01-31 January 2011

Biometrics

US – D.C. Jail to Fingerprint Visitors, Check for Warrants

All visitors to the District’s jail soon will have their fingerprints scanned and checked against law enforcement databases for outstanding warrants. The D.C. Department of Corrections is already using the “live scan” fingerprint technology on inmates when they enter and leave the jail, corrections officials said. The digital technology allows the department to take an image of an inmate’s fingerprint and check it against D.C. police databases to confirm the inmate’s identity. Starting in March, the fingerprint-scanning technology will be put to use for all visitors, DOC spokeswoman Sylvia Lane said. [Source]

WW – Fingerprints Collected From Up to Two Meters Away

Over the years, fingerprinting has evolved from an inky mess to pressing fingers on sensor screens to even a few touch-free systems that work at a short distance. Now a company has developed a prototype of a device that can scan fingerprints from up to two meters away, an approach that could prove especially useful at security checkpoints in places like Iraq and Afghanistan. The device, called AIRprint, is being developed by Advanced Optical Systems (AOS). It detects fingerprints by shining polarized light onto a person’s hand and analyzing the reflection using two cameras configured to detect different polarizations. Joel Burcham, director for projects at the Huntsville, Alabama-based company, says AIRprint could help make authorization more efficient in lots of settings. Instead of punching a keypad code or pressing fingers to a scanner, individuals could simply hold up a hand and walk toward a security door while the device checks their identity. “We’re looking at places where the standard methods are a hassle,” says Burcham. For instance, AIRprint could be linked to a timecard system, he says, to help avoid a logjam at manufacturing plants at the start or end of the workday. The military has a growing interest in biometric sensors that operate at a distance. The U.S. Department of Defense awarded $1.5 million to Carnegie Mellon’s CyLab Biometrics Lab to support development of technology that performs iris detection at 13 meters. Over the past nine years, the Marines have made increasing use of biometrics to distinguish friend from foe in Iraq and Afghanistan. Says Powell, “It’s actually been very successful so far, and technologies like AIRprint have the potential to make it even more so.” [Source]

TW – Taiwan Develops Face-Recognition Vending Machine

Government-funded researchers in Taiwan have developed a vending machine that recommends purchases based on people’s faces, one of the inventors said. The machine, designed by the Institute for Information Industry in Taipei, builds a profile after checking characteristics such as complexion and hair color. Those clues help the machine guess a shopper’s gender, approximate age and other things that might be helpful in promoting a suitable product. Researchers spent the past year using a grant from Taiwan’s Ministry of Economic Affairs to build the first machine, which was rigged up to spit out free cosmetics samples in the institute’s lobby. The machine looks for clues like whether a person has glasses, a beard or a mustache, said Tsai. Based on that it guesses their use of make-up or frequency of shaving, Tsai said. It then might recommend a facial mask, razor, or health products that people in a certain category are statistically likely to buy. “If you stand in front of it, the machine has ways of recognizing your characteristics, though it doesn’t know exactly who you are as that would infringe on personal privacy,” Tsai said in an interview. Researchers in Japan unveiled a similar concept in August last year. The Taiwanese machine isn’t a copy of that but the Taiwan researchers kept up on what Japan was doing. The machine also attempts to detect any smartphones, e-readers or tablets the buyer might be carrying, the institute told Taiwan’s Central News Agency. That recognition would tell the machine whether the shopper was equipped to download books, music or films. Taiwan’s institute aims to tailor-design machines for vendors, with storage capacity and exact features depending on the individual order. Information on what buyers actually choose will be stored and sent to the Internet, helping retailers to analyze shopping patterns. [Source] See also: [Facial recognition a system problem gamblers can’t beat? ]

Canada

CA – Quebec Swears in New Access and Privacy Chief

Greater access to government information and a preventive approach in privacy protection will be the focus of Jean Chartier, sworn in this month as the province’s new access and privacy commissioner. Chartier said he wants to introduce a “preventive” approach, informing people they are not obliged to divulge extensive private information just to join a video club, for online shopping or to join a social network. The same goes for Google Street View, the online service that shows pictures of your street. Chartier said his “personal colour” would influence the direction of the commission. Saint-Laurent was voted unanimously by the Quebec National Assembly as the assembly’s first ethics commissioner in December, when the assembly named Chartier to succeed Saint-Laurent. [Source]

CA – Privacy Commissioner at ‘Impasse’ with SGI

Saskatchewan’s information and privacy commissioner says Saskatchewan Government Insurance is collecting vast amounts of personal health information and needs to do a better job of protecting people’s privacy. That SGI is “over-collecting” is one of Gary Dickson’s conclusions after dealing with three privacy complaints about the Crown corporation. The complaints concerned people who made claims after being injured in motor vehicle accidents over the last decade. Dickson said he investigated and while SGI has a right to collect information, he agreed with some of the concerns raised. “From a risk assessment perspective, the fact that so many persons will have the opportunity to view the personal health information, much of which will be completely irrelevant to the particular claim in dispute, of any claimant, is worrisome,” Dickson said in the 37-page report, which was released this week. However, the investigation was complicated by SGI’s insistence the complaints weren’t under his jurisdiction, he said. Dickson said he wants the legislative assembly to clarify the rules and confirm that he has a role investigating SGI privacy complaints. As things stand now, the privacy commissioner’s office is at an “impasse” with SGI on privacy investigations, he said. [Source] Other news: [Sask. woman guilty of census refusal] and [Summit on perimeter security delayed as negotiations face obstacles] and [Conservatives relied on a few complaints to scrap the census] [Democracy includes freedom to refuse census pressure

CA – Privacy Year in Review (2010): Legislation

Bill 89: Personal Health Information Act (NS) The Nova Scotia government finally re-introduced the Personal Health Information Act in the fall of 2010, but it’s still working its way through the provincial legislature. Hopefully, it will not be long before Nova Scotia joins New Brunswick and Newfoundland and Ontario with third-generation health privacy laws. It should be noted, while we’re thinking about the year that was, that both New Brunswick’s Personal Health Information Privacy and Access Act and Newfoundland’s Personal Health Information Act came into force this past year. All of these are designed to be substantially similar to PIPEDA so that PIPEDA would cease to apply to most health information in the relevant provinces. None of them have yet been so-declared, though.

PIPEDA Revisions: The LONG awaited result of PIPEDA’s so-called five year review was introduced on May 25, 2010 as Bill C-29 and has yet to get to second reading. Unless there’s an election (and who knows about that …) here are the main features:

Business Contact Information: The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. “Business Contact Information” refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual so that, in the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if business contact information is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent: Bill C-29 raises the bar, or at least clarified, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent” clarifies that the consent that is required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product: In Section 7, which allows the collection, use or disclosure of personal information without consent a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as “work product” exception to consent.

Lawful Authority: Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of “lawful authority” has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process.

Gag Order: A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner. This above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.

Removing Investigative Bodies: Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or Province or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions: The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. This section 7.1, parties to a perspective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use the information and disclose it solely for the purposes related to the transaction, to protect that information with appropriate safe guard and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information: The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect use and disclose employee personal information if that collection use or disclosure is necessary to establish, manage, or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, user disclosed for these purposes.

Breach Notification – Notification of the Commissioner: Perhaps the most notable addition to PIPEDA in Bill C-29 is the addition of Division 1.1, which deals with breaches of security safe guards. The new section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification – Notification of the Individual: The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a “real risk”, which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that they are required to give notice occasionally under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people though the mass media where it is not feasible to give individual notice. This new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach or to mitigate that harm.

Bill C-28, Fighting Internet and Wireless Spam Act or FISA After what has been a very, very long process, 2010 finally saw the passage of Canada’s attempt to grapple with unsolicited commercial e-mail through Bill C-28, Fighting Internet and Wireless Spam Act. The bill, in various forms, had been previously introduced and fell off the order paper. [Opinion: Email marketing might be a casualty on the anti-spam battlefield] Parliamentary Library Summary Story by [David Fraser, Privacy Lawyer] SEE SLSO: [The 2010 Top 10 International Data Privacy Changes]

CA – Help for B.C. Privacy Watchdog

B.C.’s privacy watchdog has created an external advisory board to help with her duties. Information and Privacy Commissioner Elizabeth Denham announced Monday she invited six people from both the public and private sector to help identify and address emerging privacy problems in the province. The six board members are University of Victoria political scientist Colin Bennett, former assistant privacy commissioner Heather Black, privacy consultant Drew McArthur, former B.C. privacy commissioner David Flaherty, UBC law professor Ben Goold, and former B.C. police complaints commissioner Dirk Ryneveld. [Source] See also: [Holding dear the value of privacy by Elizabeth Denham] and [Empower privacy watchdogs to enforce laws, name offenders: Geist]

CA – Alberta Privacy Ruling Forces Change at Staples

Alberta’s privacy commissioner has ordered Staples Canada to better protect personal information on computers brought in for repair. In a recent finding, the office supplies retailer was told to ask customers who bring in computers for repair whether the unit contains a hard drive. Staples must also ask customers if they authorize any personal information on it to be destroyed or preserved in the event the company buys back the computer. The Office of the Information and Privacy Commissioner investigated after a woman complained in 2008 that a Calgary Staples store had returned her laptop missing its hard drive after she had taken it in for repair. Staff had told her it was not cost-effective to repair the laptop and it would be “bought back.” But when she asked to have the computer to back up its contents and wipe the hard drive clean of family and business information, she discovered the drive was gone and it could not be found. Adjudicator Teresa Cunningham said in her report that if Staples had taken steps to confirm it had the hard drive, asked the customer’s wishes for personal information on it and documented the status of the hard drive at each stage, it would have reduced the risk of its unauthorized destruction. [Source]

Consumer

US – Data Privacy Concerns Have a Reality Gap: Report

A survey released to coincide with Data Privacy Day, shows American’s have strong concerns related to online privacy violations, though they aren’t always very proactive in defending themselves. One surprising data point in the survey results is that among U.S. respondents, concern over online privacy violations rated higher (25%) than having to declare bankruptcy (23%) or even losing their jobs (22%). A clear majority of American respondents (79%) said they use anti-virus solutions to protect their privacy. But only 61% said that they use safe passwords and only 47% said they regularly delete their browsing history (though men did so more often (52%) than women (42%)). Only 15% of respondents said they only use software and websites that do not collect personal information. Research firm YouGov conducted the online survey, sponsored by browser developer Opera Software, which said more than 1,000 people in the U.S., Japan and Russia completed the survey between January 19 and January 24. The figures were weighted and are representative of all adults aged 18 or more in the three countries, according to Opera. Responses diverged among countries on the question of who should be responsible for ensuring citizen’s online safety and privacy. For example, in the U.S. 54% said users themselves should be responsible versus only 46 and 42% in Russia and Japan, respectively. The results for Japan show that 47% believe Web companies should be primarily responsible, while only 25% of those in U.S. agreed. In the Russian response, 41% said Web companies should be primarily responsible for online safety and privacy. Desktop computers rated higher than mobile devices on the question of which was safer for accessing the Internet. In the U.S., 54% said desktop computers were safer, while only 3% said mobile devices were safer and 31% said they didn’t think either platform was safer than the other. [Source] [Report

US – California: Cantil-Sakauye Court Opens With ZIP Code Privacy Concerns

California’s new chief justice kicked off her first oral arguments at the Supreme Court with a privacy rights case that deals with whether retailers can record customers’ ZIP codes to track down their addresses. In Pineda v. Williams-Sonoma, S178241, Folsom attorney Gene Stonebarger argued that retailers improperly record ZIP codes when customers check out with credit cards, then use the data to look up their addresses later to send them catalogues or, worse, sell the information to other marketers. Williams-Sonoma’s attorney urged the court to agree with the Fourth District, and at least one other court, that have found a ZIP code too general to be considered personally identifying information. And he argued that, with the Song-Beverly Credit Card Act of 1971, the Legislature only intended to prevent retailers from asking customers for personal information on pre-printed credit card forms. But most of the justices sounded bothered by retailers’ ability to record ZIP codes, and eager to address consumers’ privacy rights, asking “Isn’t this privacy issue the exact thing the Legislature was intending to stop?” amd “Isn’t the effect here that you obtain indirectly what you couldn’t obtain directly?” [Source] [CA – Nudity laws to be subject of constitutional challenge] and [Wired-up ref sparks controversy: Shocked by minor hockey ‘invasion of privacy’] and [Woman who refused to fill our census gets absolute discharge] [Data Privacy Day is January 28, 2011] [Protect your personal information because the Internet never forgets, Privacy Commissioner of Canada says] and [ANA Asks Marketers To Comply With Self-Regulatory Privacy Standards] and [Banks allow ads in online checking accounts]

E-Government

CA – Alberta Privacy Commissioner Blasts Provincial Gov’t on Transparency

Alberta’s Information and Privacy commissioner publicly castigated the provincial government for failing to keep an election promise to foster accountable and transparent government. Frank Work issued the rebuke in the opening message to his most recent annual report, released this month. People who want our votes … espouse accountability and transparency. The first of Premier Ed Stelmach’s five priorities when he ran for election in 2006 was to govern with integrity and transparency,” Work said in the two-page message. “I cannot let this occasion pass without commenting on what I see as a lack of leadership at the provincial level with respect to access to information,” he said. “What I do not see, for the most part, is leadership at the political level in terms of getting information out, being proactive and fostering a culture of openness.” Work suggested ministers have failed to issue clear directives that instruct staff to err on the side of disclosure when handling requests for access to information. Work highlighted the government’s “lukewarm” response to Right to Know Week and openly challenged Stelmach to appear during the event this year and “talk specifically about what has been done to further open and transparent government.” [Source]

KR – Korea: Tax Group Criticizes Invasion of Privacy

New government guidelines stipulating that charity donors should give more detailed information to tax authorities is being criticized as an invasion of privacy. The Korea Taxpayers Association, a non-profit organization established in 2001, claimed that donors’ personal information is at risk of being exposed if the regulations introduced by the National Tax Service go into effect this year. Previously, donors who made contributions of more than 500,000 won ($444) to charities had to submit details to get tax deductions. However, all donors must now submit documents to the NTS no matter how small the contribution. Documents to be submitted to the NTS must include the name and business registration number of the charities receiving the donations and the donor’s name, social security number, address and contribution amount. KTA is raising concerns on the possible abuse and misuse of the personal information relating to donors. “From the personal information given to the NTS, it is very easy to find out about an individual’s religious or political orientation,” said Kim Sun-taek, president of KTA. “You would never know if a NTS official decided to gain access to its computer system to retrieve this information,” he added. “The NTS was found to have logged into 19 million personal records per month (on average). And despite the massive amount of taxpayers’ information to be managed, the NTS has only one person who has been managing log-in security for the last seven years,” Kim said. [Source]

BR – Brazil: Your Personal Data in the Wrong Hands

What happens when all of your personal data is readily available for use by a cybercriminal? In Brazil CPF numbers – the Natural Persons Register – are the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc. Apparently criminals are now offering access to a complete database of all Brazilian citizens that have a CPF – all you need to do is contact a number and the system will bring you the complete personal data of a potential victim. The database is complete and contains data about every Brazilian. The search results display full name, date of birth, address, filiations, city, zip code, etc – all easily available to a cybercriminal. 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys have been detected. Using such data it is possible for a cybercriminal to impersonate a victim and steal their identity in order to access resources or obtain credit and other benefits in that person’s name. You are probably wondering how the cybercriminals obtained this kind of information. Basically, it occurred through incidents of data leakage – not only from governmental departments, but via e-commerce and other corporate entities that have had their databases attacked and their data stolen, too. [Source] See also: [Privacy And Data Protection Laws In India: India has become an Orwellian Society] and [NYT: High Price for India’s Information Law]and also: [When MySpace Goes, What Happens to the Data and Privacy? ] and also: [Administrative Access to Government and Education Sites For Sale in Underground Forum | Source | Source | Source]

UK – Ex-KGB Agent Sues MI5 Over ‘Privacy Breach’

A former senior KGB agent is suing MI5 over invasion of his privacy, alleging his family members were victims of a campaign of harassment and unlawful surveillance. Judges are now investigating claims made by Boris Karpichkov that his east London home was broken into and his telephone calls and post unlawfully intercepted. [Source]

UK – Scandal of Computer Snooping by Public Servants

The scandal of dozens of police officers, nurses, social workers, council staff and other public servants caught snooping in the private files of people living in Yorkshire can be revealed for the first time. Disciplinary records released by police forces, NHS trusts and local councils across the region have revealed scores of cases of public workers being caught abusing their positions of trust to look up private information about people they know. The cases include numerous police officers caught running criminal record checks against ex-partners and family members, a council finance officer in Rotherham found looking up the private details of 72 friends and neighbours, and a doctor in Doncaster caught looking at a colleague’s medical records. At one hospital, in Rotherham, a cleaner was caught only last month accessing the private medical files of a friend to determine that she had recently had an abortion. That disciplinary case is still proceeding. At another hospital, in Sheffield, a receptionist gathered patients’ personal contact records and used them for a second job as a market researcher. The most worrying pattern of data abuse emerges at the region’s four police forces, where by far the most frequent breaches of data protection have taken place. Humberside Police said 31 members of staff had been disciplined for inappropriately accessing data over recent years, including a CID “serious crime” officer who received a written warning after running criminal record checks on his own nephew. [Source] See also: [David Edgar asks “Who’ll stand up for liberty in Britain?”][Councils banned from abusing terror laws to Snoop] and [Despite continuing attack fears, UK’s new government rolls back unpopular anti-terrorism laws]

CA – Thousands of Federal Officials Under Lifelong Gag Order, Records Show

More than 12,000 current and former federal intelligence officials must take the secrets of their most sensitive work to the grave, newly obtained records show. The number of people “permanently bound to secrecy” is more than double the figure expected in 2003 when the government began putting the provisions in place after the Sept. 11, 2001, terrorist attacks. The Security of Information Act – quickly passed following the dramatic assaults on the United States – updated several elements of Canada’s antiquated legal regime covering classified information. The secrecy law forbids discussion of “special operational information” including past and current confidential sources, targets of intelligence operations, names of spies, military attack plans and encryption or other means of protecting information. Revealing such information could result in up to 14 years in prison. Notes prepared by the Treasury Board Secretariat say individuals forever bound to secrecy are “held to a higher level of accountability” than others under the secrecy law. It means unauthorized disclosures are subject to penalty whether the information is true or not and even if it was obtained after the employee left a sensitive post. [Source]

E-Mail

US – Client Attorney Privilege Doesn’t Apply if Client Communicates Through Work eMail

A ruling from a California appeals court means that communications between client and attorney are not considered privileged if the client uses his or her work email account to conduct the communication. A unanimous decision by the Sacramento Third Appellate District involves a secretary who claimed her employer turned hostile after learning of her pregnancy shortly after she was hired. The company used email the secretary had sent from the workplace as evidence that she was not suffering severe emotional distress. [Source] [Source

UK – Fears Over Privacy With Virgin Emails

Virgin Media has been allocating previously used email addresses to new customers, leading to potential breaches of privacy. If a new customer using a recycled address attempts to register with a website that happens to have beenused by the former subscriber, the site will inform them that they are already registered. The website will unwittingly send the new subscriber the former customer’s password on request, allowing them to view personal information- perhaps including bank account details. Virgin Media said when an account holder cancelled their subscription they were told they would be losing their email address and they were given three months to cancel any automated links to their account. Following that period, for a further three months, the company said it would keep control of the address and remove all personal details linked to it. The address would then be reallocated. Virgin said other internet service providers followed the same policy. However, the Information Commissioner said recycling could lead to companies falling foul of the Data Protection Act. ‘The Act requires that personal information should be kept secure and processed fairly,’ said a spokesman. [Source]

Electronic Records

US – Hard-to-Use Software Causing Data Leaks from Confidential Health Records: Study

Software that is difficult to use is a top culprit for much of the leakage of health data – creating privacy and security concerns about confidential medical records, according to a new study by Dartmouth business researchers. According to The Wall Street Journal, the reason why difficult-to-use software is responsible for leakage is because people using the weak proprietary software find ways around it, such as “word-processing and spreadsheet tools.” These aren’t very secure, and many times files are downloaded onto home computers. In addition, the researchers point out in their study that consumers of health care are increasingly concerned about their privacy. There has been “increasing reliance on web-based systems for managing health information and the deployment of personal health banks.” In addition, government mandates, such as the HIPAA Act, are criticized for their “lack of clarity.” There are currently “low levels of full compliance among hospitals.” The researchers also point out that in the past five years the health care sector has seen “significant growth in use of mobile devices and web-based applications.” With growing use of digitized versions of health records, medical identity theft has become a large issue, say the researchers. In addition, the growing use of cloud computing may actually help reduce the risks in the health care sector because of improved software. But bill collectors and labs are sharing “much more information about patients than they need to conduct business.” In a related matter, TMCnet reported recently that electronic medical records were once seen as a panacea to increase patient safety and ensure better treatment. There were errors with medical records recorded with pen and paper. However, errors continued as patient records are recorded electronically. A government panel is reviewing the use of electronic medical records and is trying to come up with a list of recommendations to improve patient safety. The Institute of Medicine’s Committee on Patient Safety and Health Information Technology was to hold its first meeting in December. [Source] [Data Breaches at Arizona Medical Center Makes Case for Zero Trust Security] and [SCOTUS to hear case on Vermont law & Rx data-mining]

US – Mandatory Data Retention Is Overwhelmingly Invasive

The House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing on mandatory Internet data retention, once again reviving the debate over whether Congress should pass legislation to force ISPs and telecom providers to log information about how users communicate and use the Internet. The hearing, awash with rhetoric about targeting Internet crime and including an unexpected condemnation of EFF’s privacy advocacy, was purportedly an information- and fact-finding hearing to explore the issue of data retention and consider what Congress’ role should be. However, it’s already clear where the new House Judiciary Chairman, Representative Lamar Smith, stands on the issue: he introduced data retention legislation just last year and likely will do so again this year. EFF believes that government-mandated data retention would be an overwhelmingly invasive and costly demand, raising serious privacy and free speech concerns – points well-argued at the hearing by John Morris, General Counsel of CDT [written testimony], and Kate Dean, Executive Director of the United States Internet Service Provider Association [written testimony].Perhaps the biggest surprise in the hearing was Deputy Assistant Attorney General Jason Weinstein’s attack on EFF and our Best Practices for Online Service Providers (OSPs) whitepaper. Unfortunately, today’s hearing is the first signal that the Obama Administration, like the Bush Administration before it, hopes to push a new data retention law through Congress. [EFF]

Encryption 

WW – Self-Encrypted Drives Set to Become Standard Fare

As secure data storage becomes more crucial, more companies are moving to on-board data encryption. We’ve seen this coming over time: Based on the Trusted Computing Group’s standard, hard drives and solid state drives (SSD), are offering self-encryption built-in. The key difference with these next-generation encrypted drives is that these units have the encryption integrated into a single chip on drive in the drive. Securing data storage is especially important for small businesses, due to legal specifications that require companies to report breaches, and to maintain data for long periods of time for accountability purposes. Since 2005, over 345,124,400 records containing sensitive personal information have been involved in security breaches. One of the advantages to the single-chip, no-software approach now in place: There’s no performance degradation. It’s also safer; the encryption keys are generated within the drive, so there are no keys to lose. The keys never leave the drive. What is a self-encrypted hard drive? The drive itself protects the data, with either 128-bit or 256-bit AES keys that are stored in the drive itself. In a few years, predicts Thibadeau, you’ll be buying a self-encrypting drive and you won’t even realize it-because it will be so pervasive. “The encryption just works, it doesn’t impact you.” [Source] [DOJ pressed for details on Internet tracking plan] [House Panel Presses for ISP Data Retention Mandate] [DOJ seeks mandatory data retention requirement for ISPs]

EU Developments

EU – Privacy Watchdog Urges Stronger Data Protection in EU Law Review

Organisations which lose personal data should be forced to disclose the data security breach, the European Union’s privacy watchdog has said. Planned changes to EU privacy law do not go far enough, said the European Data Protection Supervisor (EDPS) Peter Hustinx, who has published an opinion urging the European Commission to extend the obligation to tell people when their data security has been compromised beyond current limits and has backed calls for a ‘right to be forgotten’. The Commission said in November that it would consider adopting a more wide-ranging security breach policy as part of a review of the Data Protection Directive. Hustinx said that the ongoing review of the Data Protection Directive should strengthen the rights of the subjects of data to know and control what information is held about them. He said that in addition to the right to be informed of data security breaches they should have a ‘right to be forgotten’, meaning that they should be able to demand the deletion of information held about them by online service providers. That proposal has proved controversial, since deleting information that is in the public domain is being seen by some as allowing the alteration of historical record. The EDPS also backs a strengthening of rules that organisations must adhere to in order to stay within the revised Data Protection Directive. Hustinx also said that national data protection authorities should be given greater powers as a result of the review, and that there should be more consistency between the way that the Directive is implemented in the EU’s 27 member states. [Source]

EU – Study Frowns Over Data Breach Notification Rules

A new EU study has identified risk prioritisation, enforcement and resources as key issues in applying data breach notification rules. ENISA, the EU’s cyber-security agency, launched its investigation on data breach notification rules against a backdrop of steadily rising incident of personal information disclosure breaches. The agency identified key concerns from both telecom operators and the Data Protection Authorities (DPA) in applying a recent ePrivacy Directive (2002/58/EC) that applied breach notification rules to the electronic communication sector. The agency hopes the research will help to develop best practice on breach notification as well as informing ministerial decisions on whether EU data breach disclosure rules first applied to telcos ISPs ought to extended to financial service firms and other sectors of the economy. Key concerns raised by telecom operators and DPAs interviewed by ENISA include:

  • Risk Prioritisation – Interested parties want breaches categorised according to risk levels to avoid ‘notification fatigue’. Graded responses should be applied depending an the level of risk. A one size fits all approach would be counterproductive.
  • Communication Channels – Operators wanted assurances that applying by breach notification rules and reporting slips would not result in damaging their brands. The concern is that those that report problems, in compliance with the rules, will be “punished” by earning a reputation for poor security while those that do nothing will avoid tarnishing their reputation.
  • Resources – Several regulatory authorities have other priorities beyond the handling of breach notification and there were concerns this could lead to over-stretching of resources, leading to possible problems in enforcement and other areas.
  • Reporting Delay – The report identified a split between service providers and regulators on deadlines for reporting breaches. Regulators want short deadlines whereas service providers wanted to be able to focus their resources on solving the problem, before they dealt with the regulatory fallout.
  • Content of Notifications – Another area of disagreement. Operators want to make sure the notification content avoided unduly alarming customers, who might be inclined to think the worst about any breach. Regulators, meanwhile, advocated complete transparency.

ENISA intends to use its research to develop guidelines on best practice for data breach notification, as well as analysing the possibility for extending the general obligation of data breach notification to other sectors, such as the financial sector, health care and small businesses. The issue will be discussed at an ENISA-organised workshop in Brussels on 24 January. [Source] [full report]

UK – New U.K. Law Keeps Royal Secrets Private

A new British law that took effect this month makes Queen Elizabeth II, Prince Charles and Prince William exempt from freedom of information laws, meaning many private details of their lives won’t be made public for decades. Justice Secretary Ken Clarke says the exemption will protect the monarch’s private conversations with politicians and officials — but information advocates say it will make it even harder to hold to account a royal family that costs taxpayers millions a year. For centuries, the workings of the British monarchy were shrouded in secrecy by a blend of law, convention, deference and media self-censorship. That media acquiescence is long gone, and under freedom of information laws that took effect in 2005, information about the royal family could be released if it was shown to be in the public interest. “It at least raised the possibility that information could be disclosed,” said Maurice Frankel of the Campaign for Freedom of Information. “What the changes do is remove the public interest test — exemption becomes absolute.” [Source

EU – German Privacy Commissioner Terminates Talks over Google Analytics

Google faces trouble again as a German privacy commissioner overseeing Analytics, the search giant’s service that gives website administrators the power to monitor and trace who visits their websites, terminates negotiations in an issue that will likely arrive in court. The main advantage of having Google Analytics is data comparison, allowing website administrators and owners to manage data with Google records for a better understanding on who visits their websites, where they can adjust the site’s products or messages to focus on a particular group of visitors. Two years ago, Google suggested to German officials that removing parts of a visitor’s IP address, the Internet Protocol number designated to each online connection, would help make data more private, and the US-based online company has not changed its stance. However, Johannes Caspar, Hamburg’s privacy commissioner, announced on the German Press Agency that the US Internet giant is taking things lightly by not providing more secure methods to solve the problem. As the representative for all 16 state privacy commissioners in handling Google negotiations, Caspar said, “About 10 per cent of web users are not being included.” The German privacy commissioner announced that he would bring up the issue on an upcoming conference among state commissioners, and make a proposal to let the court decide on the necessary steps to handle the problem. [Source] See also: [SKorean police say Google violated laws] and [Former F1 boss makes EU privacy case over tabloid sex-orgy story]

Facts & Stats 

US – More Drivers Let Insurers Track Miles for Discount

A form of car insurance that requires electronic verification of miles driven, in return for a discount, is gaining popularity. These so-called pay-as-you-drive policies – miles are often tracked through a GPS system in the car – are now offered in more than half of the states and are spreading, albeit slowly, despite privacy concerns. Progressive Insurance, which began selling pay-as-you-drive policies in 1998 and now offers them in 27 states, said acceptance was strong among those eligible. “Approximately one in four customers are choosing this,” said Richard Hutchinson, Progressive’s general manager for usage-based insurance. Several factors are driving the growth. One is that the cost of GPS systems and data devices has plunged. For less than $100, companies can buy trackers that simply plug into the diagnostic port required on cars made after 1996. Insurers have also decided to collect less information than they once anticipated. GMAC Insurance, which offers pay-as-you-drive coverage in 35 states, uses the OnStar system in General Motors cars only to confirm miles driven. “Mileage is pretty innocuous,” said Tim Hogan, vice president for national accounts. “When you talk about time of day and speed, people become more concerned.” Initially, the idea was that the insurers would collect data on what streets a driver takes, at what time of day and how aggressively he drives. Insurers would then determine risk based on behavior as well as mileage. Progressive was at the forefront of this movement in the United States, but has reduced the scope of the data it uses to rate drivers – for instance, by excluding location and speed. And it has changed the name of its plan to Snapshot Discount because it sets a discount after 30 days of data collection. After monitoring a driver for six months, it removes the device. [Source]

Filtering 

IN – RIM to Block Porn in Indonesia

Research In Motion said it will filter pornographic Internet content for its BlackBerry smartphone users in Indonesia, following government pressure to restrict access to porn sites or face its browsing service being shut down. RIM “is fully committed to working with Indonesia’s carriers to put in place a prompt, compliant filtering solution for BlackBerry subscribers in Indonesia as soon as possible,” it said in a statement. Indonesia, home to about 2 million BlackBerry users, also asked RIM to open a local server, though RIM says the location of its servers makes no difference to the ability to decrypt the data flow on its devices. [Source]

Finance

US – Banking Industry Criticizes FinCEN’s Proposed Reporting Rules

The banking industry has been sharply critical of the Financial Crimes Enforcement Network’s (“FinCEN”) proposed rules (the “Proposed Rules“) to broaden the reporting obligations of banks and money transmitters for cross-border electronic transmittals of funds (“CBETFs”). Comment letters from the industry have attacked the proposal on various grounds, including that the Proposed Rules are overbroad and that FinCEN is not technologically prepared to utilize the data which would be provided by banks under the Proposed Rules. The banking industry’s main criticism of the Proposed Rules is that requirements for annual reporting of taxpayer identification information for accountholders engaged in cross-border electronic transfers are an unnecessary invasion of privacy that would not collect useful information. In addition, the industry commented that the Proposed Rules would require banks to submit a large volume of reports, but that the information would not provide FinCEN with more meaningful data than it could collect through more limited reporting requirements. Industry commenters also pointed to the fact that FinCEN exceeds current FinCEN data management capabilities and fails to impose adequate standards on law enforcement for data use accountability or security. Other commenters stated their views that the Proposed Rules exceed the limited rulemaking authority provided to FinCEN by Congress in Intelligence Reform and Terrorism Prevention Act of 2004 by imposing overly broad reporting requirements. [Source]

US –Banks to Get Updated Online Authentication Guidelines

The Federal Financial Institutions Examination Council (FFIEC) plans to issue new online transaction authentication guidelines for banks. The guidelines will clarify existing recommendations. The earlier version of the guidelines called on banks to use two-factor authentication, but allowed the institutions to choose their own methods. Some chose measures that did little or nothing to improve security, so the updated guidelines will make it clear what steps the banks need to take. Cyber theft through online transactions has been on the rise over the last few years; the criminals have been targeting small and medium-sized businesses. The thefts have also drawn attention to the need to implement transaction monitoring controls and fraud alert systems. [Source] [Source]

US – Corporate Account Takeover Case Could Set Precedent

Valiena A. Allison, CEO and president of Michigan-based Experi-Metal Inc., says it’s no longer” business as usual” when it comes to online fraud. EMI this week faced its former online banking account provider, Comerica Bank, in U.S. District Court. The crux of the trial: determining who is responsible for the takeover of EMI’s online bank account. The case – the first major ACH/wire fraud incident to actually go to trial – ended Jan. 26. The two parties now await judgment. Although originally framed as a legal showdown over what constitutes “reasonable security,” that question was taken off the table by the court. According to a July 2010 opinion filed by the district judge presiding over the case, “Based the plain and unambiguous terms of the Service Agreement and Master Agreement, the Court finds as a matter of law that Comerica’s secure token technology was commercially reasonable.” But EMI’s attorney, Tomlinson, says the question over reasonable security is a mere sliver of the big picture. “We had three real themes in this case,” he says. The themes include:

  • Approving a wire transfer that was allegedly authorized by EMI’s controller, even though the controller was not authorized by EMI to approve or initiate wire transfers;
  • Comerica’s acceptance of a wire transfer that was not initiated in accordance with industry standards;
  • Comerica’s lack of adequate fraud-detection and monitoring tools.

“This not just about a lack of authorization, but that Comerica failed to have any monitoring, with respect to the payments,” Tomlinson says. “As a result, a customer who had made zero transfers in 19 months suddenly made 90 in one day.” That should have been a red flag, Tomlinson and Allison say. “Under the FFIEC, monitoring is the industry standard,” Tomlinson says. “Nearly all of the top 40 banks monitor. Comerica, being the 31st biggest bank in the country, should have monitored those transactions.” [Source

US – Survey on PCI: How It’s Impacting Network Security

A survey of 500 information technology professionals with responsibility to assure compliance with the Payment Card Industry (PCI) security standard shows just over half find it “burdensome but necessary” in their organizations and about a third see it impacting their virtualized network environments in particular in the future. The survey was sponsored by Cisco to gauge attitudes toward PCI, its cost to organizations that need to achieve PCI compliance and where future security changes are now under consideration. The survey indicated about 85% were confident their organizations were prepared to pass a PCI audit but at the same time about a third indicated they anticipated making changes to their virtualized networks, such as using firewall and intrusion-protection systems as virtual security appliances, to meet future PCI compliance needs. Although the PCI mandate applies specifically to how payment-card data is secured and stored, the security standard, which is set by the PCI Security Standards Council, appears to be having the effect of influencing security in general across the organization. “A whopping 60% were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment,” Cisco’s survey results state. The PCI mandate is impacting plans for how virtualized networks will be secured as well. When asked, “How do you anticipate needing to change your virtualized environment to meet PCI compliance?” about a third replied they would need to add virtual security appliances, such as firewall and IPS, in order to meet PCI 2.0 compliance, while a third also wanted to “further harden our virtualization software.” [Source] See also: [Mint.com helps you stay on track, but at what risk? ] and [Newfoundland: RCMP warns of slick credit card scam by fraudsters]

FOI 

US – Republican Congressman Proposes Tracking Freedom of Information Act Requests

Representative Darrell Issa calls it a way to promote transparency: a request for the names of hundreds of thousands of ordinary citizens, business executives, journalists and others who have requested copies of federal government documents in recent years. Mr. Issa, a California Republican and the new chairman of the House Committee on Oversight and Government Reform, says he wants to make sure agencies respond in a timely fashion to Freedom of Information Act requests and do not delay them out of political considerations. But his extraordinary request worries some civil libertarians. It “just seems sort of creepy that one person in the government could track who is looking into what and what kinds of questions they are asking,” said David Cuillier, a University of Arizona journalism professor and chairman of the Freedom of Information Committee at the Society of Professional Journalists. “It is an easy way to target people who he might think are up to no good.” [The New York Times] See also: [NYT: Documents Open a Door on Mideast Peace Talks] and [Wikileaks: A True Test of the Cloud

US – Wikileaks, Twitter, and Our Outdated Electronic Surveillance Laws

CATO Institute Opinion: The U.S. government last month demanded records associated with the Twitter accounts of several supporters of WikiLeaks-including American citizens and an elected member of Iceland’s parliament. As the New York Times observes, the only remarkable thing about the government’s request is that we’re learning about it, thanks to efforts by Twitter’s legal team to have the order unsealed. It seems a virtual certainty that companies like Facebook and Google have received similar demands. Most news reports are misleadingly describing the order [PDF] as a “subpoena” when in actuality it’s a judicially-authorized order under 18 U.S.C §2703(d). Computer security researcher Chris Soghoian has a helpful rundown on the section and what it’s invocation entails, while those who really want to explore the legal labyrinth that is the Stored Communications Act should consult legal scholar Orin Kerr’s excellent 2004 paper on the topic. As the Times argues in a news analysis, this is one more reminder that our federal electronic surveillance laws, which date from 1986, are in dire need of an update. Most people assume their online communications enjoy the same Fourth Amendment protection as traditional dead-tree-based correspondence, but the statutory language allows the contents of “electronic communications” to be obtained using those D-orders if they’re older than 180 days or have already been “opened” by the recipient. Unlike traditional search warrants, which require investigators to establish “probable cause,” D-orders are issued on the mere basis of “specific facts” demonstrating that the information sought is “relevant” to a legitimate investigation. Fortunately, an appellate court has recently ruled that part of the law unconstitutional -making it clear that the Fourth Amendment does indeed apply to email. a mere 24 years after the original passage of the law. The D-order disclosed this weekend does not appear to seek communications content-though some thorny questions might well arise if it had. (Do messages posted to a private or closed Twitter account get the same protection as e-mail?) But the various records and communications “metadata” demanded here can still be incredibly revealing. Unless the user is employing anonymizing technology-which, as Soghoian notes, is fairly likely when we’re talking about such tech-savvy targets-logs of IP addresses used to access a service like Twitter may help reveal the identity of the person posting to an anonymous account, as well as an approximate physical location. The government may also wish to analyze targets’ communication patterns in order to build a “social graph” of WikiLeaks supporters and identify new targets for investigation. (The use of a D-order, as opposed to even less restrictive mechanisms that can be used to obtain basic records, suggests they’re interested in who is talking to whom on the targeted services.) Given the degree of harassment to which known WikiLeaks supporters have been subject, easy access to such records also threatens to chill what the courts have called “expressive association.” But unlike traditional wiretaps, D-order requests for data aren’t even subject to mandatory reporting requirements-which means surveillance geeks may be confident this sort of thing is fairly routine, but the general public lacks any real sense of just how pervasive it is. Whatever your take on WikiLeaks, then, this rare peek behind the curtain is one more reminder that our digital privacy laws are long overdue for an upgrade. [Source] See also: [CATO: The Sun Never Sets on the PATRIOT Act] and [The New York Times: 1986 Communication Privacy Law Outdated For Cloud Age]

CA – Privacy Association Hopes to See IBM Contract

The B.C. government must hand over an unedited copy of its $300-million contract with IBM to a privacy group – just 24 hours after the government awarded another multi-million-dollar contract to the computer services company. Vincent Gogolek, policy director of the B.C. Freedom of Information and Privacy Association, said Monday he suspects the government will deliver the hefty copy today – as it was ordered to do in late November. However, the “insanity” of a six-year battle so far suggests the government might choose instead to take an adjudicator’s ruling to B.C Supreme Court for a judicial review, he said. The association claimed a huge victory over “government secrecy” more than a month ago when B.C.’s privacy commissioner ordered the Citizens’ Services Ministry to release its full IBM workplace services agreement. Since the association began fighting for a copy of the contract in 2004, it has garnered about 483 pages of it – more than half. Information and Privacy commissioner Elizabeth Denham said recent decisions that both the Vancouver Island Health Authority and the Ministry of Citizens’ Services must disclose commercial and financial details of two outsourcing contracts demonstrate that public agencies should consider routine disclosure of these types of contracts with private service providers. Despite this, the government has continued to argue that releasing the full IBM contract would threaten its security systems and B.C.’s economic interests, as well as the business interests of IBM. However, in a 13-page ruling, adjudicator Michael McEvoy strongly disagreed with the government. [Source

US – Consumer Product Safety Commission to Launch Public Database of Complaints

The federal government is poised for the first time to make public thousands of complaints it receives each year about safety problems with various products, from power tools to piggy banks. The compilation of consumer complaints, set to be launched online in March by the Consumer Product Safety Commission, has been hailed by consumer advocates as a resource that will revolutionize the way people make buying decisions. But major manufacturing and industry groups have raised concerns about the public database, saying it may be filled with fictitious slams against their brands. Competitors or others with political motives could post inaccurate claims, business leaders say, and the agency will not be able to investigate most of the complaints. Arguing that this could present a new burden in an already difficult economic environment, they are working behind the scenes to delay or revamp the project. “We’re not opposed to a database,” said Rosario Palmieri, vice president of the National Association of Manufacturers. “We’re opposed to a database that’s full of inaccurate information.” Agency officials say they have built in safeguards to prevent such abuse and have carefully balanced the interests of consumers and manufacturers. The database, which is scheduled to be launched March 11, will be available at www.saferproducts.gov. [Source]

Health / Medical 

CA – Ontario Recruiting for Massive Health Study

Researchers in the province of Ontario have embarked on the largest long-term health study ever conducted in North America. An initial research phase involving 8,000 adults in three different communities in Ontario is complete and the Ontario Health Study is now beginning the main phase, which will follow the health of adults in the province for the rest of their lives. Study organizers have kicked their recruitment efforts into high gear with advertising, posters, tweets and Facebook updates being used in an attempt to recruit around 2 million volunteers (around 20% of eligible adults in the province). [Source] See also [Canadian woman denied entry to U.S. because of suicide attempt]

Horror Stories 

WW – 2011 Starts with a Reminder that Privacy Breaches Cause Harm

The first three breach posts of 2011 all involved insiders, and they all caused harm:

  • A breach report by Kinetic Concepts, Inc. (KCI) that a call center employee with authorized access to a database of customer information misused some customers’ payment card information for fraudulent purposes;
  • A court opinion that reveals how a former employee of the Social Security Administration exceeded his authorized access and obtained information about women he was romantically interested in; the women felt scared and unsettled at what he knew about them and that he just showed up at their homes when they had no idea how he got their address or details;
  • A story about how an employee of Moniker/Oversee.net domain registrar misused his authorized access to a database and for personal reasons, contacted the employer of a customer to reveal that their employee had registered a domain with a “sucks.com” domain name – even though the customer had enrolled for WHOIS privacy protection.

Each of the situations represents a different type of harm, but they all involve harm. All of these privacy breaches are insider security breaches that are not just human error. They are not the kinds of security breaches that tend to make major headlines in the mainstream media because they involve only one or a few individuals, but they serve as a timely reminder that breaches cause harm and our current legal system does not always recognize the harm or compensate victims adequately. [Source] [Top 10 Data Breaches of 2010] and [Statistics Canada mum on data breaches involving Canadian citizens] [Security lapses at Stats Can]

WW – Trapster Hack May Have Exposed Millions of iPhone, Android Passwords

Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android and BlackBerry owners of police speed traps, the company announced. California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. “If you’ve registered your account with Trapster, then it’s best to assume that your e-mail address and password were included among the compromised data,” the FAQ stated. But in the next breath, Trapster downplayed the threat, saying it wasn’t sure that the addresses and passwords were actually harvested. And when replying to follow-up questions today, Trapster claimed that not all its 10 million users were at risk. Trapster said it has rewritten the service’s code to prevent similar attacks in the future, and has “implement[ed] additional security measures to further protect your data.” The company did not spell out what those measures were, however. [Source

CA – Privacy Czar Orders Ottawa Hospital to Tighten Rules on Personal information

The Ottawa Hospital has again been ordered by Ontario’s privacy commissioner to examine its rules and practices relating to personal health information, following another electronic breach of a patient’s medical records. Information and Privacy Commissioner Ann Cavoukian says in a report that the hospital failed to comply with certain elements of a revised policy. Cavoukian asked the hospital to consider changes following a breach in 2005 that was “strikingly similar” to one she recently investigated. Cavoukian says the hospital failed to inform a patient of any disciplinary action against Allan (she was suspended for three days without pay and ordered to undergo privacy re-training and counselling), did not report the breach to the appropriate professional regulatory college, and did not follow up as it was supposed to with an investigation to determine if policy changes were required. Cavoukian also concludes “the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective” and fail to comply with a section of the Personal Health Information Protection Act. She also says her directives in the report “speak to the cultural shift that is required in order to effect a change in attitude about patients’ privacy in the Ottawa Hospital.” [Source] See also: [CA – Privacy Breach at Bruyere Clinic]

US – OCR Patient Data Breach List Hits 225

The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit 225. The web site was born out of HITECH and has been live since February 2010. OCR says the breach reports date back to September 2009. Hence, it’s been about 17 months since OCR has accepted the reports. It amounts to about 13 reports filed per month, or 0.44 per day. The OCR breach notification website also reports the following numbers:

  • 10 – Number of reports affecting more than 100,000 individuals, or 4.4% of breaches.
  • 4 – Number of reports affecting between 50,000 and 99,999 individuals
  • 6 – Number of reports affecting between 25,000 and 49,999 individuals
  • 27 – Number of reports affecting between 10,000 and 24,999 individuals
  • 61 – Number of reports that involve a laptop, or 27.1 percent.

HITECH’s breach notification interim final rule is still in effect. OCR has been close to signing off on a final rule before it pulled it out of the hands of the Office of Management and Budget (OMB) for further review. [Source

US – UConn Reports Data Breach of Online Retail Site

An online retail site at University of Connecticut is warning thousands of customers that their billing information may have been hacked. The information was exposed when a hacker managed to breach the HuskeyDirect.com database, which has billing information for about 18,000 customers who use the site to buy Husky-branded sports items from the UConn Co-op. The Co-op acts as the university’s bookstore but is a run as a separate, member-owned non-profit group. The information includes names, addresses, e-mail addresses, credit card numbers, expiration dates and security codes. The retail site is managed for the co-op by an unnamed third-party vendor. It was this vendor that alerted the co-op about the attack, according to a statement issued by the co-op on Jan. 11. In a separate FAQ, the co-op says the Web site vendor reported that the hacker had compromised an administrative password to gain access to the encrypted credit card data. “The hacker appears to have unencrypted that data,” according to the FAQ. The credit card information was encrypted, but the hacker appears to have unencrypted that data. The co-op’s first response was to order the Web site shut down, and pull the database offline. It then notified the customers, and “is in the process of arranging for credit protection” for them. The breach only affects those who made online purchases of items on the HuskyDirect Web site. [Source] See also: [US: Three fired at Tucson hospital for violating patients’ privacy] and [Security lapses at Stats Can] and [Michael Poer: Privacy: Linking Damage Awards to Values]

Identity Issues 

WW – Security Alert on Facebook’s New Privacy Setting ‘Instant Personalization’

Facebook does share your information with so-called partners (more like clients) and non-Facebook websites for advertising and other purposes. This is no longer a secret with the introduction of a new privacy setting that spells it out for you in plain English. The setting is cleverly called ‘Instant Personalization’ and is automatically set to enable sharing of your information. However, you can secure your privacy and disallow your information from being shared (even if Facebook buried the option to do so deep). The procedure to maintain privacy in your Facebook account is simple but your friends must do it as well or your information will be shared regardless of your preference not to have it so. [Source, details and instructions] See also [U.S. eyes Internet user ID system] [What Your Facebook Profile May Be Telling ID Thieves] and [Facebook Would Love to Go to Court to Protect a User’s Privacy] [Tapscott: Social media’s unexpected threat]

WW – Facebook Disables Ability to Share Home Address With Apps

Facebook is temporarily disabling the feature that lets users share their mobile number and address with third-party app developers, following privacy concerns. Facebook announced third-party app developers could access a user’s home address and mobile phone number that they have on their profile when they agree to download an app. However, following criticism over privacy protection from users and security experts, Facebook has decided to temporarily disable this feature and make some changes in order to ensure that users only share this information when they clearly intend to do so. Facebook noted that the feature was made to allow users to share their mobile number and address with a shopping site to streamline the purchasing process or sign up for text alerts on special deals. However, the new feature raised fears that users may grant permission to share their home addresses with third-party app developers without realising. Some were worried it could be a new way for scammers to gain access to such personal information of Facebook users. “The ability to access users’ home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users’ profiles.” [Source] [Facebook backs down over address and mobile information

WW – Facebook Lets Users Prove Their Identity by Identifying their Friends

Facebook has launched a pair of new security features — “social authentication” and “secure connection” — each designed to prevent hackers from gaining access to user profiles and private data on the world’s largest social network. With social authentication, users will be asked to identify photos of their friends in order to prove their identity. The thinking is that while a hacker might be able to figure out a user’s password, they won’t be able to identify that person’s friends. Facebook describes the social authentication technology as an upgrade over the ubiquitous “captcha” challenge-response tests employed by other sites on the Web. Captcha tests are often used on online forms and at the check outs of e-commerce sites to prove that the user is in fact a human being, and not a computer or bot attempting to manipulate the system. However, Facebook believes the technology is sometimes difficult to understand — anyone who has ever tried to use captcha knows that sometimes it takes a couple of attempts to even read the words contained in the box — and is still vulnerable to human hackers. Facebook said the new social authentication technology will be used to verify a user’s identity in the event of suspicious activity on the account. Facebook is also going to allow users to conduct all of their interactions with Facebook over an HTTPS connection. Facebook said the new secure connection feature will be rolled out to all users over the next couple of weeks and that users who want to use HTTPS connections exclusively can make the change on their Account Settings page. Facebook said the plan is to offer HTTPS as a default whenever anyone is using Facebook “sometime in the future.” [Source] See also: [Japan: EDITORIAL: ID number system] and [CA – Privacy concerns surround ID scanners] and [‘Anonymous’ movement views Web hijinks as public good, but legality is opaque] and [The wrong kind of sharing: Mark Zuckerberg’s Facebook page hacked] and [Healthcare assistant ‘Kate Middleton’ banned from Facebook] and [Facebook Wins Relatively Few Friends in Japan] [Social media in Indonesia: Eat, pray, tweet: Who will profit? – The Economist] 

US – Jury Acquits Mocek of All Charges in TSA Airport Identification Protest

A Seattle man has been acquitted of all charges brought against him when he refused to show ID to TSA officials and videotaped the incident at an airport security checkpoint. Prosecutors’ case against Phil Mocek was so weak that he was found not guilty without testifying or calling a single witness. Friday’s acquittal was the first time anyone has “successfully challenged the TSA’s assumed authority to question and detain travelers.” Mocek’s video, shot in November 2009 at the Albuquerque International Airport, portrays a passenger politely refusing officers’ request that he show ID and stop videotaping his encounter with them. Watch the video. But as the six-woman jury in New Mexico’s Arizona’s Bernalillo County Metropolitan Court made clear, Mocek isn’t in trouble. They returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct. along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren’t captured. “Annoying the TSA is not a crime,” the blog post states. “Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens.” [Source] [Source] [Source] [The TSA’s Worst Nightmare: The Seattle frequent flyer finally gets his day in court] [Phil Mocek: TSA Demand for ID all About Airline Revenue] and see also: [Michigan – ID Required to Enter Detroit Public School Buildings] See also: [Jesse Ventura files lawsuit against DHS and TSA Screening Procedures] and [Privacy advocates, Boise State expert say no thanks to federal government ID] and [CATSA offers apology for humiliating cancer survivor at airport ] and [Ralph Nader: “The TSA is a basketcase, collectively” ] [US officials say airport scanners ‘erode rights’ ] and [Key lawmaker wants to limit full-body screening at airports] and [The Stripping of Freedom: EPIC vs. DHS on TSA Body Scanners EPIC vs. DHS on the Stripping of Freedom and TSA naked body scanners]

Internet / WWW 

WW – Beware Shortened URLs, Geo-Location in Social Media

Security vendor McAfee is warning of a rising security risk in 2011 in the 3,000 shortened URLs generated per minute for use on social media sites such as Twitter. With the growing phenomenon that is social networking and instant communication, the popularity of shortened URLs in a limited character space is a ripe opportunity for cyber criminals. “People click on things and they really don’t know where they’re going to go, or what they’re going to get.” It’s an incredibly lucrative business for hackers, who can easily drop malware on unsuspecting Twitter users in order to reap private information. Another risk, also pertaining to social media, is the increased hacker attention to geo-location services such as Foursquare, Gowalla and Facebook Places that track and publish the whereabouts of users. Cyber criminals can easily determine a user’s interests based on geo-location information and launch specific targeted attacks at that person. It’s a vector attack that’s particularly alluring for well-funded organized crime. Social media aside, McAfee also predicts that 2011 will be the year when hackers up the ante on Mac-targeted attacks given the popularity of Apple devices such as the iPhone and iPad. So far, the primary mobile threat to Apple devices has been “jailbreaking” – when users are able to remove usage and access limitations set by Apple – but that’s about to change. [Source]

Law Enforcement 

US – California Court: Cops Can Search Texts Without Warrant

The California Supreme Court ruled that police do not need a warrant to search a cell phone carried by someone under arrest. The justices determined a Ventura County deputy had the right to conduct a warrantless search of the text messages of a man he had arrested on suspicion of participating in a drug deal. The state court ruled 5-2 that U.S. Supreme Court precedent affirms that police can search items found on defendants when they are arrested. However, the San Francisco Chronicle reported that in 2007, U.S. District Court Judge Susan Illston ruled that police could not search the cell phones of drug defendants without a warrant. The Ohio Supreme Court also found in 2009 that police did not have that right. California Deputy Attorney General Victoria Wilson, who represented the prosecution in the case decided Monday, told the newspaper the split opinions in California and Ohio could lead the U.S. Supreme Court to weigh in on the cell phone issue. The California Supreme Court decided the loss of privacy upon arrest extends beyond the arrestee’s body to include personal property. Authorities can not only seize items but also can open and examine what they find, the ruling said. [Source]

Location

US – Lawmaker Seeks to Protect Device Location Privacy

A US legislator plans to introduce a bill that would require law enforcement agencies to obtain a warrant before requesting location-based data from mobile devices. Senator Ron Wyden (D-Oregon) is concerned about citizens’ privacy. [Source] [Source]

CA – Calgary Airport Wi-Fi Abuses Privacy: Traveller

A Calgarian who is a frequent air traveller wants to know why he should provide personal information to use Wi-Fi at the airport. One of the options for logging on to the Wi-Fi network at the Calgary International Airport involves hooking up through Facebook. Users hooking up through Facebook must agree to provide access to the personal information on their Facebook accounts. “It just seemed a completely ridiculous request and one that I just wasn’t prepared to accept,” said Andrew Burton, a Calgarian and a frequent traveller who contacted the CBC about the issue. A Calgary airport spokesperson wouldn’t comment on Monday except to say it’s the policy of the airport’s third-party provider, Boldstreet Wireless. Boldstreet said users’ information is safe. President and CEO Tom Camps said the company provides the airport with a demographic breakdown of who is using the service. [Source

US – ‘Find Your Car’ System in US Gaining Fans Amidst Privacy Concerns

Santa Monica Place in US has installed the nation’s first camera-based ‘Find Your Car’ system, which can help absent-minded shoppers locate their vehicles. Shoppers who have lost track of their vehicle amid a maze of concrete ramps and angled stripes can simply punch their license plate number into a kiosk touch screen, which then displays a photo of the car and its location. But the new system has also brought out privacy concerns, with people questioning if the array of 24/7 surveillance cameras could be worth the loss of privacy. Steven Aftergood, a senior research analyst at the Federation of American Scientists, which studies national security issues, said people should understand that the technology is being forced upon them. “What should give people pause is that this technology is advancing upon us without anyone having chosen it,” Aftergood said. “We have not decided as a society or as individuals that we want this convenience. It is being thrust upon us,” he stated. “The unintended consequences can be huge.” [Source]

Online Privacy

US – D.C. Judge Blocks Release of TSA Body Scan Images

The U.S. Department of Homeland Security has shielded from public review 2,000 whole-body scan images, a federal judge in Washington said in a public records suit. The Electronic Privacy Information Center sued in the U.S. District Court for the District of Columbia to force DHS to turn over the images and other documents. The Washington-based privacy center is examining the use of body scanning technology and its implications for civil rights. Lawyers for the center want to review “unfiltered or unobscured” images of volunteers that the body scanning technology captured. The center filed suit in November 2009. DHS officials produced more than 1,700 pages in response to the suit but it withheld 2,000 whole body images and 376 pages of Transportation Security Administration training materials. The images were created to test the degree to which the body scanners met the government’s detection standards, government lawyers said. Judge Ricardo Urbina of Washington’s federal trial court said the government has no obligation under the Freedom of Information Act to produce the images to the plaintiffs. The center’s lawyers were not immediately reached for comment this morning on the ruling. U.S. Justice Department lawyers said in response to the demand for the images that their release “would constitute a threat of transportation security” by revealing certain vulnerabilities of body-scanning technology. The images, DOJ lawyers also said, are internal records that are not subject to public disclosure. Lawyers for the privacy center, John Verdi and Marc Rotenberg, said in court records that the government has already produced a limited number of body scanner images to the public and therefore there’s no justification for blocking further disclosure. The attorneys said there is a substantial public interest in the release of the images. “The body scanner program is presently the subject of substantial debate in Congress, between international delegations, and in the media,” the center’s lawyers said in court papers in June. “Central to the dispute is whether the TSA can store and record detailed images of naked air travelers at US airports without any privacy filters. The TSA contends that it would not do this, but the agency possesses 2,000 relevant images and refuses to release any.” In his 15-page ruling, Urbina said the privacy center has provided no basis for the court to question the government’s “reasonable conclusion that disclosure of the images may provide terrorists and others with increased abilities to circumvent detection by TSA and carry threatening contraband onboard an [airplane].” [Source] [Source]

CA – Canadian Sues Google Over Data-Sharing Program

A Manitoban is suing Google for unspecified damages in a class-action suit over alleged problems with the launch of Google’s Buzz program earlier this year. It took information from user email and integrated it with social networking accounts like Facebook. Lawyer Norman Rosenbaum is acting for Tyler Wereha, of Rosa, Manitoba. Rosenbaum alleges that even though Google told users on Feb. 9 they had a choice whether or not to activate Buzz, Google automatically activated it on users’ Gmail accounts. “It’s a breach of privacy,” Rosenbaum said. “It automatically affected all of your followers. Even if you said you didn’t want to have your email list forwarded, it did it anyway.” The statement of claim, filed in Manitoba Court of Queen’s Bench, alleges anyone who has exchanged at least one email with a person could add that person to their Buzz “following” list and immediately see private information, including the user’s profile, Buzz posts and follower and followings lists. Information available to everyone “following” the user could contain the user’s occupation, where they live and contact information. The lawsuit asks the courts to put a permanent injunction on Google, preventing it from operating Buzz in “a deceptive and unfair manner whereby causing the unwanted disclosure of personal information.” Because it’s a class-action suit, other complainants can sign on. [Source

WW – Dating Site Believes It’s the ‘Facebook of the Dating World’

A U.S. online dating company hopes to be the “Facebook of the dating world” by creating profiles for non-registered individuals based on publicly available information online, including social networking sites. Gotham Dating Partners Inc., a New York City-based dating company behind such websites as PrisonHookup.com and UglyPeopleDate.com plans on compiling bits of public information on 300 million people around the world to create profiles. They hope to re-launch the site on Feb. 14 -Valentine’s Day. “We are the Facebook of the dating world,” he continued. “We are not doing anything malicious. It’s no different than what Facebook does. We are accessing the same public records.” Gotham will build profiles of public information from social networking sites, such as Facebook and MySpace, mailing lists, marketing surveys, marriage and divorce records, government census records, real estate listings and personal and business websites. Once the information is posted, a person can delete or update their profile for free but will be charged a fee if they want to contact any other member, Jordan said. If the profile lists the person as single, their profile will automatically be added to the dating section of Gotham’s site. David T.S. Fraser, a privacy lawyer with McInnes Cooper in Halifax told the Star that Gotham’s initiative would violate Canadian privacy laws since anybody engaged in commercial activity would have to have consent from the individual to use or disclose personal information. And in terms of a person’s public information on a site like Facebook, the information can only be used for the purpose for which it would have been made available in the first place, Fraser said. Fraser said Gotham and Facebook differ in how they gather information. Information on Facebook profiles are submitted by users themselves, while Gotham’s model includes the site itself gathering the information online, and the user then updating or deleting information. [Source] See also: [OkCupid Profile Fraud Is The Crime You’d Never Expect

WW – Spokeo Raises Privacy Concerns For Celebrities: No Privacy from Fans

Spokeo is raising some eyebrows in the electronic world today with their new service. As people realize this website is an one-stop shopping opportunity to find out anything and everything about an individual, they are asking if it goes too far. Boasting “it’s not your grandma’s phone book” the website mills and then publicizes information about an individual found online. According to the website, it doesn’t share Social Security numbers, driver’s license numbers or bank account information, but that doesn’t stop it from telling everything else including your astrology sign to anyone who asks. If you don’t think Spokeo knows about you, take a minute to go over to the website and type in your name. If you have a Facebook page, ever subscribed to anything or even typed your name into a form online, there is a good chance you too have a file over there waiting to be read by the world. [Source

WW – Facebook ‘Sponsored Stories’ Turn You into the Ad

Your clicks of Facebook’s “Like” button and check-ins at restaurants, stores and other establishments are already valuable marketing material. Now Facebook is letting companies and individuals buy the right to republish those actions to your friends in ads – including your name and profile photo – on the social network’s site. Called “Sponsored Stories,” these ads look like the other small ads that adorn the right side of the screen (which can already feature your name if you’ve Liked the product in question). In this case, as a video posted to Facebook’s marketing page explains, the ad will simply recycle your check-in or Like as an ad labeled “Sponsored Story.” In the video, Facebook developers explain how the format works and how it lets advertisers get around one disadvantage of people’s check-ins and Likes showing up in the usual News Feed: “a lot of impressions do get lost because there’s so much content coming through.” One staffer also makes an important point that is already getting lost in debates about this: “A sponsored story never goes to somebody who’s not one of your friends.” [Source] See also: [What Happens to Your Digital Life When You Die?

EU – Facebook Makes Deal With German Privacy Group

Facebook, facing potential fines for violating strict privacy laws in Germany, has agreed to let users in the country better shield their e-mail contacts from unwanted advertisements and solicitations it sends. Facebook, which has more than 10 million users in Germany, agreed to modify its Friend Finder service to let Germans better block its ability to contact people, including non-Facebook users culled from a user’s e-mail address books. Tina Kulow, a Facebook spokeswoman in Hamburg, said users in Germany would now be advised that the site could send solicitations to people on their mailing lists, should they choose to upload their address books to Friend Finder. [The New York Times

WW – Google and Mozilla Announce “Do Not Track” Browser Features

Google has announced a new feature for its Chrome browser that lets users opt out of tracking cookies from several online ad networks. Just two months ago, the US Federal Trade Commission called for a do not track mechanism like the “Do Not call” list, that would let users choose whether their personal data are collected. Mozilla recently said it is looking into adding a similar feature to Firefox. [Source] [Source] [Source] [The Wall Street Journal: Web Tool on Firefox to Deter Tracking] [Google to Debut Chrome “Do Not Track” Tool]

Other Jurisdictions

LV – New Latvian Data Protection Law to Take Effect February 1

The law was passed in October 2010 in the wake of a major security breach of online financial and tax records from the State Revenue Service. The legislation also creates a new Cyber-Security Response Agency. This marks the first legislation in this Baltic nation that puts a new IT security head at the top of every state institution.This official will also have to check the systems for any vulnerability to threats by hackers and viruses at least once a year and make sure that no files are lost in case of emergency or natural disaster. “We will establish the minimal standards for every state and every local government institution in IT security,” said Maris Andzans, the head of the Consultative Council on Security of Electronic Communications and IT, and one of the officials involved in drafting of the legislation. He adds that while the country has fire safety rules, but there have been no such laws for the use of digital information. In order to ensure that the officials follow and obey the rules, two present computer security prevention institutions will be merged into a new Cyber-Security Response Agency. [Source

IS – Israel: Child Welfare More Important Than Privacy Laws

The welfare of children must take precedence over the right to privacy, lawmakers concluded, giving the government 14 days to complete legislation that would demand its ministries share information pertaining to children at risk. [Source] See also: [Uganda: Uganda Court Bans Outings by Media and Women protest bra checks]

Privacy (US)

US – Supreme Court Limits Privacy Rights Of Federal Contract Workers

The Supreme Court has upheld the personal background checks now required of scientists and thousands of others who work under government contracts, ruling that questions about drug use and other personal matters do not violate their privacy rights under the Constitution. In the wake of the 9/11 attacks, the Bush administration extended the use of background checks to those in companies and universities who worked on government-funded projects. A group of 28 veteran scientists and researchers at NASA’s Jet Propulsion Laboratory in La Canada Flintridge, Calif., sued, contending the prying questions violated their privacy rights, and they won before the U.S. 9th Circuit Court of Appeals. But the high court unanimously reversed that decision this month and said that backgrounds checks, long standard for federal civilian employees, were reasonable for government contract workers as well. Writing for the court, Justice Samuel A. Alito Jr. agreed it would raise true privacy concerns if the government were to pry into the private lives of ordinary citizens. But the government has “wide latitude,” he said, “in its dealings with employees.” [Source]

US – List of Online Tracking Class Action Lawsuits in 2010

Review of important class action lawsuits about online tracking in 2010:

[Source] SEE ALSO: [Is 2011 the Year of a Digital Privacy Revolution?

US – What’s in a Word: Does ‘Personal Privacy’ Extend to Corporations?

Telecom giant AT&T wants “personal privacy” protections applied to businesses, just as they have long been granted to individuals. At issue is whether corporate “personhood” extends to the Freedom of Information Act, which exempts the public release of government documents that invade personal privacy. The company wants material gathered by a federal agency during a consumer investigation to be kept secret. Several justices seemed deeply skeptical of the company’s claims for relief. Citing “dozens and dozens” of examples in a study of government bureaucracy, Justice Ruth Bader Ginsburg said that “overwhelmingly, ‘personal’ is used to describe an individual, not an artificial being.” “Can you give me any examples in common usage where people would refer to the ‘personal privacy’ of a corporation?” asked Justice Antonin Scalia. “It’s a very strange phrase to me.” But others on the bench were not willing to say personal privacy applies only to a single human being. Beyond interpreting the meaning of personal privacy, the court may also have to wrestle with defining or redefining “corporate,” either as an association of citizens with extended, shared rights, or as a state-chartered entity with its own separate, competing rights apart from those of its members. Such interpretation was key to the high court’s controversial campaign finance ruling a year ago, in which the conservative majority gave corporations greater power to spend freely in federal elections, overturning a federal law that had imposed strict limits. The court said corporations had to be treated as “persons” when it came to campaign spending, with the same power as individual donors. Now the dispute is whether corporations enjoy similar protections in the privacy context. Liberal groups have complained that the Roberts court has been overly friendly to businesses in recent rulings, at the expense of individual consumers. They want a blanket rule exempting corporations from personal privacy protections. “Congress did not and could not imbue corporations with the dignity interests that FOIA protects when it shields living, breathing human beings from invasions of personal privacy,” said Elizabeth Wydra, chief counsel of the Constitutional Accountability Center. “A corporate charter cannot blush or feel embarrassed by FOIA’s policy of transparency,” The case is FCC v. AT&T Inc. (09-1279). A ruling is expected in the next five months or so. [Source] [Justices Appear Skeptical in AT&T Privacy Case]

Privacy Enhancing Technologies (PETs) 

EU – Germany: Digital Eraser Software Aims to Increase Privacy

Currently only a prototype, a piece of software created by a group of German researchers could help photos automatically disappear from the Internet after an amount of time determined by picture’s owner. Called X-pire, the software would let users give their pictures an expiration date after which the photo would become unrecognizable, said Michael Backes, the software’s creator, and the chair for Information Security and Cryptography at Saarland University. The software, an add-on for the Firefox Web browser, was presented during a conference held by the German Ministry for Consumer Protection. This is the first concrete application since the German interior minister, Thomas de Maiziere, called for a “digital eraser,” as part of a broader German government Internet plan unveiled in June 2010. Data protection officials praised the project for giving the public a way to have more control over what happens to the material they post online. [Source] [Der Speigel: Why ‘Web Erasers’ Can’t Wor 

WW – API Allows Users to Delete Flash Cookies More Easily

Adobe has introduced technology that makes it easier for users to delete local shared objects (LSOs), known as Flash cookies. LSOs store user preferences, but some websites have been using the LSOs to restore user cookies even after users have manually deleted them. Working with Mozilla, Google and Apple, Adobe has developed an application programming interface (API) known as NPAPI ClearSiteData that lets users delete LSOs from the settings panels of certain browsers. [Source] [Source] [Source]

Security 

US – 2010 Annual Security Report Notes Cybercrime Moving Toward Mobile Devices

According to Cisco’s 2010 Annual Security Report, cyber criminals appear to be shifting their focus from Windows machines to mobile devices. Users are falling prey to social engineering scams through social networking, email and even phone calls. In addition, 2010 marks the first year “in the history of the Internet” in which the volume of spam dropped, due in large part to botnet takedowns and increased ISP email restrictions. [Source] [Source] [Source] [The Cisco report

WW – Experts Display Skepticism on IT Security Matters

Experts paint a gloomy picture of global cybersecurity. The EastWest Institute issued a report this week and a poll of participants suggests that the global challenges of cybersecurity are tough ones:

  • 61% anticipate the impact of losing global connectivity for an extended period of time to be catastrophic with irreversible consequences;
  • 66% say a treat on cyber warfare is needed now or is overdue;
  • 66% think home users need to take more responsibility for cybersecurity;
  • 66% view their government’s maturity as low regarding int’l cooperation in cybersecurity;
  • 69% doubt their country could defend against a sophisticated cyber attack; and
  • 70% believe that international policies and regulations are far behind technology advances.

According to the Institute report, Protecting the Digital Economy: The First Worldwide Cybersecurity Summit in Dallas, the current approach to cybersecurity is limited: “We left with the clear impression it could take years to arrive at a global treaty on cybersecurity, since many states are not ready for it – and perhaps never will be.” The solution, the report suggests: Voluntary agreements in the private sector and international standards as avenues to change. “The best approach is to target concrete, specific problems while speaking to the big issues.” [Source] See also: [Tracking Bad Guys Who Enter IT Systems] and [AU – Criminals may be microchipped one day, Mal Hyde tells forum]

Smart Cards 

UK – University Will Not Take Down Chip-and-Pin Vulnerability Thesis

A UK banking lobby group is attempting to censor a student’s thesis on chip and pin system vulnerabilities. In a letter to Cambridge University, The UK Cards Association asked that the thesis be removed from a website because it provides a “blueprint for building a device … to exploit a loophole in the security of chip and pin.” The thesis is an outgrowth of earlier work by Cambridge researchers that was published early last year. Cambridge University Professor of Security Engineering Ross Anderson sent a response, refusing the request, and questioning the right of the University to censor a student’s published work “simply because a powerful interest finds it inconvenient.” Anderson also pointed out that the publication of the earlier research last year resulted in some financial institutions improving their chip and pin systems to mitigate the vulnerabilities. [Source] [Professor Anderson’s response

UK – End of the Road for ID Cards

The much criticised UK ID cards scheme is finally dead and buried after the government revealed on Friday that any cards issued can no longer be used to prove identity or travel within Europe. A brief statement on the Home Office web site explained that the final nail in the coffin would come “within days” when the National Identity Register, the database designed to hold the card details, will be destroyed. “Laying ID cards to rest demonstrates the government’s commitment to scale back the power of the state and restore civil liberties,” said home office minister Damian Green. “It is about the people having trust in the government to know when it is necessary and appropriate for the state to hold and use personal data, and it is about the government placing their trust in the common-sense and responsible attitude of the people.” [Source] [UK: £400k to destroy National Identity Register personal data]

Surveillance

US – BCJ Report: FBI Domestic Spy Powers Too Broad

New restrictions should be placed on the FBI’s power to investigate people and organizations inside the United States suspected of having links to terrorist activity, including requiring agents to get prior written approval before conducting surveillance operations, according to a new report from a nonpartisan public-interest law center. The report, released by the Brennan Center for Justice at New York University School of Law, calls for both Congress and the Obama administration to rein in investigatory powers granted to the FBI in 2008 by then-Attorney General Michael Mukasey. The Obama White House has retained the powers, known as the Attorney General’s Guidelines for Domestic FBI Operations, even though they were written during George W. Bush’s administration. The guidelines allow FBI agents, for example, to initiate surveillance on a person or group inside the United States without first opening a formal investigation and getting approval from a manager and without having probable cause. “Both Congress and the Justice Department should act to ensure vigorous oversight of the guidelines’ use,” the report states. “There must be meaningful internal and external checks on the vast powers the FBI have been granted.” The report does not call for abolishing the guidelines but rather for more oversight to prevent abuses. “The time to act is now–before the guidelines result in widespread and unwarranted intrusions into Americans’ privacy, harmful religious and ethnic profiling, and the divergence of scarce resources to ineffective and indiscriminate collection of information,” the report concluded. [National Journal] RELATED STORIES: [IG launches new probes of domestic surveillance 17 June 2010] and [Justice official keeps mum on privacy rights – Sept 23, 2009] and [Roots of surveillance standoff go back decades

EU – Privacy Study Signals a Worrying Increase in Surveillance Across Europe

The UK improves its privacy performance since 2007 but France is catching up as Europe’s “worst surveillance society.” A landmark EU-wide study of national privacy safeguards published today shows a decline in privacy protection across Europe and a steep increase in state surveillance over the lives of individuals. The year-long study, funded by the European Commission and backed by a 600-page analysis of privacy in 31 countries, was co-authored by the London-based global watchdog Privacy International, the Electronic Privacy Information Center in Washington DC and the Center for Media and Communications Studies of the Central European University in Budapest. The study includes a rating for EU member states and accession candidate countries. This rating pits Britain and Ireland fighting over the bottom of the privacy league. The EPHR project comprises three action areas: (1) Map European privacy laws and recent developments as well as summarise the trends in the light of the right to privacy; (2) disseminate information and publish it on multiple online and offline platforms; and (3) develop innovative awareness-raising campaigns to be launched at the European Data Protection Day on 28th January 2011. The country reports were also translated into native languages. [Source] [Worrying increase in surveillance across Europe] Further information about the project will be found at www.privacyinternational.org/ephr

UK – CCTV Success in 2010

London’s Metropolitan Police Service has released a statement with some statistics supporting the use of CCTV: 2512 wanted people, including suspected murderers and rapists have been successfully identified by the Metropolitan Police Service using CCTV this year. In 2010 specialist teams of video ID investigators identified 574 robbery suspects, 427 people wanted for burglary, 199 for grievous bodily harm, and 23 suspected sex offenders. The overall figure marks a 25% increase on 2009. CCTV hasn’t prevented any terrorist acts and its use in terrorism is all after-the-fact to identify suspects. [Source

CA – Surveillance Cameras in Calgary Useful, Report Finds

Calgary police and bylaw officers are using downtown surveillance cameras about four times a month on average — enough that they should be kept, but not enough that there should be more of them, a new report says. City bylaw officials will tell a council committee that the cameras have not triggered a single privacy complaint since a two-year trial program began in March 2009. Officers have accessed the footage 93 times for investigation or security work. Staff have stopped trying to move around the 16 cameras to emerging crime hot spots because it’s proven tough to keep up, and they’ve concluded the system isn’t used in investigations often enough to warrant buying more electronic eyes. The system has cost $500,000 for the new equipment, and $100,000 to operate. [Source] See also: [Studies Says Webcam Users Under Serious Threat] and also: [Cobourg: CCTV cameras won’t be used to violate citizens’ privacy, chief promises] and also: and [US: Air Force’s ‘All-Seeing Eye’ Gorgon Flops Vision Test] and [US: Privacy issues hover over police drone use] and [AU – Dads banned from filming birth in new privacy clamp down by hospitals] and [Wyoming – Lawmakers propose classroom video surveillance]

CN – Restive Chinese City Put Under Full Surveillance After Ethnic Riots

China is putting a western city where deadly ethnic violence broke out in 2009 under full surveillance, including ensuring “seamless” coverage of sensitive areas of the city with tens of thousands of cameras, state media reported. Security has been tight in Urumqi since tensions between the area’s largely Muslim Uighurs and members of the country’s Han majority flared into open violence in 2009. Uighurs have long resented what they see as an incursion by Han migrants into their ancestral homeland, the Xinjiang region. The government says 197 people were killed in that outbreak of violence, the deadliest in Xinjiang in years. China has sentenced dozens of people for their involvement in the riots, most of them Uighurs. Beijing blamed overseas Uighur groups of plotting the violence, but exile groups denied it. Just before the one-year anniversary of the violence last year, officials said about 40,000 high-definition surveillance cameras with riot-proof protective shells had been installed throughout the region. Nearly 17,000 were installed in Urumqi last year, the state-run Xinhua News Agency reported. It was not clear if that figure was in addition to the one reported last year. The surveillance coverage will continue to grow this year, according to Urumqi Mayor Jerla Isamudinhe. Surveillance is “seamless” — meaning there are no blind spots — in sensitive areas of the city, the report quoted Wang Yannian, who leads the city’s information technology office, as saying. [Source] and also: [D.C. expanding public surveillance camera net

EU – Belgium: Supreme Court Clarifies Key Concepts of Camera Law

In a judgment dated 5 October 2010, the Supreme Court (Hof van Cassatie/Cour de Cassation – the “Court”) clarified certain key concepts of the Law of 21 March 2007 regulating the placement and use of surveillance cameras (the “Camera Law”). The dispute before the court relates to a surveillance camera which recorded a criminal offence. The relevant images were provided to the police and the public prosecutor and later on used as evidence during criminal proceedings. During these criminal proceedings, the accused opposed the use of the images as evidence based on restrictions imposed by the Camera Law. Full discussion by [Mondaq News]

AU – Crime-Fighting Video Camera in Public Toilet Sparks Privacy Complaints

Security cameras that helped cut vandalism in a public toilet have prompted a complaint to the South Australian privacy watchdog. A report by the South Australian Privacy Committee reveals concerns have been raised over “surveillance” by a local council in a public toilet. A Local Government Association (LGA) spokeswoman refused to release the name of the council, but said the cameras had been installed in a male toilet after consultation with the police. The cameras recorded people entering the toilet block as well as rear-view vision of the urinal. “The cameras only record persons entering the toilets and the walls,” an LGA spokeswoman said. The spokeswoman said video recorded by the camera had secured successful vandalism prosecutions and helped reduce graffiti attacks by 90 percent. [Source]

Telecom / TV

IN – RIM Gives India Access but Not to Secure E-Mails

BlackBerry maker Research In Motion said it has given India the means to access its Messenger service and reiterated that no changes could be made to allow monitoring of secure corporate emails. “… No changes can be made to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys,” the company said. [New York Times] See also: [SKorean police say Google collects emails, other data from Wi-Fi networks

WW – Smartphone OSes Disclose MAC Addresses When Interacting with IPv6

Smartphones interacting with IPv6-based servers have a privacy hole -the IDs they transmit contain unique hardware IDs. The problem lies not in IPv6, but in the smartphones’ operating systems. Devices determine half of their IPv6 addresses themselves, so the operating systems need to be tweaked to generate random IDs. The problem is not currently widespread because IPv6 is not yet in wide use. [Source

AU – Privacy Fears for Phone Data

Police would have access to the telephone records of missing people even when there was no suspicion of criminal activity under a plan that civil liberties activists say could lead to “gross invasions of privacy”. A federal bill to change surveillance laws would give state and federal police the power to inspect records such as call, SMS and data use in the search for missing people. Police could look at records in the period leading up to the filing of a missing persons report. But NSW Police want the bill to include access to all records beyond the date of the missing persons report. Privacy activists fear that would allow police to use technology to monitor people’s movements without their knowledge. [Source]

AU – Privacy Commissioner Investigates Vodafone

Australian Privacy Commissioner Timothy Pilgrim has said that he will investigate the allegations that personal information of Vodafone customers had been exposed. Vodafone fell into hot water following allegations that criminals had been sold access to its sensitive customer database who planned to use the information, which includes voice and SMS logs, to blackmail customers. It was also alleged that other people had obtained the internal log-in to check their spouse’s communications. Pilgrim said he had spoken with Vodafone CEO Nigel Dews, who had promised full cooperation. [Source] [Roger Clarke Q&A: the Vodafone breach

US – NY judge Questions Husband-Wife Calls on Wiretaps

A federal judge demanded the government explain itself for eavesdropping on phone calls between an insider trading defendant and his wife in a case that was celebrated for its use of wiretaps. U.S. District Judge Richard Sullivan in Manhattan ruled in favor of the government’s right to wiretap insider trading suspects, but drew the line at the private chats between a husband and wife, saying it was the only area where he believed some suppression of the evidence might be warranted. He was the second judge to rule in favor of wiretap evidence in insider trading cases. Sullivan ordered the government to respond in writing to claims by a lawyer for defendant Craig Drimal that 13% of his time on phones involved chats with his wife, including “deeply personal conversations about private marital matters.” Drimal has pleaded not guilty. Prosecutors have described the prosecution that resulted in Drimal’s 2009 arrest as the biggest hedge fund insider trading case in history. Among defendants is Raj Rajaratnam, a one-time billionaire founder of the Galleon group of hedge funds who has pleaded not guilty and insisted any trades he made were based on publicly known information. Prosecutors say the insider trading resulted in more than $50 million in profits. The government began wiretapping Drimal, a former Galleon trader, in November 2007. His lawyer, Janeanne Murray, said in court papers that 98.2% of the calls captured by the government and 97.4% of the call-minutes involved non-pertinent conversations. Murray accused the government of a “cavalier disregard for marital privacy,” saying investigators were required to discontinue monitoring if they discovered that they were intercepting a personal communication solely between Drimal and his wife. [Source] [Huffington Post: Do Married Couples Have a Reasonable Expectation of Privacy in Their Email Messages? ] and also: [BC Court: ex-Wife Awarded $40K Over Privacy Violation

US – Cell Phones Used More to Track Criminal Movements

When FBI agents wanted to reconstruct the movements of a rogue New York City cop who staged a $1 million perfume heist in Carlstadt, N.J., last February, they turned to cell phone records to trace his steps. Using a computer mapping program and “call detail” logs obtained from Sprint Nextel, agents plotted the locations of 42 cell sites in Bergen and Hudson counties and New York to track Kelvin L. Jones’ movements as the armed robbery plot unfolded. Jones was convicted last month. Cellular tracking of criminals – including those like Jones who use prepaid mobile phones that can’t easily be traced because there is no subscriber contract — has become a cottage industry for the FBI. The demand for cell site records has mushroomed as the ability to zero in on phones has become more and more precise, drawing criticism from civil libertarians and prompting some courts to take a new look at the legal ground rules for granting access to such data. The ACLU and the EFF say they don’t object to law enforcement using cell-tracking records as long as they get a warrant first. Ultimately, adds the EFF’s Bankston, the uncertainty will continue until either the Supreme Court rules on the issue or Congress steps in and clarifies the law. [Source] See also: [CA – Cellblock audio recorders being installed]

US Government Programs 

US – DoC to Establish National Program Office to Support Trusted Identity Efforts

The US Department of Commerce will establish a National Program Office focused on creating and promoting trusted online identities for Internet users; the effort will support the current administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC) by encouraging the development of interoperable technologies and standards for online authentication. Users would be able to establish a single online identity that could be used across multiple sites with confidence, eliminating the need for remembering a lengthy list of passwords. NSTIC seeks to create an Identity Ecosystem that does not rely on a centralized database and will not be mandatory. The final version of the NSTIC will be released in the next few months. [Source] [Source] [Source] [Source

US – Federal Agencies Must Submit Classified Data Management Reports by End-Month

US federal agencies have three weeks to submit reports to the White House on how they manage and protect national security data. Shortly after the first of the stolen diplomatic cables appeared on WikiLeaks, the White House issued a memo directing all agencies to assess their procedures for ensuring the security of information that has been designated classified. A January 3, 2011 memo from the Office of Management and Budget (OMB) provides compliance guidance for the agencies and includes questions about what agencies are doing to prevent unauthorized information disclosures by disgruntled employees. Agencies have until January 28 to submit internal assessments outlines in the first memo and answer questions in the January 3 memo. [Source] [Source] [Source

US – Color-Coded Terror Warnings to be Gone by April 27

By the end of April, terror threats to the U.S. will no longer be described in shades of green, blue, yellow, orange and red. The nation’s color-coded terror warning system will be phased out beginning this week, according to government officials familiar with the plan. The officials requested anonymity to speak ahead of an announcement scheduled by Homeland Security Secretary Janet Napolitano. The Homeland Security Department and other government agencies have been reviewing the Homeland Security Advisory System’s usefulness for more than a year. One of the most notable changes to come: The public will no longer hear automated recordings at U.S. airports stating that the threat level is orange. The Obama administration will take the next three months to roll out a replacement, which will be called the National Terrorism Advisory System. The new plan calls for notifying specific audiences about specific threats. In some cases, it might be a one-page threat description sent to law enforcement officials describing the threat, what law enforcement needs to do about it and what the federal government is doing, one of the officials said. When agency officials think there is a threat the public should know about, they will issue an announcement and rely on news organizations and social media outlets to get the word out. [Source

US – Defense Dept. Social Media Policy Set to Expire

Social media guidelines set by the US Department of Defense (DoD) last year are set to expire on March 1, 2011. Despite concern that the event might leave the future of social media at DoD ‘in limbo,” a Pentagon spokesperson said that it will not ban the use of social media, noting that “social media tools are pervasive in the 21st century communications environment, and the department intends to fully utilize those capabilities.” Reports up through 18 months ago indicated that the US military was considering a wholesale ban on networking tools because of network security concerns. [Source] [Source] [Source] [Source]

US Legislation 

US – Senator Proposes Mobile-Privacy Legislation

Federal law needs to be updated to halt the common police practice of tracking the whereabouts of Americans’ mobile devices without a search warrant, said Ron Wyden, an Oregon Democrat, who also said it was time for Congress to put an end to this privacy-intrusive practice, which the Obama Justice Department has sought to defend in court. In an luncheon speech at the libertarian Cato Institute in Washington, D.C., Wyden said his staff was drafting legislation to restore “the balance necessary to protect individual rights” by requiring police to obtain a search warrant signed by a judge before obtaining location information. Even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain hazy, and courts have been divided on the constitutionality and legality of the controversial practice. Wyden’s push to advance Fourth Amendment-like privacy protections through legislation is likely to be met with applause among technology firms. Last March, as CNET was the first to report, a group called the Digital Due Process coalition including Facebook, Google, Microsoft, Loopt, and AT&T as members endorsed the principle of location privacy. One of the coalition’s principles says: “A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.” The Obama Justice Department, on the other hand, has argued that warrantless tracking is permitted because Americans enjoy no “reasonable expectation of privacy” in their–or at least their cell phones’–whereabouts. U.S. Department of Justice lawyers have argued in court documents that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls. [Source

US – Indiana Lawmakers to Consider Upskirt Ban

A key Indiana Senate committee will consider a proposed bill by State Sen. Tom Wyss (R-Fort Wayne) that would make it illegal to take or distribute pictures or video of a person’s private areas. The bill would establish the new crime of “Invasion of Privacy by Photography,” a Class A misdemeanor. A crime is committed if a person, with the intent to: (1) gratify the person’s sexual desires; (2) humiliate or embarrass the victim; or (3) publish, transmit, or disseminate the photograph; surreptitiously photographs the private area of an individual under circumstances in which a reasonable person would believe that the individual’s private area would not be visible to the public. The penalty is increased to a Class D felony if the person knowingly or intentionally publishes, transmits, or otherwise disseminates the photograph. [Source

US – Women Say Salon Filmed Them Naked

Two women claim they were surreptitiously photographed naked at a tanning salon, and their nude photos posted on “numerous pornographic websites.” The women sued Sunkissed Tanning and Spa and its owner in Westmoreland County Court. In separate but identical complaints, both women say they were longtime customers of the tanning spa in Mount Pleasant, Pa. They also sued its owner, Toni Tomei. Both women say the surreptitious filming happened in 2006, though they did not discover it until the summer of July 2010. Both say that Tomei “knew or should have known the aforesaid conduct was occurring on her premises, especially in light of the fact that the authorities previously investigated complaints of similar conduct in the past.” They seek punitive damages for negligence, privacy invasion and outrage. [Source]

Workplace Privacy

CA – B.C. NDP Screening Leadership Candidates to Head off Internet Embarrassments

Have you left a cringe-inducing impression on YouTube? Ever made intemperate remarks on a blog? Would all your tweets bear public scrutiny? B.C. NDP leadership hopefuls must hand over the keys to their social media accounts – their usernames and passwords – in a confidential questionnaire as the party aims to head off any e-embarrassments. The 23-question disclosure statement asks potential candidates to bare any legal troubles, past political affiliations or disagreements with party policy – any incidents that could be considered politically controversial. But it is the sweeping demands for access to any social-media activity that has taken some candidates aback. The New Democratic Party’s executive is asking each candidate: “Do you currently author or have you previously authored a blog? Please send all previous or existing blogs. Do you have a personal website or belong to any social networking sites such as Facebook? Do you have a Twitter account? Are there any photos or videos of you on YouTube or similar sites? Are there any photos or comments about you or by you on someone else’s sites?” The party also is demanding access to material that would-be candidates have posted in private forums. “Do any of your social-media sites have material ‘behind’ privacy settings? Please provide details including site URL and your username and password for all social networking sites to which you belong.” The 17-page disclosure allows the party executive the right to reject any candidate they deem unfit. It asks sweeping, cover-all-bases questions such as: “Is there any matter in which you were/are involved which has/may result in an accusation of impropriety or illegality, or an incident which if disclosed could cause embarrassment to you or the BC New Democratic Party?” [Source] See also: [US: A Site (Un)Seen: Using Social Media in Hiring Decisions] and [Calgary City staff face new online protocols: Social media caution urged] and [When monitoring needs meet privacy rights]

+++

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: