16-31 December 2010


EU – Europe Tells Britain to Justify Itself Over Fingerprinting Children in Schools

The European Commission has demanded that Britain justify the widespread and routine fingerprinting of children in schools because of “significant concerns” that the policy breaks EU privacy laws. The commissioner is also concerned that parents are not allowed legal redress after one man was told he could not challenge the compulsory fingerprinting, without his permission, of his daughter for a “unique pupil number”. In many schools, children as young as four place their thumbs on a scanner when using the canteen or library, and lunch money is deducted from their account or they are registered as borrowing a book. Research carried out by Dr Emmeline Taylor, at Salford University, found earlier this year that 3,500 schools in the UK – one in seven – are using fingerprint technology. EU data protection rules, Brussels legislation that overrides British law, require that the gathering of information such as biometric fingerprints be “proportionate” and allow judicial challenges. In May, the incoming Conservative and Liberal Democrat coalition promised to “outlaw the fingerprinting of children at school without parental permission”. A government spokesman was not available yesterday to comment on the commission’s letter. [Source]


CA – MLAs in B.C. Resist Disclosing Expenses

A government promise to shed more light on how politicians spend taxpayer dollars is being undermined by MLAs who don’t want their expenses to be made public, says a Liberal MLA running for premier. Mike de Jong, who as attorney general and Liberal house leader spearheaded a push earlier this year to disclose expenses, said he’s frustrated at behind-the-scenes resistance from his colleagues. De Jong had promised the public would see, by September, the amount MLAs bill taxpayers for food, rent, salaries and office expenses. But some politicians complained about privacy concerns, and the deadline passed without information being disclosed or a new deadline set. [Source]

CA – Provinces Win Control of Assisted Reproduction in Supreme Court Challenge

The Supreme Court has upheld the right of the provinces to regulate the assisted reproduction industry. The court issued a divided advisory opinion that upholds in part a 2008 Quebec Court of Appeal decision which said Ottawa had overstepped in asserting control over assisted reproduction. The Supreme Court split 4-4-1, with Justice Thomas Cromwell offering the determining view. Quebec filed a constitutional challenge to the federal Assisted Human Reproduction Act and was supported by three other provinces. The province argued that Ottawa was treading on provincial jurisdiction over health care. The 2004 act regulated the use of sperm, eggs and embryos, while banning cloning and hybrids. Ottawa maintained it had the right to make criminal laws and that the purpose of the act was to protect the “health, safety and public morals” of Canadians. [Source]


US – Poll: Most Web Users Dislike Targeted Ads

A new Gallup poll has found that two-thirds of Americans do not want to receive targeted ads based on their Web surfing habits. Responses to the poll indicated privacy concerns vary generationally, but 67% opposed having their Web use tracked for advertising purposes, while 61% “care so much about their privacy that they aren’t willing to sacrifice it in exchange for more free content paid for by targeted ads.” The report notes that “most Internet users would rather pay for content instead and withhold something as seemingly innocuous as their Web browsing history from advertisers.” [Source]

US – Targeted TV Ads Set for Takeoff

After years of promises and false starts, TV commercials targeted at individual homes may finally be ready for prime time. DirecTV Group Inc. is planning the biggest rollout yet of “addressable ads,” allowing advertisers to reach close to 10 million homes with commercials tailored to each household. Dog owners, for instance, could see ads for dog food, not kitty litter, while families with children could be shown minivan spots. Targeted TV ads are the latest manifestation of a fast-growing phenomenon: the gathering, repackaging and trading of personal data. Driving this move is the fact that targeted ads command much higher prices than regular ones. DirecTV plans to roll out its targeted ad service in August or September next year. [Source]

US – Study: Education Lacking on Smart Meters

When it comes to smart meters, consumers are not being adequately informed about their capabilities and the way they will affect privacy. That’s according to a new Ponemon study, “Perceptions about Privacy on the Smart Grid,” which polled 509 U.S.-based adults and found that 54% of those surveyed did not receive information about or know they had a smart meter until after installation. Smart meters will measure home energy usage, in some cases down to the appliance level. The privacy concerns consumers noted were misuse of personal information by the government (53%) and failure to protect personal information. [Source]


US – Woman Pleads Guilty to Accessing Student Loan Files

An Illinois woman says it was curiosity that led her to view the student loan files of hundreds of individuals while working within the Federal Student Aid Division of the Department of Education. Charlotte M. Robinson pleaded guilty in court this week to unauthorized computer access, according to a Department of Justice press release. She will be sentenced on February 22. Robinson admitted to repeatedly viewing the confidential student loan records of musicians, actors, family members, friends and others, even though she had no official reason to do so. [Source] See also: [U.S. Ups Scrutiny of Public]


US – Federal Court in Ohio Upholds E-Mail Privacy

A defense attorney said he sees a federal court’s opinion upholding e-mail privacy as groundbreaking and possibly helpful to his client, the founder of a company that sold male enhancement pills. Lawyer Martin Weinberg said e-mail evidence should have been excluded from the government’s case against Steven Warshak, who was convicted of fraud and other crimes related to his Ohio company. The company, Berkeley Premium Nutraceuticals Inc., sold products including Enzyte pills – known for their commercials featuring Smiling Bob, whose life improves after using them – and other herbal supplements promoted as treating a variety of health and personal conditions. The Warshak case, in which investigators obtained 27,000 e-mails, has been closely watched by civil liberties advocates in the still-developing field of online privacy, and some said Tuesday’s opinion was perhaps the strongest yet in protecting digital communications against unreasonable search and seizure. The 6th U.S. Circuit Court of Appeals in Cincinnati threw out Warshak’s 25-year sentence, saying the trial court didn’t adequately explain how it arrived at a figure that more than $400 million in losses resulted from deceptive ads, manipulating credit card transactions and refusing to accept product returns or cancel orders. While upholding Warshak’s conviction, the three-judge panel also said his constitutional rights were violated when investigators obtained his e-mails without warrants. The court said that with so much of today’s communication done electronically, citizens have a reasonable expectation of privacy just like with telephones and traditional mail. “The Fourth Amendment must keep pace with the inexorable march of technological progress or its guarantees will wither and perish,” Judge Danny J. Boggs, a Ronald Reagan appointee, wrote for the panel. 
The opinion stated: “The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call – unless they get a warrant, that is.” But the panel concluded that the e-mail evidence was allowable in the case because law enforcement officers believed they were following the law when seeking it from an Internet service provider. Weinberg said that part of the ruling likely will be appealed in his effort to get Warshak’s convictions thrown out. “The extension of the Fourth Amendment to e-mails is a groundbreaking opinion that is of pivotal importance in terms of protecting privacy in the Internet age,” Weinberg said. [Source]

Electronic Records

US – Practitioners’ Holiday Wish? Privacy Improvements

HealthLeaders Media reports on healthcare practitioners’ holiday wishlists: more staff, more time to study HIPAA regulations and a year free of data breaches. A recent Ponemon Institute study revealed that of the 65 hospitals surveyed, 71% said they had inadequate resources to prevent and quickly detect patient data loss, the report states. Other wishlist items include a smooth transition to the implementation of electronic health records, an efficient and compliant data encryption program and more safeguards to protect personal health information. “I hope that technology continues to be enhanced to support patient privacy,” said Debra Mikels, a healthcare practitioner in Boston, MA. [Source]


US – Google Seeks Dismissal of Class Action

Google says its collection of personal data off of WiFi networks earlier this year broke no laws, and the company is asking a district court judge for dismissal of a potential class-action lawsuit related to the activity. In a filing last week with U.S. District Court Judge James Ware in San Jose, CA, the company said, “It is not unlawful under the Wiretap Act to receive information from networks that are configured so that communications sent over them are ‘readily accessible to the general public.’” [Source] See also: [Blumenthal: Legal Action Possible in Connecticut]

EU Developments

EU – Parliament Demands Commission Protect Web Users from Advertising

OUT-LAW News reports on the European Parliament’s call for stricter online advertising rules giving Web users more control of their privacy. The European Parliament has adopted a resolution asking the European Commission to introduce rules requiring Internet companies to disclose behavioral advertising and give users the right to opt out, expressing “serious reservations about the use of sophisticated technologies in advertising systems to track users’ activity.” Parliament is calling on the commission to “update, clarify and strengthen its guidelines on the implementation of the Unfair Commercial Practices Directive,” the resolution states, and create a labeling system based on the European Privacy Seal “certifying a site’s compliance with data protection laws.” [Source] [Source] [Resolution] See also: [EU: Human rights court condemns Ireland over abortion]

EU – German Resolution Sets Minimum Qualifications for DPOs

The German data protection authorities responsible for the private sector–the Düsseldorfer Kreis–issued a resolution pertaining to company data protection officers (DPOs). The resolution sets out minimum expertise requirements for DPOs and addresses their independence within the organizations for which they work. The resolutions come after inspections revealed a “generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.” Under the resolution, DPOs should have a general command of data protection law, the blog states, including comprehensive knowledge of the Federal Data Protection Act. [Hunton & Williams Privacy and Information Security Law Blog]

Facts & Stats 

UK – Fraudsters Claim Nearly 2.5m Victims in 2010

More than 2.4 million people fell victim to a scam this year, with teenagers and the over-80s proving particularly vulnerable to cheats and fraudsters, according to new research by the charity Age UK. Its findings, which suggested almost three-quarters of victims lost money, coincided with an announcement of new government funding for the Scambuster teams run by trading standards departments. The most common type of deception was online fraud, with 34% of scams being perpetrated via the internet. The second most common category involved phone calls typically offering “failsafe” investments or informing the victim they have won money or a holiday. Others included bogus timeshares and rogue driveway repair companies. While most people lost under £100, almost one in six were cheated out of more than £500. Those in the youngest (16-24) and oldest (80-89) age groups were most likely to be “swindled”. Age UK’s study also found that once people had been “scammed” they were unlikely to tell anyone about it. Only 8% of victims went to the police, and only 9% went to organisations such as Citizens Advice. Perhaps surprisingly, most did not even share their story with friends or family. [Source] See also: [US: Man charged with hacking after reading wife’s emails]


CA – Calgary Man Wins $5,000 Court Judgment Over Credit Agency’s Blunder

A man who pleaded his own case before the Federal Court has won a precedent-setting $5,000 in damages from a company which sent an inaccurate credit report to his bank. Mirza Nammo of Calgary was also awarded $1,000 in legal expenses. Judge Russel Zinn found the credit agency, TransUnion of Canada Inc., blundered when it sent the report on Nammo to the Royal Bank. The report led the bank to refuse Nammo a business loan. The case is the first in which a judge levied damages for a breach of the Personal Information Protection and Electronic Documents Act. The judge took a harsh line with the credit agency, saying it put someone else’s information into Nammo’s file, tried to blame another company for the error and, when it finally redid the file, failed to tell the bank. Zinn said if TransUnion had bothered to check its information before sending it to the bank it would have noticed that the person cited in the file had a different name, a different date of birth and lived in a different province. The information was “grossly inaccurate,” he said. Nammo had been planning to go into business with another man, but the plan fell through when the bank denied him the loan. When Nammo complained to TransUnion in February 2008, it sent a letter blaming a Calgary collection agency for the error. “It is a challenge to determine whether its response was mere obfuscation or, as was suggested by the applicant, a deliberate misrepresentation,” the judge wrote. He went on: “In the letter, TransUnion took no responsibility for the error which was its and its alone.” Nammo sued under the provisions of the personal information law. He had earlier gone to the privacy commissioner, who ruled that the complaint was founded but had been rectified. The judge didn’t feel the agency’s error was completely rectified because, while it told the bank that there had been a change to Nammo’s file, it didn’t say what the change was.
He also said that TransUnion took too long to correct the error. The judge refused to award Nammo compensation for lost business, but did award him damages for the humiliation he suffered by being labelled a bad credit risk. [Source]

US – President Obama Signs Red Flag Program Clarification Act

President Barack Obama has signed the Red Flag Program Clarification Act of 2010 into law, amending the Fair Credit Reporting Act and limiting the Federal Trade Commission’s Identity Theft Red Flags Rule. The Hunton & Williams Privacy and Information Security Law Blog reports that the new law limits the application of the Red Flags Rule to exclude creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The change addresses concerns that the rule previously extended to “entities not typically thought of as creditors,” such as legal firms and healthcare providers, the report states. [Source]

US – Judge Issues Permanent Injunction Against DA, Weld Sheriff

A Larimer District Court judge has put a formal end to efforts on the part of Weld District Attorney Ken Buck and Weld County Sheriff John Cooke to crack down on illegal immigration and identity theft using records from a Greeley tax preparer. District Judge Stephen Schapanski made permanent a temporary injunction issued against Buck and Cooke in April. The ruling directs the Weld County court clerk to destroy all copies of information obtained from the search and seizure of tax files from Amalia’s Translation & Tax Service in Greeley in 2008. Weld authorities also are forbidden from using any information learned from the contents of those files. Buck said authorities had already stopped using the files after the Colorado Supreme Court ruled in December 2009 that Operation Number Games was illegal. Schapanski’s ruling came as part of a civil suit filed by the ACLU on behalf of tax preparer Amalia Cerillo. The ACLU issued a release Wednesday that called Schapanski’s ruling the final nail in the coffin for Operation Number Games. [Source]


CA – Access Law Does Not Cover Personal Emails Stored at Work

Personal emails stored on workplace computers are not covered by access to information laws, an Ontario judge has ruled. In overturning a decision of the province’s Information and Privacy Commissioner, which granted an Ottawa resident access to the personal emails of a city solicitor, Madame Justice Anne Molloy said the purpose of Ontario’s access to information laws is not to provide unfettered access to any document within a government office, but rather “to enhance democratic values by providing its citizens with access to government information.” “It can be confidently predicted that any government employee who works in an office setting will have stored, somewhere in that office, documents that have nothing whatsoever to do with his or her job, but which are purely personal in nature,” the judge wrote. [Source]

CA – Two more Tory Staffers Tried to Block Access to Information Requests

Two more Conservative staffers in the office of cabinet minister Christian Paradis tried to block the release of access-to-information documents, The Canadian Press has learned. In October, Paradis adviser Sebastien Togneri resigned after it was revealed he had meddled in at least three different access-to-information requests while with the Public Works Department. Those incidents are the subject of an investigation by the Information Commissioner. But two more policy advisers within Mr. Paradis’s office were also involved in dealing with records destined for public release under access-to-information legislation. Documents obtained by The Canadian Press show that Marc Toupin and Jillian Andrews both argued against the release of material on sensitive subjects. In one case dealing with the members of a federal panel who wrote a damning report on asbestos, Mr. Paradis’s political office had highlighted material it did not want released. When bureaucrats asked for an explanation, Mr. Togneri directed them to his colleague Mr. Toupin. “Those comments are inappropriate and improper, not relevant to the request and should not be disclosed,” Mr. Toupin said of the material in a July 2009 email. The manager of access to information and privacy balked at the direction. “Please note that the Access to Information Act was created to provide access to records under the control of federal institutions and limit the application of severances,” Julie Lafrance wrote to Mr. Toupin. “Therefore, the legislators did not include a section in the Act for ‘inappropriate and improper’ comments.” Ms. Andrews intervened in a separate access-to-information request, about preparations for U.S. President Barack Obama’s visit to Canada in February 2009. Mr. Togneri had argued with bureaucrats that only a single document should be released, and then directed them to Ms. Andrews for further “in-depth” analysis. 
“Our department specifically states that the only documentation they have pertaining to this is a work stop order,” Ms. Andrews wrote in July 2009. “The document is found at the very last page of the ATIP. Therefore, this should be the only part of the ATIP to be released.” But another bureaucrat noted in response that officials specifically mandated with collecting documents within the department had put together a much heftier package than a single work-stop order. [Source]

Health / Medical

CA – Nova Scotia Health Privacy Bill Passes Despite Media Fear of Jail or Fines

Nova Scotia legislation that aims to protect personal health records but also raises fears that it’s too restrictive on the media has passed. Fred Vallance-Jones, a journalism professor at the University of King’s College in Halifax, says the law could see journalists fined or jailed if they seek information from hospital officials when patients haven’t given permission to release information about their status. The opposition Liberals and Conservatives agreed with his objections and raised them during third reading of the bill last week, but still voted for it. NDP Health Minister Maureen MacDonald says her legal counsel doesn’t believe the legislation will be used to prosecute journalists, and the intent is simply to protect privacy rather than restrict reporting on the health care system. As drafted, a clause in the legislation says a person is guilty of an offence if he or she “wilfully gains or attempts to gain access to health information in contravention of this act or the regulations.” [Source] See also: [CA: Intervention or intrusion? Hospital asks patients about abuse]

WW – Doctors on Facebook: Survey Shows Concerns

Doctors with Facebook profiles should be mindful of the privacy settings in order to avoid potential pitfalls with patients, according to a study published in the Journal of Medical Ethics. The study polled 200 residents and fellows at Rouen University Hospital in France last year, the majority of whom had a Facebook profile. About half of the respondents indicated that they felt the doctor-patient relationship would be changed if the patient had unrestricted access to the doctor’s profile, the report states. Deven McGraw of the Center for Democracy and Technology said young doctors are facing a dilemma familiar to many professionals–the merging of social and professional boundaries. [Source]

Horror Stories 

US – 110,000 Credit Card Records Stolen In NY Tour Company Web Server Breach

The web server of CitySights NY – a company that organizes tours around New York on double-decker buses – has been breached and names, addresses, e-mail addresses, credit card numbers, their expiration dates and Card Verification Value 2 codes belonging to 110,000 of their customers have been stolen. The breach is thought to have happened on September 26, when the attackers uploaded a script using an SQL injection attack, which allowed them to access the database on that web server. According to the breach notification letter sent to and published by New Hampshire’s attorney general, the compromise was discovered on October 25, when a web programmer discovered the unauthorized script. [Source] See also: [CDPH Loses Employee, Patient Data in Mail]
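As an added illustration, not code from the original digest or from CitySights NY, the two query patterns at the heart of a breach like this one: a lookup that splices caller input into SQL text beside its parameterized replacement, over a constructed SQLite table, plus a hypothetical regression check that flags the unsafe pattern. The table deliberately holds no CVV2 column, since card-brand rules forbid retaining that value after authorization.

```python
import sqlite3

# Constructed stand-in for a tour company's customer table; the rows are
# made up for this example. Only the last four card digits are kept and
# CVV2 is absent, because it must never be stored after authorization.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1111"),
            (2, "bob@example.com", "2222"),
            (3, "carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Defective pattern: the caller's input is spliced into the SQL text,
    so quote characters in the input change the meaning of the query."""
    query = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Hardened pattern: the input travels as a bound parameter and is
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Hypothetical regression check for a test suite: a lookup is acceptable
# only if an input that matches no stored address returns nothing, even
# when that input carries SQL quoting. The value below is constructed.
TAMPERED_INPUT = "x' OR '1'='1"


def query_is_injection_safe(lookup):
    conn = build_demo_db()
    try:
        rows = lookup(conn, TAMPERED_INPUT)
    except sqlite3.Error:
        # A parse error is a failure too: it proves input reached the parser.
        return False
    finally:
        conn.close()
    return rows == []


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:   ", lookup_vulnerable(db, TAMPERED_INPUT))
    print("parameterized:", lookup_parameterized(db, TAMPERED_INPUT))
    print("safe?", query_is_injection_safe(lookup_vulnerable),
          query_is_injection_safe(lookup_parameterized))
```

The vulnerable lookup returns every customer row for the tampered input while the parameterized one returns none, which is the difference that lets a single injectable parameter expose a whole table.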

US – Millions of Honda Owners Victims of Data Breach

Carmaker Honda is warning more than 2 million of its customers in the U.S. that an e-mail database containing some of their personal information has been stolen. The list contained the names, login names, e-mail addresses and vehicle identification numbers of more than 2 million Honda owners. Another list, this one containing only the e-mail addresses of nearly 3 million Acura owners, was also taken. Honda has contacted all the customers via e-mail. The worry is that affected owners, especially those on the list with the VINs, may be targeted for some kind of phishing attack. [Source]

US – OSU Notifying 760,000 of Data Exposure

The Ohio State University is notifying 760,000 individuals that hackers may have accessed their personal information after officials discovered unauthorized activity on a university server. “We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected,” said Provost Joseph Alutto. School officials expect to spend up to $4 million in investigative and credit-protection costs. Alutto said the university is “committed to maintaining the privacy of sensitive information and continually works to enhance our systems and practices to reduce the likelihood of such events occurring.” [Source]

US – Case Against Starbucks Gets the Go-Ahead

The 9th Circuit Court in Seattle, WA, ruled on Tuesday that Starbucks employees whose names, addresses and Social Security numbers were on an unencrypted laptop stolen in 2008 have grounds to sue the company for negligence. A district court had dismissed the case saying it did not meet state requirements for injury but that it did have federal standing. The plaintiffs alleged that though they hadn’t lost any money, the time taken to monitor their credit and the stress of the possibility of identity theft amounted to an injury. The federal appellate panel agreed. “Here, plaintiffs-appellants have alleged a credible threat of real and immediate harm,” wrote judge Milan Smith for the court. [Source]

Identity Issues 

US – California: Online Impersonation Banned Starting in New Year

Assuming another person’s identity on the Internet and fabricating an e-mail or Facebook account is now against the law in California. A state law effective Jan. 1, authored by Sen. Joe Simitian, D-Palo Alto, makes online impersonation, when it seeks to harm someone, illegal. A handful of Internet free-speech advocates initially expressed concerns about Simitian’s law. Their chief fear was that such a measure would prevent spoofs or political satire. The final legislation holds that the person who is impersonated has to be “real” and “credible,” meaning there’s leeway for parody and Abe Lincoln and Santa Claus can still legally have Twitter accounts. [Source]

IN – Powers to be Established for ID Governing Body

After the introduction of The National Identification Authority of India Bill (NIAI) in the Rajya Sabha earlier this month, privacy concerns persist. The bill will establish the Unique Identification Authority of India (UIDAI) as a legally sanctioned body and set out its powers and functions, The Telegraph reports. UIDAI will assign each citizen a unique identifying number, though legal experts and advocates say UIDAI’s plan does not provide enough safeguards for privacy. The Centre for Internet and Society says that the bill fails to protect citizens’ rights. “Lots of important details have been left to be defined by the UIDAI,” a spokeswoman said. [Source]

Intellectual Property 

FR – Nicolas Sarkozy’s Internet Police Warn 100,000 Illegal Downloaders

Nicolas Sarkozy’s war on illegal downloading has begun in earnest, with the state internet surveillance body dubbed “Big Brother” warning more than 100,000 French internet-users that they have been caught accessing pirate material. The controversial anti-piracy law is one of Sarkozy’s pet projects, backed by his singer wife, Carla Bruni-Sarkozy. The couple argue that artists must be protected from the nation’s massive illegal download culture – France is thought to be the world number one in illegally accessing film and music online. The internet policing system, known under its acronym Hadopi, investigates specific incidents of illegal downloading reported by music and film companies. It obtains web-users’ details from internet service providers and issues a series of warnings by email and letter. Repeat offenders risk one month’s suspension from all internet access. Those accused of counterfeiting can be fined and cut off from the internet for one year. At least 100,000 warning emails have been sent since early October. The French left has attacked the law as draconian and against civil liberties. But it is also criticised as ineffective and out of date. The law targets peer-to-peer sites, but not streaming and direct download sites. A study by the University of Rennes earlier this year reported an increase in illegal downloading as web-users turned to new ways of accessing material not covered by the law. [Source]

Internet / WWW 

WW – Microsoft Cloud Data Breach Heralds Things to Come

What might be the first major cloud data breach has happened. Microsoft announced that data contained within its Business Productivity Online Suite (BPOS) has been downloaded by non-authorized users. The knee-jerk reaction might be to blame hackers, but that’s not so here. The breach was down to an unspecified “configuration issue” in Microsoft’s data centers in the United States, Europe and Asia. The Offline Address Book component of BPOS, which contains business contact information, was made available to non-authorized users in “very specific circumstances,” according to Microsoft. The problem was fixed two hours after being discovered (how long was it open before that?), and to Microsoft’s credit it has tracking facilities in place that allow it to clean up the mess by contacting those who downloaded the wrong data. However, the whole affair will feel like a stomach punch for anybody considering cloud adoption in the coming year–especially those considering Office 365, Microsoft’s major cloud offering that ties into its Office suite. There are three basic threats that could lead to data leakage when it comes to cloud computing offerings from any vendor: 1. Misconfiguration of cloud service software, or bugs within the software; 2. Hackers stealing data, for fun or profit; 3. Employees being careless with data. [Source] See also: [Japanese woman sues Google for displaying images of underwear]

Law Enforcement 

CA – Vancouver Police to Use Licence-Plate Readers to Track Gangsters’ Movement

The Vancouver police department’s plans to use automatic licence-plate readers to track gangsters’ movements could have a real impact on gang violence, according to one of the first U.S. police departments to deploy the technology. Lt. Mike Wallace, head of Palm Beach County’s Gang Taskforce, said his force has successfully used the technology to help execute arrest warrants, gather intelligence on shifting gang alliances in Florida and prove in court that someone is affiliated with a criminal group. Automatic licence-plate readers, usually installed in a police car, use a series of mounted cameras to constantly scan for visible licence plates. Plate numbers are then automatically checked against police databases, alerting the officer inside if it finds a match against any wanted vehicles. The $20,000 devices can process 1,500 plates a minute. Wallace said Palm Beach County — an area of one million people that includes affluent Palm Beach but also a number of rural areas — got its first plate-reader four years ago. At first, the force used it mainly to find stolen vehicles. “But once we understood the technology we thought: There’s more we can do with this,” said Wallace. Soon, every time police learned gang members would be congregating, such as at a funeral or party, police simply drove one of their tracking-equipped cruisers to the scene and turned it on. “We’ll take it out and drive around at a funeral for an hour and we’ll get 3,000 to 4,000 numbers,” said Wallace. Almost immediately, said Wallace, the device started paying off, alerting officers to the presence of gangsters with outstanding arrest warrants. It also helped them discover new gang members who weren’t on their radar. The technology has also come in handy in court. Under Florida sentencing rules, gang members can receive stiffer sentences if police can prove their gang ties. 
Licence-plate tracking data has been submitted in Florida courts, along with other evidence, to help prove someone’s a gangster, said Wallace. Over the past five years, Palm Beach has seen a significant drop in gang murders, from 48 in 2006 to 18 so far this year. [Source] See also: [Public faith in local police still high: EKOS Poll]

US – Washington Subway Police To Begin Random Bag Checks

Metrorail police officers plan to randomly select bags before passengers enter subway stations and they will swab them or have an explosives-sniffing dog check the bags, according to the Metro police. There is “no specific or credible threat to the system at this time,” Metro said in a statement. Passengers who refuse to have their bags inspected will be denied entry into the subway system. “The program will increase visible methods of protecting our passengers and employees, while minimizing inconvenience to riders,” Metro Transit Police Chief Michael Taborn said in a statement announcing the new checks. The decision to launch the new security checks, similar to programs in New York and Boston, comes after two people were arrested in recent months, accused separately of threatening to explode bombs in the Washington subway system. [Source]


US – MMA Calls for Smartphone Privacy Guidelines

Following media reports about smartphone apps sharing user data, the Mobile Marketing Association (MMA), which represents smartphone advertisers and publishers, is calling for guidelines to better protect users from “intrusive tracking technologies.” The MMA announced that it will begin work on a “comprehensive set of mobile privacy guidelines…to create consistency so marketers know how to act and consumers know what to expect.” MMA Global CEO Greg Stuart said the initiative demonstrates the “ongoing commitment to the importance of consumer transparency with regards to privacy issues and data collection.” The MMA hopes to address such mobile phone marketing as text messages, e-mail and voice calls, the report states, as well as mobile Web sites and apps. MMA Privacy Committee Co-Chairman Alan Chapell, CIPP, told the Daily Dashboard, “We’re optimistic that this initiative will attract a wide variety of stakeholders so that we can address these important issues in a meaningful way.” [The Wall Street Journal]

Online Privacy 

WW – Website Allows Users to Anonymously Post Hurtful Comments

“You should kill yourself.” It’s a message Vernon Hills, Ill., police officer Jim Koch said he sees “all the time” on one of the newest social networking sites that allows users to post messages anonymously. Others include “why r u so ugly? i cant find one attractive thing about u,” “ur so (bleeping) ugly and stupid! GO THE HELL AWAY! NO ONE LIKES U,” and “whats wrong with ur teeth theyre nasty.” Barely a year old, Formspring.me is quickly turning into a sensation, in part because of teenagers who are attracted by the ability to leave their names off their comments. Formspring boasts nearly 20 million users around the globe, according to a company spokeswoman. The idea of the site is to have a conversation by answering questions stemming from the prompt “Ask me anything.” So far, more than 1.5 billion questions have been answered. “It’s like a bathroom wall,” said Koch, the school resource officer at Vernon Hills High School. “You write whatever you want.” As a result, nearly every day he is calling students in to talk, on the phone with parents or in the hallways hanging up news stories of teens who committed suicide after being on the receiving end of nasty online remarks. [Source] See also: [Big Brotheresque App Kills Your Automotive Anonymity]

US – Vigilante Group Wrongly Names Man As Serial Killer on Facebook

A man who feared for his safety had to be escorted from his home by police after he was wrongly named on Facebook as a wanted serial killer in the United States. A vigilante group posted the man’s name and photograph on Facebook and labelled him the “Kensington Strangler”, who is wanted in connection with at least three murders and several sexual assaults in Philadelphia, ABC America reported. Residents of Kensington, who once severely beat a suspected rapist based on a police photo, posted hundreds of comments and theories about the case on a Facebook page titled “Catch the Kensington Strangler, before he catches someone you love.” The Facebook group attracted more than 8000 members and one post falsely identified a suspect, leading to an angry crowd gathering outside the man’s home. The terrified occupant of the house called police for help. He was taken to a police station at his own request and had a DNA test performed, which cleared him of any link to the case. Police asked the Facebook group’s administrators to take down the photos and remove any reference to the man. [Source] See also: [I took Riewoldt’s naked photo, says apologetic Gilbert]

WW – Facebook Testing New Ways to Tag Photos

Facebook will try to make it easier to identify friends in photos uploaded to the social networking site by using facial recognition software to suggest people that users may want to tag. In a blog post, Facebook engineer Justin Mitchell said the new tag-suggestions feature will match new photos to others that people have already been tagged in. Similar photos will be grouped and the software will let users know who it thinks is in the shots. Palo Alto-based Facebook already offers a way to tag one person in a group of photos, and it hopes this will add more simplicity to the process. Tag suggestions will be rolled out in the U.S. in the coming weeks. Users who don’t want their name suggested can use the site’s privacy settings to turn the feature off. Mitchell said over 100 million tags are linked to photos on Facebook daily. [Source] See also: [Facebook to hold hacker cup]

Other Jurisdictions

HK – Commissioner: Privacy Office Should Prosecute

Privacy Commissioner Allan Chiang feels that privacy-related prosecutions should be left to his office. Speaking on an RTHK program, Chiang said that resource limitations prevent the police from making privacy offenses a high priority. This, together with the fact that his office has the expertise, means his office should be given the power to prosecute, he said. [Source]

Privacy (US) 

US – Online “Privacy Bill of Rights” Called for by Obama Administration

The Obama administration has released new guidelines that recommend ways to protect consumers’ privacy online. The new recommendations would create a “Privacy Bill of Rights” and would establish a privacy policy office within the Commerce Department. The recommendations would also establish clear guidelines for what types of data can be collected on a user and how that data can be used by companies, according to a Commerce report. The Privacy Bill of Rights would give clear rules on data collection and would set up an audit trail to hold companies accountable for sticking to the rules. The Washington Post quotes Commerce Secretary Gary Locke saying, “Self-regulation without stronger enforcement is not enough. Today’s report is a road map for considering a new framework that is good for consumers and businesses.” Locke also stated that the U.S. needs to ensure that regulators here coordinate their privacy standards with the standards adopted in Europe and other countries so there is no confusion. The ACLU said, “This is the first time that the administration has emphasized the need for comprehensive privacy protections, and that as of today it is a Wild Wild West out there for consumers and their privacy. We hope it will lead to strong administrative protections but Congress needs to act.” [Source] and also: [US: New report calls for online privacy bill of rights]

US – Commerce Report Calls for Privacy Office, Federal Breach Notification Standard

The Commerce Department released its online privacy green paper today. The report calls for the creation of a Commerce Department privacy office and recommends a federal data breach notification law that would preempt state laws. “A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance and allow businesses to develop a strong, nationwide data management strategy,” the report states. The paper also recommends the development of Fair Information Practice Principles. The department is soliciting comments on the paper. [Source] [Report: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework] [Commerce Report Draws Praise, Criticism] SEE ALSO: [FTC Report: Protecting Consumer Privacy in an Era of Rapid Change: A Framework for Businesses and Policymakers]

US – President Appoints Two to Privacy Oversight Board

President Barack Obama has begun appointing members to the Privacy and Civil Liberties Oversight Board. The president’s first two nominees are Jim Dempsey, VP of the Center for Democracy and Technology, and Elisebeth Cook of the law firm Freeborn and Peters. “President Obama has nominated two outstanding and well-qualified individuals,” said Alan Charles Raul of Sidley Austin. “I hope the Senate will act quickly to confirm their nominations and that the president will nominate a chairman and two other members very soon.” The oversight board was created in 2004 on the recommendation of the 9/11 Commission to help advise and oversee the Administration’s efforts to fight terrorism while protecting the rights of Americans. It languished in 2008 following legislative changes. This week’s nominations are “an important first step to reestablishing the privacy board.” [Source]

WW – Kids should Ho Ho Hold the Sensitive Info When Writing to Santa on the Internet

“Dear Santa” websites may not turn out to be as jolly as they look, warns a U.S. advertising regulator. More than 60 Internet domains have been registered in the name of Santa Claus offering kids a chance to email the portly purveyor of gifts, according to the U.S. Children’s Advertising Review Unit which is urging parents to be vigilant. While the organization hasn’t received any complaints, director Wayne Keeley says it’s good practice for parents to check a site’s privacy policies and to monitor their kids to ensure they don’t reveal too much personal information. Privacy policies should explain whether sites share information with third parties, including advertisers, whether they publicly disclose all information — for instance, by posting children’s letters — or retain them for future purposes, CARU said. Kids should avoid revealing their full names, phone numbers, addresses and schools, said CARU staff attorney Angela Tiffin, adding such data could be used by predators. “Santa already knows where all the children live,” CARU said. [Source] See also: [Santa’s Privacy Policy] [Check Privacy Policy on “Dear Santa” Websites]

Privacy Enhancing Technologies (PETs) 

WW – Browsers Boosting Privacy Options

Mozilla says the next version of its Firefox Web browser will include technology to let users cloak their online activities. The updated software will be released in the first part of next year, according to Mozilla Chief Executive Gary Kovacs. “Where I go on the Internet is how I live my life; that is a lot of data to hold just for someone to serve me ads,” Kovacs said. Microsoft, too, will increase privacy options in its Internet Explorer browser, the report states, including a feature “to help keep third-party Web sites from tracking your Web behaviour.” An MIT Technology Review article asserts that this would be a “step in the wrong direction for privacy on the World Wide Web.” [Source]


WW – Android Mobile Malware Has Botnet-Like Traits

Hackers are aiming for users of Google’s Android mobile operating system with a malicious application that harvests personal information and sends it to a remote server. The malware, which has been named “Geinimi,” appears to be the first with botnet-like capabilities targeted at the Android platform. Geinimi appears to target Chinese-speaking users of Android, and Lookout was tipped off to Geinimi after a user wrote a post concerned about it on a forum. The malware communicates with a central command-and-control server. The server can issue commands to a phone remotely, such as to download or uninstall software. The user of the Android phone is prompted and must approve either action, but it still raises concern, Mahaffey said. “It might be a vector to install other potentially malicious applications.” Geinimi also sends the Android device’s location and other hardware identifiers, such as the device’s International Mobile Equipment Identity (IMEI) number and SIM card information, to a remote server every five minutes. It can also send a list of the Android device’s installed applications. The malware can contact up to 10 domain names that are used to upload the information to the remote server. It is because of Geinimi’s ability to contact multiple domains and obtain instructions from a command-and-control server that Lookout decided to describe it as having botnet-like capabilities, Mahaffey said. [Source]
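The behaviour described above, a timer-driven upload every five minutes to a small pool of domains, is something a defender can look for in outbound proxy or firewall logs without knowing the domains in advance. The following detector is an added example, not code from the article or from Lookout: it groups connections by device, measures the gaps between consecutive connections, and flags devices whose gaps are nearly constant. The log lines, device names and domain names are constructed for the example.

```python
"""Periodic-beaconing detector (added example; not from the article or Lookout).

Flags devices whose outbound connections recur at a near-fixed interval, the
traffic pattern the article attributes to Geinimi (uploads every five minutes
to up to ten domains).  Log lines, device ids and domains are constructed.
"""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO timestamp> <device id> <destination domain>".
# phone-A beacons every ~300 s to three domains; phone-B browses irregularly;
# phone-C has too few events to judge.
SAMPLE_LOG = """\
2010-12-28T10:00:02 phone-A c2-one.example
2010-12-28T10:00:10 phone-B news.example
2010-12-28T10:00:45 phone-B mail.example
2010-12-28T10:03:30 phone-B news.example
2010-12-28T10:05:01 phone-A c2-two.example
2010-12-28T10:10:03 phone-A c2-three.example
2010-12-28T10:12:05 phone-B shop.example
2010-12-28T10:13:00 phone-B mail.example
2010-12-28T10:15:00 phone-A c2-one.example
2010-12-28T10:20:02 phone-A c2-two.example
2010-12-28T10:21:00 phone-C weather.example
"""


def parse_log(text):
    """Group (timestamp, domain) pairs by device id, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, device, domain = line.split()
        events[device].append((datetime.fromisoformat(stamp), domain))
    for device in events:
        events[device].sort()
    return dict(events)


def find_beacons(events, min_events=5, max_cv=0.1):
    """Return devices whose connection gaps are nearly constant.

    A device qualifies when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is below `max_cv`.  Human browsing is bursty and fails this
    test; a timer-driven upload like Geinimi's five-minute cycle passes it,
    whatever the actual interval is.  The result carries the mean interval and
    the distinct domains contacted, since fan-out to several domains is the
    other trait the article singles out.
    """
    hits = {}
    for device, rows in events.items():
        if len(rows) < min_events:
            continue
        times = [t for t, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            domains = sorted({d for _, d in rows})
            hits[device] = {
                "mean_interval": avg,
                "cv": cv,
                "distinct_domains": len(domains),
                "domains": domains,
            }
    return hits


if __name__ == "__main__":
    for dev, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{dev}: every {info['mean_interval']:.0f}s to "
              f"{info['distinct_domains']} domains {info['domains']}")
```

On the constructed log only phone-A is reported, with a mean gap of 300 seconds across three domains. The thresholds (`min_events`, `max_cv`) are assumptions chosen for the sample; on real traffic they would be tuned against legitimate timer-driven apps such as mail polling, which produce the same regularity and need allow-listing by destination.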

WW – Apple Sued Over Applications Giving Information to Advertisers

Apple Inc., maker of the iPhone and iPad, was accused in a lawsuit of allowing applications for those devices to transmit users’ personal information to advertising networks without customers’ consent. The complaint, which seeks class action, or group, status, was filed on Dec. 23 in federal court in San Jose, California. The suit claims Cupertino, California-based Apple’s iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they’re used and for how long. “Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views,” according to the suit. The suit, filed on behalf of Jonathan Lalo of Los Angeles County, identifies applications such as Pandora, Paper Toss, the Weather Channel and Dictionary.com, and names them as defendants along with Apple. Lalo is represented by Scott A. Kamber and Avi Kreitenberg of KamberLaw LLC in New York. The case is Lalo v. Apple, 10-5878, U.S. District Court, Northern District of California (San Jose). [Source] See also: [PopCap fires back at ‘misleading’ privacy probe]

US – Colorado Flunks Test of its Information Security Systems

A covert penetration test conducted by the Colorado State Auditor has found that the state government networks and computers are at “high risk” of compromise, infosecurity.com reports. The test “identified a significant number of serious vulnerabilities in the state’s networks and applications that would likely provide a malicious attacker with unauthorized access to the public’s data.” The audit penetrated “thousands of individuals’ records…containing confidential data,” the report states. It also found that more than half of state agencies have not submitted information security plans to the state Office of Cyber Security despite the July 15, 2009 statutory deadline. [Source]

Smart Cards 

EU – Bankers Fail to Censor Thesis Exposing Loophole in Bank Card Security

A powerful bankers’ association has failed in its attempt to censor a student thesis after complaining that it revealed a loophole in bank card security. The UK Cards Association, which represents major UK banks and building societies, asked Cambridge University to remove the thesis from its website, but the request was met with a blunt refusal. The thesis by computer security student Omar Choudary, entitled “The smart card detective: a handheld EMV interceptor”, described a flaw in the chip-and-pin (personal identification number) security system that allows criminals to make fraudulent transactions with a stolen bank card using any pin they care to choose. But in a reply to the UKCA, Ross Anderson, professor of security engineering at the university’s Computer Laboratory, refused to take down the thesis and said the loopholes had already been disclosed to bankers. “You seem to think we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton and of Darwin; censoring writings that offend the powerful is offensive to our deepest values,” Anderson wrote. Anderson and his colleagues discovered the loophole in chip-and-pin security in October 2009 and told the banks about the flaw later that year. They revealed the loophole publicly on the BBC’s Newsnight programme in February 2010. In view of the UKCA’s letter, Anderson has authorised Choudary’s thesis to be published as a Computer Laboratory technical report. “This will make it easier for people to find and cite, and will ensure that its presence on our website is permanent,” his reply to the UKCA states. [Source]

WW – Unsmart Investments in Smartcards

At the Chaos Computer Club (CCC) Congress, security consultant Harald Welte explained how he was able to break Taiwan’s smartcard-based transportation-payment system, which was expanded this year into a larger citywide payment system, using a $40 smartcard reader and a few hours of time. “Using this in the year 2010 as a payment system is ignorant, clueless, and a sign of gross negligence,” he told the audience. Taipei’s EasyCard system has been in place since 2001, largely as a means of paying for the subway, bus, taxis and parking. It has also been widely known to use a smartcard system called MIFARE Classic, produced by NXP Semiconductors, the security of which was publicly demonstrated to be broken by CCC members at their annual congress three years ago. This break is no secret. It was publicized at the time, is noted on Wikipedia, and the issue was noted by NXP itself on its Web site, which today says the MIFARE Classic offers “basic levels of data security.” The problem, Welte said, arose when the city government decided to adopt a broader card-based payment system for stores and other functions, and EasyCard stepped in with its old, now-broken technology. According to Welte, researchers from the University of Taiwan wrote a letter protesting the decision, noting the security problems. But early in 2010, the EasyCard system was rolled out on a widespread basis, now upgraded to store the equivalent of nearly $350 in Taiwanese New Dollars, which was spendable at major department stores, 7-11s, Starbucks and other shops. [Source]

WW – Breaking GSM With a $15 Phone … Plus Smarts

Speaking at the Chaos Computer Club (CCC) Congress, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software. While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000, the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators’ technology and operations to put the power within the reach of almost any motivated tech-savvy programmer. “GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.” [Source]


UK – CCTV ‘Used to Monitor Schoolchildren in Toilets and Changing Rooms’

Schools are using CCTV cameras to spy on pupils in toilets and monitor teachers’ performance in the classroom, according to a report by the Information Commissioner’s Office that warned many schools were flouting guidance on CCTV which insists cameras should only be used to monitor behaviour in exceptional circumstances. The study, which features contributions from a series of academics, said: “The use of CCTV has migrated from perimeter security and access control to monitoring pupil behaviour in public areas such as in corridors and playgrounds, and to more private realms such as changing rooms and toilets.” The report added that some schools failed to understand “their new regulatory responsibilities” as the nature of CCTV usage has changed. [Source] See also: [AU: Home security cameras are creating privacy concerns for Sydney neighbours]

Telecom / TV 

AU – Reverse Directory Web Site Under Investigation

Privacy experts are investigating a new Web site that allows people to look up the names and addresses attached to landline and mobile phone numbers to determine whether it breaks any privacy or communications laws. The Australian Communications and Media Authority (ACMA) claims the site breaks the Telecommunications Act, but the U.S. developer disagrees and has plans to release a smartphone app in the coming months. David Vaile of UNSW’s Cyberspace Law and Policy Centre and vice-chair of the Australian Privacy Foundation says the service carries potential criminal risks and has concerns about the requirement that database users log in with their Facebook account information. [Source] See also: [CRTC hits Bell with record penalty for violating Do Not Call rules]

US Government Programs 

US – VA Acknowledges Improper Patient Data Storage

Veterans Affairs (VA) facilities have been found in violation of the department’s policy that no patient information be stored on systems outside its firewalls. The most recent incident involved personal information on 878 patients—including patients’ full names, dates and types of surgery and last four digits of their Social Security numbers. The data had been shared between VA employees via an online calendar since 2007, and the breach was detailed in a November report to the U.S. Congress. The VA is looking at ways to bring such online tools inside its firewall, the report states, as part of ongoing steps to improve security and privacy. [Source]

US Legislation 

US – Two Privacy-Related Bills Signed Into Law

This week, President Obama signed several bills into law that have privacy implications. In addition to repealing Don’t Ask Don’t Tell, he signed The Social Security Number Protection Act of 2010 and The Truth in Caller ID Act. The former bill is intended to help reduce identity theft by restricting the use of full Social Security Numbers on government-issued checks and by preventing prisoners from having access to Social Security Numbers. A number of media stories in the past few years had revealed how government agencies were contracting with prisons, which, in turn, had prisoners doing work that gave them access to SSNs. The second bill prohibits any person within the United States from knowingly transmitting misleading or inaccurate caller identification information “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” Exemptions to the prohibition include law enforcement. People who violate the law may face forfeiture or criminal fines. [Source]

Workplace Privacy 

CA – Privacy Watchdog to Appeal Email Ruling

Ontario’s privacy commissioner is seeking leave to appeal a recent court ruling that says private emails on workplace computer systems are not covered by freedom of information laws. In overturning a decision of the commission, the Ontario Divisional Court ruled this month that the purpose of Ontario’s access to information laws is not to provide unfettered access to any document within a government office, but rather “to enhance democratic values by providing its citizens with access to government information.” Therefore, the court ruled, the fact that emails are stored on the computers of a public institution does not necessarily mean that the emails should be public too. “It can be confidently predicted that any government employee who works in an office setting will have stored, somewhere in that office, documents that have nothing whatsoever to do with his or her job, but which are purely personal in nature,” the judge wrote. The case was brought by Ottawa resident John Dunn, who grew up in foster care, and heads the Foster Care Council of Canada. Ann Cavoukian, the Ontario Information and Privacy Commissioner, granted him access before the Divisional Court overturned that ruling. The Ontario Court of Appeal is not obliged to hear the case. [Source]
