16-30 November 2010



CA – OLG Announces Privacy-Protective Facial Recognition system

Tom Marinelli, Acting CEO of the Ontario Lottery and Gaming Corporation (OLG) and Ontario Information and Privacy Commissioner Dr. Ann Cavoukian, released a white paper announcing a major development in privacy-protective facial recognition technology. This critical system, to be rolled out in 2011 at OLG gaming sites across the province, embeds a design protocol based on Privacy by Design, that will enable the OLG to better support its customers who have enrolled in a completely voluntary self-exclusion program, while protecting the data of all OLG customers. Only when the live facial biometric of a self-excluded user is detected as present, will the system alert the OLG and “unlock” the necessary information, for security to do a manual check. No single key can unlock the complete database of enrolled persons. The new system, developed in collaboration with Oakville, Ontario video surveillance and biometric firm iView Systems and University of Toronto researchers Professor Kostas Plataniotis and Dr. Karl Martin, is scheduled to be implemented by OLG in gaming sites across Ontario in 2011, starting with OLG Slots at Woodbine Racetrack. [Source]

US – N.Y. Police Start Photographing Eyes of People They Arrest

The New York police department has begun photographing the irises of people who are arrested, in an effort to cut down on escapes as suspects move through the court system, a police official said. The program was instituted after two episodes early this year in which prisoners arrested on serious offences tricked the authorities into freeing them by posing at arraignment as suspects facing minor offences. With the new system, authorities are using a hand-held scanning device that can check a prisoner’s identity in a matter of seconds when the suspect is presented in court, said Paul J. Browne, the department’s chief spokesman. Officials began photographing the irises of suspects arrested for any reason Monday at Manhattan Central Booking and expect to expand to all five boroughs by early December, Browne said. [Source] See also: [Why ears could replace passport photos]

JP – Japanese Vending Machine Knows What You Want

A new Japanese canned drink vending machine uses facial recognition technology to “recommend” drinks based on the customer’s age and gender – and sales have tripled over those from regular vending machines as a result. The machines, developed by JR East Water Business Co, a subsidiary of railway firm JR East Co, use large touch-panel screens with sensors that allow the machine to determine the characteristics of an approaching customer. “Recommended” labels will then appear on specific drink products. Suggested products may also change depending on the temperature and time of day. The company has so far tested one machine at one Tokyo train station but plans to add five machines on Tuesday at central Tokyo Station, with the network to be expanded to othe major Tokyo stations and nearby suburban areas by early in 2011. Some 500 of the machines should be available in Tokyo and surrounding areas by March 2012. [Source]


CA – Divided Supreme Court Puts Limit on Privacy Expectations

The right to privacy in one’s home is not absolute, the Supreme Court of Canada said in a ruling that allowed police to conscript a Calgary power company to collect details of a customer’s electricity use to determine if he was growing marijuana. In a sharply divided decision, the court split into three camps on whether it violates a consumer’s constitutional right to privacy to force commercial service providers to help out police when they do not have search warrants. [Source]

CA – PM Nominates Privacy Commissioner for Reappointment

Prime Minister Stephen Harper announced the nomination of Jennifer Stoddart for reappointment as Privacy Commissioner of Canada for a three-year term. Ms Stoddart has been serving as the Privacy Commissioner of Canada since December 2003. The Leader of the Government in the House of Commons and Minister of the Environment will be tabling this nomination for consideration by the House of Commons. [Source]

CA – Toews Defends U.S. Demands for Air Passenger Info

The United States has a legal right to demand information about Canadians who fly through American airspace, Public Safety Minister Vic Toews said. Toews defended federal legislation that would clear the way to provide the passenger information required by the U.S. Secure Flight program. Wary opposition MPs quizzed the minister about what Washington might do with the personal details. Toews said that Canadian airlines will be expected to provide the information to the U.S. later this year or early in 2011. Such data is already given to the U.S. for flights that actually land there. The Canadian government has acknowledged that sharing the personal information of passengers who merely fly over the United States is “currently prohibited” under federal privacy law. Early this year, Canada’s major airlines said they would be forced either to break privacy laws or ignore the new American air security rules unless the government came up with a solution to U.S. demands for the additional passenger information. [Source] See also: [Privacy commissioner wants passenger data destroyed quickly]

CA – Ontario School Board Survey Delayed by Privacy Concern

The Ottawa-Carleton District School Board is delaying a controversial student survey after the province’s privacy commissioner received complaints. This week, the board said Ontario’s information and privacy commissioner wants to see some of the questions before the survey is handed out. The voluntary, confidential survey has 43 questions and was to be launched Nov. 22. Its questions cover a range of issues, including sexual orientation, religious affiliation, languages spoken at home, household income, and future career plans. It was to be distributed directly to 115,000 students in Grades 7 through 12. A similar survey was made for the parents of children in kindergarten to Grade 6. It isn’t clear which questions were the focus of the complaints to the privacy commissioner. The board said the questionnaire will be introduced once the investigation is complete. [Source]

CA – Supreme Court Ruling on Sexual Pre-Consent Could Affect Seniors

A question now before the Supreme Court of Canada as to whether a person can give advance consent for sex could have some unforeseen implications for people with dementia or other disabling brain injuries. The court is expected to rule in the next few months on whether an Ottawa woman voluntarily choked into unconsciousness before sex with her long-time partner could legally pre-consent or was in effect sexually assaulted. The case is ringing alarm bells among advocates for the elderly and raising concerns among those who care for them. [Source]

CA – Canadian Airport, Port Workers Soon May Have to Take it All Off

Canada’s border guards could soon get new powers to strip search employees in airport and ports across Canada in a bid to crack down on the smuggling of illegal drugs, such as marijuana, ecstasy and cocaine. CBSA officers also would be allowed to frisk employees and to use various types of scanners and detectors to examine goods in their possession. The proposed new regulations, which do not have to be passed by Parliament, would apply to everyone whose work requires them to be in proposed new customs-controlled areas, regardless of whether they are baggage handlers or ambulance attendants responding to an emergency. All that would be needed to frisk employees or trigger a strip search would be for a CBSA officer to have reasonable grounds to believe a worker in a customs-controlled area is smuggling something illegal. While the proposed regulations can require CBSA officers to require someone to open their mouth during a strip search, they also would have to conduct the strip search in a private area. Currently, border officers have limited powers to search employees as they leave a customs area. Under the proposed changes, they will have the power to search employees within a customs-controlled area and those areas will cover more of an airport or port than the current customs areas. [Source]


US – Insurers Test Data Profiles to Identify Risky Clients

Life insurers are testing an intensely personal new use for the vast dossiers of data being amassed about Americans: predicting people’s longevity. Insurers have long used blood and urine tests to assess people’s health-a costly process. Today, however, data-gathering companies have such extensive files on most U.S. consumers-online shopping details, catalog purchases, magazine subscriptions, leisure activities and information from social-networking sites-that some insurers are exploring whether data can reveal nearly as much about a person as a lab analysis of their bodily fluids. In one of the biggest tests, the U.S. arm of British insurer Aviva PLC looked at 60,000 recent insurance applicants. It found that a new, “predictive modeling” system, based partly on consumer-marketing data, was “persuasive” in its ability to mimic traditional techniques. A key part of the Aviva test, run by Deloitte Consulting LLP, was estimating a person’s risk for illnesses such as high blood pressure and depression. Deloitte’s models assume that many diseases relate to lifestyle factors such as exercise habits and fast-food diets. [Source]

Electronic Records

US – Court Overturns Rx Marketing Law

ModernHealthcare reports that the Second U.S. Circuit Court of Appeals in New York has overturned a Vermont law restricting the use of prescription drug data in the marketing of pharmaceuticals to physicians. The court, in a split decision, found that the 2007 law constituted “an impermissible restriction of commercial speech.” This decision contradicts an August ruling by the First U.S. Circuit Court of Appeals in Boston, MA, upholding a similar law in Maine. And, the U.S. Supreme Court refused to hear a similar appeal to a New Hampshire prescription drug marketing law in June of 2009. [Source]


IN – RIM to Give Indian Govt “Lawful Access” to BlackBerry Communications

A Research in Motion (RIM) spokesperson in India has said that the company will provide the Indian government with access to communications sent through BlackBerry Messenger on a case-by-case basis. The government will not have access to the communications at all times, but must adhere to legal processes to gain lawful access. RIM has repeatedly told the Indian government that it cannot provide access to communications sent through BlackBerry Enterprise Server (BES) because individual companies are the only entities with the encryption keys for those systems. The government is in talks with the companies to reach agreements about accessing communications. [Source] [Source] See also: [UAE Authorities Can Decrypt BlackBerry Communications With Court Order]

EU Developments

UK – Information Commissioner Issues First Data Protection Act Fines

Two bodies have been issued with substantial fines by the Information Commissioner, Christopher Graham, after breaching the Data Protection Act (DPA). Hertfordshire County Council is to be fined £100,000 after two successive data protection breaches. In both instances a fax containing sensitive personal information relating to a child sex abuse case and care proceedings were accidentally sent to the wrong recipients. The Commissioner ruled a monetary penalty of £100,000 was appropriate, given the council’s procedures had failed to prevent two serious breaches where access to the data could have caused substantial damage and distress. The Commissioner also ruled that after the first breach, the council did not take sufficient steps to reduce the likelihood of another breach occurring. The second body is A4e, an employment services company, which issued an unencrypted laptop to an employee working from home. The laptop, containing personal information on 24,000 people who had used community legal advice centres in Hull and Leicestershire was later stolen from the employee’s home and an unsuccessful attempt made to access the data. The Commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data it contained. As a result A4e is to be fined £60,000. [Source] [Source] See also: ICO Warns of Privacy Risks With New Laws And Technology] and [UK: Governments should have to justify privacy-affecting laws, says ICO]

EU – German DPA Issues €200K Fine for Access, Profiling

The German Data Protection Authority (DPA) has issued a €200,000 fine to the financial institution Hamburger Sparkasse AG for allowing customer representatives access to customers’ bank data and for profiling its customers, reports the Hunton & Williams Privacy and Information Security Law Blog. The bank reportedly allowed self-employed, mobile customer service representatives to access customer data, often without consent, and created character profiles on customers based on neurological research and customer data such as socio-demographic data and product usage, including direct deposit accounts and the number of transactions. The DPA said that the bank quickly amended its procedures and cooperated with its investigation. [Source]

EU – Google Fans Egg Homes of Privacy-Loving Germans

You can’t hide from Google. That’s the message of Web vigilantes who went on a real-world rampage in Germany this weekend, egging the homes of privacy-loving citizens who opted out of the search giant’s Street View service. Around 3 percent of German residents (about 250,000 people) asked for their homes to be granted online anonymity. But these concerned homeowners didn’t safeguard their privacy. Instead they attracted more attention, as blurred houses clearly stand out from their non-smudged neighbors on Street View. And on Saturday, a gang of renegade Google fans used the service to track down dozens of spotlight-shunners in the German city of Essen and then pelted their homes with eggs. To make their message clear, German news site Der Westen reports, they also glued notes declaring “Google’s Cool” to letterboxes. Google has sought to distance itself from the attacks. [Source] [Commentary: Opting Out Isn’t Socially Neutral Anymore] and also [Google Street View captures ‘sidewalk birth’ in Berlin]

Facts & Stats

US – Hospitals Fined $667K For Patient Privacy Breaches

California’s Department of Public Health has fined six hospitals $667,000 for failing to prevent patient privacy breaches. Kern Medical Center in Bakersfield was hit with the largest penalty, $250,000, for losing 596 patient records that were allegedly stowed in an outside, unlocked locker, Associated Press reports. Fines are typically $25,000 for the first breach and $17,500 for each additional breach of the same record. In another breach, Pacific Hospital of Long Beach was hit with a $225,000 fine after an employee used nine patients’ medical information to set up fake Verizon accounts.The employee admitted to memorizing personal patient information during a project to purge the hospital’s older ER records. Last year, California health officials issued the first penalty under the law to Kaiser Permanente’s Bellflower hospital, which had to pay a whopping $437,500 fine for failing to prevent employees from sneaking a peek at the medical records of Nadya Suleman, aka Octomom, according to the L.A. Times. [Source]


CN – Chinese Twitter Sentence: A Year in a Labor Camp for a Retweet

A retweeted joke has landed a Chinese woman in a labor camp for a year, Amnesty International reported. On the day of her wedding, Oct. 27, Chinese online activist Cheng Jianping disappeared. Only this week did her whereabouts surface: She had been detained and sentenced by police to a year of “re-education through labor” for retweeting a suggestion that Chinese youth attack the Japanese Pavilion at the Shanghai Expo. Her fiance Hua Chunhui made a satirical comment mocking youth demonstrators who smashed Japanese products in protest over a dispute with Japan over uninhabited islands in the East China Sea. “Cheng may be the first Chinese citizen to become a prisoner of conscience on the basis of a single tweet,” Amnesty International wrote. However, other Chinese activists on Twitter say that Cheng has been watched by police for her activism in support of imprisoned Nobel Prize Laureate Liu Xiaobo and imprisoned consumer rights advocate Zhao Lianhai. Twitter is banned in China, but users can circumvent the blocks implemented by the government. [Source]


US – Banks Want Careless Card Holders Held Liable

Banks are asking the federal government to shield them from liability for unauthorized transactions that occur when consumers are careless or negligent in protecting their PIN with new chip-based credit cards. Specifically, the Canadian Bankers Association is asking Ottawa to amend a key provision of the Cost of Borrowing Regulations during the 2012 financial services legislative review. In its submission, the CBA argues that consumers who are legitimate victims of fraud should still be protected by existing zero-liability rules. Nonetheless, it says more must be done to distinguish between genuine criminal activity and cases where consumers are simply irresponsible. The CBA contends that cardholders who are lax with their secret personal identification numbers should bear the entire cost of unauthorized transactions with new chip-based credit cards. [Source]

UK – U.K. Regulators Require Trader’s Cell-Phone Calls to be Recorded

The Financial Services Authority (FSA) proposed regulation that would require traders’ cell-phone calls to be taped in an effort to limit insider trading. More details on the rule scheduled to be published by the U.K. regulators as soon as this week. Originally, the FSA made an exemption for cell calls when it required banks and brokerage firms to record phone conversations in March 2008. But it has now decided to include such calls in its rules. As the result, from November next year firms will have to record and store for 6 months any “relevant communications made with, sent from or received on cell phones and other hand-held electronic communication devices.” A relevant communication is one where an employee discusses receiving, executing or arranging client orders for securities trading. It doesn’t apply to corporate finance business or corporate treasury functions. The rule will only apply to phones and devices that firms give their employees for business purposes. Firms will also have to record calls that employees make when overseas, unless local laws prohibit the recording. The regulators predict that the rule change would require the monitoring of 16,000 cell phones. [Source]


US – WikiLeaks Release Prompts Order to Review Data Protection Measures

The White House Office of Management and Budget (OMB) has ordered all federal agencies to review their procedures for protecting sensitive information in the wake of the release of tens of thousands of confidential State Department documents on WikiLeaks. The directive requires that the agencies examine what measures they have in place to restrict access to classified systems, and requires agency directors to implement measures to ensure that employees access only the information they need for their jobs. The directive does not provide deadlines for the reviews of the implementation of new security measures. [Source] [Source] [Source] [Memo] SEE ALSO: [WikiLeaks Targeted by DDoS Attack Just Before Release of Diplomatic Cable] and [WikiLeaks No Longer Being Hosted on Amazon Servers] and [The WikiLeaks Saga Heats Up] and [WikiLeaks Cable Release Prompts Last Minute Legislation | Text of SHIELD Act] and [US Could Seek Assange Extradition] and, finally: [US Military Implements Strict Data Transfer Rules]

Health / Medical

US – OPM Delays Launch of Federal Health Claims Database

The U.S. Office of Personnel Management (OPM) has decided to push back the planned launch of a controversial health claims database by one month. The new database, which will eventually contain detailed health information on millions of Americans, was originally set to launch this morning. But in a notice issued in the Federal Register, the agency said it was delaying the deadline to Dec. 15 so it can accommodate more comments from the public. The OPM also said it may revise its original systems of records notice (SORN) about the database to better explain its authority to maintain such a system and to clarify its intent to “significantly limit” how health claims data will be shared. The OPM may also provide a more detailed explanation of planned security and privacy controls for the new database, the notice said. It offered no details on when a revised SORN will be published. The decision to push back the launch comes after privacy groups expressed considerable alarm over the OPM’s planned Health Claims Data Warehouse. Much of the concern stemmed from what the groups said is a serious lack of details about why the new database is needed, with whom information will be shared, and how data will be protected. [Source]

CA – Health Info Bill Worries Psychologists

Nova Scotia psychologists are worried that proposed legislation on personal health information could jeopardize their patients’ privacy. Bill 89 allows information to be shared among the patient’s health-care providers without express consent. The legislation’s “implied knowledgeable consent” standard gives health-care providers too much discretion about who can see the patient’s information, the Association of Psychologists in Nova Scotia said in a recent news release. The act appears to give family physicians, for example, permission to share the information with anyone the doctor deems relevant. There are also worries that some terms used in the legislation, such as “circle of care,” are too vague to guarantee the proper control of a patient’s information. [Source]

US – N.C. Privacy Worry Halts Use of SIDS Checklist

The North Carolina medical examiner’s office says it is dropping a standardized checklist for suspicious infant deaths after learning the information in those reports must be made public. The change in policy comes after the attorney general issued an opinion that the information in those reports would be public. While admitting that the checklist is considered a best practice for investigating unexplained child deaths, the state’s new chief medical examiner, Deborah Radisch, says families might feel betrayed if the information isn’t kept private. The N.C. attorney general’s office said certain portions of the reports wouldn’t be public. At a meeting in Raleigh last week, lawmakers, child advocates and others were told that the state medical examiner’s office would no longer use the document because of privacy issues. [Source]

US – Groups Bring Complaint to FTC on Health Sites

The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and the World Privacy Forum are asking the Federal Trade Commission to investigate the marketing used by a number of health Web sites. The New York Times reports that the groups’ complaint charges that some sites are not transparent enough about how they track people through online heath searches, create user profiles and market to users’ conditions. The main concern, said Ed Mierzwinski of U.S. PIRG, is that employers or health insurers could get hold of the profiles. “You could be searching for health information about your cat or your neighbor and it could end up harming your healthcare in terms of denial or increased cost,” said Mierzwinski. [Source]

US – For Teens, Privacy May Trump Health Care: Study

If teens’ desires for health care privacy aren’t respected, their care could be compromised, a new study suggests. Teens are cautious about revealing sensitive information to health care providers for fear of being judged, and are reluctant to talk to unfamiliar or multiple medical staff, according to researchers at Cincinnati Children’s Hospital Medical Center. Among the findings:

§         Teens of all ages said they would not discuss sensitive topics with health care providers if they thought the provider would judge them or “jump to conclusions.”

§         Younger teens said they did not have personal discussions with providers they didn’t know or like, or if they believed the provider did not need to know the information.

§         Only younger adolescents said they had concerns about violations of physical privacy.

§         Kids with chronic illnesses better understood and accepted the need to share information with health care providers.

The study was published online Nov. 22 in the journal Pediatrics. Doctors and other health care professionals need to make it as easy as possible for teens to share information, and need to respect their readiness or reluctance to disclose information, said lead author and adolescent medicine physician Dr. Maria Britto. [Source] See also: [Who is Seeing your Kids’ School Data?]

Horror Stories

US – Puerto Rico Breach Affects 400,000+

Triple-S Management, an insurer whose business includes acting as the Blue Cross and Blue Shield licensee of Puerto Rico serving 1 million members, has reported a data breach affecting more than 400,000 members. The intrusions occurred multiple times between Sept. 9-15 as the competitors’ employees downloaded protected health information of about 398,000 Blues members into the competitor’s information systems. During the investigation, Triple-S also learned smaller breaches affecting about 8,000 individuals covered under the state government’s health plan and Medicare occurred between October 2008 and August 2010. The competitor’s employees used one or more active user IDs and passwords specific to Triple-S’ database to access the information. Triple-S believes the likely target was financial information related to the government insurance plan rather than individuals’ information. [Source] See also: [US: Possible hospital privacy breach tied to failure to shred reports]

CA – Laval Transit Card Disposal Breaches Privacy

The Laval Transit Corporation has launched an investigation after more than one hundred expired student transit cards were found lying on the ground near the Longueuil metro station on Montreal’s South Shore. Unlike the regular-fare “Opus” smart cards, the student cards contain private information including a person’s name, photo and school. A spokesperson at the privacy commission confirms companies must have a disposal policy in place, such as shredding, so that personal information is destroyed and nobody has access. [Source]

US – Identity Theft Ring Breaches Holy Cross Hospital

An identity theft ring managed to breach emergency room files at Holy Cross Hospital to steal Social Security numbers and personal details of about 1,500 patients, officials said. Emergency room employee Natashi Orr was among four people arrested as part of an investigation that began before June, U.S. postal inspectors and prosecutors said. After federal agents uncovered the scheme, hospital technicians spent months tracking Orr’s computer activity but cannot be sure which 1,500 patients she compromised while working there from April 2009 to September. That’s when she was fired. As a precaution, Holy Cross is notifying all 44,000 patients who visited the emergency room during that period, so they can take steps to make sure their identities were not misused, hospital Chief Executive Dr. Patrick Taylor said in a statement. [Source]

Intellectual Property

US – Senate Anti-Piracy Bill Provokes Battle Between Hollywood And Web Giants

A Senate Judiciary committee will consider legislation to combat Internet counterfeiting that has pitted Hollywood and television networks against Web giants Amazon, Google and Yahoo over how law enforcement authorities should prevent digital theft. The bill, sponsored by Senator Patrick Leahy (D-Vt.) with the backing of 17 senators, would allow law enforcement to scrap infringing sites by taking down the domain names of the most egregious copyright offenders. If approved by the subcommittee, the measure would proceed to the full Senate for vote. The controversial legislation has attracted powerful supporters and detractors who have ramped up lobbying campaigns around the bill this week. On one side, the music, movie and television industries have supported the bill, saying that counterfeiting of their products won’t cease unless there are stronger sanctions in place. They say that existing rules have done little to curb counterfeiting and piracy. On the other side, Internet networking engineers and privacy advocates such as the Electronic Frontier Foundation argue that the takedown of domain names could destabilize the structure of the Web. They are joined in opposing the measure by companies such as eBay, Amazon.com, Bloomberg, Google and Wikipedia, who wrote Leahy on Monday, cautioning against provisions in the bill that they say would give federal law enforcement too much power to police infringing activity. [Source]

Internet / WWW

WW – Creator of the Web calls for Continued Open Web

Almost 20 years ago, the World Wide Web went live on the computer of Tim Berners-Lee in Geneva. “The simple setup demonstrated a profound concept: that any person could share information with anyone else, anywhere,” he writes. Now Berners-Lee is fighting to keep that setup still in existence. One of the creators of the Web took to Scientific America to write an impassioned plea in support of an open Web, calling it a vital tool for democracy, a public resource owned by everyone and critical to free speech. Berners-Lee is among a number of top technology thinkers fighting against a possible tiered Internet system. [Source]


AU – Go Card Privacy Probe Due

Police are set to face changes to the way they access commuter travel records following an investigation by the Australian Privacy Commissioner Linda Matthews, who will hand the parliamentary speaker a report outlining her findings on the use of Go Card journey data in criminal investigations. The probe was triggered by a brisbanetimes.com.au report in July revealing police were using Go Cards to pinpoint the movements of not only suspects but also potential witnesses. Police can apply to Translink for information about the passenger journeys of Go Cards whose owners have registered their details, under an exemption to privacy laws. In July, police confirmed 46 such applications had been made but sought to allay public concerns over privacy. Police yesterday were unable to say if any more applications had been made since then. [Source]


WW – Researchers: Study Your Cloud Computing Contracts

Computerworld reports on a recent study by UK academics which found that cloud computing contracts may contain clauses posing risks to users. The Cloud Legal Project at Queen Mary University of London studied 31 cloud computing contracts from 27 providers and found that the contracts sometimes can be terminated for lack of use or sometimes for no reason, contain disclaimers denying responsibility for keeping user data secure and can be revoked for violations of the provider’s “acceptable use” policy. Claims against a provider for data loss or a privacy breach may be difficult in cases where the provider seems local but, in fact, is hosted on another continent, the report warns. [Source]

AU – Cloud Could Be ‘Privacy Enhancing’: Pilgrim

Australia’s Privacy Commissioner Timothy Pilgrim is cautiously optimistic about the cloud’s potential to increase personal privacy, but has put organisations on notice that new laws will require them to take more responsibility for the information they collect. Using the cloud doesn’t alter an organisation’s responsibilities under the Privacy Act. “Data security applies to personal information in a filing cabinet as much as it does to information on the cloud,” Pilgrim told the conference. “The challenge lies in identifying where the privacy risks lie and how best to mitigate them.” Currently, Australia’s privacy laws require an organisation to be “undertaking a business in Australia” before the privacy commissioner can investigate. This will change. Australia’s Privacy Act is being reviewed. “Businesses are going to have to take on a greater degree of accountability,” Pilgrim said. “If they undertake to collect someone’s information in Australia but they want to get it processed overseas, they’re going to have to ensure — either through sending it to a country with similar protections [to Australia] or putting into place contractual clauses — that [they] will give it the same level of protection before they can send that information out of Australia and therefore they must remain responsible for it.” Those changes to the Privacy Act are currently being considered by a Senate committee. That committee is expected to report by 1 July 2011, with legislation to be introduced into parliament by the end of the year. [Source]

Other Jurisdictions

IN – Legal Action on Personal Data Misuse

New Delhi: In what may change the way banks and cellphone companies as well as official agencies collect and process information about individuals, the government is proposing legislation that will empower citizens with sweeping rights to legal recourse against any misuse of personal data. The first draft of the proposed legislation has been released for public debate by the department of personnel and training (DoPT). The main aim of the umbrella legislation will be to make sure that confidential personal information disclosed by any individual is not revealed to third parties without the person’s consent. The legislation will ensure that sufficient safeguards are adopted in the process of collecting, processing and storing such information. The proposed legislation was drafted after a group of officials was constituted to develop a conceptual framework around concerns on privacy, data protection and security, as reported by Mint on 20 June. However, the privacy legislation will provide for exceptions in the event of a likely conflict between the need to protect individual privacy and the interest of national security, which will take precedence. [Source]

Privacy (US)

US – FTC Backs Do Not Track List

A report from the US Federal Trade Commission (FTC) describes a series of revisions of online privacy rules to protect consumers, including the creation of a Do Not Track framework analogous to the Do Not Call list that bars telemarketers from phoning numbers that consumers have registered. The policy would affect all organizations that collect and store consumer information. The FTC made the proposal because the current “notice and choice” system, which has organizations voluntarily notifying consumers of data collection policies and determining their own policies, is not effective. [Source] [Source] [Source] [Source] See also: [NYT: Do Not Track Recommendation Raises Questions and Concerns]

US – Connecticut AG Demands Google Street View Data

Connecticut Attorney General Richard Blumenthal is demanding that Google turn over to his office the personal data gathered from unprotected Wi-Fi networks while the company was obtaining images and other information for Street View. Blumenthal issued a civil investigative demand, which is like a subpoena. Blumenthal says that his office needs the data to determine what penalty to impose on Google. Google has until December 17 to turn over the data. [Source]

US – Father Files Complaints After Son Denied Vaccines Due to Privacy Concerns

The father of a 17-year-old from northwest Indiana is challenging the record-keeping requirements for the state’s student immunization program on grounds it doesn’t safeguard privacy. The Times of Munster reports that William Dittman of St. John’s Township said his son was denied immunizations by the Lake County Health Department and a private clinic when Dittmann objected to them wanting to include some of his son’s personal information in a state database. Dittmann has filed complaints with the U.S. Department of Health and Human Service and the Indiana attorney general’s office. State Health Department spokeswoman Jennifer Dunlap said Indiana doesn’t deny vaccines to anyone who doesn’t want to be included in the registry. [Source]

Privacy Enhancing Technologies (PETs)

WW – Privacy-Protecting Social Network Opens Up

Diaspora, the open-source based social network touted as a privacy-conscious alternative to Facebook, has opened up for business. For now, stepping aboard the alpha-version of the decentralised service is strictly on an invitation-only basis. Although anyone can request to join the alpha test, the numbers are limited. The closest that most members of the great unwashed will get to joining the site is inclusion on a mailing list. Diaspora aims to address some of the multitude of privacy and content-control issues that have arisen over Facebook in recent months. The social network software is designed so that users only share photos and comments among a group they define. Users retain the copyright of anything uploaded onto Diaspora. The developers behind the software also promise to make privacy controls both clear and straightforward. [Source]

WW – Scientists Say They Have Solution to TSA Scanner Objections

A cheap and simple fix in the computer software of new airport scanners could silence the uproar from travelers who object to the so-called virtual strip search, according to a scientist who helped develop the program at one of the federal government’s most prestigious institutes. The researcher, associated with the Lawrence Livermore National Laboratory in California, said he was rebuffed when he offered the concept to Department of Homeland Security officials four years ago. The fix would distort the images captured on full-body scanners so they look like reflections in a fun-house mirror, but any potentially dangerous objects would be clearly revealed. TSA spokesman Nick Kimball said he could not immediately confirm Wattenburg’s 2006 conversation with federal officials. “That was another administration.” [Source] See also: [Lee Tien: Common Sense and Security: Body Scanners, Accountability, and $2.4 Billion Worth of Security Theater] and [US: Video of pat down at airport goes viral] and [US: Those Refusing TSA Search May Face $11K Fine] and [US: New underwear protects privacy during airport scans] and [AU – Privacy fears after ‘revealing’ scans leaked online] and [Canadians bristled at intrusive airport searches, complaint records show] and [All quiet in Canada as U.S. travelers prepare to protest] and [US: Audit Faults TSA’s Training of Airport Screeners as Rushed, Poorly Supervised]

WW – PETs and Their Users: A Critical Review of the Potentials and Limitations

An article by Seda Gürses, “PETs and their users: a critical review of the potentials and limitations of the privacy as confidentiality paradigm,” published in Identity in the Information Society, is available online. Here’s the abstract: “Privacy as confidentiality” has been the dominant paradigm in computer science privacy research. Privacy Enhancing Technologies (PETs) that guarantee confidentiality of personal data or anonymous communication have resulted from such research. The objective of this paper is to show that such PETs are indispensable but are short of being the privacy solutions they sometimes claim to be given current day circumstances. Using perspectives from surveillance studies we will argue that the computer scientists’ conception of privacy through data or communication confidentiality is techno-centric and displaces end-user perspectives and needs in surveillance societies. We will further show that the perspectives from surveillance studies also demand a critical review for their human-centric conception of information systems. Last, we rethink the position of PETs in a surveillance society and argue for the necessity of multiple paradigms for addressing privacy concerns in information systems design. [Source]


CA – Flash Debit Cards Coming to Canada

Contactless flash debit cards will be available in Canada starting in the summer of 2011, the Interac Association said. The technology gives cardholders the choice of paying for smaller value items simply by waving the card in front of a supported reader rather than inserting the card in the terminal and entering a pin number. Scotiabank and Royal Bank of Canada will be the first banks to offer new Interac Flash debit cards this summer, Interac said. An estimated $90 billion in cash payments are for purchases under $20 and Canadians are increasingly willing to pay with plastic, Interac said. [Source]


AU – Govt Promises X-Rays Won’t Be Naked Scanners

New X-Ray body scanners could be rolled out at Australian airports in just a few months, but the Federal Government has promised they will not be the same as the ‘‘naked scanners’’ which have caused outrage in the US.The Government is to install the new equipment early next year, as part of a $200 million security upgrade, but has not made a decision about the kind it will buy. [Source]

CA – Privacy Czar Probing Rules on Strip Searching Airport, Port Workers

Canada’s privacy commissioner is studying the government’s plan to give Canada Border Services Officers more power to strip search airport and port employees suspected of smuggling drugs, arguing it could impact workers’ privacy. Valerie Lawton, spokeswoman for privacy commissioner Jennifer Stoddart, said Stoddart was given a privacy-impact assessment of the government’s customs-controlled areas initiative but had not known of the regulations until they were reported by iPolitics.ca. Stoddart is examining the initiative and has asked the CBSA for more information. [Source]

WW – Ransomware Makes a Comeback

Security firms are noting the resurgence of ransomware, malware designed to hold users’ data hostage on their own computers in return for payment. The newest variants demand payment of as much as US $120 to return control of data to their rightful owners. One of the variants used infected PDF files to exploit known vulnerabilities in Adobe Reader. Users whose patches are up to date are protected. Another variant targets the master boot record of Windows PCs’ hard drives. [Source] [Source] See also: [Online Ad Networks Serving Up Malware]


CA – Government to Tap Inmates’ Calls

Inmates in Saskatchewan’s jails may soon have their calls monitored by jail officials — without the need for a court warrant. The government is introducing a new law which will legalize warrantless phone surveillance. The idea is to discourage calls which could be involved in criminal activity, according to Corrections Minister Yogi Huyghebaert. Although the jails will be wired to monitor and record calls, officials won’t be listening to everyone, he said. “It’s to monitor phone calls from people that are very high suspects of conducting illegal activity or harassing people on the outside — that’s what it’s for,” he said. “Now, if somebody is a low-suspect individual there’s no reason to be monitoring.” The government says similar systems are in place in British Columbia and Alberta. Under the proposed law, calls between inmates and their lawyers will not be monitored. The bill is being introduced this fall and could be passed into law by next spring. [Source]

CA – Condos Rethink Cameras Over Privacy Concerns

“Condo TV” is fading to black in condo buildings around the province as strata councils draw a line between security and surveillance. Many condominium buildings feature high-tech security systems, some with live feeds to every unit of the comings and goings in entranceways, parkades and common rooms. The B.C. Office of the Information and Privacy Commissioner has long had guidelines covering audio and video surveillance in condominiums. But an order last year is prompting strata councils to take another look. How cameras were being used in the Shoal Point condo in James Bay brought the issue into sharper focus. In that case, argued before adjudicator Jay Fedorak, some residents of Shoal Point complained that cameras, in addition to security, were being used to collect evidence of minor bylaw infractions — such as not carrying their dogs through the lobby or propping open doors. Video cameras, including those in the common areas such as the amenity room or the pool, were being monitored regularly by members of the strata council and were intrusive, they said. [Source]

Telecom / TV

US – CIOs See Smartphones As Data Breach Time Bomb

Eight out of 10 CIOs think that using smartphones in the workplace increases the business’s vulnerability to attack, and rank data breaches as their top related security concern. Yet half of organizations fail to authenticate their employees’ mobile devices, among other basic security measures. The study found that the so-called consumerization of enterprise IT, meaning employees who bring ostensibly consumer devices to work, continues at full pace. According to the report, 48% of employees are allowed to use mobile devices that they own to connect to corporate systems. Interestingly, 90% of organizations provide — or will soon offer — mobile devices to their employees. A majority said those devices would be BlackBerry smartphones, which mirrors the continuing market dominance of the BlackBerry platform — with a 37% market share, ahead of Apple (24%) and Android (21%). But mobile device security controls remain a weak point, with only half of organizations authenticating their mobile device users. Among those, about two-thirds rely on usernames and passwords, while 18% use public key infrastructure (PKI) certificates, and only 9% employ two-factor authentication with one-time passwords. Furthermore, only about 25% of organizations ensure that employees’ mobile devices are running antivirus and anti-malware software. According to Titterington, “organizations must establish a holistic security strategy that addresses the consumerization of this fast-growing channel into corporate networks and data.” [Source]

US Legislation

US – Lawmakers Seek to Halt Full-Body Scanners Over Privacy, Health Concerns

Airport screening procedures have become so intrusive that scanning amounts to a virtual strip search and patdowns feel like a grope. So say a group of New Jersey legislators who joined with civil liberties advocates to announce their opposition to the Transportation Security Administration’s latest screening measures — and to call upon Congress and President Obama to reign in the Transportation Security Adminstration. “Enough is enough,” state Sen. Michael Doherty (R-Warren) said during a press conference at the Statehouse. “We believe there are constitutional violations taking place. We believe there are violations of New Jersey state law taking place.” [Source]

US – Bill Would Give DHS Authority to Fine Companies for Inadequate Security

Proposed legislation would give the US Department of Homeland security (DHS) the authority to impose fines of up to US $100,000 a day on organizations that are responsible for elements of the country’s critical infrastructure if they have not complied with cyber security directives imposed by DHS. The Homeland Security Cyber and Physical Infrastructure Protection Act would have DHS create a list of companies whose operations are critical to the continuing operation of the country’s infrastructure. Those companies will be required to comply with DHS established regulations, which could include submitting their cyber security plans to DHS for approval and having “announced or unannounced audits and inspections.” It would also call for DHS Secretary Janet Napolitano to appoint a cyber security chief. The bill has raised concerns among many who say that DHS lacks the expertise to establish cyber security requirements and evaluate their effectiveness. [Source]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: