in coming weeks, will be conducted by the European Union’s executive commission, which in the past has been more amenable than the parliament to U.S. concerns. The 27 E.U. heads of state are scheduled to approve the commission’s negotiating mandate at a summit conference in December. But privacy advocates have said that regardless of what the heads of state decide, there is a majority in parliament that will reject any accord that does not meet their concerns. The United States would oppose any attempt to make the new agreement invalidate the dozens of agreements, most of them secret, that the United States has concluded with individual European governments. But several European Parliament members said that leaving those accords intact would make no sense if they violate the pan-European agreement, insisting they would have to be updated. [Source

EU – Austria to Go to Court on Data Protection Directive

In the latest of a series of actions meant to bolster the E.U.-wide, 1995 Data Protection Directive, the European Commission announced that it is taking Austria to court for failing to establish a completely independent data protection authority. The news comes as the Commission reviews the directive, the cornerstone of legal data protection in the E.U. In June, the Commission went to court against Luxembourg for failing to transpose the Data Retention Directive. And in March, Germany was declared in breach of E.U. rules on the independence of the data protection authority by the European Court of Justice. The ruling in that case stated that those bodies responsible for supervising personal data processing must remain free from any external influence, including the direct or indirect influence of the state. Even the risk of political influence through state scrutiny could hinder this independence, the court said. In the current Austrian situation, the Commission believes that independence is not guaranteed because the authority is under the supervision of the Federal Chancellery, is run by a senior Chancellery official and does not control its own staff nor have its own budget. With the directive currently under review, the move to take Austria to court sends a clear signal that the Commission wants to see the rules applied properly across all E.U. countries. A criticism leveled at the directive by the Commission’s own Article 29 Working Party (WP29) in July was that the directive is not applied in a homogenous manner by all member states. In a recent Commission Communication, it conceded that further harmonization and approximation of data protection rules need to be provided at E.U. level. Following reactions to this Communication there will be an impact assessment and legislative proposals presented in 2011. [Source

EU – Israel to Join List of ‘Adequate’ Data Protection Nations

Israel will become just the seventh country to have its data protection laws approved by the European Union. The approval means that companies can transfer personal data to that country freely, without breaking EU law. Uruguay’s application for the same treatment has been backed by a technical committee but still requires political approval before making it on to the list of approved nations. The Data Protection Directive generally prevents personal data being sent outside of the European Economic Area except to countries whose data protection regimes are deemed to give ‘adequate’ protection, unless the transfer can be justified by other means. A European Commission list of countries (54-page PDF) deemed to be adequate consists of Switzerland, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and Canada, as long as the recipient of the information is subject to the Canadian Personal Information Protection and Electronic Documents Act. Data can also be transferred to the US if the organisation receiving the material subscribes to the US Department of Commerce’s Safe Harbor Privacy Principles. Israel will join the approved list in a month. Though the European Parliament has a month to scrutinise the decision, it cannot change it, a European Commission spokeswoman said. [Source]

Facts & Stats 

UK – No Terror Arrests From Stop and Search, Says Government

Not one person stopped and searched under anti-terrorism powers in Britain was arrested for terrorism-related offences last year, figures show. The Home Office statistics also showed no terror suspects had been held in custody before charge for longer than 14 days since 2007. In all, 101,248 people were stopped and searched in England, Wales and Scotland under Section 44 of the Terrorism Act. Of the 506 arrests that resulted, none was terrorism-related. Since July, police are not allowed to stop and search people unless they “reasonably suspect” them of being a terrorist. The use of stop-and-search powers fell by 60% compared with 2008-09. The latest figures are likely to raise questions about the future of controversial powers which allow police to detain terror suspects for between 14 and 28 days before charging them. Detention and stop-and-search powers are being looked at as part of a review of the government’s counter-terrorism policy by the Liberal Democrat peer Lord Ken Macdonald, whose findings are due to be published shortly. Alex Deane, director of Big Brother Watch, which campaigns against intrusions into privacy, said the figures were not surprising. “Rather than a genuine counter-terrorism tool, random stop and search has been a way of bullying and hassling our increasingly abject population,” he added. “We have to decide what kind of society we want to live in. Random stop and search allows the state to confront the individual in the street, without cause, and demand your papers. It’s wrong.” [Source] [Police stopped 101,248 under anti-terror law last year – but didn’t make a single arrest]


WW – PCI-DSS Standards Version 2.0 Released

The Payment Card Industry data-security standard (PCI DSS) 2.0 was released this week. Some of the notable revisions include more responsibility on merchants to find cardholder data in their computer systems ahead of their PCI audits and steps taken by the council to help small merchants meet PCI duties, but overall, the standard is largely unchanged from its previous version. The PCI Council’s European regional director called the changes “steady as she goes.” However, the new standard does include additional guidance on the scope of PCI compliance, best practice on risk ranking and guidance on potential “rogue access points” in computer systems that could allow for data hacking. [Digital Transactions] [PCI-DSS Documents]


CA – Skeptical Voters Wary of Federal Liberals’ Transparency Plans

Canadians have become so used to Stephen Harper’s tight control over government that it’s hard to remember he won the 2006 election on a promise of transparent, accountable government. Now, Michael Ignatieff’s Liberals are lining up with the same campaign pledge, pitching a promise “to create a new era of accountability.” “A Liberal Government will launch the single largest effort of government openness and transparency in Canadian history through the Liberal Open Government Initiative.” The party says it will create three websites that would allow citizens a peek inside all government programs and processes.

  • Opendata.gc.ca would make government data available online and at no cost.
  • Accesstoinformation.gc.ca would list access requests, responses and response times.
  • Accountablespending.gc.ca would detail government grants, contributions and contracts.

The only constraints on the material would relate to privacy and legal concerns. “The default position should always be to provide information to the public,” asserts a Liberal report on the initiative released last week. In making information more accessible, Canada would be moving in the direction of other progressive governments. [Source] See also: [Name researchers who fake results, academics urge

US – Alaskan Senate candidate Miller Loses Privacy Ruling

Senate candidate Joe Miller’s onetime employer must release most records about his tenure as a part-time lawyer for a local government, an Alaska superior-court judge ruled. “Mr. Miller is a public figure by virtue of the fact that he’s a candidate for the U.S. Senate,” said Superior Court Judge Winston Burbank at a hearing. He continued, “The court concludes that the public’s need to know is more compelling than Mr. Miller’s right to privacy.” He ruled some information shouldn’t be disclosed for reasons including the privacy of the people involved and client-attorney privilege. [Wall Street Journal Blogs] See also: [Canadian Forces won’t change access to staff records despite Williams case]


WW – Google: We Collected e-Mails, Passwords – Sorry!

Google collected e-mails, passwords, and URLs while the company was snapping images for its Street View service, it admitted in a blog post. However, Google’s senior VP of engineering and research, Alan Eustace was quick to point out that “most of the data is fragmentary,” and the company will delete the information “as soon as possible.” Google’s admission that it collected passwords and e-mails adds further detail to the comments it made back in May when it first announced it had been collecting data from Wi-Fi networks. At the time, the company said that it inadvertently collected “publicly broadcast SSID information and Mac addresses using our Street View cars.” Eustace acknowledged in today’s blog post that at the time of the original announcement, Google had not “analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained.” However, several government regulators have. In fact, the Canadian government revealed findings this week that matched much of what Google admitted to today. The government found that a password and username “were included in an e-mail message that a person was sharing with others.” In addition, the government’s privacy officials found 678 phone numbers, 787 e-mail headers, and “at least five” complete e-mail messages. Although the Canadian government said that Google’s data collection broke the law, Jennifer Stoddart, the country’s privacy commissioner, closed the investigation, saying that it was the “result of a careless error.” Canada wasn’t alone. Earlier this year, French privacy officials who analyzed Google’s data also said that passwords and e-mails were collected by Google. But U.K. watchdogs said back in July that they had not found “meaningful personal details” in the data they analyzed. Regardless, Google seems committed to ensuring it doesn’t suffer a similar embarrassment in the future. The company said that its director of privacy, Alma Whitten, will help “build effective privacy controls” into Google products and practices. In addition, the company will initiate a new “information security awareness program” in December that will require all employees to be trained on the importance of privacy and security. Finally, Google will require all project leaders to have a “privacy design document” that will detail how user data is kept private in a particular product. The company said those documents will be reviewed by the project leaders’ managers, as well as the company’s internal audit team. [Source] [Google apologizes for privacy lapses] See also: [ICO Announces Investigation Into Street View Wi-Fi Blunder] AND ALSO: [Google Names New Privacy Director Alma Whitten] 

EU – Italy Orders Street View Cars Marked & Itinerary Posted

Italy’s privacy regulator has told Google Inc it will have to make sure its “Street View” photo-collecting cars are clearly marked and their itinerary is publicized. Under the regulator’s decision, Google has to publish three days in advance on its website, in local newspapers and on radio in which locality, including which area of a large city, the cars will be operating. [Source]

Health / Medical 

US – Tuberculosis Privacy Suit Revived; Patient says CDC Leaked Information

The Atlanta man who was thrust into the center of a 2007 international tuberculosis scare won a major legal victory when a federal appeals court revived the lawsuit he filed claiming health officials publicized his condition to make an example out of him. The 11th U.S. Circuit Court of Appeals reversed a lower court’s decision to dismiss the lawsuit on grounds that Andrew Speaker didn’t show enough evidence that the Centers for Disease Control and Prevention was to blame for the breach in Speaker’s privacy. The three-judge panel found that there was enough evidence to “raise a reasonable inference, and thus a plausible claim, that the CDC was the source of the disclosures at issue.” Speaker claimed in the lawsuit that the CDC revealed his private medical condition at news conferences beginning in May 2007 to dramatize the possibility that diseases such as TB can be transmitted worldwide. Government attorneys countered that there was no proof the CDC leaked his name to the press, and noted that Speaker, who is himself an attorney, wrote about parts of his ordeal online. [Source

US – Online “Data Scraping” Sparks Debate About Patient Privacy

After a company collected information from a health website where intimate details of illnesses are shared, a question arises: How much confidentiality can users expect? A recent “data scraping” incident involving a patient advocacy site ignited a discussion about the value of patient data and efforts to protect it. Social networking health site PatientsLikeMe became aware in May that the Nielsen Co. was using its automated data collection tool, BuzzMetrics, to obtain data on its community members who often share intimate details of their illnesses, treatments and medication history online. Nielsen’s automated system, which scrolls websites looking for specific keywords and topics, is used to monitor online “buzz” on services and products for clients, which include major drug manufacturers. Patients must create a unique login to participate in discussions on the PatientsLikeMe website, and Nielsen’s system was creating member accounts to gain access to the discussion boards. After The Wall Street Journal published an article about data scraping in which members of PatientsLikeMe were quoted as feeling violated after they discovered what Nielsen was doing, the company announced that it was no longer scraping sites for which a login is needed without the website operators’ permission. [Source]

Horror Stories 

US – Medical-Data Breach Said to Be Major

A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing – one of the largest recent security breaches of personal health data in the nation. “We deeply regret this unfortunate incident,” said Jay Feldstein, the president of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state’s Department of Welfare, which has oversight. The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers’ subscribers. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs. “That seems grossly irresponsible,” said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group. “Why would you be hauling around private patient information to a health fair,” she said. “I can’t imagine what they were thinking, taking this data out of a locked room at company headquarters. “What’s tragic is that this is a particularly vulnerable group of people,” Peel said. “They tend to be vulnerable to identity theft, vulnerable to discrimination.” Medicaid recipients are low-income people. [Source] [Expert: Medicaid Data Breach Illustrates Need for Encryption] See also: [Medical Identity Theft a “Significant Problem”

US – Private E-mail Reaches 2,400 Students

A Delaware college has apologized to 18 students for distributing an e-mail outlining their academic failures to the student population. The e-mail named students at risk of failing and was sent by a high-level administrator at Wesley College who had intended to send the e-mail to a dozen fellow academic advisers but inadvertently used a listserv that sent it to Wesley’s 2,400 students, the report states. A Wesley spokesman said the college will now require those with access to sending campus-wide e-mail to gain approval from a second administrator before sending. [The News Journal] See also: [UH’s Third Breach This Year Exposes Info on 40,000

CA – Dumpster Diving Turns Up Personal Information in Toronto Area

People and businesses, particularly the health-care sector, are improperly discarding sensitive personal information, putting Canadians at risk of fraud and identity theft, according to results of a study released this week. Seven out of 50 commercial Dumpsters and recycling bins surveyed by the National Association for Information Destruction, an international industry group, contained documents with easily-accessible personal information. This included full names, addresses, telephone numbers, medical conditions, driver’s licences and health card numbers. The results were from a random sample in September of Dumpsters in Toronto and in Brampton, Ont. In all, investigators discovered information on more than 100 patients. All of the documents collected for the study have been disposed of. The organizations involved have not been contacted and were not named. The group says this is the first year it has conducted this study, which it plans to repeat annually. [Source]


Identity Issues 

US – ID Theft: SARs On the Rise

The majority of identity theft incidents reported by U.S. financial institutions don’t relate to phishing attacks and spoofed website pages. According to a new ID theft report from the Financial Crimes Enforcement Network, most cases of ID theft are linked to a victim’s family members or coworkers. John Summers, a lead in FinCEN’s report, “Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports”, says ID theft perpetrated by family, friends and business partners ranked No.1 among SARs filed by U.S. depository institutions in 2009. “In 27.5% of the filings, this was the highest,” he says. “It basically means someone close to them was getting access to their files and using their information.” Summers says only 3.5% of the ID theft incidents reported in SARs related to computer viruses and Trojans, such as Zeus. For vishing and phishing, the incidents reported were even fewer. “The only ones I found were in new data, and it would only come out to .15%,” he says. “That does not mean those types of attacks did not occur and account for theft and losses. It just means that the victim was not aware and did not report it as a phishing (or vishing) attack.” [Source

CA – New Electronic Passports Unveiled

The federal government rolled out some details of its new 10-year electronic passport this week, saying that Canadians who know about the new document seem to like it. The new passport will contain a photograph but not biometric data such as fingerprints or iris scans. Adults will be able to choose between a five-year passport and one valid for 10 years but children will be able to get only the five-year document. About 80 countries issue e-passports and Canada is the only G8 country not to issue electronic passports to the general public. Canada chose not to include fingerprints and iris scans, which weren’t needed to comply with the standards of the International Civil Aviation Organization. Right now the ICAO standard is the facial image. The Passport Canada survey said about 55,000 Canadian passports were lost or stolen in 2008-2009. The country issued 4.38 million passports in the same period. However, some people have raised concerns about privacy issues. The Canadian Civil Liberties Union worried about the confidentiality of information contained on the passport’s microchip. [Source] See also: 

US – Emergency Access Granted in Test of Interoperable ID system “Autumn Blend”

A recent national emergency preparedness exercise successfully demonstrated an interoperable, electronic identity authentication system for government and private-sector personnel. Known as Autumn Blend, the event was coordinated by the Homeland Security Department’s Federal Emergency Management Agency and Northrop Grumman. It included federal, state, local and private-sector emergency response and recovery officials. Autumn Blend participants used standardized personal identity credentials across multiple networks, such as government and corporate authentication systems. According to Northrop Grumman, the automated authentication process allowed officials to quickly make decisions about access management, provide situational awareness, begin post-event reconstruction and maintain cybersecurity capabilities. The variety of credentials included the Defense Department’s Common Access Cards, DHS’ First Responder Authentication Credentials, governmentwide Personal Identity Verification cards, and PIV-Interoperable credentials for nonfederal government partners. Mobile and fixed devices electronically validated participants’ identities through personal identification credentials, ID numbers and biometrics. Logical access through personal identification allowed personnel to use computers for secure e-mail collaboration. As the authentication systems cleared individuals for access to the venue, the Virginia Interoperability Picture for Emergency Response geospatial application tracked and displayed their locations in near real time at fusion and emergency operations centers across the country. [Source]

Intellectual Property 

US – IT Worker Gets Prison After Stealing Data for Online Surveys

A former IT staffer has been sentenced to a year and a day in prison for stealing sensitive information belonging to his co-workers and using the data to make money filling out online health surveys. Cam Giang, 31, was fired from the University of California San Francisco Medical Center earlier this year after investigators discovered that he’d been using the names, birthdays and Social Security numbers of other UCSF employees to fill out hundreds of online surveys. The point was to collect online vouchers, worth US$100 each. He had worked at the medical center’s IT department for five years and had access to the sensitive information through his job, according to court records. In early May, the UCSF warned 486 people that their information had been accessed. [Source]

Internet / WWW 

CA – Online Privacy Fears Raised

The Alberta provincial government and the University of Calgary must do a better job of protecting against unauthorized access to confidential online information, warns Alberta’s auditor general. Service Alberta and the U of C each came under fire in Merwan Saher’s latest report, released this week, for not demonstrating they’ve implemented adequate security policies, despite previous warnings. The provincial government manages a large volume of information — including corporate financial data and personal health and driver’s licence records for Albertans — which is stored online on servers across the province, Saher noted in the report. Despite progress on an “IT governance and control framework” begun in 2008, Service Alberta can’t yet demonstrate the plan is being applied in all government departments, Saher said. “The possibility, the risk of there being corruption of the system, inappropriate entry into a system, is real, it’s not imaginary, so Albertans should be concerned,” he told reporters.[Source]

Law Enforcement 

US – Thousands of Street Stops by New York Police Legally Unjustified

Tens of thousands of times over six years, the police stopped and questioned people on New York City streets without the legal justification for doing so, a new study says. nd in hundreds of thousands of more cases, city officers failed to include essential details on required police forms to show whether the stops were justified, according to the study written by Prof. Jeffrey A. Fagan of Columbia Law School. The study was conducted on behalf of the Center for Constitutional Rights, which is suing the New York Police Department for what the center says is a widespread pattern of unprovoked and unnecessary stops and racial profiling in the department’s stop-question-and-frisk policy. The department denies the charges. The study examined police data cataloging the 2.8 million times from 2004 through 2009 that officers stopped people on the streets to question and sometimes frisk them, a crime-fighting strategy the department has put more emphasis on over the years. But as the number of stops has jumped — to more than 570,000 last year from 313,000 in 2004 — the practice has come under increasing scrutiny, from lawmakers at City Hall and Albany and from civil libertarians including the constitutional rights center and the New York Civil Liberties Union. Professor Fagan found that in more than 30% of stops, officers either lacked the kind of suspicion necessary to make a stop constitutional or did not include sufficient detail on police forms to determine if the stops were legally justified. The study also found that even accounting for crime patterns in the city’s various neighborhoods, officers stopped minorities at disproportionate rates. Nearly 150,000 of the stops — 6.7% of all cases in which an officer made a stop based on his own discretion, rather than while responding to a radio call in which some information had already been gathered — lacked legal sufficiency, the study concluded. Stops were considered unjustified if officers provided no primary reason articulating a reasonable suspicion for the stop. An additional 544,000 cases, or 24% of all discretionary stops, did not have enough information on the forms that officers are required to fill out after such encounters. [NY Times

EU – Sweden to Extend Police Powers on Data Access

The Swedish government wants to extend the powers of police and prosecutors to access personal details from internet service providers in cases of less serious offences such as filesharing, libel and grooming. Currently, ISPs may be required to hand over IP address and personal details of customers suspected of crimes subject to custodial sentences, but the government wants to extend the law to cover offences that are punishable only by fines. The proposals are including in a justice department memorandum read by the TT news agency, in which is stated, “Procurement is proposed to be possible for all crimes, namely the requirement that imprisonment should be prescribed for the offence, and that according to the authority’s judgement could result in penalties other than fines, should be removed.” Furthermore, it is proposed that the police be given access to information from mobile telephone operators detailing the location of missing persons if there is an established risk to their life or well-being. The changes are proposed to be introduced in connection with the adoption of the EU Data Retention Directive. Sweden has previously been reluctant to implement the directive, which was approved by Brussels in March 2006. The Swedish government was instructed by the European Court of Justice in February to adopt the measure and assured the court that the directive would be expected to pass into Swedish law on April 1st. [Source]

Online Privacy 

WW – MySpace, Apps Leak User Data

MySpace and some popular applications on the social-networking site have been transmitting data to outside advertising companies that could be used to identify users, a Wall Street Journal investigation has found. The information was primarily sent by MySpace when users clicked on ads. The website had pledged to discontinue the practice of sending personal data when users click on ads after the Journal reported it in May. A MySpace spokesman said the data identify the user profile being viewed but not necessarily the person who clicked on the ad. MySpace is owned by News Corp., which also owns The Wall Street Journal. The data being transmitted were MySpace user IDs. These unique numbers can be used to look up a person’s MySpace profile page, which sometimes includes their real name, photographs, location, gender and age. The advertising companies being sent the data, which included Google Inc., Quantcast Corp. and Rubicon Project, said they didn’t use the information. [Wall Street Journal] SEE ALSO: [Is Facebook outing its gay users?] and [Social net posts and evidence in legal proceedings] and also: [California: Facebook spent $6,600 to help kill Social Network Privacy Act

WW – Study Shows Most Proactive Countries for Privacy Settings

The Unisys Security Index surveyed 10,575 consumers in 11 countries and found that 80% of social networking users in the U.S.—more than in any other country studied—said they regularly limit the personal information they post and restrict others’ access to it. Brazil and Germany were the next in line, with Brazil the most concerned with overall security, the report states. Patricia Titus, global chief information security officer at Unisys, says that the U.S. may be more proactive because it has “better reporting on social media issues here because Facebook is a U.S.-based company.” [InformationWeek]

Other Jurisdictions 

CN – China’s Real Name Register Targets “Improver” Web Use

Internet users in China will soon be required to reveal their identities before they surf the web. This, Chinese government officials have told FutureGov, will enable China’s netizens to “speak freely” in a secure environment. The Real Name Registration (RNR) project, known as Wang Luo Shi Ming Zhi in Chinese, will require China’s 400 million internet users to enter their national ID card number, or other official ID number, before they can use popular news and commercial web sites. Posting on a blog, forum, or commenting on social media would require use of a real name, or at least the deletion of an anonymous comment. The RNR project is “still in the discussion stage”, and officials admitted that convincing China’s vast internet community to use the system would be a challenge. China has already implemented a real-name registration system targeted at the country’s 800 million mobile and 300 million fixed line phone users. The phased programme will see new customers register with their identity card numbers or other valid documents when buying a pre-paid SIM card from mobile phone operators. Foreigners living in China are also required to register with their passports or ID cards to sign up to services. [Source] See also: [Indian Authorities Seeking More Control Over Internet]

Privacy (US) 

US – Privacy Report Card: Obama Admin Is All Over Map

The Obama Administration didn’t fare as well in the 2010 privacy report card from public interest research center Electronic Privacy Information Center (EPIC), compared with last year’s grades. Compared to 2009’s A- grade for medical privacy, the administration dropped to a B in 2010. The Washington, D.C.-based organization attributed this grade to actions including the White House preparing to endorse a “weak data breach notification rule but [then backing off].” In addition, EPIC stated that privacy experts are underrepresented on key committees and the willingness of the White House to press for strong safeguards for patients remains unclear. The Obama administration didn’t change its B grade from 2009’s report card in the subject of cybersecurity. “One of the most difficult subjects for any administration is preserving the openness of the internet while protecting the country against genuine cyber threats. … [We] see a continued effort by the administration to safeguard privacy rights for internet users, but we also note the growing influence of the National Security Agency (NSA).” EPIC additionally gave the administration a grade of C in consumer privacy (compared with 2009’s “Incomplete”) and a D in civil liberties, down from last year’s C+. [Source

US – White House Forms Federal Committee On Internet, Privacy Policy

The Obama administration has formed a subcommittee drawn from various parts of the federal government to advise the White House on regulatory and legislative issues for the Web. The panel, which will focus on the Internet privacy, comes as consumer advocacy groups have complained that Internet users need more protection from social media, advertising and other sites that collect user information. A blog post last Sunday on the National Science and Technology Council Web site said the subcommittee will include members of several federal agencies, such as the Commerce, Justice, Homeland Security and State departments. Cameron Kerry, general counsel at the Commerce Department, and Christopher Schroeder, assistant attorney general at the Justice Department, will head the group. Representatives of the Federal Trade Commission and Federal Communications Commission were also invited. And the White House will have representatives from its Domestic Policy Council, National Economic Council, U.S. Trade Representative office and National Security Staff Cybersecurity Directorate. The idea of the subcommittee is to develop consensus on the direction of U.S. laws and regulations on Internet privacy, but consumer advocacy groups wondered how much emphasis the group would place on protecting consumers. The committee said it would work closely with private companies to make sure their interests are considered in order to “promote innovation and economic expansion.” Online advertisers such as Amazon, Google and the Interactive Advertising Bureau have argued that some collection of user data helps them serve up more relevant ads to users. [Source

US – Amazon Wins Fight to Keep Customer Records Private

In a victory for the free speech and privacy rights of Amazon.com customers, a federal judge ruled that the company would not have to turn over detailed records on nearly 50 million purchases to North Carolina tax collectors. The state had demanded sensitive information including names and addresses of North Carolina customers–and information about exactly what they had purchased between 2003 and 2010. U.S. District Judge Marsha Pechman in Washington state said that request went too far and “runs afoul of the First Amendment.” She granted Amazon summary judgment. The Tar Heel State’s tax collectors have “no legitimate need” for details about the literary, music, and film habits of so many Amazon customers,” Pechman wrote. “In spite of this, (North Carolina) refuses to give up the detailed information about Amazon’s customers’ purchases, while at the same time requesting the identities of the customers and, arguably, detailed records of their purchases, including the expressive content.” Amazon has provided the state tax collectors with anonymized information about which items were shipped to which ZIP codes. But North Carolina threatened to sue if the retailer did not agree to divulge the names and addresses linked to each order–in other words, by providing personally identifiable information that could be used to collect additional use taxes that might be owed by state residents. North Carolina’s legal setback comes as other states experiment with new ways to collect taxes from online retailers. California may require retailers to report the total dollar value of purchases made by each state resident. A decision is expected at any time in a related case that Amazon filed against New York state. [Source

US – Memphis Pilot Files Lawsuit Over Airport Body-Scans

A Mid-South pilot who refused a full-body scan at Memphis International Airport is suing the TSA. Michael Roberts and attorneys at the Rutherford Institute are suing the federal government over air passenger screening procedures. “We’re basically challenging the constitutionality of the new policies under the 4th Amendment,” Roberts said. The TSA released a statement that said, “Advanced imaging technology is optional for all passengers. Passengers who decline to be screened using advanced imaging technology will receive alternative screening to ensure the safety of the traveling public. Anyone who refuses screening will be denied access to the secure area.” “I’m not against airline security, but this is not security in any stretch of the imagination,” Roberts said. Instead, Roberts would like to see a better system be implemented. “It’s not reasonable when you walk into the airport, and just because you want to fly on an airplane that they should strip search you, or physically put their hands on your crotch or feel your body from top to bottom,” he said. [Source]


WW – Facebook, Twitter Easily Hacked over WiFi

A software developer is hoping to educate users about the dangers of using unsecured WiFi networks with a computer program that makes it easy to hack into Facebook and Twitter accounts. With a download of Firesheep, a plug-in for Mozilla’s FireFox web browser, all it takes is patience and a couple clicks to access someone’s profile on a variety of websites, also including the photo-sharing site Flickr and the WordPress blogging platform. The program sniffs out logons over the network and connects Firesheep users with those accounts. “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web,” wrote Seattle-based Eric Butler in a blog post explaining his program. Butler, who declined interview requests, said that not all websites are vulnerable to Firesheep, but too many sites aren’t secure enough to thwart hackers. While typed-in login information may be protected, the user-identifying information in cookies – small text files that websites access on a user’s computer – are not. “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” Butler wrote. To protect against getting hacked while using open WiFi, Butler recommends another FireFox plug-in called HTTPS-Everywhere, created by the Electronic Frontier Foundation. It protects against data leaking out while using sites like Facebook, Twitter, Amazon, WordPress.com blogs and PayPal. [Source] [Source] [Source] [Source]

Smart Cards 

US – City Launches Student Data Cards

Civil liberties advocates are voicing concern about a pilot program that will assign Massachusetts public school students a single card to be used for access to multiple city services. The BostONEcard, launched this week, will be used to take school attendance and for access to public transportation, library books, school meals and after school programs, among other applications. The program aims to raise school attendance and give children access to city services, but the executive director of the American Civil Liberties Union questions whether the card data could be subpoenaed by law enforcement agencies or given to marketing companies. “This may not be Big Brother, but it certainly feels like Little Brother,” she said. [Boston Globe]


UK – Govt slammed for Revival of Email Tracking

The UK government’s revival of a multibillion pound plan for communications companies to store data on UK emails, web traffic and phone calls has been attacked by the Information Commissioner. Christopher Graham said that the plan, which would effectively give the government access to a huge store of data, was “disproportionate” considering the concerns over people’s information. His stance could pose a major obstruction to the scheme, which was formerly launched by the Labour administration and had been opposed by a number of internet service providers. [Source

EU – EFF calls for repeal of Data Retention Directive

Digital rights campaign group the Electronic Frontier Foundation (EFF) has called for the abolition of the European Union’s Data Retention Directive, the law that demands that telecoms companies retain logs of subscribers’ use of their networks. The EFF wants the EU’s data protection watchdogs to pressure the European Union’s governing bodies to repeal the law, claiming that it is disproportionate and unpopular with citizens. “The Data Retention Directive is highly controversial, if not wildly unpopular throughout the European Union,” said the EFF’s Eva Galperin in a blog post. “The directive was strongly opposed by European privacy activists … as each country in the EU has implemented the Data Retention Directive in their own law, they have faced challenges in state courts.” The EU committee of data protection watchdogs, the Article 29 Working Party, published a report on the Directive earlier this year calling for a restriction in the period of retention. It said that the Directive had not been consistently applied by EU member states It said that there should be closer harmonisation in the implementation of the Directive in EU countries, and that the period of retention should shorten. It should not be up to countries to order the retention of more data than mandated in the Directive, it said. [Source]

Telecom / TV 

AU – Telco Sends Wrong Info to 220,000

Australian Telco Telstra discovered that it has sent 220,000 letters containing customers’ personal details to incorrect recipients. The letters included names, phone numbers, telephone plan details and, if applicable, references to pensioner discounts. Telecommunications watchdogs are looking into the breach. Teresa Corbin of the Australian Communications Consumer Action Network said that Telstra must ensure “every customer affected has the problem resolved to their complete satisfaction,” while Australian Communications and Media Authority Chairman Chris Chapman said the “incident appears to be a mistake on Telstra’s part,” adding, “criminal provisions are very unlikely to apply.” Privacy Commissioner Timothy Pilgrim has also launched an investigation. [AAP]

US Legislation 

US – Media Content Groups Urge Quick Passage of Anti-Piracy Legislation

Proposed legislation in the US Senate would make it easier to go after websites believed to be promoting piracy. The bill has the support of the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and other prominent media content organizations. The groups signed a letter to Senator Patrick Leahy (D-Vermont), who is one of the bill’s sponsors. The Combating Online Infringement and Counterfeits Act does not allow the government to shut down the websites, but allows the US Justice Department to seize the sites’ domain names and impose restrictions on credit cards and banks that would prohibit them from conducting further business with the alleged pirates. [Source] [Source]

US Government Programs 

US – Government Department to Track Federal Employees

The U.S. Office of Personnel Management has announced plans for a database to track cost and quality of service under the Federal Employees Health Benefits Program. The system would collect Social Security numbers and employment details. Information sharing aims to improve mission delivery and boost transparency but can also threaten privacy, the report states. A Federal News Radio discussion aimed to explore the balance between privacy and security, featuring the assistant general counsel at the National Archives and Records Administration and the deputy director for information services at the Centers for Medicare and Medicaid Services. [Federal News Radio]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: