01-15 March 2011


CA – Canadian Air Passengers a Step Closer to U.S. Law After Bill Passes

The House of Commons passed a controversial private member’s bill that would force airlines to provide passenger information to the United States when they travel to American destinations or even pass through U.S. airspace. Bill C-42, introduced by Conservative House leader John Baird while he was transport minister, passed its third reading by a vote of 246 to 34. The NDP was the only party to vote against the proposed bill, which now moves to the Senate for consideration prior to royal assent. Opposition parties and civil liberties groups have said the proposed bill raises privacy concerns because Canadians’ personal information would be in American hands. The legislation is designed to amend Canada’s Aeronautics Act and essentially gives the U.S. the final say on who gets to travel on Canadian flights that pass over its airspace. Canadian airlines currently aren’t obligated to share flight information with the U.S. unless passengers are landing there. If made law, the bill would comply with American laws so that Canadian airlines would have to provide passenger information 72 hours before departure. U.S. Homeland Security officials would then screen travellers’ names, birthdates and sex information against lists of suspected terrorists, including the notorious American no-fly list. If a passenger shares the same name as someone on a no-fly list, he or she could be questioned, delayed or even stopped from boarding a flight. Last month, a British man was stuck in Canada for three days after he was barred from boarding a flight because his name was on a security threat list. Dawood Hepplewhite, 30, of Sheffield, England, said British High Commission consular officials had to intervene so he could leave Toronto. Hepplewhite’s name appeared on the U.S. no-fly list, and his flight from Toronto to England was scheduled to fly through U.S. airspace. Last month, the Canadian Civil Liberties Association said the government should disclose how Canadian passenger flight information will be shared with the U.S. “Canadian sovereignty has gone right out the window. You are going to be subject to American law,” Liberal transport critic Joe Volpe told Postmedia News when the bill was introduced. [Source]


US – ID Theft Tops List of Consumer Complaints

The Federal Trade Commission (FTC) yesterday released its list of the top consumer complaints for the year 2010, and identity theft tops the list for the 11th year in a row. According to an FTC press release, the commission received 250,854 complaints related to identity theft–19 percent of all of the complaints received. According to the Consumer Sentinel Network Data Book report, “government documents/benefit fraud” was the most common form of reported identity theft, and Florida is the state with the highest per capita rate of reported identity theft complaints. The category “Internet services” accounted for the third-highest number of complaints, with 65,565 reported to the FTC in 2010. [Source] [Text of Full Report

US – Study: Attitudes on Privacy Becoming Polarized

According to a Ponemon Institute study, 58% of social network users feel their privacy is less important to them than it was five years ago, while 53% of non-users said it is more important, msnbc.com reports. Ponemon Institute Founder Larry Ponemon, CIPP, called the findings surprising, adding, “The fact is there’s not a lot of complacency about privacy now. People are thinking about this.” Privacy expert Alessandro Aquisti says one reason for the polarization may be that the more people use social networks, “the more costly it becomes for others (who aren’t members) to be loyal to their views…That means some people’s right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy.” [Source] See also: [Why should I care about digital privacy?

WW – Study: Data Anonymity Changes Internet Users Minds

A PubMatic study asked about 500 Internet users how they feel about advertisers tracking their online activities. The study found that the anonymity of the data and how the data is used matters to respondents. Once respondents understood that only anonymous data was used for ad targeting, 40% changed their response from disapproving of the practice to approving of it. PubMatic’s vice president of marketing said, “Everyone knows the user’s privacy is paramount and that we provide a service to them. Understanding the how and the why changes everything.” [Source]


CA – Ontario Public Sector Must Go Beyond “Patchwork Adoption” of Open Government

Experts from the Office of Ontario’s Information and Privacy Commissioner (IPC) will make the case for taking a proactive approach at the 2011 Information Management and Access and Privacy Symposium at the Metro Toronto Convention Centre. Brian Beamish, Assistant Commissioner for Access, will discuss the benefits of Access by Design (AbD) as it relates to the open data and open government movement. The concept of AbD was developed by Commissioner Cavoukian to provide a set of fundamental principles that encourage a proactive approach to releasing government-held information. The objective is to foster a culture of transparency and accountability, where access is the default. [Symposium] [Source

CA – Ontario Could Let Cameras Capture Courtroom Dramas

Canadians have never been able to watch courtroom dramas unfold in their living rooms the way American viewers have come to expect. But now, Ontario, Canada’s largest court system and the only one in the country to specifically legislate a ban on cameras, is opening the door to delivering trials to the public via the small screen. In an interview with The Canadian Press, Ontario’s attorney general says he’s open to the idea of allowing cameras in courtrooms and says the time is right to canvas judges, Crown attorneys and defence lawyers on their opinions. “I’m interested in the views of people as to whether we should move forward,” Chris Bentley said. [Source

US – Man Pleads Guilty to Looking at Passport Files

The Justice Department has now netted a dozen convictions of State Department workers who looked at confidential passport records of celebrities in violation of privacy laws. Former State Department contractor Mark Carter of Upper Marlboro, Md., became the latest when he pleaded guilty to unauthorized computer access. The investigation began in 2008 after officials discovered access of files containing photos and personal information for then-presidential candidates Barack Obama, John McCain and Hillary Rodham Clinton. Federal agents found the unauthorized access extended well beyond politics. For example, Carter admitted he looked at the files for celebrities, musicians, actors, business leaders, a professional athlete, his colleagues and family members. He could face up to a year in prison and a $100,000 fine at sentencing Aug. 5. [Source] See also: [CA – Snooping Bureaucrats Get ‘Slap On The Wrist’

CA – Against Lawyer’s Advice, Toronto City Council Spent Over $250,000 on Legal Fees

Toronto city council has spent more than $250,000 pursuing a legal fight against the advice of its own lawyers, including $96,057 on a recent unsuccessful court case, according to confidential documents viewed by The Globe and Mail. The city’s top lawyer is recommending council abandon its quest for access to a database containing private information about residents, something the province’s privacy commissioner and two outside legal experts warned would violate privacy laws. The database legal saga began four years ago, when some councillors began pushing for “read-only” access to the Integrated Business Management System (IBMS,) which contains up-to-date information such as the status of permits, applications and inspections. The city’s legal department warned that granting councillors unfettered access to IBMS would violate privacy laws because the database includes the names and personal information of constituents. But if council votes this week to reject that advice, an appeal would cost at least another $35,000, the documents say. [Source

CA – Ottawa School Board Gets Personal

Ottawa-Carleton District School Board surveys asking students and their parents probing questions about home life, religious affiliation and sexual orientation are permitted under the Municipal Freedom of Information and Protection of Privacy Act and will go ahead unchanged in April and May, the board announced. Between April 18 and May 20, the board will survey the parents of students from junior kindergarten to Grade 6, while students in Grades 7 to 12 will be asked to complete the survey on their own. The Office of the Information and Privacy Commissioner of Ontario handed the board its final report. The board went to the commission to have its plans looked at in October, before those plans were made public. After a number of complaints were called into the commissioner’s office about the potential use of the information, potential errors, lack of anonymity and the process of withholding consent, a privacy investigation was launched. The report found that the information the survey hoped to glean was personal, but that it was OK to collect under the act because it was “necessary to the proper administration of a lawfully authorized activity.” The survey questions touch on a wide range of issues, including academic abilities, bullying, extracurricular activities, cultural backgrounds and language and religious affiliation.[Source

EU – Hackers Breach French Finance Ministry, Take G20 Files

The French Finance Ministry has confirmed that hackers infiltrated 170,000 of the agency’s computers in December and stole data related to the G20. The attack involved Trojan horses and was discovered in January, according to French Budget Minister Francois Baroin. Officials are investigating. [Source]


WW – Google Faces Second Privacy Lawsuit Over Gmail Content Scanning

Google is being sued for the second time over its practice of scanning Gmail message content to serve users ads relevant to the messages’ topics. The first lawsuit brought by a Texas man in November 2010, has been sealed. The new suit, on behalf of Kelly Michaels, focuses on Google’s Terms of Service agreement. The complaint claims that Google asks users to agree to its Terms of Service, but doesn’t ensure that the users understand what it is they are agreeing to. The Google Terms of Service agreement includes 92 paragraphs. The Google Program Policy and Privacy Policy are also separate entities; the Privacy Policy includes 55 external links. [Source

CA – Canadian Scientists Crack Code for Tracing Anonymous Emails

Engineers and computer scientists at Concordia University have cracked the code for tracing anonymous emails. For the first time, said data-mining expert Benjamin Fung, analysts have used the complex algorithms and almost imperceptible human quirks that make up the concept of “frequent pattern” to work out each person’s unique email fingerprint or “write-print.” “The people who wrote the email don’t even recognize what they are doing,” Fung told the Star. “One of the features we break down is vocabulary richness. That would be hard to increase quickly.” Other telltale evidence of the mystery writer can come from common grammatical mistakes, an unconscious extra space between each paragraph or patterns in punctuation. “We’ve collected thousands of features to find the different combinations,” Fung said. The combinations are the key. All of the suspects may misspell “consensus,” but not all of them misspell “consensus,” use commas instead of periods, and think “none” takes a plural verb. “Everyone has a unique combination. We see it as quite useful in criminal investigations.” The cyber-forensic tool, reported in the journal Digital Investigation, can ferret out the author of emails used for phishing, spamming, cyber bullying, email bombing, child pornography and sexual harassment, among others. The next stage of research will be to apply the data-mining method to the even shorter texts of instant messaging, chat rooms and social media, said Fung. [Source] See also: [Robert Soloway Exits Prison, Disavows ‘Spam King’ Ways] [Fighting Spam And Spyware Canadian Style – Part I – McCarthy Tetrault Analysis] and also: [IPv6 Shift Will Impede Spam Filtering

US – Cyber Attackers Release Internal Bank of America eMails

The group of hackers that calls itself Anonymous has released email messages that they say demonstrate fraud at Bank of America (BofA). The information appears to come from an unnamed whistleblower, a former employee of Balboa Insurance, which used to be owned by BofA. The emails indicate that the company withheld foreclosure information from regulators. [Source] [Source] [Source]


CA – Friends of Medicare Call for Better Protection After Unencrypted PHI Disappears

Friends of Medicare are calling for Alberta to write privacy protection into law after yet another unencrypted hard drive containing patient information went missing. Two surgery videos and 3,600 photos of wounds, lab specimens and dead infants, all labelled with the patients’ names, went missing during an office move at the Misericordia Hospital in January, Covenant Health announced. The external hard drive, about the size of a book, was put under a desk during the move and couldn’t be found a week and a half later. The files were not originals, only four of the files have birth dates attached, and none contain financial information, but the hard drive should have been encrypted, said Covenant Health president. “In this case, a staff member did not follow policy,” he said. “We have a very solid policy that just wasn’t followed.” The Office of the Information and Privacy Commissioner will be investigating, he added. [Source]

EU Developments 

EU – Reding Calls for “Right to be Forgotten”

The European Commission’s new rules for Internet user privacy should protect EU citizens no matter which country the data is stored in, said Justice Commissioner Viviane Reding. The Wall Street Journal reports that during a speech in Brussels today, Reding said the commission’s proposed rules–expected to be finalized this summer–should provide citizens the “right to be forgotten…When modernizing the legislation, I want to explicitly clarify that people shall have the right–and not only the ‘possibility’–to withdraw their consent to data processing,” Reding said. She also called for harmonization of EU data protection rules and for the burden of proof that data collection is necessary to rest on data controllers, not Web users. [WSJ

EU – US-EU Data Sharing Efforts Snagged by Privacy Oversight Debate

The United States-European Union high-level contact group for data sharing has begun converting shared data exchange principles into workable standards, said a Homeland Security Department official speaking March 2. But the collaboration effort has hit a roadblock in the area of privacy oversight. Europeans argue that the United States lacks an independent agency that is equivalent to the EU authority over data privacy. “One thing that has been of debate or discussion with the Europeans is this issue of independence,” said Mary Ellen Callahan, chief privacy officer at DHS, while speaking at an American Bar Association event in Washington, D.C. “So what does the independence of the data protection commissioners get you? It gets you the ability to review something ex post in an objective fashion.” Callahan argues that there are plenty of bodies conducting ex post review in the U.S. federal government—the Government Accountability Office, inspector generals and Congress–and creating more bureaucracy is unnecessary. One solution that could move the high-level contact group beyond this impasse would be for Congress to make the dormant Privacy and Civil Liberties Oversight Board more independent and give it a full staff, said Abraham Newman, a foreign service professor at Georgetown University. [Source

EU – Germany Adopts Telecom Breach Notification Requirements

The German government has adopted a draft law that revises the German Telecommunications Act to include breach notification requirements for telecommunications companies. The law brings Germany into alliance with the European e-Privacy Directive. Under the draft law, telecommunications companies are required to notify the federal data protection commissioner and the federal network agency about data breaches. The law also includes provisions requiring “providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked on location,” according to the report. [Hunton & Williams Privacy and Information Security Law Blog

EU – Irish Notification Requirements Didn’t Make Deadline

Data Protection Commissioner Billy Hawkes says a new code of practice that would have forced data breach notification cannot be enforced because it was not put it front of parliament before the last session’s dissolution. Hawkes said at a recent Irish Computer Society event that though he approved the code last year, it “does not have the force of law because the final step to give it such force was never taken,” the report states. Hawkes said, “the code of practice that exists now is not legally binding–it’s just strong recommendations.” He added that he would like to see penalties put in place to “complement” notification requirements. [Source

EU – French Decree Mandates Yearlong Data Retention

Internet service providers, video sites and other Web sites will be required to retain certain personal data on users for one year after account closure, according to a decree published in the official gazette. “Decree 2011-219 states that information provided upon contract subscription or account creation…must be kept,” the report states. Such information may include names, postal addresses, pseudonyms, phone numbers and passwords. “Web sites will also have to keep for one year after any content is published the user name, type of protocol used, nature, date and time of the operation,” according to the report. [Source

EU – Spanish Parliament Reduces DPA’s Penalties

The Spanish Data Protection Agency (DPA) is described as “one of the more enforcement-oriented DPAs in the EU,” but parliament has modified its penalty structure to lower many fines, the Hogan Lovells Chronicle of Data Protection reports. The main modifications include warning businesses and giving them a set amount of time to resolve breaches before fines would be levied and changes in the level of infringement for certain transfers of personal data, the report states. The modifications were announced in the wake of Europe’s highest court’s review of the DPA’s order that Google remove links to Web content due to privacy concerns. [Source

UK – New Camera Commissioner Could Cause Confusion, Says Privacy Watchdog

The Information Commissioner has warned that new plans for a Surveillance Camera Commissioner could result in confusion and conflicting regulation. The Government has proposed a new code of practice on the use of CCTV networks and traffic-monitoring automatic number plate recognition (ANPR) systems. The code will establish a new watchdog to ensure that it is followed, the Surveillance Camera Commissioner. The code was proposed by the Government’s Freedom Bill. In its evidence on that Bill to the Public Bill Committee, data protection regulator the Information Commissioner said that the appointment of another commissioner with some of the same duties as him could cause damaging confusion. [Source] See also: [UK: Unmanned spy drones and facial recognition cameras could soon be the norm]

Facts & Stats 

US – New Jersey Comptroller Finds Data on Machines Marked for Auction

An audit conducted by the Office of the New Jersey State Comptroller found that nearly 80 percent of retired state government computers headed for auction still contained sensitive personal data. The computers examined were being held at a state surplus property warehouse. New Jersey guidelines require that data be removed from hard drives before computers are sent to the warehouse. The audit was prompted by a number of arrests of warehouse employees. New Jersey state comptroller Matthew A. Boxer says that he believes it is likely that other machines containing data have already been sold because no outside agency had investigated the procedures before his office looked into the matter at the warehouse. [NYT] [GovTech] and also: [Solid State Drive Firmware Destroys Data

WW – Working On-The-Go Could Pose Privacy Threats

The ability to take work on the road via laptops, tablets and smartphones enabled for WiFi access is convenient, but these mobile offices are vulnerable to data breaches, The New York Times reports. According to a report by Symantec and the Ponemon Institute, such breaches are becoming more expensive. From leaving laptops in hotel rooms to using public WiFi to sharing information on social networks, experts detail the myriad risks to personal and business data. Prof. Betsy Page Sigman of Georgetown’s McDonough School of Business suggests, “You want to be overly cautious, especially if you are around a lot of competitors.” [Source

WW – Survey: Quick Responders Pay More for Breaches

InformationWeek reports that the cost of a data breach for a U.S. company continues to rise, reaching $7.2 million in 2010, an increase of 9% from the previous year. A Ponemon Institute study, published by Symantec, found that companies that responded to a breach rapidly paid more than companies that responded slowly. “Quick responders paid $268 per record, an increase of 22% from 2009, while organizations that took more time paid $174 per record, a decrease of 11% from 2009,” the report states. Negligence topped the list of data loss causes. [Source]


EU – Medical Malpractice Case at Heart of Legal Debate

A plastic surgeon who was cleared of wrongdoing in a criminal medical malpractice case 20 years ago is at the heart of a legal debate in a Spanish court. The case involves the Spanish data protection authority’s request for Google to remove from its search results links that go to a 1991 newspaper article about the surgeon’s troubles. Google is contesting the request, saying that to do so would be censorship. But “Spain has always taken an extremely strong line over privacy,” says a Barcelona lawyer, and now the European Court of Justice may become involved. [Source

WW – Google Remotely Removes Infected Apps from Android-based Devices

Google has begun using its “remote removal function” to purge infected apps from Android devices running versions prior to 2.2.2. About 50 apps were found to be infected with malware known as DroidDream; all have been removed from the Android Market. Google has also suspended the accounts of the developers believed to be responsible for the infected applications and plans to take legal action. [Source] [Source] [Source] [Source] [Source] [Source] and also: [Google Pulls Infected Apps From Android Marketplace

US – Legislative Subcommittee Approves Bill Nullifying Net Neutrality Rules

The House Energy and Commerce Committee Subcommittee on Communications and Technology has voted to nullify the Federal Communications Commission’s (FCC) net neutrality rules. The action was taken through the subcommittee’s approval of a bill that uses the Congressional Review Act. It now goes before the full committee. [Source] [Source]


EU – European Lawmakers Still Worried About Banking Data Security

Europe’s police force, Europol, has approved requests to send private citizens’ banking data to the U.S. Department of Treasury without sufficient consideration for data protection laws, according to an internal report. An official report on an investigation carried out by the organization’s Joint Supervisory Body (JSB) was made public by the German Commissioner for Data Protection and Freedom of Information. Since August 2010, the European Union has allowed European citizens’ financial data to be transferred to the U.S. under the Terrorist Finance Tracking Agreement, also known as the Swift agreement. However, one stricture of the accord specifies that the U.S. must “clearly substantiate the necessity of the data” in combating terrorism. The JSB inspection team was made up of seven data protection experts who found, that of the four requests made by the U.S. since the Swift pact was established, all were too abstract to allow proper verification for whether they comply with the accord. The report concludes that given the dearth of information, verifying whether the requests to date “are in line with the conditions of the agreement, is impossible.” Oral statements from the U.S. Treasury to Europol personnel had a bearing on the decisions, but even the JSB team has no knowledge of the content of those statements. Therefore it is impossible to tell whether omissions in the written requests were rectified by oral information, according to the report. This renders proper inspection by Europol’s Data Protection Office impossible, concluded the report. Giving Europol a role in implementing the controversial agreement was one of the concessions made to the European Parliament after it initially rejected the accord over concerns about civil liberties. On Wednesday these misgivings resurfaced. Parliamentarians said that Europol appears to be just rubberstamping requests for the transfer of bulk data, without any kind of scrutiny or oversight. Alexander Alvaro, Parliament’s rapporteur on the TFTP Agreement, called for “all relevant documents must be declassified.” “This report should send alarm bells ringing in Brussels,” added Sophie In’t Veld, vice-president of the parliamentary committee on civil liberties. “It would seem Europol has not been respecting the agreed data protection safeguards which we insisted upon as a condition for this agreement to go ahead. We need clarification on how these data transfers are being processed.” The Commission is due to publish its evaluation of the TFTP on March 17. [Source

CA – Canada Still Has More Work to do on Money Laundering: Report

An evaluation of Canada’s anti-money laundering and anti-terrorist financing regime over the past decade suggests government institutions still don’t share enough information among themselves. The report presented to the Finance Department by a private consulting firm Monday says a lack of proactive disclosures from Canada’s financial intelligence unit hampered efficiency. The report says the inefficiencies in the regime’s efforts related to the Financial Transactions and Reports Analysis Centre of Canada stem from the strict rules the agency has to operate under. The evaluation was mandated by the Treasury Board with its findings meant to contribute to an upcoming five-year parliamentary review of the Proceeds of Crime act. [Source]


CA – CAJ Opposes Proposed B.C. ‘Proactive’ Disclosure

The Canadian Association of Journalists has told the British Columbia government it opposes so-called proactive disclosure plans proposed for ministries and agencies because they will lead to fewer freedom-of-information requests. The Office of the Information and Privacy Commissioner for British Columbia was seeking input on proposed changes to legislation in B.C. that would, in part, require all FOI requests to be posted freely online after the requester had gone through the expense of filing the request. “The CAJ supports proactive disclosure. We’ve been advocating for more routine disclosure for years as part of our work promoting access to information and open government,” CAJ president Mary Agnes Welch said. “What the B.C. government is proposing is not proactive disclosure. This is still reactive disclosure, because it relies on a formal request being filed and a long and at times expensive legislated process.” In particular, the CAJ opposes the idea that someone who would file an FOI request, work through the red tape and pay at times exorbitant fees to see what they’ve asked for would see the fruits of that effort immediately posted online for all to see—before even receiving their own paper copy. If the province insists on continuing to charge these fees, then those paying them should have time-limited exclusive access to review what they paid for before a full public posting. [Source] [BC: Why David Hahn Has Investigative Reporters in a Tizzy] See also: [US: Lawmakers’ cell phones often out of public reach]


US – Researchers Present Study of Vulnerabilities in Cars’ Computer Systems

Researchers at the University of California, San Diego and the University of Washington have published a paper in which they say they have found ways to break into newer-model cars’ computer systems through Bluetooth and cellular network systems and through the diagnostic tools used by auto mechanics. The same researchers presented a study last year describing how they were able to shut off a car’s engine, lock the doors, turn off the brakes and falsify odometer readings. That attack required plugging a laptop into the car’s diagnostic system. The new paper focuses on remotely accessing a car’s computer system. The researchers, Stefan Savage and Yoshi Kohno, acknowledge that the attacks are challenging, but Savage noted that “When people first started connecting their PCs to the Internet, there wasn’t any threat and then over time it manifests. The automotive industry … has the benefit of the experience we went through.” [Source] [Source]

Health / Medical 

US: New App Gives Patients Instant Access to their Medical Records

University Health Care now offers a free application for students to access their medical information directly from their iPhones. MyChart, developed by Epic Systems Corporation, gives patients instant access to lab results, medications, immunizations and any other medical records. The smartphone app keeps record of interaction with any U care facility or physician as well. The program also serves as a reminder for any needed medical care. If a patient is due for a shot, checkup or any type of procedure, MyChart will alert the patient with a notification. Curtis Newman, director for the MyChart project, said the “ask my doctor” feature is a major bonus for students in particular. MyChart’s developer has yet to come out with technology in support of the Android or BlackBerry operating systems, but Newman said these will likely follow close behind. [Source] See also: [State AGs to Get HIPAA Training

US – OMB Reviews Information Disclosure Changes to HIPAA Privacy Rule

The Office of Management and Budget’s review of a Health and Human Services (HHS) proposal to extend the HIPAA privacy rule’s requirements to “include disclosures during the previous three years for treatment, payment and healthcare operations (TPO) if a healthcare provider uses an electronic health records (EHR) system.” The Medical Group Management Association is raising concerns about the plan, writing to HHS that the stipulation “that the TPO accounting is only required for those physician practices that have adopted an EHR suggests that the government believes TPO disclosures would be collected and stored on this one clinical system. This is simply not the case.” [Source

US – Study: HIPAA Laws May Have Borders, Ethics Don’t

It is a breach of ethics to post pictures of medical patients receiving treatment outside of the U.S., even if HIPAA laws don’t extend that far. That’s according to researchers in a recent Journal of Medical Internet Research study, who looked at 1,023 medical students’ Facebook pages and found 12 photos of patients being treated in developing countries. In the U.S., patients agree to be photographed after signing consent forms. But in developing countries, patients may feel that by signing such a form, they have a better chance at receiving care, says one of the study’s authors. “Use your moral and ethical compass,” she tells practitioners. “What if this was your child?” [Source]

Horror Stories 

US – CA Investigating Latest Health Net Data Breach

After Health Net, Inc. in California announced that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves “personal information for 1.9 million current and past enrollees nationwide.” The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan’s statement, saying that the missing records on nine servers are “for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.” “The DMHC has opened an investigation into Health Net’s security practices,” said DMHC spokesperson Lynne Randolph. “Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.” [Source] See also: [Health Canada mails details of marijuana users] and [Youth-only clinic delivers privacy patients crave] and also: [Privacy breaches found at Central Health] See also: [2010 Annual Study: U.S. Cost of a Data Breach – Ponemon/Symantec] 

US – Company Fined for Improper Document Disposal

The Office of the State of Illinois Director of Insurance’s has issued a decision to fine an insurance company for its improper disposal of private insurance documents. MetLife must pay a fine of $75,000 and provide credit fraud protection for those customers who may have been affected when a former sales office discarded clients’ personal documents in a dumpster without shredding them. The documents, which remained in the dumpster for up to four days, included such information as Social Security numbers, birth dates and account balances. [Source

US – Student Data Losses for Three Institutions

The State reports that the University of South Carolina has notified 31,000 current and former faculty, staff and students throughout its eight campuses about a breach that exposed their personal information–including Social Security numbers (SSNs). Meanwhile, at Missouri State University, the names and SSNs of 6,030 students of the College of Education were accidentally posted online and searchable through Google, reports SC Magazine. The university has worked with Google to remove the lists and is notifying those affected and offering them identity theft protection. In a separate incident, the Alaska Department of Education and Early Development is notifying students and parents that 89,000 students’ personal information was being temporarily stored on an external hard drive that was stolen from its Juneau headquarters. [Source

US – Blood Bank Loses Data on 300K

Cord Blood Registry (CBR), the world’s largest stem cell bank, has notified about 300,000 people that their data may have been have been exposed when storage tapes and a laptop were stolen from an employee’s locked car last December. According to CBR’s director of corporate communications, the tapes may have contained credit card numbers, driver’s license numbers or social security numbers but no medical information. CBR sent letters to affected people dated February 14 offering a year of free credit monitoring and assurances of better security practices in the future, but some are questioning why it took so long for them to notify people and why the data was not better protected. [Source

US – BCBS of Florida Mails Forms to Wrong Addresses

Blue Cross and Blue Shield of Florida (BCBSF) has alerted about 7,400 of its members that for three months it has been mailing explanation of benefits forms to old addresses. The error occurred when BCBSF converted to a new source of customer mailing address information. According to BCBSF, no Social Security numbers, dates of birth of financial information was exposed. The company has corrected the problem and notified all affected customers. [Source]

Identity Issues 

WW – Fingerprinting to Supplant Cookies?

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device’s properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It’s easier to opt out of fingerprint tracking than cookies, developers say; because the device’s fingerprint lasts as long as the device itself, opting-out must only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can “opt out of both tracking and targeting independently.” [Source

US – CA Zip Code Ruling Incites Flurry of Class Actions

In the month’s time since the California Supreme Court decided that zip codes are personal information, 106 class-action lawsuits have been filed. That’s because the presiding justices ruled that the law would apply retroactively, putting every retailer that has collected zip codes during credit card transactions since the Beverly-Song Act of 1971 at risk for liability. In a Privacy Advisor exclusive, experts discuss the potential implications of the Pineda v. Williams-Sonoma decision. Among them, Linda Woolley of the Direct Marketing Association says the case is “very troubling” and has “great implications for what marketers do in terms of data collection,” while Martin Abrams of the Center for Information Policy Leadership at Hunton & Williams says the court’s decision is the “wrong approach.” [Source]

Internet / WWW 

UK – UK ISPs to Clarify Traffic Management Policies

Major broadband providers in the UK will soon clarify their network traffic management practices. BT, Virgin Media and others have signed a voluntary code of practice saying they will provide consumers with clear information about when Internet connection speeds are slowed, why they are slowed, and what effect the throttling will likely have on consumers’ broadband service. The disclosures will also state whether the provider has arrangements with specific content providers to prioritize their traffic. [Source] [Source] [Source] See also: [AT&T to Impose Data Caps for Broadband Customers

US – Twitter, Facebook Still Reluctant to Join Free Speech Initiative

Three years ago, some of the world’s leading tech companies agreed to participate in the Global Network Initiative (GNI) – a code of conduct designed to protect online speech and privacy around the world. The initiative was originally launched in response to brewing tensions in China, where some Internet companies were accused of complying with government censorship policies in order to pursue profit-driven agendas. Today, the GNI can count corporations like Google, Microsoft and Yahoo among its prized members, but there are still some glaring omissions – including Facebook, and Twitter. According to its code of conduct, all initiative participants are required “to avoid or minimize the impact of government restrictions on freedom of expression,” while doing their best to protect user privacy whenever government regulations “compromise privacy in a manner inconsistent with internationally recognized laws and standards.” All companies and organizations are subject to evaluations from independent auditors, who determine whether or not their policies comply with the initiative’s objectives. [Source

US – Private WiFi Intended to Protect Consumers on Public WiFi Networks

Private Communications Corporation (PCC), a security technology company that protects personal data and information online, today announced the launch of Private WiFi®, its flagship Virtual Private Network (VPN) software. Private WiFi encrypts all data going into and out of a person’s computer to support online privacy, protect consumers’ identities and secure sensitive communications transmitted over the more than 400,000 known unencrypted WiFi networks or “hotspots” worldwide, according to JiWire. Microsoft’s 2010 U.S. Remote Working National Research findings suggest that more employees are working from public places, reporting 21% on a plane, 27% from a coffee shop and 37% on vacation. Consequently, users are increasingly taking advantage of WiFi networks in public places. In fact, the U.S. experienced a 17.3% growth in public Wi-Fi usage in 2010. Despite such rapid growth in public WiFi usage, many are unaware of the risks associated with transmitting information across unprotected public networks. [Source

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40% of WiFi users do not understand those settings and 16% are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source

WW – Report Forecasts Pros and Cons of the Cloud

Experts have suggested that 75% of senior business leaders believe that privacy and security concerns are the key impediments to the adoption of cloud computing, the Financial Times reports in an analysis piece on the benefits and risks of cloud computing for entities in the UK and EU. With the European Commission anticipating introducing data protection reforms later this year, the report stresses that “to comply with EU personal data requirements, the data controller needs to ensure that the security standards are appropriate, having regard to the nature of the personal data, the state of technological development and the cost of implementing particular measures.” [Source

EU – Cloud Provider: Legislation Required for Cloud Success, Census

“Legislation is an impediment” to the UK government’s G-Cloud initiative, say officials from Lockheed Martin, the largest provider of cloud services to the U.S. government. In the UK and Europe, data privacy laws prevent the movement of data outside the jurisdiction, which is “the antithesis of cloud computing’s concept.” For the cloud to succeed, privacy and confidentiality legislation will need to change, the report states. “Governments should all be updating their laws if they aren’t already,” said Melvin Greer, chief strategist for Lockheed Martin, adding that the UK government and the G-Cloud initiative “will have to deal with the concept of having a secure infrastructure…” [Source

WW – Google Street View Expands Off-Road Imagery

Google Street View has added more locations in the U.S. and around the world, the company revealed on its blog this week, thanks to a high-tech tricycle that’s filming public and private places that aren’t accessible by roads. In 2009, the company unveiled the “trike,” a modified bicycle with camera and surveying equipment mounted in the rear. For more than two years, the trike has been mapping bike paths, gardens and many other off-road areas around the world. “Some of the properties that we are currently interested in include zoos, parks, universities, amusement parks, outdoor marketplaces, stadiums, monuments, tourist destinations and race tracks (to name a few),” according to Google. “I feel like we’re just scratching the surface of what sorts of images our users want to see,” Google engineer Daniel Ratner, the trike’s inventor, told McClatchy news service. [Source]

Law Enforcement 

CA – Ontario Police Can Detect Computers Accessing Child Porn

Halton police say technology is helping them pinpoint predators in their war on child pornography. A one-second snapshot of Internet use on Wednesday morning showed six Oakville computers, seven in Burlington, four in Halton Hills and five in Milton were accessing child pornography sites at that moment, said Det.-Sgt. Brad Cook. Police also detected 158 computers in Halton that accessed child porn last month, he said. But Cook said police won’t reveal how they can track Internet traffic for fear of giving an upper hand to those who troll child porn sites. Police departments around the world are engaged in an evolving game of technological cat-and-mouse with web offenders. In 2005, Halton was one of several Canadian police departments that adopted the Microsoft Child Exploitation Tracking System (CETS). The CETS database acts as an information repository, helping officers organize data and share information across jurisdictions. Halton is among 18 police services across Ontario involved in a joint forces strategy to protect children from sexual abuse and exploitation. [Source] See also: [Ottawa man victim of Facebook, email scam] and [In Social Media Postings, a Trove for Investigators]


CA – IPC, ASU Partner on Applying Privacy by Design to Mobile Technologies

Ontario’s Information and Privacy Commissioner Ann Cavoukian and Arizona State University’s Privacy by Design Research Lab have released a new white paper that maps the way forward for achieving meaningful privacy protection in the mobile space. The new report builds on original research conducted by ASU’s new PbD Research Lab, which convened an expert panel of top executives from leading mobile organizations to identify privacy and security challenges in their rapidly-expanding field, and propose potential solutions, grounded in real-world experiences. Focusing on the solutions identified by this expert panel, The Roadmap for Privacy by Design in Mobile Communications outlines practical tools to help developers, service providers, and users achieve mobile privacy. [Source

CN – China to Track Its Citizens Using Cellphones

The Chinese government is planning to track Beijing’s 17-million mobile-phone users using their phones’ built-in GPS. The initiative is being sold as a way to curb traffic congestion, but human-rights campaigners worry the government will use the information to quell unrest. In a city infamous for its nine-day traffic jams, the “information platform of real-time citizen movement” would use signals from a mobile phone’s GPS to monitor traffic and track how residents were using the subway, bus lines and roads, according to the Chinese government’s website. Beijing’s inhabitants would be able to buy some of the data, helping them avoid bottlenecks as they moved through the city. Specific information about individuals would not be available. But some worry this latest announcement could be part of a larger plan to curtail dissent. Last year, China passed legislation making it illegal for the country’s 850 million cellphone users to register their SIM cards under a false name. “Certainly the use of the platform will not be limited to gathering traffic information. Officials in other areas, such as anti-terrorism and stability maintenance, will also find it useful.” There is no word on whether people will be able to opt out of the program, which is expected to launch in the first half of this year. [Source

CN – Mobile Phone Tracking Proposal Approved

An expert panel has approved plans to collect real-time location data on 17 million China Mobile subscribers to help resolve Beijing’s traffic problems. Under the program, phones’ locations will be registered with base stations then collected, aggregated and reviewed by transportation officers and city planners. The first phase of the Beijing Real-Time Travel Information Platform is expected to roll out in June. Once the program is up and running, the government plans to send the aggregated data back to citizens to help them make smart travel decisions. While the deputy director of social development said the data would only be used for traffic control–and mobile users’ privacy would be protected–the panel that approved the plan recommended linking the platform with city-management efforts in other government departments. [Source

EU – Industry Submits Code of Practice for Online Maps

Germany’s digital industry has submitted a voluntary code of privacy to the government in response to public concerns over services like Google’s Street View that publish images of residences online. The draft code of practice, submitted by a federation representing the industry, would establish a Web site disclosing information collected about German towns, explain how Germans can file objections to data gathering and offer links for complaints, the report states. Interior Minister Thomas de Maizière, who received the industry’s code, called it “a sign of greater transparency by German businesses and international corporations.” [Source]


LV – DPA Suspends Electronic Tax Service

Latvia’s data protection inspectorate has suspended the State Revenue Service’s tax return service due to privacy concerns. The inspectorate ordered a halt to the Electronic Declaration System due to the fact that “users who happen to know another person’s identity number can find out that person’s name, surname, address and other personal data,” the report states. The system will remain suspended until the revenue authority finds a way to control access. [Source]

Online Privacy 

EU – E.U. Privacy Directive Angers Start-Ups

U.K. start-ups have reacted angrily to the stance by the country’s Information Commissioner on the European e-Privacy Directive on web cookies which comes into effect in May. According to the E.U.’s Privacy and Electronic Communications Directive “explicit consent” must be collected from Internet users who are being tracked via cookies. The e-Privacy Directive was passed in Brussels in 2009. It comes into force on May 25. [Source] See also: [Peter Fleischer blog: Foggy thinking about the Right to Oblivion] See also: [Data Mining: How Companies Now Know Everything About You] and [New York Times: Tracking Users’ Web Footprints] and [Peer Swire paper: Social Networks, Privacy, and Freedom of Association] [Executive Summary] [Full report

WW – Consumer Group: Cookie Concerns Continue

An investigation by Which?, a consumer group, that points to difficulties for Internet users to manage local shared objects–more commonly known as Flash cookies–is sparking a push for stricter online legislation. The difficulties of removing local shared objects from hard drives and features comments by Sarah Kidner of Which?, who suggests, “If such practices are happening without the user’s knowledge, it is pretty serious and could be in contravention of data protection law.” A member of the group’s legal counsel says that “as the online behavioral advertising industry innovates to collect ever more data,” both the UK Information Commissioner’s Office and the EU need to address such technologies. [Source

US – Judge: Debt Agency Can’t Contact Woman on Facebook

A Florida debt collection agency has one less tool in its quiver for contacting debtors. A judge has ordered Mark One Financial LLC not to contact a debtor or her family or friends via Facebook. Attorney Billy Howard said in doing so, the company violated his client’s privacy and a provision of the state’s consumer protection law. He said that debt collectors are turning to social media increasingly to retrieve payments and, increasingly, debtors are looking for legal remedy. “It’s the beginning of an epidemic,” Howard said. [Source]

Other Jurisdictions 

NZ – Privacy Measures Removed to Help Quake Response

Privacy protections for taxpayers and other New Zealanders have been temporarily removed or amended to help the response to the Christchurch earthquake. Using controversial legislation put in place following last September’s quake, Earthquake Recovery Minister Gerry Brownlee has made an “Order in Council” allowing the Inland Revenue Department to share information with other Government agencies. A spokesman for Finance Minister Bill English said the order, which is in force until the end of October, was to allow processing of claims under the Government’s $130 million financial support package for Christchurch’s employers and workers, specifically the wage support subsidy. Information sharing for anything other than earthquake-related support would “absolutely” not occur. [Source

MY – Prime Minister: SMS to 4 Million Didn’t Violate Privacy

Malaysian Prime Minister Datuk Seri Najib Abdul Razak says he did not violate people’s personal privacy or the data protection law when he sent Chinese New Year messages to citizens. The four million messages were sent to three telecommunications companies for transmission, he said in response to inquiries. “The Prime Minister’s Office has ensured that the principle of personal data protection was not compromised and the terms and conditions of the companies were fully respected,” Najib said, adding that the prime minister had no access to any of the recipients’ personal data. [Source]

Privacy (US) 

US – Administration: Privacy Bill of Rights Needed

The Obama Administration is weighing in on the dialogue surrounding online privacy, and the consensus is that the time has come for baseline privacy legislation at the federal level. That was the focus at a Senate Commerce Committee hearing on consumer privacy. The Department of Commerce “has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers,” explained National Telecommunications and Information Administration Administrator Lawrence Strickling. This Daily Dashboard exclusive examines the testimony and reactions from legislators, industry and advocates at today’s hearing paired with expert opinions on a U.S. “privacy bill of rights.” [Source

US – Supreme Court Determines Corporations Are Not Persons

The U.S. Supreme Court has ruled that the term “personal privacy” does not extend to corporations. The 8-0 decision in FCC v. AT&T, which was prompted by an appellate court decision to extend a Freedom of Information Act exemption prohibiting the release of information that causes “unwarranted invasion of personal privacy” to corporations. In his opinion, Chief Justice John G. Roberts Jr. wrote, “We do not usually speak of personal characteristics, personal effects, personal correspondence, personal influence or personal tragedy as referring to corporations or other artificial entities. In fact, we often use the word ‘personal’ to mean precisely the opposite of business-related…” [Source

US – Bureau to Enforce Self-Regulatory Program

The Council of Better Business Bureaus plans to announce it will start enforcing its program to make online tracking more transparent and give consumers an easy way to opt out. In an effort to avoid government regulation, the council released self-regulatory principles in 2009 that require companies to “clearly explain how they track and use information about consumers’ Web activities,” the report states, including an icon that users can click on for information and to modify ad preferences. The council will employ 300,000 volunteers who will use software allowing them to view companies tracking their Web movements to be sure companies are complying. [Wall Street Journal

US – CDT Receives 2011 IAPP Privacy Leadership Award

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors treasurer Brendon Lynch, CIPP, said the CDT “is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties.” CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT board chairman Deidre Mulligan. [Source

US – FTC Settles With Online Ad Agency for Privacy Violation

The Federal Trade Commission said that it settled with online advertising provider Chitika for allegedly tracking online activities of users who had opted out of the company’s service. The consumer protection agency had been investigating Chitika for deceptive practices, it said. Between May 2008 and February 2010, the company allegedly placed cookies on the Web browsers of consumers who had explicitly asked to bar the tracking service from collecting information to be used for behavioral advertising. Chitika had stopped tracking those users for just 10 days and then resumed placing cookies on their browsers to target ads, the FTC said. The cookies are used to collect information about users, such as the searches they perform, items purchases and sites visited. In a settlement agreed to unanimously by the FTC, Chitika agreed to stop making misleading statements about the extend of its data collection and to extend to five years the period it is barred from tracking users to opt out of its service. Highlights from the settlement:

–          Every targeted ad by Chitika must include a hyperlink that takes consumers to a clear opt-out mechanism.

–          Chitika must destroy all identifiable user information collected about users who had opted out of the service.

–          Chitika must alert consumers who previously tried to opt out that their attempt was not effective and advise those users to opt out again to avoid targeted ads.

“The FTC investigated Chitika as part of its ongoing efforts to protect consumers’ privacy online,” the agency said in a release. “The FTC charged Chitika’s claims about its opt-out mechanism were deceptive and violated federal law.” [Source

US – Twitter Settles With Feds Over ‘09 Obama Hack

Twitter has settled a federal complaint over a pair of 2009 breaches in which hackers were able with relative ease to gain access to user accounts, including one used by President Barack Obama. The FTC had accused Twitter of promising privacy and security to users while, it alleged, protections were so lax hackers were able to take over accounts with little effort. The final consent order does not impose fines for what amounts to a truth in advertising violation. But it does require that Twitter tighten its security system, perform security audits every two years for the next decade and not make deceptive security claims. Twitter agreed to the punishments, but admitted no violation of law. Among the sloppy practices outlined in the FTC order:

  • From July 2006 to July 2009, nearly all Twitter employees had total access to the Twitter system, including the ability to reset passwords, read users’ direct messages and nonpublic tweets and send tweets in any user’s name.
  • Twitter employees used the public Twitter login page to get into these admin accounts and there were no controls on how strong such passwords had to be or how long they lasted. Twitter did not lock down accounts after multiple wrong password guesses.

On Jan. 4, 2009, a hacker took advantage of these flaws using an automated password guessing tool (a so-called dictionary attack) to figure out an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. Once in, the hacker reset passwords, passed them along to other hackers and sent out Tweets from the president’s account — one promised Obama’s followers $500 in free gasoline for filling out a survey — as well as from Fox News. [Source] [Source] [Source] [Source] [Source] See also: [Judge Denies Request to Throw Out Order Seeking Twitter Account Information

US – E-Commerce Site Makes Changes After Users Complain

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers’ purchase histories within user feedback posts. Etsy recently activated a “people search” tool allowing users to search for other users’ names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be “completely opt-in,” executives said. [Source] See also: [The Changing Meaning of “Personal Data” by William Baker and Anthony Matyjaszewski ]

Privacy Enhancing Technologies (PETs) 

WW – Microsoft Do-Not-Track Tool to Debut

Microsoft’s newest version of Internet Explorer is set to release with a do-not-track tool to help Internet users “keep their online habits from being monitored.” However, concerns persist as to whether self-regulatory approaches will work. Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission’s recommendation for such tools, highlighting “the pressure the industry faces to provide people with a way to control how they are tracked and targeted online” with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems “will only work if tracking companies agree to respect visitors’ requests,” and to date, none have publicly agreed. [The Wall Street Journal

US – U.S. Funding Tech Firms That Help Mideast Dissidents Evade Government Censors

The Obama administration may not be lending arms to dissidents in the Middle East, but it is offering aid in another critical way: helping them surf the Web anonymously as they seek to overthrow their governments. Federal agencies – such as the State Department, the Defense Department and the Broadcasting Board of Governors – have been funding a handful of technology firms that allow people to get online without being tracked or to visit news or social media sites that governments have blocked. Many of these little-known organizations – such as the Tor Project and UltraReach- are unabashedly supportive of the activists in the Middle East. [Source]


US – Walgreen Accused of Selling Patient Data

Walgreen Co is the target of class-action lawsuit related to how the company profits from customers’ prescription data. The suit claims that Walgreens deprives its customers of the “commercial value of their own prescription information,” by selling it to data mining companies. “We believe this information belongs to the patient who paid for the drug, not the pharmacy,” said a lawyer for the plaintiffs. Last week, a Pennsylvania man filed suit against another drugstore chain for similar activities, but that suit alleges the activity violated the privacy of consumers. [Source

US – Health System Installs Data Protection Technology

New Jersey’s Saint Barnabas Health Care System is rolling out a “major data loss prevention initiative that will enforce new content-control restrictions” on more than 10,000 computers used by the system’s staff. Software installed on each computer will enable policies on what kind of data they collect or what they e-mail, according to a spokesman for the healthcare system, and will be capable of recognizing what is patient information and what is “just a medical document,” he said. [Source] See also: [DLP Comes of Age]


US – Homeland Security Looked Into Covert Body Scans at Public Venues

The Homeland Security Department paid contractors millions of dollars to develop and study surveillance systems that could covertly track pedestrians and check under people’s clothing with airport-style body scanners as they enter train stations, bus depots or major events, newly released documents show. Two contracts the department signed in 2005 and 2006 were part of its effort to acquire technology to find suicide bombers in a crowd of moving people, according to documents given to the Electronic Privacy Information Center (EPIC), a privacy-rights group that is suing Homeland Security. The department dropped the projects in a “very early” phase after testing showed flaws. EPIC lawyer Ginger McCall says the project is disturbing nonetheless because it shows the department “obviously believed that this level of surveillance is acceptable when in fact it is not at all acceptable.” A $1.9 million contract with Rapiscan Systems, which makes airport body scanners, asked the company to develop similar machines for “covert inspection of moving subjects” and to find explosives on suicide bombers “through clothing, backpacks and other packages.” The contract was signed in 2005. Rapiscan’s airport body scanners require subjects to stand still while the machines create an image of passengers underneath their clothing to reveal hidden weapons. EPIC has sued the department to stop their use, saying the machines violate privacy. Rapiscan Vice President Peter Kant says the company gave Homeland Security a prototype machine designed “primarily for non-aviation settings” because it could scan people while they were moving. [Source 

US – Drivers May Lower Insurance Premiums by Getting Monitored

Progressive is one of a growing list of insurers with discounts for monitoring: Although the programs are voluntary, they’ve raised the eyebrows of privacy advocates. One worry is that the insurers eventually will make the monitoring mandatory. And while insurers say they information will only be used for discounts – not punitively – there is little to prevent them from “changing the rules down the line” says Robert Ellis Smith, publisher of Privacy Journal. And, he notes, some states have privacy laws that might ban such programs even if drivers are willing to opt in. Progressive says it is trying to protect privacy while delivering discounts. It notes that its device, for instance, doesn’t have GPS tracking, so it doesn’t know where a participant is driving. It also doesn’t monitor speed. He predicts the program, now available in 32 states, will appeal to drivers who feel they aren’t getting the discounts that their safe driving habits deserve. Insurance companies typically set rates based on accidents or tickets, but also on such factors as age, gender and ZIP code. [Source] See also: [US: ‘Black boxes’ common in US autos, but many drivers don’t know they’re there

WW – Cable, Satellite Test Targeted TV Ads

As cable and satellite providers test systems to target ads to specific households, The Wall Street Journal reports that data gatherers are compiling information on what viewers are watching with such personal data as prescription records to “emulate the sophisticated tracking widely used on people’s personal computers with new technology that reaches the living room.” However, some industry executives are raising privacy concerns, pointing to the push to regulate online tracking. Others say TV targeting is less intrusive, as it involves outside companies providing aggregated data without PII. The founder of one such company says they do not know who is sitting in front of any given TV, noting, “We don’t want to look in the window. It is a little spooky.” [Source]

Telecom / TV 

IN – RIM Hits India’s Email Demands

A top executive of BlackBerry-maker Research in Motion Ltd. said Indian security agencies are making “rather astonishing” demands for increased powers to monitor email and other data traffic, raising serious privacy issues that threaten to harm the country’s reputation with foreign investors. Robert Crow, vice president of industry and government relations for RIM, said India’s Home Ministry, which oversees domestic security, wants the ability to intercept in real time any communication on any Indian network—including BlackBerry’s highly secure corporate-email service—and get it in readable, plain-text format. Such a broad requirement raises the question of whether the government believes any communications are legally off-limits, he said, including email conversations of foreign ambassadors and financial records that get transmitted over secure telecommunications networks to Indian outsourcing companies. [Wall Street. Journal] [Source] See also: [Montreal city hall addresses BlackBerry privacy]

US Government Programs 

US – Proposed DOT Rule Invasion of Privacy, Says AIA

AIA is very concerned that a new rule proposed by the Transportation Department would constitute an unnecessary and undesirable invasion of privacy, hampering the mobility of citizens and companies. “The Block Aircraft Registration Request program functions much like a ‘Do Not Call’ list for private aircraft owners,” said AIA President and CEO Marion C. Blakey. “The rule that the FAA is proposing would strip away that right to privacy.” Currently, private aircraft owners can choose to have access to their private travel itineraries blocked to third parties. Through its Aircraft Situation Display Information and National Airspace System Status Information data, the FAA has all the information it needs to monitor the movement of legally registered aircraft for safety and security reasons. The rule proposed in Docket No. FAA-2011-0183 would make available the personal and business itineraries of law-abiding citizens to anyone requesting them, unless the aircraft owner could demonstrate a “Valid Security Concern.” American companies need to be able to operate and explore new business opportunities free from surveillance or competitive interference. For example, under the proposed rule, business competitors would be able to track the movements of private aircraft owners, making it easier to discern their proprietary business plans. “When Americans get in their cars, they don’t have to worry that strangers are able to follow their every movement,” said Blakey. “Why should citizens who fly their own aircraft be subject to such scrutiny?” [Source]

US Legislation 

US – Proposed Bill Would Put Curbs on Data Gathering

Senators John McCain (R-AZ) and John Kerry (D-MA) are the most recent federal legislators moving forward with plans for online privacy legislation. The Kerry-McCain proposal “would create the nation’s first comprehensive privacy law, covering personal data gathering across all industries,” The Wall Street Journal reports, with an “online privacy bill of rights…that would require companies to seek a person’s permission to share data about him with outsiders” and would pertain to such data as names and addresses to identification numbers and biometrics. “It would also establish a program to certify companies with high privacy standards” that would be allowed special provisions for selling personal data, the report states. [Source] See also: [WSJ Poll: Is Your Personal Info for Sale?] and also [Privacy in the Legislative Branch: A Quick Update

US – RI Legislators Seek to Protect SSNs

The Boston Globe reports on a push by two Rhode Island lawmakers to keep businesses from asking for the last four digits of customers’ Social Security numbers (SSNs). The new legislation follows an existing state prohibition on recording full Social Security numbers on personal checks, the report states. Sen. Dominick J. Ruggerio (D-North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton) have introduced bills seeking to end a practice where businesses may record partial SSNs, noting an entire number can be determined from those few digits. [Source

US – Drug Database Passed in South Carolina

South Carolina has joined nine other states in passing a law to adopt a national database for tracking the sale of pseudoephedrine, which can be used to make methamphetamines. While pharmacies throughout the state have been recording purchases, National Precursor Log Exchange (NPLex) allows states to share information. Privacy advocacy groups are not “watching NPLex,” says the report, but when “personal information is collected into a database, there is always a chance of some secondary use,” said Tena Friery of Privacy Rights Clearinghouse. Meanwhile, an Arkansas Senate panel is backing legislation to create a statewide database for tracking some prescription drug purchases. [Source 

U.S. – Bill Would Make It Illegal to Take a Picture of a Farm

The days of photographing picturesque farm landscapes will be a thing of the past if a new U.S. bill passes. The legislation, moved by Florida senator Jim Norman, would make it a felony to take photos or videos of farms without written permission from the owners. The bill does not explain the reasons behind it. It is a move that has Canadian farming groups scratching their heads. “We’re going the opposite way of this legislation,” said Crystal Mackay, executive director of Ontario Farm Animal Council. “We encourage farmers to open their barn doors. We’re here to have a conversation with you.” A similar bill was put forward in Iowa, but that one focuses on making it illegal for people to shoot undercover videos and gain access to farming facilities under false pretenses. The Iowa legislation is in response to animal activist groups, which have released videos taken from inside farming facilities, said Iowa Senator Sandy Greiner. [Source]

Workplace Privacy 

US – Employee Fired for F-Bomb Tweet on Chrysler Account

An employee of Chrysler Group LLC’s social media agency has been fired after it was discovered the person dropped the f-bomb in a tweet on the Chrysler brand’s official account. The message has since been removed from the account, but the offending quip has been re-tweeted by some Twitter users. The Auburn Hills-based carmaker posted a response on its official blog apologizing for the actions of the New Media Strategies employee. “Chrysler Group and its brands do not tolerate inappropriate language or behaviour, and apologize to anyone who may have been offended by this communication,” the post read. The blog also confirmed an employee at NMS had been fired for the Motown diss. [Source

CA – Probe Into Request for Leadership Candidates’ Social-Media Passwords Continues

British Columbia’s privacy commissioner says she isn’t backing off her investigation of a request by the B.C. NDP for party leadership candidates to provide social-media passwords even though a high-profile dispute on the issue has been resolved. Elizabeth Denham said that she is pleased that MLA Nicholas Simons has reached a compromise with the party, which is poring over candidate sites to look for embarrassing information. However, she said she worries about similar requests, which may be at odds with provincial privacy legislation. “This is a teachable moment for other organizations.” [Source] [Leadership candidate rebuffs B.C. NDP request for social media passwords]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: