01-15 November 2010



EU – Brussels Blocks UK from Biometric Superdatabase

European judges have rejected an attempt by British security officials to gain access to a huge new store of visa application data being set up to combat illegal immigration, organised crime and terrorism. The government went to court to force the EU to allow agencies such as MI5, SOCA and the UK Border Agency to use the Visa Information System (VIS), which will store details of every foreigner who applies to enter the bloc, including their fingerprints and photograph. Intelligence on those who have previously been refused a visa by another country is seen as particularly valuable. Once it covers all visas, the VIS is set to become the world’s largest store of biometric data. The data will be shared among intelligence and law enforcement agencies of every signatory to the Schengen Agreement, which allows their citizens of member countries to cross EU borders freely. Because Britain is not a member, however, and requires EU visitors to carry a passport, UK authorities will be excluded following a ruling by the European Court of Justice in Luxembourg. The court agreed with the Schengen members and the European Commission, however, that Britain’s rejection of the Schengen Agreement means it cannot share the new database. There is no possibility of an appeal. Europol, the EU’s criminal intelligence agency, will have direct access to VIS, and may pass information to Britain via SOCA. However, without direct access, VIS data cannot be used as part of the mass passenger profiling announced by Home Secretary Theresa May in the wake of last week’s foiled airline bomb plot. [Source]

CA – OLG and Cavoukian announce Privacy-Protective Facial Recognition system

Tom Marinelli, Acting CEO of the Ontario Lottery and Gaming Corporation (OLG) and Ontario Information and Privacy Commissioner Dr. Ann Cavoukian, released a white paper announcing a major development in privacy-protective facial recognition technology. This critical system, to be rolled out in 2011 at OLG gaming sites across the province, embeds a design protocol based on Privacy by Design, that will enable the OLG to better support its customers who have enrolled in a completely voluntary self-exclusion program, while protecting the data of all OLG customers. Only when the live facial biometric of a self-excluded user is detected as present, will the system alert the OLG and “unlock” the necessary information, for security to do a manual check. No single key can unlock the complete database of enrolled persons. “Facial recognition technology will enhance OLG’s current ability to spot self-excluded patrons who fail to stay away from gaming sites. This system helps to strengthen the deterrent for self-excluders to return to our gaming sites,” said OLG’s Marinelli. The paper, entitled Privacy-Protective Facial Recognition: Biometric Encryption Proof of Concept, is available at http://www.ipc.on.ca. [Source]


CA – PIPEDA Amendments Getting Closer to Reality

Bill C-29, An Act to Amend the Personal Information Protection and Electronic Documents Act, went through second reading in the House of Commons last week. This brings it one step closer to becoming law. Anticipated amendments to PIPEDA include:

  • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
  • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
  • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions. [Source]

CA – Canada Introduces Legislation to Fight Crime in Today’s High-Tech World

The Minister of Justice and Attorney General of Canada has re-introduced in the House of Commons two bills that would provide law enforcement and national security agencies with up-to-date tools to fight crimes such as gang- and terrorism-related offences and child sexual exploitation. The proposed Investigative Powers for the 21st Century Act would provide law enforcement agencies with new, specialized investigative powers to help them take action against Internet child sexual exploitation, disrupt on-line organized crime activity and prevent terrorism by:

  • enabling police to identify all the network nodes and jurisdictions involved in the transmission of data and trace the communications back to a suspect. Judicial authorizations would be required to obtain transmission data, which provides information on the routing but does not include the content of a private communication;
  • requiring a telecommunications service provider to temporarily keep data so that it is not lost or deleted in the time it takes law enforcement agencies to return with a search warrant or production order to obtain it;
  • making it illegal to possess a computer virus for the purposes of committing an offence of mischief; and
  • enhancing international cooperation to help in investigating and prosecuting crime that goes beyond Canada’s borders.

The Investigating and Preventing Criminal Electronic Communications Act would address challenges posed by today’s technologies that did not exist when the legal framework for interception was last updated nearly 40 years ago. The Act would require service providers to include interception capability in their networks, thereby allowing law enforcement and national security agencies to execute authorizations for interception in a more timely and efficient manner with a warrant. The proposed Act also calls for service providers to supply basic subscriber information upon request to designated law enforcement, Competition Bureau and national security officials. Requirements to obtain court orders to intercept communications will not be changed by this Act. [Source]

WW – Landmark Resolution Passed to Preserve the Future of Privacy

A landmark resolution by Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem at their annual conference. The resolution recognizes Commissioner Cavoukian’s concept of Privacy by Design as an essential component of fundamental privacy protection. The resolution, which was co-sponsored by Canadian Privacy Commissioner Jennifer Stoddart and Commissioners from Berlin, New Zealand, the Czech Republic, and Estonia, also encourages the adoption of the principles of Privacy by Design as part of an organization’s default mode of operation; and invites Data Protection and Privacy Commissioners to promote Privacy by Design, foster the incorporation of its Foundational Principles in privacy policy and legislation in their respective jurisdictions, and encourage research into Privacy by Design. [Source] [Video Rewind: ‘Privacy by Design’ approach gains international recognition]

CA – Court of Appeal Hears E-Privacy Case

In a potentially groundbreaking case for Canada, the Saskatchewan Court of Appeal is grappling with the privacy of Internet addresses.  Although similar cases have been decided by lower courts here and across Canada, the appeal launched by Saskatoon resident Brian Arnold Trapp, who was convicted of three child pornography-related charges, is the first to be heard at this level of court. The issue in Trapp’s case has “more to do with remaining anonymous on the Internet rather than privacy.”.Justices Stuart Cameron, Georgina Jackson, and Ralph Ottenbreit reserved their decision. Piche argued Saskatoon police violated Trapp’s Charter rights when an officer used the Freedom of Information and Protection of Privacy Act (FIPPA) to get identifying information from SaskTel, Trapp’s Internet provider. After learning someone with a certain Internet Protocol (IP) address was sharing child pornography on the Internet, an officer wrote a letter to SaskTel in the summer of 2007 to seek the identity of the person with that address. SaskTel provided Trapp’s name, home address, phone number and e-mail address. FIPPA states personal information “may be disclosed” by government institutions to a law enforcement agency or investigative body. [Source] See also: [Bureaucrats say they’re being unfairly tarred over veterans privacy scandal]


US – Call to Boycott Barbie With Built-In Camera

Mattel’s trademark vinyl doll is getting older but she has embraced technology – Barbie’s new built-in camera abilities are worrying some privacy advocates and psychologists. The Barbie Video Girl doll has been criticised for enabling children to film themselves and others using a hidden camera in Barbie’s necklace. The doll, which retails for about $110, also has a small colour LCD screen in her back and the capacity to record 30 minutes of video, which can be transferred to a computer. A clinical psychologist, Sally-Anne McCormack, said the doll had the potential to be used unwisely online and called on parents to boycott the product. “Essentially, it’s a hidden camera,” the mother of four said. “Children don’t look at video clips the way that adults do, and there might be inappropriate shots that they upload onto YouTube.” [Source]

CA – Website lets Parents Review Daycares, Schools

When Karen Young Chester started looking for daycares and preschools for her children, now three and four, she found little online to help in her search. Most parents might ask around among their friends, but Young Chester took her quest further. This week, she launched The Shorty List, a listing and review website for daycares, preschools and elementary schools in Metro Vancouver. Parents can weigh in to the website, theshortylist.ca,with their ratings and opinions. Young Chester has been collecting reviews for several months but the site was officially launched Monday, listing more than 1,000 licensed daycares and preschools and close to 600 elementary schools in Metro Vancouver. Young Chester said that for privacy and security for parents who are posting about places their children attend, names of the reviewers are not posted on the site. However anyone adding a review must register and give their contact details. She said there are technical barriers in place to prevent people from posting more than one review a month about a particular facility. [Source]


CA – CAS Under Threat Over List of Members

A former Crown ward is threatening to drag the Children’s Aid Society of Ottawa into court unless it hands over a copy of its membership list. John Dunn, founder and volunteer director of the Foster Care Council of Canada, wants to lobby CAS members to cr eate a new membership class for the society’s former wards, regardless of where they live. Dunn, an activist who has been pushing for improved transparency and accountability of children’s aid societies in Ontario for years, asked for the membership list in June 2009. But the Ottawa CAS has steadfastly refused to give it to him. [Source]

UK – Government Pushes for Data Deletion System

Britons keen to remove inaccurate information held about them online could soon turn to a mediation service set up to deal with data disputes. The idea for the service was floated by business minister Ed Vaizey during a debate on the net and privacy. He said the service would be an easy way for citizens to change data that is wrong or invades their privacy. The UK’s Internet Service Providers Association (ISPA) was wary about the proposal saying that there were already many routes available to people wanting to complain about data online. Jim Killock, chair of the Open Rights Group which campaigns on digital liberties issues, said the idea needed a re-think. “What we need to hear is that the government is committed to strong data protection rules, rather than suggesting off the cuff ideas,” said Mr Killock. “The UK is still being taken to court by the EU for lack of proper privacy protections,” he said. “We will be asking Ed Vaizey if he will take action to bring the UK up to the data protection standards we deserve.” [Source]

AU – Don’t Trust Google With Anti-Terror Database, Privacy Watchdog Warns

Google cannot be trusted to help manage Britain’s new anti-terror database, the UK Government’s privacy watchdog said. Records of all communications, including e-mails, text messages and the use of Facebook, Twitter and Skype, will kept by the company and internet service providers for at least 12 months under a scheme being drawn up by the Home Office. Christopher Graham, the Information Commissioner, said that involving Google would be flawed after he found the company responsible for a “significant breach” of data protection rules. The Government wants a record of all private communication after the police and security services insisted that it was essential in the fight against terrorism and organised crime. But it has dropped Labour’s proposals for a central government database and has decided that individual companies will be required to keep details of customers’ internet and telephone use but not the content of calls or messages. Mr Graham, who enforces laws protecting the use of private information, warned that any system that involved major companies holding such details would be flawed. Google is used for about 90% of internet searches in Britain and millions of computer owners have signed up for its e-mail services. The Information Commissioner’s Office ruled last week that the company broke the law when its Street View mapping service collected personal information such as e-mails and passwords from unsuspecting internet users. Mr Graham, a former BBC journalist who was appointed Information Commissioner in June last year, said that he would be auditing Google’s practices and could take the company to court or enforce a penalty of pounds 500,000 if it did not change its ways. [Source]

EU Developments

EU – European Commission Releases Significant Proposals for Privacy Changes

The European Commission has released a document setting forth its proposed strategy for revisions to EU data protection rules. The proposed changes were introduced this way in the Commission’s news release: setting out a strategy to modernise the EU framework for data protection rules through a series of key goals: Strengthening individuals’ rights; Enhancing the Single Market; Revising data protection rules in the area of police and criminal justice, and more effective enforcement. Finally, the Commission described “the way forward” which allows input from affected stakeholders and interested persons: “The Commission’s policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review’s proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site. Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council. In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry.” [Source]

EU – EU Parliament Worried About Behavioral Advertising

Members of the European Parliament have hit out at online behavioral advertising, saying it could be a breach of consumers’ privacy rights. The Parliament’s Internal Market Committee approved a report by French member Philippe Juvin that called for “behavioral advertisement” warnings to alert consumers to this new type of advertising. The report highlighted the intrusive techniques used by some advertisers that pose as consumers on Internet forums or abuse data privacy to target individual consumers’ interests. Parliamentarians voiced concern about practices such as geolocation, individual profiling and cookies. The rise in social networking has made this type of invasive advertising much more profitable and parliamentarians warn that the current Unfair Commercial Practices Directive of 2005 for combating misleading and aggressive advertising is not equipped to cover such new technologies.The Juvin report was approved in committee with 30 votes in favor, one against and two abstentions, and is scheduled for a plenary vote in December. [Source]

EU – European Commission Issues FAQ on Data Protection Reform

The European Commission (“EC”) published Frequently Asked Questions in support of its recently published data protection reform document “A Comprehensive Approach on Personal Data Protection in the European Union.” The FAQ’s outline the reasons why reform is required (new technologies and globalization, the current Directive does not cover police and criminal justice cooperation and the need for harmonization throughout the EU), that the EC will be reviewing the Data Retention Directive, and that reforms will consider extending the mandatory breach notification requirement to other sectors, such as the financial industry. Public response to the Communication will be accepted until January 15, 2011 after which the EC will develop legislative proposals; the EC will also pursue non-legislative measures, such as self-regulation and privacy seals. [Source]

UK – ICO Slams Companies’ Data Protection Awareness

Public sector bodies scored low on awareness of data protection principles, with the private sector coming out only a little better. Awareness of data protection principles amongst large organisations continues to be low, with private sector organisations lagging behind public bodies, while the protection of personal data is more important than ever for individuals, according to a survey published by the Information Commissioner’s Office (ICO) last week. Just under half (48%) of private sector firms said, unprompted, that they should store personal information securely, compared with 60% of public sector organisations, the survey found. The ICO said the low awareness of data protection principles puts organisations at risk. “Businesses need to show they are taking data protection seriously,” said Information Commissioner Christopher Graham (left), in a statement. “Failing to do so could not only lead to enforcement action, it could also do significant damage to their reputation. Ignoring data protection obligations is ignoring a key customer concern.” [Source]

Facts & Stats

US – Data Spills Cost U.S. Hospitals $6 Billion A Year

It turns out that patients don’t appreciate having their medical information wind up in the hands of strangers. And when a healthcare organization loses that sensitive information en masse, it gets hit with customer losses and legal bills adding up to a hefty sum: an average of about $1 million per U.S. hospital per year, or about $6 billion annual for the entire industry. That’s one harsh finding of a study to be released this week by the privacy-focused non-profit Ponemon Institute, which interviewed executives at 67 American healthcare organizations about their data breach incidents over the last two years. On average, those hospitals and clinics experienced 2.4 breaches in the last two years, and lost about 1,769 patients’ records in each data spill. That’s a relatively low number of records compared with data breaches on average. In broader studies, Ponemon has shown that data breaches tend to involve more than 30,000 records. But Ponemon’s interviewees say that medical patients are less forgiving than other industries’ customers when their data leaves their healthcare provider’s control: the ensuing customer losses and brand damage end up costing $471 per customer record on average, more than twice the $204 per compromised record of all industries’ breaches. The most common culprits for hospitals’ data breaches were the usual suspects: lost hard drives, USB sticks and laptops, along with improperly disposed paper records. Only about 20% of incidents involved any criminal intent. [Source]

CA – Why Data Breach Costs Are Really Going Down

A new joint study by Telus Corp. with the University of Toronto’s Rotman School of Management reveals that while Canadian organizations reported 29% more data breaches in 2010 versus the previous year, the annual cost of these security issues has dropped substantially. Yogen Appalraju, vice-president of Telus’ security solutions division, said better detection and protection technologies have not only led to more reporting across the board, but also to better containment techniques. This, he said, starts to explain why reported breaches have jumped 30 per cent in 2010, while breach costs dropped from an average of $834,000 in 2009 to $179,508 in 2010. Appalraju added, however, that targeted attacks have been on the rise during the same period, which might be contributing to the underreporting of data breach losses at some firms. “In a lot of cases, organizations might not know that they’ve been breached for a long time,” he said. For Walid Hejazi, professor of business economics at Rotman, the massive 78 per cent decrease in breach costs underscores a drastic change in the way hackers and cyber criminals are going about their trade. “They’re not trying to bring down the network anymore,” he said. [Source]

WW – Checked in? 96% of Web Users Haven’t

Location-based mobile apps such as Foursquare might be among the fastest-growing trends for plugged-in technophiles, but the vast majority of Americans still haven’t used them. That’s the finding of a report released by the Pew Research Center’s Internet & American Life Project. Only 4% of adults who use the internet also use mobile apps to share their location and activities with their friends, according to the report. Just 7% of adults who access the Web on their mobile phones “check in” using the apps. And, on any given day, only 1% of internet users use the services, the report says. In the report, the Pew Center said that, not surprisingly, younger Web users are more likely to use the apps than older ones. About 8% of users 18 to 29 use check-in apps, compared with 4% of those 30 to 49, 2% of those 50 to 64 and just 1% of those 65 and up. This was the second study Pew had done on place-based apps. The findings showed very little change from a May 2010 survey, when 5 percent of respondents said they’d used the apps. A Pew report in September suggested that fewer than one in four adults who have phones that run mobile apps use any of them. [Source]


TK – Turkey Reinstates YouTube Ban

A Turkish court has reinstated a 30-month ban on the popular video-sharing YouTube website just days after it was removed, deepening a dispute over online free expression in the European Union candidate country. Access to YouTube, a unit of Google Inc, has been blocked by the Turkish government since May 2008 after users posted videos Turkey says are insulting to the republic’s founder, Mustafa Kemal Ataturk. A court in Ankara on Saturday lifted the ban, which had drawn widespread criticism of Ankara’s restrictive Internet laws, after a German-based firm at the request of Turkish authorities removed the videos by using an automated copyright system designed by Google to protect copyrighted material. YouTube later said it had reinstated the videos, arguing such videos did not violate users’ copyright. But a separate court in Ankara ruled that the ban should be reinstated, this time over a secretly taped video purportedly showing the former chairman of the opposition, Deniz Baykal, in a bedroom with a female aide, state news Anatolian said.  Turkish visitors to the YouTube site have been able to circumvent the ban by using proxy websites. The YouTube ban has attracted particular criticism, and even President Abdullah Gul has used his Twitter page to condemn it, urging authorities to find a solution. Google Inc’s legal chief has called for pressure on governments that censor the Internet, citing China and Turkey, arguing that their blocking access to websites not only violates human rights but unfairly restrains U.S. trade. [Source]

WW – YouTube Withdraws Cleric’s Videos

Under pressure from American and British officials, YouTube removed from its site some of the hundreds of videos featuring calls to jihad by Anwar al-Awlaki, an American-born, Yemen-based cleric who has played an increasingly public role in inspiring violence directed at the West. Last week, a British official pressed for the videos to be removed and a New York congressman, Anthony Weiner, sent YouTube a letter listing hundreds of videos featuring the cleric. The requests took on greater urgency after two powerful bombs hidden in cargo planes were intercepted en route from Yemen to Chicago on Friday, with the prime suspect being the Yemen-based group Mr. Awlaki is affiliated with, Al Qaeda in the Arabian Peninsula. [The New York Times]


CA – Public has Right to Court Exhibits, Appeal Judges Rule

The Ontario Court of Appeal has knocked down a long-standing barrier to full public access to the courts, ruling the CBC could see and make copies of exhibits in the Ashley Smith case, including a videotape of the teen’s dying moments in a Kitchener prison cell. Court exhibits have been guarded like state secrets in Ontario’s justice system and reporters are routinely denied access to documents, videotapes and other material that could assist in explaining a case — everything from a summary of the facts surrounding a guilty plea to, in one case, something as innocuous as a photo of a dog. When the CBC applied for access to exhibits filed at the preliminary hearing of four prison guards charged in Smith’s 2007 death, the Correctional Service of Canada argued an open justice system only entitles the public and media to attend court and report on what is said, not access to exhibits filed in a case. Writing for a 3-0 appeal panel Monday, Justice Robert Sharpe squarely rejected that argument, saying the open court principle and the media’s right to access judicial proceedings “must extend to anything that has been made part of the record.” [Source]

CA – Federal Agency Alleged to Have Altered Records

Officials at a controversial federal agency allegedly destroyed and doctored documents that had been sought recently by opposition politicians, according to a complaint filed with the Information Commissioner for investigation. The MP who lodged the complaint about Assisted Human Reproduction Canada (AHRC) said a handful of different sources conveyed to her similar charges of tampering with records, an action that can lead to criminal charges. Megan Leslie, the NDP health critic, stressed that the allegations are just that now, but said document shredding or altering, if proven true, would represent a serious breach by the agency that regulates Canada’s burgeoning fertility industry. [Source]

CA – The Coordination of Access to Information Requests System (CAIRS)

The Coordination of Access to Information Requests System (CAIRS) was created in 1989 to facilitate the identification and coordination of access to information requests raising interdepartmental issues or involving significant legal or policy issues. CAIRS was a central registry containing the text of requests received by federal institutions covered by the Access to Information Act (Act). Over time, even though CAIRS was not publicly available, external users recognized the usefulness of the information contained in the system and started making access requests for the list of requests. We note that a number of federal institutions are already posting lists of completed access requests on their websites, notably National Defence, Atlantic Canada Opportunities Agency, as well as the Office of the Information Commissioner. In response to recommendations, the President of the Treasury Board indicated that TBS would consult federal institutions and assess the associated resource implications. Consultations have commenced. Based on its discussions with TBS, the Office has noted a willingness to introduce a practice leading to the publication of access requests. TBS has taken a leadership role among federal institutions in posting the list of summaries of requests completed by TBS every month. The Office is confident that TBS will follow up on the recommendations on a government-wide basis. The Office has therefore concluded its investigation and will continue to monitor TBS’s progress in seeking an acceptable alternative to CAIRS. [Source]


US – Genetic Nondiscrimination Rule Unveiled

Federal regulators have published a final rule carrying out the Genetic Information Nondiscrimination Act, which prohibits the use of genetic information to make decisions about health insurance and employment. The Act, enacted in 2008, restricts employers from requesting, requiring or purchasing genetic information and strictly limits them from disclosing genetic information. The final rule is effective Jan. 10, 2011. [Source] [Health records privacy breach affects more than 100 in Sarnia, Ont., area]

Horror Stories

US – GSA Workers Informed of Personal Data Breach

The personal information of thousands of federal workers is at risk after a General Services Administration worker mistakenly sent the names and Social Security numbers of all of the agency’s 12,000 workers to a private e-mail account. The incident occurred Sept. 16, and GSA security officials learned about it Sept. 22 in a weekly e-mail security report, a spokeswoman said. Workers first learned of the data breach in an agency-wide e-mail sent Sept. 28. GSA would not say why it waited 12 days to inform workers of the breach. The agency is offering free credit monitoring for a year and $25,000 in identity theft insurance coverage to all workers, according to a letter sent to employees Oct. 25. The incident was not caused by a system-wide security failure, but by “one person who didn’t make a good decision,” said GSA spokeswoman Sara Merriam. She could not immediately say if the worker who mistakenly sent the e-mail faced any disciplinary action. [Source]

Identity Issues

EU – Germany’s New e-ID Cards Raise Hackles Over Privacy

Germany has introduced electronic identity cards that store personal data on microchips, raising fears over data protection in a country especially wary of surveillance due to its Nazi and Stasi past. The so-called eIDs enable owners to identify themselves online and sign documents with an electronic signature, which the government says should “increase the safety and convenience of e-business and e-commerce.” Yet many Germans fear the eIDs — which store the owner’s date and place of birth, address and biometric photo, with fingerprints voluntary — could expose them to data theft. In a country where historical memories of the Nazi Gestapo and old Communist East Germany’s Stasi security police linger, there are also worries about an invasion of privacy. Around 44 percent of Germans remain skeptical about the eIDs, according to a survey by German tech industry body Bitkom. [Source

CN – China Begins Recording of First Census in a Decade

More than five million census workers will spend 11 days conducting the first census in a decade of China’s approximate 1.3 billion people. It is the sixth time China has carried out a national census but the first time it will count people where they live and not where their resident certificate, or hukou, is legally registered. Despite a television advertising blitz and thousands of propaganda banners exhorting residents to co-operate with census-takers, officials have admitted that collecting accurate data is increasingly difficult in the world’s largest autocratic state. Chief among those avoiding officials are China’s estimated 200 million migrant workers, couples who have had an illegal birth under the one-child policy and property-owning middle classes anxious not to reveal their true assets to the taxman. The reluctance to co-operate has highlighted changing attitudes to individual privacy in China where a growing percentage of people no longer rely on the government for their housing, healthcare and the education of their children. n online poll on the popular sina.com website showed that a third of respondents said they were not comfortable letting census-takers into their homes, with other websites and chat forums dispensing tips on how to avoid giving up information. [Source]

Internet / WWW

EU – German Street View Goes Live With Enhanced Privacy

The first images via Google’s Street View service in Germany are live after months of wrangling over privacy. The first town to be mapped on the service is Oberstaufen, in Bavaria. Germany is the first country to have negotiated with Google to allow citizens to opt out before the service goes live. Almost 250,000 Germans have requested that their properties be pixellated in the final imagery. But in a recent blog on the German roll-out the search giant warned that it would not be able to respond to all requests immediately. Oberstaufen’s mayor and tourist board publicly invited Google to put their town on the map and even baked a cake for the occasion. Google plans to launch Street View in 20 German cities in the near future. [Source] See also: [German Street View error lets iPhone users see hidden images]

Law Enforcement

UK – Over 100,000 Stops-And-Searches: Zero Terrorists

When it comes to wasting police time, the biggest offenders appear to be…the police. That, at least, appears to be the conclusion of the Home Office. Its official statistics, published this week, show that while police stopped over 100,000 individuals last year to “prevent acts of terrorism”, there was not a single arrest for a terror offence as a result of these stops. This perhaps is the final nail in the coffin for the widely criticised section 44 of the Terrorism Act 2000, which gives police forces powers to stop and search individuals – in so-called “designated areas” – to prevent acts of terrorism without the need for reasonable grounds of suspicion. According to today’s report: “In 2009/10, 101,248 stops-and-searches were made under this power. The report continues: “[This] represents a 60% decrease since 2008/9. Compared with the same quarter of 2008/9, the number of searches carried out in Jan-March 2010 fell by 77%, down to 14,214.” One reason for the decline may be the fact that in July of this year – following a European Court ruling that finally established that the power granted under s44 was too wide and therefore unlawful – the Home Secretary herself required police forces to stop using it. By contrast, s43 of the Terrorism Act 2000, which enables a police officer to stop and search someone where that person is reasonably suspected of being a terrorist was used in respect of 1,224 stops-and-searches carried out by the Metropolitan Police Service in 2009/10 under this power. This represents a 24% decrease since 2008/9 – even though ACPO reacted to the Home Secretary’s jettisoning of s44 by urging police forces to make greater use of s43. [Source]

US – Thwarting Terror Attacks, From the Ground Up

It turns out that the heroic reaction of New York City vendors who helped to thwart the Times Square bombing this year is fairly typical of Americans’ reaction to potential terrorism – and that the involvement of ordinary citizens is essential to keeping the country safe. Between 1999 and 2009, it wasn’t anti-terrorism intelligence work, but tips from the public or routine law enforcement work that foiled more than 80 percent of the terrorism plots known to have been headed off in the United States, according to a study by the Institute for Homeland Security Solutions. The North Carolina-based institute, which is partially funded by the Department of Homeland Security, studied 86 terrorism attempts during that decade; the cases included al-Qaeda and al-Qaeda-affiliated suspects and groups, as well as white supremacists, anti-government organizations and individuals working alone. Information from alert citizens or discoveries made by police officers during routine and unrelated law enforcement operations were responsible for stopping the vast majority of the 68 plots that were thwarted. [Source]


US – Court Rules on Use of Tracking and Location Devices, Disclosure to Authorities

Court finds that records reflecting the historic location of a cell phone for a 60 day period (“cell site information”, including when the mobile phone is used to obtain service for a call or in an idle state) are more invasive than GPS data obtained from tracking a vehicle; the historical cell site records provide a level of detail approaching GPS (can pinpoint a location up to a 40 foot radius), is more reliable than GPS in obtaining a location fix (individuals can be located when indoors and outdoors), and the tracking is more revealing as the cell phone is carried on the person and can be monitored indoors where the expectation of privacy is greatest. The user has not “knowingly exposed” or “voluntarily conveyed” the information to the provider, such that protections from unreasonable searches and seizures do not apply; cell site data is neither tangible nor visible to a cell phone user – when a user makes a call, she is not required to enter a zip code or other location identifier and none of the digits pressed reveal her own location, as well, cell site data is generated automatically by the network, conveyed to the provider not by human hands, but by invisible radio signal. The tech-savvy user may understand that there is a risk that the provider can calculate his location and movements very precisely, however, the bare possibility of disclosure by a third party cannot by itself dispel all expectation of privacy. [Source

AU – New Guidelines Set for Location Privacy on Mobile Phones

The Australian Mobile Telecommunications Association (AMTA) has released new industry guidelines to help promote the privacy of people using location-based services (LBS) on mobile devices. The association also released a number of tips for consumers that would help them maintain privacy when using the technology, which targets services to users based on their mobile phone location. Location service providers (LSPs) include phone companies, which offer LBS services directly to consumers or provide services through third parties on their networks. The guidelines specify that every LBS must be provided on an opt-in basis with a specific request from a user for the service, must conform with all relevant privacy legislation, must be designed to guard against consumers being located without their knowledge, and must allow consumers to maintain full control. They specify that customers must be able to control who uses their location information and when that is appropriate, and be able to stop or suspend a service easily should they wish. [Source]


TH – Thailand: Call for Legal Body

In the absence of a Data Protection Law, it has been suggested that Thailand needs an independent commission responsible for protecting the privacy of its citizens. Surankana Wayuparb, of the security sub-committee under the Electronic Transaction Commission, noted how, in countries with Data Protection Laws, evidence gathered through illicit means cannot be used in court, while anyone caught violating privacy laws can face legal action. However, she said the lower house is considering a Data Protection Act draft which would help to protect the privacy of individuals and define the repercussions on companies who improperly dealing use personal data. Surankana said any such commission under this law should be an independent body comprising experts from private organisations and human rights bodies rather than the Office of the Information Commission. [Source]

Online Privacy

US – Google settles Buzz Lawsuit With No Payout to Gmail Users

Google said it won preliminary approval to settle a class-action lawsuit related to alleged privacy violations caused by its Buzz service. The company will pay US$8.5 million into a fund, which will go to organizations focused on Internet privacy education and policy, it said in a statement. The company will also make additional efforts to educate users about the privacy aspects of Buzz. Despite the cash settlement, the people represented in the class-action lawsuit, U.S. Gmail users, won’t see a penny of the funds. “Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation,” the company said in an e-mail to Gmail users. Everyone in the U.S. who uses Gmail was included in the settlement, unless the user opts out prior to December 6, 2010. Google said the settlement acknowledges that it quickly changed the Buzz service to address users’ concerns.[Source

WW – Facebook Says User Data Sold to Broker

The Wall Street Journal reports that Facebook said that a data broker has been paying application developers for identifying user information, and that it had placed some developers on a six-month suspension from its site because of the practice. The announcement, which Facebook made on its developers’ blog, follows an investigation by Facebook into a privacy breach that The Wall Street Journal reported in October. Some “apps,” the small programs that let users play games or share information with each other on the social-networking site, were sending users’ Facebook ID numbers to third-party marketing or data firms, in violation of Facebook’s privacy policies. An ID can be used to look up a user’s name and other publicly available information on the social network and link it to their use of the app. Such information can be used by companies that build profiles of Internet users by tracking their online activities. Facebook didn’t identify the data broker that was buying user IDs. But it said it had reached an agreement with RapLeaf Inc., which it described as “the data broker who came forward to work with us on this situation.” It’s unclear whether Facebook is implicating RapLeaf and neither company responded to questions. Under the agreement, Rap Leaf agreed to delete all Facebook user IDs in its possession, and also agreed “not to conduct any activities on the Facebook Platform” in the future, according to Facebook. The Journal investigation also found that MySpace and some of its popular apps were transmitting identifying information to outside advertising companies. Asked whether MySpace had found any app developers were selling user IDs, a MySpace spokesman said the company was “taking appropriate action” against developers that break its privacy rules.[Source]

Other Jurisdictions

UG – Ugandan Court Orders Paper to Stop Publishing Names, Photos of Gays

Uganda’s high court has ordered a controversial newspaper to stop publishing the names and photographs of people it says are gay, ruling that the publication is violating their right to privacy. A gay rights group, Sexual Minorities Uganda, sought the injunction after the paper published its second straight edition with names and photos. The first edition, published in early October, sparked attacks against at least four gay Ugandans, Sexual Minorities Uganda said. Justice Vincent Kibuuka Musoke ordered Rolling Stone on Monday to stop publishing the names and photos of gay Ugandans at least until Nov. 23, when Musoke said a final ruling will be made. Musoke said he ordered the injunction because publishing names and photos “is an infringement of the right to privacy of those whose photos appear in it.” Publishing photos of gay Ugandans can help police find them. Homosexuality is illegal in Uganda and anyone caught in a homosexual act can face up to 14 years in prison. Gays in Uganda say they have faced a year of attacks and harassment since a lawmaker introduced a bill in October 2009 that would impose the death penalty for some homosexual acts and life in prison for others. The bill has not come up for a vote. The legislation was drawn up following a visit by leaders of U.S. conservative Christian ministries that promote therapy they say allows gays to become heterosexual. The bill became political poison after international condemnation, and many Christian leaders have denounced it. [Source]

Privacy (US)

US – Privacy Advocates Blast FTC’s Inaction Over Street View Spying

In the wake of the FTC’s decision to turn its attention away from the Google Street View data collection debacle, privacy advocates are crying foul, hinting that a Google-friendly Obama administration may have applied undue influence in the matter. “We’re not sure exactly why the FTC failed to act, but we intend to find out,” said Marc Rotenberg, president of the Electronic Privacy Information Center.  Consumer privacy advocates are outraged that the Federal Trade Commission (FTC) has decided to stop investigating why Google was collecting personal information transmitted by users over private WiFi networks. Google has admitted to collecting such data – which in some cases included individual emails and user passwords – in the course of mapping WiFi networks as a means of improving the accuracy of its Google Maps service. Google also contends the gathering of personal information was unintentional, and that the practice stopped as soon it was brought to the attention of company management. The measures Google has taken — which include appointing a director of privacy for engineering and product management and instituting privacy training for key employees — were good enough to warrant an end to the commission’s investigation, said David Vladeck, director of the Bureau of Consumer Protection of the FTC. “The FTC never undertook an independent investigation. It never examined the data collected by Google. It never determined whether any violations of law occurred. And most incredibly, it failed to respond to questions raised by members of Congress regarding this matter,” Marc Rotenberg, president of the EPIC, said. [Source]

US – Amazon Customer Privacy Rights Upheld, But Battle Likely to Continue

Reports by some media outlets in North Carolina suggest that up to 450 top out-of-state retailers may face audits of their books as the state tries to collect current and back sales taxes from the firms. In late October, however, a federal court judege in Seattle ruled that government requests for detailed information about Amazon.com customers purchases violates their rights of free speech, anonymity and privacy. The ruling evolved from a lawsuit Amazon filed to stop the NC Department of Revenue (NCDOR) from gathering personally identifiable information about customers that could be linked to their specific Amazon buys. The case has already disrupted the Internet sector startup community and some established online retailers in North Carolina, who lost their associate status as a result of North Carolina’s attempts to establish “nexus,” a retailer’s physical presence in a state via brick and mortar stores or warehouses and so on, that allows a state to collect sales taxes from the business. North Carolina argued that by having associates in NC, Amazon established nexus. Amazon responded by firing all of its NC associates, spurring some larger sellers to pull up stakes and leave the state. American Civil Liberties Union, ACLU of North Carolina Legal Foundation and ACLU of Washington intervened in the Amazon lawsuit on behalf of several Amazon.com customers. [Source]

UK – U.K. Finds Google Broke Privacy Laws Through Street View Cars

British regulators said that Google broke its data protection laws when the search giant’s cars that swept through that country’s neighborhoods scarfed up Internet data from residential Wi-Fi networks. In a release, the U.K. Information Commissioner’s Office said Google won’t be subject to fines but the regulator will audit the company’s data protection practices. Google also will have to promise that another data breach like that won’t occur again. [Source] See also: [Firesheep Wi-Fi snooping tool drills gaping holes in security] and then [Zscaler develops free tool to detect Firesheep snooping]


FR – Plan to Tag New Babies Causes Outcry

A French company, Lyberta, has just dropped plans to fit children in several nurseries in Paris with electronic tags, after a newspaper revealed the scheme. Trade unions, councils and civil liberties groups were indignant at the invasion of privacy. But the response to the idea in online forums was much more divided. [Source]

WW – Companies Team to Push RFID Into Apparel Supply Chains

Trade associations and technology companies have come together as part of an “Item Level RFID Initiative” to develop guidelines and standards to support the push for RFID technology across the apparel supply chain, reports just-style. The group plans to list guidelines for RFID usage at the item level, and identify a strategy for its phased introduction – raising awareness for the value RFID technology in the retail supply chain. They also intend to support the need to protect consumer privacy when using the technology. Associations and technology companies already signed on include the National Retail Federation, Retail Industry Leaders Association, Voluntary Interindustry Commerce Solutions, American Apparel & Footwear Association, and Council of Supply Chain Management Professionals. Standards organizations GS1 Canada and GS1 US are also involved. Popular retailers, brands and suppliers including The Jones Group, Macy’s, Walmart, VF Corporation and Li & Fung have all already made the switch to RFID technology across their respective apparel supply chains. [Source]


US – Regs Haven’t Made Patient Records Safer, Study Says

While the government has passed laws to better protect private health information, most data health-care providers say that information isn’t any safer than it was before, according to a survey by the Ponemon Institute. Most in the U.S. health care industry say their organizations have inadequate policies, lack resources and don’t have enough properly trained staff to safeguard patient records “Federal regulations have not improved the safety of patient records,” the survey concludes. Most respondents (56%) say they need help to even figure out if they are in compliance. Among the respondents, the most common means by which data breaches were discovered were by an employee, via an audit or because a patient complained, the survey says. Most of the breaches were caused by unintentional actions such as inadvertently e-mailing data, lost or stolen devices contained the data and glitches by third parties that jeopardized data. The study also finds:

  • The average cost of a breach is $2 million.
  • More than half say it takes one to six months to clean up after a breach.
  • Most data breaches are small – 61% involve 1 to 100 records.
  • Only 14% have had no data breaches in the past two years. 29% have had more than five.
  • In about a third of cases no patients were notified of breaches; in about a third of cases all patients were notified. [Source]

WW – Most Smartphone Users Breach Employers’ Security, Says Survey

More than half of mobile device users access their employer’s networks every day without permission, a survey has found. More than 80% of users of mobile devices, whose security is not controlled by a company, say they have accessed work information. Network systems company Juniper Networks surveyed 6,000 mobile device users and found that the use of smartphones and tablet computers poses a potentially major security risk to corporate information. Consumer-focused devices are often far less well protected than laptops or secure email devices which are designed and configured by a company’s own IT department. The survey found that, despite citing information security as a major concern, device owners are using the machines to bypass corporate data protection measures. “Almost 44% of respondents use their devices for both personal and business purposes,” said a Juniper statement. “81% admit using their devices to access their employer’s network without their employer’s knowledge or permission and 58% do so every single day.” [Source]

Workplace Privacy

CA – B.C. Public Servants Can Use Facebook, Twitter as Long as They Follow Rules

The B.C. government says it will allow public servants to use social networking tools such as Facebook and Twitter to do their jobs–so long as they follow seven pages of guidelines. Allan Seckel, head of the B.C. public service, said the government trusts civil servants not to violate their oaths of confidentiality or privacy law in using the tools to do their jobs. “We are the first provincial public service embracing guidelines that actually allow the use of Facebook and Twitter, and other tools where appropriate,” Mr. Seckel said. The seven pages of guidelines would be a two-paragraph statement if not for the mountain of privacy concerns, he said. The government’s Public Affairs Bureau started using Twitter and Facebook in 2009, and social networking was used extensively during the Olympics. “Instead of saying you can’t use [social networking tools], we are now saying you can use them where appropriate,” Mr. Seckelsaid. [Source]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: