16-31 March 2011

Biometrics 

EU – NL Court Upholds Passport Fingerprint Demand

The Hague city council is within its rights to refuse to issue a passport to a woman who refused to give her fingerprints, a court has ruled. The court backed the council because fingerprints are required by law. The woman refused to comply because they will be stored in a database and used to track criminals. The woman argued this infringed her right to privacy and her human rights. In February, the Volkskrant reported a majority of MPs oppose plans to store fingerprint details from new biometric passports in a central data bank which will be accessible to police. The plan has already been attacked by lawyers and privacy experts. Even the security service AIVD warned that the data bank would be vulnerable to hackers and identity theft. [Source]

EU – EDPS Issues Opinion on Turbine (TrUsted Revocable Biometric IdeNtitiEs) Project

The European Data Protection Supervisor finds that the Turbine biometrics project is implementing “privacy by design” as a key principle in its research (e.g. by complying with the data protection legislation in Norway and Italy for both the proprietary and public databases used, and by notifying the data protection authorities in Germany and Greece for the “real-life” scenario demonstrations that were conducted); the implementation of two features, irreversibility and revocability of biometric identification, was an acceptable, privacy-compliant solution (e.g. they met the Regulation 45/2001 requirements of legitimate, not excessive, and relevant collection and accuracy). A list of 10 best practices in the context of the use of biometric data was developed (e.g. user control over biometric data by default, credential check, deletion of samples and original templates, and fall-back procedures). Volunteers provided written consent for the collection of their biometric data; those involved in the enrollment process were provided with training that emphasised the importance of data protection both prior to and during the enrollment phase. [Source]

CA – OPC Issues Paper on Biometrics and the Challenges to Privacy

The privacy challenges of biometrics include covert collection (e.g. gathering images of people’s eyes from a distance), cross-matching (e.g. collecting a fingerprint for one purpose and using it for a different purpose without the person’s knowledge and consent), and secondary information (e.g. iris images used for authentication can divulge health information). Organisations looking to deploy a biometric system should do the following – build privacy solutions into all stages of the lifecycle of the initiative, conduct a privacy impact assessment, and administer a four-part test of necessity (e.g. what specific problem is being solved), effectiveness (e.g. some biometrics may not be counted on for identification because they are neither permanent nor unique), proportionality (e.g. the loss of privacy may not be appropriate if the benefit is minor, and some biometrics are more privacy-sensitive than others), and alternatives (e.g. some forms of authentication that do not collect biometrics may work for certain tasks). Privacy principles to be considered are recording just the summary information of biometric data (e.g. using biometric encryption, cancellable biometrics or biometric tokens), verification rather than identification (e.g. a “one-to-one” match versus a “one-to-many” match), and using local storage (e.g. individual computer systems or smart cards) rather than centralized storage. [Data At Your Fingertips: Biometrics and the Challenges to Privacy]
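The “one-to-one versus one-to-many” principle above is easier to see in code. The following is an added example, not part of the OPC paper: it models templates as constructed bit strings compared by Hamming distance, contrasts verification (compare only against the claimed identity) with identification (search every enrolled template), and adds a small calculation, assuming independent comparisons, of how the chance of at least one false match grows with the size of the database searched. Subject names, templates and the threshold are all constructed for illustration.

```python
# Added example (not from the OPC paper): one-to-one verification versus
# one-to-many identification over constructed bit-string templates.

def hamming_distance(a: str, b: str) -> int:
    """Number of differing bit positions between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b))

# Constructed enrolment database: subject id -> 16-bit template (illustrative only).
ENROLLED = {
    "alice": "1010110011010010",
    "bob":   "0110001110101100",
    "carol": "1111000011110000",
}

THRESHOLD = 3  # constructed: accept a match when at most 3 bits differ

def verify(claimed_id: str, probe: str, db=ENROLLED, threshold=THRESHOLD) -> bool:
    """One-to-one: compare the probe only with the template of the claimed identity.
    Nothing else in the database is touched, which limits what a match reveals."""
    stored = db.get(claimed_id)
    if stored is None:
        return False
    return hamming_distance(probe, stored) <= threshold

def identify(probe: str, db=ENROLLED, threshold=THRESHOLD) -> list:
    """One-to-many: search every template; returns every id within the threshold.
    Each extra template is one more chance of a false match against a stranger."""
    return [sid for sid, template in db.items()
            if hamming_distance(probe, template) <= threshold]

def false_match_probability(per_comparison_fmr: float, db_size: int) -> float:
    """Probability that a one-to-many search over db_size templates yields at least
    one false match, assuming independent comparisons with the given per-comparison
    false match rate: 1 - (1 - fmr) ** N. This is why identification exposure grows
    with database size while verification does not."""
    return 1.0 - (1.0 - per_comparison_fmr) ** db_size

if __name__ == "__main__":
    # Constructed probe: alice's template with the last two bits flipped.
    probe = "1010110011010001"
    print("verify alice:", verify("alice", probe))      # True
    print("verify bob:", verify("bob", probe))          # False
    print("identify:", identify(probe))                 # ['alice']
    print("P(false match), fmr=0.001, N=1000:",
          round(false_match_probability(0.001, 1000), 3))  # 0.632
```

Real systems use far richer templates and matchers, but the structural point is the same: a verification deployment only ever answers “is this the person they claim to be?”, whereas an identification deployment answers “who is this?” and must compare against everyone enrolled.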

EU – Wolverton: ‘Eye Tracking’ May Be Coming to Your Computer

A Swedish company has unveiled a new system to track what users are viewing on a computer screen based on eye movement. Though eye-tracking technology has existed for some time now, it has primarily been used for academic and market research, for example, and has required people to wear special equipment. Tobii Technology plans to build eye-tracking—which beams low levels of infrared light into the user’s eye to work in tandem with sensors to track the reflection of the light and gauge a user’s point of focus—into the average computer. Still at the prototype development stage, the mainstream system is expected within a few years. [Source]

Canada 

CA – Air-Travel Bill Flies in Senate

An air-travel security bill that critics initially slammed as an infringement on passenger privacy and a surrendering of Canadian authority to the U.S. Department of Homeland Security has passed third reading in the Senate, winning support for an amended version of the legislation from both Conservative and Liberal members. The passage of Bill C-42 means personal information about Canadian passengers travelling to the U.S. or through U.S. airspace (including name, gender and birthdate) can now be shared with American authorities to determine whether any individual poses a threat to U.S. national security. Conservative Sen. Michael MacDonald said during a recent debate that the bill “will allow Canadian air carriers to comply with the law of another country —a law which, I might add, all nations, including the United States and Canada, are perfectly within their rights to implement.” Liberal Sen. Wilfred Moore said that while the bill initially sparked “great concerns” among Liberals, subsequent amendments to limit the use of passenger information and how long it will be kept by U.S. authorities have allayed such worries. [Source]

CA – Court Says There’s No Tort of Invasion of Privacy in Ontario

The Ontario Superior Court of Justice has released a decision in Jones v. Tsige, 2011 ONSC 1475, which states, clearly and without ambiguity, that there is no free-standing tort of invasion of privacy in Ontario. The facts involve a claim against an employee of a bank who reviewed the plaintiff’s confidential banking records on at least 174 occasions. Whitaker J. canvassed a number of authorities, including the well-known case of Somwar v MacDonalds, but concluded that there is no such tort. The Court notes that the plaintiff had a remedy under PIPEDA. [Source] [Source] [Decision]

CA – OIPC BC Investigation Report F11-01 – British Columbia Lottery Corporation

The Commissioner determines that the BCLC security breach (individuals were able to view the personal information (“PI”) of other customers when they logged into the online platform) was not one that it could have reasonably prevented. An investigation into the online gaming platform revealed data collection issues (BCLC collected PI from potential customers to verify identity, and sensitive registration information collected once the account is created is transmitted unencrypted), an information systems security policy deficiency (the policy had not been formally reviewed since 2005), policy training inadequacy (the individuals who attended the sessions were not formally tracked and a number had not attended training), access control problems (a small number of user accounts belonging to users who no longer required access were found on the production systems), no patch management (no patches since the environment was frozen in 2010 during the launch of casino games) and inadequate third-party contracts (these do not require the service providers to adhere to BCLC security policies and procedures, including privacy requirements). BCLC took steps to resolve the security issues. [Press Release] [Investigation Report]

CA – Powers and Functions of the Ombudsman in PIPEDA: An Effectiveness Study

In this research document commissioned by the Office of the Privacy Commissioner of Canada, the authors recommend (1) extending the limits of the Ombuds Model to small and medium businesses – the current model does not appear to be well suited to the small and medium business sector, where compliance rates are lower and where the risks to personal information are greater, and (2) granting limited order-making powers – compliance levels with PIPEDA remain too low, and the risk that consumers face with their personal information in the hands of small and medium-sized businesses is too high; however, the OPC at this point does not need broad and intrusive powers, such as cessation orders. [Source]

CA – OPC Tables Report on Privacy Implications of Street-Level Imaging Applications

The Canadian Federal Privacy Commissioner has tabled a report before the Standing Committee on Access to Information, Privacy and Ethics. Recommendations for technological innovators are to implement “privacy by design” into the development of new products and consult with the Privacy Commissioner to ensure privacy rights are protected; privacy protection needs to be a core consideration at the development stage, and two companies that deployed street-level imaging technology are moving in the right direction by appointing a Director of Privacy, mandating privacy training for employees and incorporating audits for projects under development. The Privacy Commissioner has made recommendations regarding street-level imaging technology, including notifying citizens in advance that images are being taken and why, blurring faces and license plates to anonymize individuals (this technology needs to be improved), effective and quick take-down processes (so individuals can have their images removed), and not retaining raw data indefinitely (one company agreed to delete unblurred imagery after one year). [Report]

CA – CAPAPA Appoints New Board Members

CAPAPA (Canadian Association of Professional Access and Privacy Administrators), Canada’s leading association of privacy and access professionals, has announced the appointment of four new directors to its Board. The CAPAPA Board of Directors now includes Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa; Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship and Immigration Canada; lawyer, consultant and author Michael Power; and Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc. CAPAPA is now represented by a most distinguished group of Directors, from British Columbia to Newfoundland and Labrador:

1. Robert Doherty, Privacy lawyer and consultant

2. Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship & Immigration Canada

3. Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc.

4. Eric Lawton, Senior Privacy Specialist, Risk Management & Information Security, City of Toronto and Director of Professional Certification, CAPAPA

5. George Michelau, Assistant Director of Education, Labrador School Board

6. Sharon Polsky, President, Amina Corporation and National Chair, CAPAPA

7. Michael Power, LL.B., Barrister and Solicitor

8. Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa [Source]

Consumer 

US – Research: Users Read Labels, Not Policies

Kashmir Hill writes in Forbes about the work of a team of Carnegie Mellon researchers to come up with a new format for informing Internet users about their privacy. Quoting recent comments by Lawrence Strickling of the Department of Commerce that privacy policies that are “lengthy, dense and legalistic…do not appear to be effective in informing consumers of their online privacy choices,” Hill examines the researchers’ “nutrition label” approach to online privacy. Citing a 2009 study, the researchers “found that people demonstrated a better grasp of a company’s treatment of their data based on a ‘privacy label’ than a text version of a privacy policy,” the report states. [Source] [Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach]

E-Government 

CA – Federal Government Launches Pilot Open Data Portal

The Government of Canada has launched a one-stop shop for federal government datasets, which might inspire provinces to join the open data space. But the licence agreement may present obstacles for individuals, businesses and organizations. The GC Open Data Portal, available at data.gc.ca, launched as a 12-month pilot project that promises a catalogue of over 260,000 datasets from 10 federal departments. The government plans to increase the number of datasets and the number of participating departments over the 12-month pilot phase, according to a Treasury Board press release. “The GC Open Data Portal is a catalogue of federal government datasets that are available for users, developers and data suppliers to find, evaluate, access, visualize and reuse federal government data,” states the online FAQ. The catalogue can be searched with keywords or browsed by categories. The data is available free of charge to the public for commercial and non-commercial use, under certain licensing conditions. Section 3 of the licence agreement prohibits the use of data for identifying individuals, businesses and organizations. “That whole clause is unprecedented … it can’t be found anywhere on other open data portals and I think it pretty much renders a lot of the data useless,” said public policy entrepreneur and open government activist David Eaves. Eaves’ other concerns are two clauses in Section 4, which stipulate attribution notices. The government is also encouraging feedback from the public, noted Eaves. This provides an opportunity for developers, for example, to let the government know what datasets they want added to the catalogue, what formats are frustrating to work with and which datasets aren’t updated often enough.
The 10 departments participating in the pilot phase include: Agriculture and Agri-Food Canada, Citizenship and Immigration Canada, Environment Canada, Department of Finance Canada, Fisheries and Oceans Canada, Library and Archives Canada, Natural Resources Canada, Statistics Canada, Transport Canada and the Treasury Board Secretariat. [Source]

US – Two Years After Open Records Order, Agencies Still Use Baffling Delays and Denials

One government agency is still trying to find correspondence for a political reporter between federal officials there and prospective presidential candidates — from the 2008 election. Another censored 194 pages of internal e-mails about President Barack Obama’s new rules on open government. Another agreed to hand over records of travel expenses then changed its mind and refused to turn them over. Two years after Obama pledged to reverse the Bush administration’s penchant for secrecy and comply more closely with the U.S. Freedom of Information Act, The Associated Press grapples with many of the same frustrating roadblocks and head-scratching inconsistencies. Exasperating delays and denials also affect ordinary citizens, researchers and businesses, and they frustrate the administration’s goal to be the most transparent in history. [Source]

E-Mail 

WW – Google Makes Ads Relevant by “Learning” on Gmail – Concerns for Privacy?

Google will begin trying out a new intelligent ad system which “reads” your emails, learning from your messaging habits and interests to generate useful ad content, special offers and deals local to the individual Gmail user. The plan is currently in effect, starting this month on a small scale, and Google plans to take this worldwide within a short space of time. Gmail users will receive a prompt informing them of the change, which is made without a choice, but the possibility to opt out of the new “personalised” ads will be available in the account settings. It’s likely many people will indeed choose to opt out out of concern for privacy. However, Google does claim the ads will be generated from an automated system and no human eyes will be privy to your personal emails. Google also says no third-party advertiser will receive private information. [Source] See also: [Spam Volume Drops by One-Third Following Rustock Takedown]

Electronic Records 

CA – Manitoba Launches E-Health Records

The Government of Manitoba has officially launched the first phase of its new e-health record system at seven health centres and hospitals across the province. The initial rollout of the eChart Manitoba system gives doctors the ability to view demographic, immunization and drug information. It also gives physicians access to select lab results. Over the next 18 months, up to 30 sites will be phased into the project, with a second phase of eChart expected to go live before the end of 2011. With that update, doctors will be able to access diagnostic imaging reports and allergy information, and more lab data sources will be added. The second phase will also allow doctors already running approved e-health software to integrate with eChart. [Source] See also: [FTC: Medical Identity Theft – FAQs for Health Care Providers and Health Plans]

Encryption 

WW – Fraudulent Certificates Issued for Major Websites

Nine valid but fraudulent certificates have been issued for major Internet sites – including Google mail, Microsoft Live, and Yahoo – raising the possibility of undetectable phishing, man-in-the-middle and drive-by download attacks, multiple advisories stated. The secure sockets layer (SSL) certificates, issued by root certificate authority Comodo, allow the attackers to sign fraudulent sites and content. The certificates were issued because of a compromise at a registration authority (RA) using stolen log-in credentials for one of Comodo’s European partners, according to the company’s report on the incident. [Source] Comodo has revoked the stolen certificates. [Internet Storm Center] [Internet Storm Center] [eWeek] [CNET] Update: [Comodo Says Two More Registration Authorities Were Compromised] [Iranian hacker claims he acted alone in stealing digital SSL certificates]

WW – Twitter Offers Automatic Secure Connection Option

Twitter now offers users the option of always connecting to Twitter.com with HTTPS, which encrypts communication between the users’ computers and Twitter’s servers and helps prevent attackers from stealing sensitive data. Before the change, users who wanted to connect to Twitter securely had to enter HTTPS manually in the browser bar, but now they can configure their accounts so they are automatically connected with HTTPS. It is an especially good idea for people who access their Twitter accounts over unsecured wireless connections. Twitter’s mobile website still requires users to manually enter HTTPS. Twitter hopes eventually to make HTTPS the default setting. [Source] [Source] [Source] [Source] [Source]

EU Developments 

EU – Reding Outlines Data Privacy Plans for Companies in Europe

European information society and media commissioner Viviane Reding has warned companies operating in the EU that they will face court action if they break forthcoming European data laws. Reding, who is currently preparing the new laws, warned that the EU would not hesitate to take action against non-EU companies that broke local laws on data collection and retention. “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers,” she said. She explained that EU law would be based on four central principles. Firstly, citizens had to have a “right to be forgotten”, to opt out of data collection and for those companies collecting it to prove a need to store the information. Second, companies will have to be transparent on what data they are collecting and with whom it is shared. This was particularly important for young people on social networking sites she said. “The third pillar is ‘privacy by default’. Privacy settings often require considerable operational effort in order to be put in place,” she said. Finally, these laws must protect all EU citizens no matter where they are in the world. For example, third-party telecommunications companies would be bound by them whenever they processed data from an EU account. The other area that needs attention is law enforcement. Reding proposed that these same rules should apply to law enforcement organisations that were seeking to access commercial data as part of ongoing investigations. Legislative proposals on the new data protection rules would be released this summer, she said. [Source] See also: [EU Consultation document] [Google, Internet Companies Face Too Many Privacy Rules, U.S. Official Says] [Wall Street Journal: US, EU Seek To Guard Personal Data Exchanged During Crime, Terror Efforts]

UK – UK Responds to Call for Evidence on the Data Protection Legislative Framework

Responses to the call for evidence included confusion regarding whether anonymous data, IP addresses, and energy consumption are classified as personal data (“PD”); advancements in technology have led to uncertainties about whether certain data should be treated as sensitive PD (e.g. biometric information that could reveal race or health condition). Most respondents took compliance with subject access requests (“SARs”) seriously (e.g. through the use of “in-house specialists”, ensuring SARs were dealt with in a timely manner and keeping a log of SAR complaints); much of the organisational burden of dealing with SARs relates to locating the information requested, the expense of redacting the relevant information from multiple audio, video and digital data sources, and the legislative requirement to retain PD for a specific period. Many data controllers thought that mandatory data breach notification would lead to “notification fatigue” (e.g. when data subjects no longer take notice of data breaches due to the volume of notifications); respondents had difficulty in quantifying mandatory breach notification costs, citing that it would depend on the type of breach and a number of different costs (e.g. drafting and sending of notices, using data protection experts and establishing help lines). Many respondents would like to see clearer guidance from the ICO regarding consent in relation to certain disciplines (e.g. employment and medicine); it is generally thought that data subjects do not read fair processing notices in detail (e.g. they are too long and difficult to understand), so notices should use simple, plain language and be placed at the top of the form. [Source]

EU – French Regulator Fines Google Over Street View Data Collection

France’s National Commission for Information Freedom (CNIL) has fined Google 100,000 Euros (US $142,000) for the company’s inadvertent collection of personal data from unprotected Wi-Fi networks. (Google collected the data while gathering information for its Street View maps feature.) CNIL called Google’s activity an “unfair collection” of data and maintains that Google benefitted financially from the information it collected. [Source] [Source] [Source] [Source]

EU – German Court Rules Google Street View is Legal

Perhaps no Google product has spawned a better blend of quirkiness and scandal than Google Street View–cameras pranked with staged sword battles, naked men emerging from car trunks, unsavory snapshots of dead bodies, and the ire of multiple governments, primarily in Europe, who believe that it’s an invasion of privacy. But in one of those countries, Germany, Google Street View has had a victory of sorts. A Berlin court has ruled, according to Deutsche Welle, that it’s legal for Google to take the street-level pictures, striking down a lawsuit brought by a German woman who sued Google over Street View and cited privacy and property rights. The case is complicated, because the woman who sued did so over the possibility that her privacy might be invaded–e.g. if Google Street View happened to take photos of the front of her house, and the camera on top of the Google Street View vehicle would see over the hedge in front of it. So the decision’s scope may be limited, and subsequently may not be invoked as frequently in property rights cases. The German lawsuit is certainly not the most bizarre one that Google Street View has produced: last year, a Japanese woman sued Google and claimed that Street View had exposed her underwear drying on a clothesline, something which she then said caused her to lose her job. [Source]

EU – German Government Budgets 10 Million EUR to Set Up Data Protection Foundation

Federal DPA Issues Concept Paper: On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”); among its tasks, the Foundation will test products and services for data protection compliance, educate citizens to help improve “self” data protection, conduct research activities, and establish a data protection seal. [Hunton & Williams LLP]

EU – Czech Court Bans Telephone Data Retention

The Czech Republic’s Constitutional Court has overturned parts of a law that force telephone operators to retain data on telephone calls and Internet traffic. The court said the practice is unconstitutional. It says the provisions ordering data on all calls, faxes, text messages and e-mail exchanges to be retained for six months enabled a “massive” invasion into citizens’ rights and were not in line with the rule of law. Fifty-one lawmakers of Parliament appealed to the court to overturn the law, which was passed as part of anti-terrorism efforts. Germany’s Federal Constitutional Court issued a similar ruling last year. The law stems from a European Union directive. [Source]

Facts & Stats 

US – OMB Report on Federal Agency FISMA Compliance

According to the Fiscal Year 2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, cyber attacks against federal networks increased 40% in 2010. Agencies reported nearly 42,000 cyber incidents in 2010; in 2009, 30,000 incidents were reported. The report from the Office of Management and Budget (OMB) details agency compliance with Federal Information Security Management Act (FISMA) mandates. The report notes that agencies are beginning to deploy real-time scanners to monitor anomalies. The report says that 66% of IT assets at major federal agencies have automated surveillance tools. Most of the agencies are not using smart cards for system access, despite it being a requirement. As of October 1, 2011, agencies that have not installed electronic ID card readers on facilities and systems will have funds for other projects denied. [Source] [Report]

Filtering 

WW – Google Claims Chinese Government is Interfering with Gmail

Google says that Chinese authorities are interfering with its Gmail service. Gmail users are reporting difficulty using the webmail service in that country. Google says the interference appears to have been designed to make it look like the problems are in Google’s own systems, but the company has conducted thorough checks and found no problems on its side. [Source] [Source]

WW – Facebook Traffic on AT&T Servers Detoured Through China

Internet traffic from AT&T servers bound for Facebook detoured through servers in China and South Korea, according to researcher Barrett Lyon. Lyon discovered the traffic’s path using traceroute. In his blog, Lyon calls the detour a routing mistake, and notes that the incident raises a number of questions, including whether the events constitute a privacy breach, whether Facebook should have notified users that their information was being sent over a network that might not be trustworthy, and whether Facebook should enable SSL by default on all accounts. [Source] [Source]
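Lyon found the detour by reading traceroute output by hand. As an added example (not Lyon’s code or data), the block below shows how a defender can automate that review: it parses standard traceroute output, geolocates each responding hop with a small prefix-to-country table standing in for a real GeoIP/ASN lookup, and flags hops that fall outside an expected set of countries or show a sudden round-trip-time jump over the previous hop. The traceroute text and the prefix table are constructed from documentation address ranges; real data would come from `traceroute` and a GeoIP or RIR database.

```python
import ipaddress
import re
import statistics

# Constructed sample traceroute output (documentation addresses; not real hops).
SAMPLE_TRACEROUTE = """\
traceroute to social.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example (192.0.2.1)  1.102 ms  1.050 ms  1.011 ms
 2  198.51.100.7 (198.51.100.7)  9.410 ms  9.377 ms  9.355 ms
 3  198.51.100.130 (198.51.100.130)  210.210 ms  211.180 ms  209.160 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  310.044 ms  309.980 ms  309.912 ms
"""

# Constructed prefix -> country table standing in for a GeoIP/ASN lookup.
PREFIX_COUNTRY = {
    "192.0.2.0/24": "US",
    "198.51.100.0/25": "US",
    "198.51.100.128/25": "CN",
    "203.0.113.0/24": "US",
}

# Hop number, then either "name (a.b.c.d)" or a "*" for an unresponsive hop.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d+(?:\.\d+){3})\)|\*)")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_hops(text):
    """Return a list of (hop_no, ip_or_None, [rtt_ms, ...]) from traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        rtts = [float(x) for x in RTT_RE.findall(line)]
        hops.append((int(m.group(1)), m.group(2), rtts))
    return hops


def country_for(ip, table=PREFIX_COUNTRY):
    """Longest-prefix match of ip against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


def flag_detours(text, expected_countries, rtt_jump_ms=100.0, table=PREFIX_COUNTRY):
    """Flag responding hops that geolocate outside expected_countries, or whose
    median RTT rises by more than rtt_jump_ms over the previous responding hop.
    Returns a list of (hop_no, ip, reason)."""
    findings = []
    prev_rtt = None
    for hop, ip, rtts in parse_hops(text):
        if ip is None:
            continue  # "* * *": nothing to geolocate or time
        cc = country_for(ip, table)
        median = statistics.median(rtts) if rtts else None
        if cc is not None and cc not in expected_countries:
            findings.append((hop, ip, f"unexpected country {cc}"))
        if median is not None and prev_rtt is not None and median - prev_rtt > rtt_jump_ms:
            findings.append((hop, ip, f"rtt jump {median - prev_rtt:.0f} ms"))
        if median is not None:
            prev_rtt = median
    return findings


if __name__ == "__main__":
    for hop, ip, reason in flag_detours(SAMPLE_TRACEROUTE, {"US"}):
        print(f"hop {hop} {ip}: {reason}")
```

Two caveats apply to any such check: geolocation databases are approximate, so a single flagged hop is a prompt to investigate rather than proof of a detour, and an unresponsive hop (`* * *`) hides both its location and its latency, which is why the code skips it rather than guessing.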

Finance 

US – FTC Issues Annual Report 2011 on the Fair Debt Collection Practices Act

Complaints to the FTC against debt collectors increased in 2010 – categories of complaints include harassing the alleged debtors (i.e. repeated calls, using obscene language, calling at inconvenient times, and threatening violence), failing to send the required consumer notice (consumers were not made aware of the requirement for any disputes of their debt to be made in writing), failing to identify themselves as a debt collector (creating a false or misleading impression for consumers), revealing the alleged debt to third parties (either repeatedly calling employers, relatives, etc. or illegally disclosing the debt to them), impermissible calls to a consumer’s place of employment (such calls cannot be made if the collector knows or has reason to know the employer prohibits such calls), and failing to verify disputed debts (ignoring written disputes of a debt or failing to send a written verification of the debt). In 2010, the largest civil monetary penalty was obtained against a debt collector for $2.8 million (for misrepresenting that the collector was a law firm, would bring civil action or criminal prosecution against consumers, and that non-payment would result in garnishment of wages or seizure of property); in 2011, the Consumer Financial Protection Bureau will enforce the Fair Debt Collection Practices Act concurrently with the FTC, and will have the authority to prescribe rules and collect complaints. [Source]

WW – Payments by Cell Phones: Swiping Is the Easy Part

The cellphone has been more than a cellphone for years, but soon it could take on an entirely new role – standing in for all of the credit and debit cards crammed into wallets. Instead of swiping a plastic card at the checkout counter, consumers would merely wave their phones. There’s just one hitch: While the technology is already being installed in millions of phones – and is used overseas – wide adoption of the so-called mobile wallets is being slowed by a major behind-the-scenes battle among corporate giants. Mobile phone carriers, banks, credit card issuers, payment networks and technology companies are all vying to control these wallets. But first, they need to sort out what role each will play and how each will get paid. The stakes are enormous because small, hidden fees that are generated every time consumers swipe their cards add up to tens of billions of dollars annually in the United States alone. “It all comes down to who gets paid and who makes money,” said Drew Sievers, chief executive of mFoundry, which makes mobile payment software for merchants and banks. “You have banks competing with carriers competing with Apple and Google, and it’s pretty much a goat rodeo until someone sorts it out.” Consumer advocates, meanwhile, said they were concerned that a mobile system would bring higher fees and questioned whether consumers even want a new system. “Is it possible to make a system that’s too easy to use, where you reduce so much friction from the transaction process that people aren’t necessarily aware of what they’re spending on something?” asked Jan Chipchase, executive creative director at the design firm Frog Design, who studies mobile payments. [The New York Times]

FOI 

CA – Ratepayers Win on Freedom of Information Request

Persistence has paid off for the Centre Hastings Ratepayers Association (CHRA). The CHRA made a freedom of information request more than a year ago with the Information and Privacy Commissioner of Ontario for the information contained in monthly spending vouchers of the Municipality of Centre Hastings. According to CHRA member Wendell White, “the association’s position was that monthly voucher information is public information” and some information on the voucher was being “blacked out” so it was unreadable. The privacy commissioner recently ruled in favour of the CHRA, ordering the municipality to “disclose to the appellant all of the responsive information contained in the voucher reports for the period from April 2009 to December 2010 by providing him with a copy by March 4, 2011”, excluding any information pertaining to employee salaries or wages. As part of the ruling, CHRA will also have the $60 voucher fee waived because of its not-for-profit status. “It’s certainly recognition for the ratepayers, taxpayers — anybody,” White said of the decision. “It shows that you can’t just withhold information because you wish to.” [Source]

US – DHS Document Review Process Blasted

The review process on releasing potentially sensitive government files from the Homeland Security Department to the public was onerous and overly political, a key official in the process had complained in a series of e-mails in late 2009. Chief Privacy Officer Mary Ellen Callahan, who was appointed by Homeland Security Secretary Janet Napolitano, said she wanted to change the process, according to uncensored e-mails newly obtained by the Associated Press. In the e-mails, she warned that the Homeland Security Department might be sued over delays the political reviews were causing, and she hinted that a reporter might find out about the process. The reviews are the subject of a congressional hearing later this week and an ongoing inquiry by the department’s inspector general. [Source]

Genetics 

UK – Police Hit Delete on DNA Profiles

DNA records will no longer be kept on innocent people questioned over routine crimes in England and Wales, the government has said. It will still keep samples of those questioned in connection with terrorist offences. The move is a major change in Government policy and will result in a massive reduction in the number of innocent people whose DNA is held by police. The move comes two years after the European Court of Human Rights (ECHR) called the policy for England and Wales an unfair interference with subjects’ rights to privacy. It forms part of the Government’s Freedoms Bill, a law that seeks to reform the way that records on individuals are kept and used, among other things. The Bill will reduce the number of people who will have to undergo criminal records checks; reform the law on investigations into individuals; reduce stop-and-search powers; and reduce the allowed period of pre-charge detention to 14 days. The Bill orders the destruction of DNA material in most cases where a person is not charged or convicted of a crime. Samples taken from people detained under the Terrorism Act, however, are not to be destroyed immediately: they can be kept for three years, or indefinitely in the case of people who have already committed a serious crime. Samples taken from people in the investigation of other serious offences and from people who have been previously convicted of serious offences can also be retained, some for three years and some indefinitely, the Bill said. The Bill also contains provisions reforming the use of technology for surveillance, including CCTV systems and automatic number plate recognition (ANPR) systems. The Government said that the Bill would rebalance the relationship between the state and individuals. [Source]

Health / Medical 

US – Army: To Reduce Suicides, Share Mental Health Info

Army officials say knowing more about soldiers’ mental health will help to prevent suicides, the rates of which doubled after 2004. But that thinking is troubling to some who say army access to mental health records may deter soldiers from seeking help if they feel their privacy is being violated. Though HIPAA protects health information, exceptions exist, such as when a patient might cause harm to himself or another. The army encourages doctors to report if a “high-risk” soldier misses a counseling session, for example, and has begun to require a list of soldiers’ medical appointments. It’s unclear what other behavior might allow the sharing of private therapy information, said a HIPAA officer at Duquesne University. [Source]

Horror Stories 

US – Big Breach at NYC Hospitals

New York City Health & Hospitals Corp. is notifying 1.7 million patients, staff, employees of vendors and others who received services at two hospitals and two clinics during the past 20 years that some of their protected health information has been breached. Computer backup tapes were stolen from the truck of a contractor on Dec. 23, according to an HHC statement and letter of notification to affected patients. Types of protected information on the tapes included name, address, telephone number, Social Security number, medical records, insurance details, diagnosis and treatment information, and birth, admission and discharge dates. “The data in the stolen files is not readily accessible without highly specialized technical expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused,” according to the HHC statement. [Source] See also: [US: Health record privacy violation haunts VA workers] See also: [Nine-Year Sentence for Breaking Into Medical Center Computers]

EU – Ireland Telecoms Firms Guilty of Data Breach

Leading telecommunications companies Vodafone, O2, Eircom and UPC have been prosecuted for spamming customers with unsolicited text messages and phone calls in breach of the Data Protection Acts. The four companies pleaded guilty to a list of charges related to making unsolicited sales calls and sending text messages for direct marketing purposes without the consent of the recipients. The cases were brought before the Dublin District Court by the Data Protection Commissioner on foot of complaints by consumers who were subjected to repeated cold calls and unwanted messages after they had expressly asked not to be contacted for marketing purposes. [Source]

US – BP Employee Loses Laptop Containing Data on 13,000 Oil Spill Claimants

The personal information of 13,000 individuals who had filed compensation claims with BP after last year’s disastrous oil spill may have been compromised after a laptop containing the data was lost by a BP employee. The information, which had been stored unencrypted on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident. A spokesman is quoted as saying that BP waited nearly a month to notify victims of the breach because it was doing “due diligence and investigating.” BP said the missing laptop is equipped with a security capability that allows security administrators to remotely disable the computer “under certain circumstances.” However, the company offered no further details on what those circumstances might be or whether it has actually disabled the system so far. “Because this investigation and search for the missing laptop is ongoing, we are unable to provide additional detail that might jeopardize our investigation efforts,” the company said. BP has sent written notices to victims informing them about the potential compromise of their personal information and offering them free credit monitoring services, the statement noted. The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops and mobile storage devices. [Source] [Source] See also: [Medical records found in Regina recycling bin] and also: [TripAdvisor says email list of members stolen]

US – Restaurant Group to Pay $110,000 to Settle Allegations of Poor Security Practices

The Briar Group LLC, which runs a number of restaurants in the Boston area, has agreed to pay US $110,000 to settle allegations that it did not take adequate precautions to protect customers’ personal information and placed at risk of compromise information on tens of thousands of payment cards. The Briar Group was the target of a data security breach in April 2009; malware that had been surreptitiously placed on the company’s computer systems was not removed until December 2009. The Massachusetts attorney general filed a lawsuit as a result. According to the lawsuit, the Briar Group did not change default usernames and passwords on its point-of-sale computer system; did not have adequate security for its wireless network; and accepted credit card information from customers after learning of the breach. [Source] [Source]

UK – University of York Launches Personal Data Leak Probe

Personal details of 17,000 York students and residents have been accidentally leaked online. Students’ addresses, phone numbers and even A-level results were published on the University of York website. Dates of birth, phone numbers and the phone numbers and addresses of emergency contacts were also made freely accessible. The university has apologised and has informed the Information Commissioner, which has the power to fine organisations up to £500,000. Gus Hosein, of campaign group Privacy International, said: “That’s the largest breach I have heard of in the UK. There could be a significant fine now the Commissioner has fining powers. It’s appalling. If the university cannot secure the information it should not be collecting it.” [Source]

Identity Issues 

US – U.S. Military Using Fake Online IDs in ‘Sock Puppet’ Operation

U.S. Central Command has launched its first online “sock puppet” operation to plant hundreds of fake identities across social-media sites in the Middle East. The $2.7 million contract for “commercially available software” from Ntrepid Corporation in California, awarded in August 2010, gives U.S. Central Command 50 user licences, with 10 fake identities per user, 50 static IP address management licences, and “virtual private servers,” the contract said. “These are for overseas acts,” U.S. Central Command Cmdr Bill Speaks told the Star on Friday. “They are not directed at domestic U.S. audiences and not in English.” The “sock puppets,” a term for fake online identities, will operate at the MacDill Air Force Base in Florida, where U.S. Central Command operates, and in Kabul, Afghanistan, and Baghdad, Iraq. The cyber double agents will use social media and other websites, but “not Facebook or Twitter,” said Speaks. “This is not for use on U.S.-based websites. They are American companies.” Each of the fake personas uses the Ntrepid software to create “cyber presences that are technically, culturally and geographically consistent,” each with their own background, history, supporting details and “real-time local information” to fool their new-found online friends. One person could be pulling the strings on 10 “sock puppets” at one time “from the same workstation and without fear of being discovered by sophisticated adversaries,” the contract said. Rotating the IP (Internet Protocol) addresses daily should help shield them from discovery. “This traffic blending provides excellent cover and powerful deniability,” the contract says. The software also creates an online history for them so that over time the picture is fleshed out. Speaks wouldn’t say where the sock puppetmasters will be, but he did say this is the first time U.S. Central Command has launched this kind of operation. [Source] See also: [Cloud Girlfriend: Start-Up Offers Fake Relationships for Facebookers]

WW – RSA Deeply Penetrated; Says SecurID Information Stolen

An “extremely sophisticated cyber attack against RSA” may have compromised the security of RSA SecurID two-factor authentication products. In an attack preliminarily identified as an Advanced Persistent Threat, digital information relating to SecurID tokens was stolen from RSA systems. The company is contacting customers to let them know of the breach and to offer suggestions for “strengthen[ing] their SecurID implementations.” Forty million SecurID tokens have been deployed; they are often used to conduct financial transactions and at government agencies. [Source] [Source] [Source] [Source] [Source] [Source] [The letter to customers from RSA] [SecurID Customers Advised to Prepare for Worst Case] [RSA BREACH: Data storage maker’s anti-hacking division hacked]

WW – Children the Target for ID Theft

Identity thieves are targeting children when picking victims, MSNBC reports. That’s according to a report published by Carnegie Mellon University fellow Richard Power, who examined 40,000 children’s profiles using data from identity monitoring company Debix. Power found that, of those profiles, 10 percent had identities that were “tainted in some way,” including 500 children with names attached to mortgages or foreclosures and 415 with driver’s licenses. The report is the first real attempt to quantify the problem of children’s identity theft, Power said. The child ID theft expert at the Federal Trade Commission said the results are “informative, giving us the best insight available into the potential scope and nature of the problem.” [Source] [Report: “Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers”]

WW – How Your Username May Betray You

By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complete picture of the users. “These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.” Those with more unique usernames are more vulnerable. “The other 50% of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person. [Source]
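The entropy argument above is concrete enough to show in code. The following is an added example written for this summary (it is not the INRIA tool and does not reproduce the paper's method): a character-level Markov model trained on a constructed list of usernames assigns each name a surprisal in bits, and a cross-site matcher treats only high-surprisal names as confident links between two profiles. All usernames, profile snippets and the 40-bit threshold are constructed for illustration.

```python
"""Added example (not the INRIA tool): scoring how distinctive a username is with a
character-level Markov model, then using the score to decide which cross-site matches
are strong enough to link the same person. All usernames below are constructed."""
import math
from collections import Counter, defaultdict

# Constructed stand-in for a large public username list (assumption: not real data).
CORPUS = [
    "john", "john1", "johnny", "mike", "mike22", "alex", "alex_k", "sarah", "sarah88",
    "david", "dave", "music_lover", "gamer", "gamer99", "zx9_qwpl_vortex", "kj7_treefrog_42",
]
ORDER = 2          # characters of context used by the model
ALPHABET = 40      # rough alphabet size for add-one smoothing of unseen transitions


def build_model(corpus, order=ORDER):
    """Count character transitions: context (previous `order` chars) -> next char."""
    counts = defaultdict(Counter)
    for name in corpus:
        padded = "^" * order + name.lower() + "$"   # ^ = start marker, $ = end marker
        for i in range(order, len(padded)):
            counts[padded[i - order:i]][padded[i]] += 1
    return counts


def surprisal_bits(model, name, order=ORDER):
    """-log2 P(name) under the model. Common, short names score low (many users could
    share them); long or unusual names score high and act as a cross-site identifier."""
    padded = "^" * order + name.lower() + "$"
    bits = 0.0
    for i in range(order, len(padded)):
        ctr = model.get(padded[i - order:i], Counter())
        total = sum(ctr.values()) + ALPHABET
        bits += -math.log2((ctr[padded[i]] + 1) / total)
    return bits


def link_profiles(site_a, site_b, model, threshold_bits=40.0):
    """Usernames present on both sites, labelled by how much confidence the name alone
    gives that the two profiles belong to one person."""
    return {
        name: "confident" if surprisal_bits(model, name) >= threshold_bits else "ambiguous"
        for name in sorted(set(site_a) & set(site_b))
    }


MODEL = build_model(CORPUS)

# Constructed profile listings from two unrelated sites.
SITE_A = {"john": "likes cycling", "mike22": "lives in town X", "zx9_qwpl_vortex": "posts about cameras"}
SITE_B = {"john": "sells used books", "zx9_qwpl_vortex": "asks about lens repair", "kj7_treefrog_42": "-"}

if __name__ == "__main__":
    for name in ("john", "zx9_qwpl_vortex"):
        print(f"{name:20s} {surprisal_bits(MODEL, name):6.1f} bits")
    print(link_profiles(MODEL and SITE_A, SITE_B, MODEL))
```

Run stand-alone, "john" scores under 20 bits while "zx9_qwpl_vortex" scores around 70, so only the latter match is reported as confident. The same model, run by the user rather than a profiler, is the check the article describes: a username scoring high is one worth varying between sites.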

Intellectual Property 

WW – McAfee Study Says Thieves Targeting Corporate Data

According to a study from McAfee, cyber thieves are increasingly targeting intellectual property. Some attackers are specializing in stealing data from corporate computer systems. In particular, information thieves seem to be looking for trade secrets, research and development reports, marketing plans and source code. The report also noted that many companies are not taking adequate measures to protect information and are not going public with news of data security breaches. Of the companies that reported experiencing a data security breach, just half said they had taken steps to improve cyber security. [Source] [Source]

Internet / WWW 

WW – EU and US Working Together on Web Regulation

Intensive meetings in recent months between Internet regulators from Washington and Brussels point to the fact that both the US and Europe are narrowing the gap in their approach to regulating the Web. Until recently officials on both sides differed in their policy towards privacy on the Web. While Europe wants strict measures to protect individuals, the policy of the US has been to hold companies responsible for matters concerning privacy. However, after officials from both sides met again in Brussels last week, the gap seems to be narrowing, according to Reuters. EU justice commissioner Viviane Reding said, “Until recently there was a common belief that our approaches on privacy differed so much that it would be difficult to work together. This can no longer be argued.” Regulators on both sides say they have moved closer to a common position following US President Barack Obama’s endorsement this month of a “privacy bill of rights.” [Source]

US – NIST Issues Guidelines on Security and Privacy in Public Cloud Computing

Key security and privacy issues include trust (e.g. lack of visibility into cloud providers’ security, difficulty assessing and managing risk in cloud services, and an insider threat that now includes cloud provider staff), architecture (e.g. traffic over virtual networks may not be visible to security devices, and cloud providers hold significant amounts of ancillary data), identity and access management (e.g. attacks can manipulate validation mechanisms), software isolation (virtual machines may be large and difficult to analyze, which complicates improving their security), governance (individuals may bypass an organization’s normal process for acquiring computational resources), and compliance (lack of information about data location makes it difficult to ascertain whether legal requirements are met). Recommendations include incorporating mechanisms into the contract that allow visibility into the cloud provider’s security controls; understanding the cloud provider’s underlying technologies, the virtualization and software isolation techniques used, and the laws that potentially impact cloud computing initiatives; duplicating physical network protection capabilities on the virtual network; ensuring adequate safeguards are in place to secure authentication; and covering cloud computing environments in the policies, procedures and standards used for application development and service provisioning. Public cloud outsourcing activities include planning (specify security and privacy requirements, assess risks, and evaluate the cloud provider’s ability to meet the stipulated security and privacy levels), initiating (establish contractual obligations and assess cloud provider performance) and concluding (reaffirm contractual obligations, eliminate physical and electronic access rights, and recover organizational resources and data). [NIST – Draft Special Publication 800-144]

WW – Top 11 Privacy Trends for 2011 – Ernst & Young

Privacy trends include governance, risk and compliance (“GRC”) tools (organizations can benefit from using GRCs by continuously monitoring their privacy program and asking GRC vendors for updated modules to help monitor risk and compliance), privacy by design (ensures that privacy professionals play an integral part in the consideration of the business developments that may impact both employee and customer personal information), hiring privacy professionals (requiring specific certification for professionals in marketing, IT, internal audit, compliance and legal), cloud computing (organizations should manage third-party reporting capabilities, review what business processes and personal information are needed before a move can be made to a cloud, assess what levels of protection and control they require and clarify retention periods and the ability of other parties to access the data for market research or other secondary activities), social networking (recruiters should have policies about how to use social networks to mine for information on candidates and should communicate those intentions when candidates are interviewed and organizations should be transparent about expectations of employees’ behavior on social networking sites and any monitoring practices and should bring together compliance and HR groups to discuss policies regarding personal information on social media sites of employees and job candidates), and use of mobile devices (organizations may apply technical controls that provide visibility such as requiring a download of a load set before allowing a personal device to connect to the firm’s network and should communicate what information is being monitored, how it is being monitored and the consequences for not adhering to mobile device policies). [Source]

Law Enforcement 

US – Thousands of FBI Probes After 9/11 Stir Privacy Concerns

Within months after the Bush administration relaxed limits on domestic-intelligence gathering in late 2008, the FBI assessed thousands of people and groups in search of evidence that they might be criminals or terrorists, a newly disclosed Justice Department document shows. In a vast majority of those cases, FBI agents did not find suspicious information that could justify more intensive investigations. The New York Times obtained the data, which the FBI had tried to keep secret, after filing a lawsuit under the Freedom of Information Act. The document, which covers the four months from December 2008 to March 2009, says the FBI initiated 11,667 “assessments” of people and groups. Of those, 8,605 were completed. And based on the information developed in those low-level inquiries, agents opened 427 more intensive investigations, it says. The statistics shed new light on the FBI’s activities after the 2001 terrorist attacks, as the bureau’s focus has shifted from investigating crimes to trying to detect and disrupt potential criminal and terrorist activity. It is not clear, though, whether any charges resulted from the inquiries. Because the FBI provided no comparable figures for a period before the rules change, it is impossible to determine whether the numbers represent an increase in investigations. Still, privacy advocates contend that the large number of assessments that turned up no sign of wrongdoing show that the rules adopted by the Bush administration have created too low a threshold for starting an inquiry. Attorney General Eric Holder has left those rules in place. [The New York Times]

CA – 85% of B.C. Adults in Police Database ‘Disturbing’

The B.C. Civil Liberties Association says it is disturbing that up to 85% of B.C. adults have their names in a police computer database designed to track criminals. The association has written a letter to B.C. Solicitor General Shirley Bond, asking her to investigate why the majority of B.C.’s law-abiding citizens are in the PRIME-BC database. Even more troubling, said Robert Holmes, president of BCCLA, is that no information is available as to how long the information is kept on file. The computer database is used by police to record contacts with citizens, including “negative police contact,” which can then be used to prevent people from getting jobs, BCCLA claims. “With more than eight out of every 10 B.C. adults in this database, we’re wondering if people know what the police are writing about them,” Holmes said in a statement. “These notes by police officers can prevent people from getting jobs, schooling and training, and it is difficult if not impossible to remove or alter incorrect information.” The RCMP’s policy for the retention and destruction of records is online here. A spokesperson for the office of the Solicitor General has since issued this statement: “It is wrong to suggest that 85 per cent of British Columbians’ names are entered into PRIME. In fact, many are multiple calls involving the same people. Names are retained for a minimum of two years, and privacy is maintained through federal and provincial privacy legislation. This is the same privacy standard maintained by other police forces across the country. PRIME is an important tool that is helping us to make big strides in maintaining the safety of communities throughout the province.” [Source] UPDATE: [BC Privacy czar to probe use of police database] See also: [Goldman Sachs Programmer Sentenced to 8 Years in Prison for Code Theft]

Location 

WW – Location Privacy and Wireless Body Area Networks

One of the factors that is rapidly changing the nature of healthcare is the increasing availability of wireless sensors that can monitor blood pressure, body temperature, blood oxygen levels and so on. These devices transmit their readings back to a hub, such as a smart phone, which then sends the data to a health care monitoring service. The benefits of this approach are many. One example is the “virtual ward” in which patients are monitored at home and visited by mobile medical teams when the data shows that it is necessary. That’s generally better for the patients and cheaper for the community that has to pay for it. One crucial requirement of such a system is privacy, since these so-called wireless body area networks will be broadcasting highly personal information. It’s relatively straightforward to protect this data thanks to the many kinds of data encryption algorithms that are available. But Mohammed Mana at the University of Tlemcen in Algeria and a couple of buddies point out that data privacy is not the only issue at stake. They argue that another important issue is location privacy. They say that even though the data within a wireless body area network is encrypted, it’s still possible to track the location of the individuals simply by tracking the unique hardware addresses associated with the gadgets themselves, which are not encrypted. Such an attacker doesn’t even have to be particularly nearby. He or she could pick up the signals from a wireless body area network from a distance using ultra-sensitive antennas, for example. Mana and co have a solution, however. Their idea is to make the monitoring devices within a body area network use pseudonyms which constantly change in a way that is hidden from external view. So although an eavesdropper may be able to pick up a temporary hardware address, that would quickly change, preventing anybody following it. Mana and co say their new protocol is lightweight and energy efficient, both important factors for networks that are likely to run on limited battery power. [Source] SEE ALSO: [Thailand: Patient data need protection]
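The pseudonym idea described above can be made concrete with a small model of the two parties. The following is an added example written for this summary, not the protocol of Mana et al.: each sensor derives its link-layer address for the current epoch as a truncated HMAC of the epoch under a key shared with the hub at pairing, so the hub can resolve any address it hears while an eavesdropper without the key sees a fresh, unrelated address each epoch. The key establishment, epoch length, address size and window of tolerated missed rotations are all assumptions of this example.

```python
"""Added example: one way to give body-area-network sensors rotating link-layer
pseudonyms that the paired hub can still resolve. This is an illustrative HMAC-based
scheme written for this summary, not the protocol of Mana et al.; names are assumptions."""
import hmac
import hashlib
import os

ADDR_LEN = 6  # bytes, the size of a MAC-style hardware address


def derive_pseudonym(key, epoch, addr_len=ADDR_LEN):
    """Pseudonym for a given epoch: truncated HMAC of the epoch under the pairing key.
    Without the key, successive values look unrelated, so they cannot be chained."""
    msg = b"wban-pseudonym|" + epoch.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:addr_len]


class Sensor:
    """A wearable sensor that changes its address every epoch (e.g. every few minutes)."""

    def __init__(self, sensor_id, key):
        self.sensor_id, self.key, self.epoch = sensor_id, key, 0

    def current_address(self):
        return derive_pseudonym(self.key, self.epoch)

    def rotate(self):
        self.epoch += 1


class Hub:
    """The phone/hub keeps each paired sensor's key and last-seen epoch, and accepts
    a small window of future epochs so that a missed rotation does not desynchronise."""

    def __init__(self, window=2):
        self.sensors = {}   # sensor_id -> [key, last_epoch]
        self.window = window

    def pair(self, sensor_id, key):
        self.sensors[sensor_id] = [key, 0]

    def resolve(self, address):
        """Return the sensor id that the observed address belongs to, or None."""
        for sid, state in self.sensors.items():
            key, last = state
            for epoch in range(last, last + self.window + 1):
                if hmac.compare_digest(derive_pseudonym(key, epoch), address):
                    state[1] = epoch       # advance; older pseudonyms are no longer accepted
                    return sid
        return None


def passive_observer_links(addresses):
    """What an eavesdropper without the key can do: group captures by equal address.
    With rotation every epoch, each group has size one, so no track is formed."""
    groups = {}
    for addr in addresses:
        groups[addr] = groups.get(addr, 0) + 1
    return max(groups.values()) if groups else 0


def demo(epochs=5):
    """Run a sensor and hub through several epochs; returns (captured addresses, resolutions)."""
    key = os.urandom(32)               # established at pairing time (assumption)
    sensor, hub = Sensor("bp-cuff", key), Hub()
    hub.pair("bp-cuff", key)
    captured, resolved = [], []
    for _ in range(epochs):
        addr = sensor.current_address()
        captured.append(addr)
        resolved.append(hub.resolve(addr))
        sensor.rotate()
    return captured, resolved


if __name__ == "__main__":
    captured, resolved = demo()
    print([a.hex() for a in captured], resolved, passive_observer_links(captured))
```

The cost lands on the hub, which computes one HMAC per paired sensor per candidate epoch for each frame it hears; that is acceptable for the handful of sensors on one body and keeps the battery-powered sensor's work to a single HMAC per epoch, which is the trade-off the summary's "lightweight" claim is about.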

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40 percent of WiFi users do not understand those settings and 16 percent are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source] [UK’s Information Commissioner’s Office guidelines for home users on how to secure their wireless networks]

WW – Facebook ‘Places’ App Puts Soldiers at Risk by Telling Enemy Where They Are

Army chiefs have warned soldiers that a Facebook application that discloses their location could pose a security risk from terrorists. Troops have been urged to switch off the Facebook ‘Places I Checked Into’ application, which uses global-positioning satellites to pinpoint where they use a hand-held device. The Facebook Privacy Settings pamphlet, issued to units worldwide, warns the application ‘may inadvertently compromise the locality of a military user’. It continues: ‘Of significant note, users on operations in Northern Ireland are potentially putting themselves at risk by drawing attention to their exact whereabouts.’ The booklet, issued by the Army’s 643 Signal Troop, adds: ‘Personnel are generally unaware of the vulnerabilities associated with openly providing a vast amount of personal information on the internet.’ It follows growing concern in military circles about terrorists using the internet to monitor troops. An MoD spokesman said: ‘It is our duty to ensure that our personnel, who are a very unique user group…understand how to use social networks and channels safely and responsibly.’ [Source]

WW – Color App: A New Frontier in Social Networking Privacy

Color, a new app, has launched with the goal of re-inventing the idea of social networking for the smartphone era. Now the question is whether users are ready for its notion of privacy. Color tells users that they shouldn’t expect any of the photos, videos or other information that they share through the app to be private. However, it does use a basic social standard to determine who gets to take a look at your stuff — people you’re physically near. Whenever the app is turned on, Color captures a lot of data about the world around the phone, including GPS location, information from the gyroscope, and even ambient light levels. It uses that data to figure out where the user is — and whether there are other Color users nearby. If there are other Color users nearby, the service automatically puts all of them in the same social network, instantly sharing each other’s photos, videos and messages from inside the app. When somebody else looks at one of your photos, you get a notice about it. (There is no lurking.) The Color app also keeps track of the people who users are around the most often, like family, co-workers and best friends. Those people get automatically added to what Color calls an “elastic network,” whose photos, video and other information you get regular updates about, even when you’re not around them. If you stop spending so much time around a member of your elastic network, that person’s photo starts to turn grey and eventually disappears (in a reference to the film “Back to the Future”). There are no privacy settings to adjust, though you do have the ability to block a specific user from seeing what you share through Color. Each Color account is associated with a smartphone’s device ID, not a full name or other personally identifiable information. Users set up an account by entering a screen name and taking a photo, presumably of their face, to identify them to other users. [The Wall Street Journal]

WW – Social Network Turns User “Likes” Into Ads

Facebook’s “sponsored stories” ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don’t like the plan, Forbes reporter Dan Tynan suggests in his report, “don’t ‘Like’ it—or anything else. Because once you do…There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy.” A forthcoming plan to allow third-party advertisers to put users’ images and names in a similar way will have an opt-out, the report states. [Source] [Source] See also [Wall Street Journal: Privacy Lost: Customized Ads Come to Television]

Offshore 

SK – Proposed Law in South Korea Would Mandate Security Software on PCs

Proposed legislation in South Korea would require users to have security software on their PCs. The Korea Communications Commission (KCC) would have the authority to decide which security products are acceptable and which are not, which means the security solution providers would be wooing the government rather than users. The KCC would also have the authority to “examine the details of the business, records, documents and others” of those believed to be out of compliance with the security software mandate. Dancho Danchev, the article’s author, points out that security software “only mitigates a certain percentage of the risk … [and that] multiple independent reports and tests show that despite users running antivirus software, they still get infected with malware.” [Source]

IN – Group Calls for National Body to Oversee Privacy

The Associated Chambers of Commerce and Industry of India (ASSOCHAM) is calling for a national body to oversee cybersecurity and data protection concerns. ASSOCHAM also wants a “detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cybersecurity,” the report states. The calls came from the ASSOCHAM event “Safeguarding the Digital Economy.” The group’s cyberlaw committee chairman, Pawan Duggal, said, “Both the requirements of national sovereign governments as those of balancing the needs of data protection and privacy have to be appropriately addressed.” [India Infoline News Service]

Online Privacy 

WW – Yahoo Offers Cookie Opt-out Button Ahead of New EU Law

Yahoo! has introduced a feature that allows users to opt out of cookies. The icon was unveiled last Friday ahead of a new law that will come into force in the EU on May 25 known as the “Cookie Directive,” which will require online companies to obtain explicit consent to track users’ Web movements via cookies. Yahoo’s mechanism involves an “Ad Choices” icon that users can click to find out what information has been collected about them and modify their preferences on targeted ads. “Businesses like ours depend on the trust of our users,” said Justin Weiss, Yahoo’s director of international privacy and policy. [Source] See also [Advocates: Device Fingerprinting Easier to Track Than Cookies] and [Chrome Will Warn Users of Suspicious Downloads] and [CDT: What Does “Do Not Track” Mean: a Scoping Proposal – Center for Democracy and Technology]

WW – Microsoft Adds Do-Not-Track Tool to Browser

Microsoft will be including 2 new features in Internet Explorer 9 – a do-not-track tool to help people keep their online habits from being monitored, and “tracking protection lists”, which will let users prevent specific Web-tracking companies from snooping on their browsing habits. It is uncertain how effective these privacy protection tools will be – the system will only work if tracking companies agree to respect visitors’ requests, no companies have publicly agreed to participate, and the Interactive Advertising Bureau says its members do not know how to respond to a do-not-track request (a header) because there is no context for headers or common definitions, and there is no standard operating procedure in place for entities to detect or react to headers. [The Wall Street Journal]

WW – Mozilla Releases Firefox 4

Mozilla has released Firefox 4; the updated browser includes a number of new security features. Content Security Policy (CSP), which is enabled by default, helps stop cross-site scripting (XSS), data injection and other web-based attacks. CSP allows sites to tell the browser which content sources are legitimate. Firefox 4 also lets users automatically connect to websites through secure connections with the HTTP Strict Transport Security (HSTS) feature. Firefox 4 also allows users to opt out of behavioral tracking. [Internet Storm Center] [Source]
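To make the two server-side mechanisms concrete, here is an added example (not code from the original newsletter or from Mozilla) that models how a browser applies a site’s CSP header when deciding whether to run a script, and how a remembered HSTS header upgrades a later plain-HTTP request. It assumes the directive syntax of the later standardised CSP header rather than the experimental X-Content-Security-Policy header Firefox 4 shipped, and the sample headers and hostnames are constructed.

```python
"""Simplified CSP script-source matching and HSTS request upgrading.

Added example, not the newsletter's or Mozilla's code.  It models only the
subset of CSP/HSTS syntax used in the constructed samples below (no path
matching, no ports, no nonces/hashes) so the decision logic stays readable.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a repeated directive, so the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source: str, page_origin: str, url: Optional[str]) -> bool:
    """Match one source expression against a script URL (None = inline script)."""
    token = source.lower()
    if token.startswith("'"):                    # keyword source
        keyword = token.strip("'")
        if keyword == "unsafe-inline":
            return url is None
        if keyword == "self":
            return url is not None and _origin(url) == page_origin
        return False                             # 'none' and unknown keywords never match
    if url is None:
        return False                             # inline code requires 'unsafe-inline'
    if token == "*":
        return True
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if token.endswith(":"):                      # scheme source such as https:
        return scheme == token[:-1]
    if "://" in token:                           # host source with explicit scheme
        src_scheme, token = token.split("://", 1)
        if src_scheme != scheme:
            return False
    token = token.split("/", 1)[0]               # path matching not modelled
    if token.startswith("*."):                   # wildcard subdomain
        return host.endswith(token[1:])
    return host == token


def script_allowed(policy: Dict[str, List[str]], page_url: str,
                   script_url: Optional[str]) -> bool:
    """Would the browser execute this script under the page's policy?"""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                              # no applicable directive: unrestricted
    page_origin = _origin(page_url)
    return any(_source_matches(s, page_origin, script_url) for s in sources)


def parse_hsts(header: str) -> Dict[str, object]:
    """Parse 'max-age=N; includeSubDomains' into a small record."""
    entry: Dict[str, object] = {"max_age": 0, "include_subdomains": False}
    for part in header.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            entry["max_age"] = int(token.split("=", 1)[1])
        elif token == "includesubdomains":
            entry["include_subdomains"] = True
    return entry


def upgrade_request(url: str, hsts_hosts: Dict[str, Dict[str, object]]) -> str:
    """Rewrite http:// to https:// when the host, or a parent domain that set
    includeSubDomains, is in the browser's remembered HSTS set."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = (parts.hostname or "").lower()
    for known, entry in hsts_hosts.items():
        covers = host == known or (entry["include_subdomains"]
                                   and host.endswith("." + known))
        if covers and int(entry["max_age"]) > 0:
            return "https://" + url[len("http://"):]
    return url


# Constructed sample headers and URLs (placeholders, not real sites).
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.test; img-src *"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
PAGE = "https://www.example.test/account"


def demo() -> Dict[str, object]:
    """Evaluate typical script loads plus one HSTS upgrade against the samples."""
    policy = parse_csp(SAMPLE_CSP)
    hsts = {"example.test": parse_hsts(SAMPLE_HSTS)}
    return {
        "same_origin": script_allowed(policy, PAGE, "https://www.example.test/app.js"),
        "cdn": script_allowed(policy, PAGE, "https://cdn.example.test/lib.js"),
        "injected_inline": script_allowed(policy, PAGE, None),   # XSS payload blocked
        "attacker_host": script_allowed(policy, PAGE, "https://evil.test/x.js"),
        "cdn_over_http": script_allowed(policy, PAGE, "http://cdn.example.test/lib.js"),
        "hsts_upgrade": upgrade_request("http://mail.example.test/inbox", hsts),
    }
```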

US – Man Charged with Polygamy After Posting Second Wedding Photo Online

You’ll never believe who turned him in: his first wife – because the two were still married. Here’s a tip we never thought we’d have to share: If you’re already married, don’t post pictures of your new wife on Facebook. An already-married Grand Rapids, Mich. man had what NewsFeed can only assume was a joyous wedding ceremony last July. But it turns out Richard Barton, Jr. already had a wife, whom he married in 2004. When photos of Barton and his new Michigan wife turned up on Facebook, his old (but still current) wife, living in Rhode Island, took issue with Barton. She alerted authorities, who arrested Barton for polygamy. [Source] See also: [How Young is Too Young for Kids to Start Social Networking?]

Other Jurisdictions 

AU – Content Providers Slammed for “Hostile” Privacy Policies

Long-time privacy advocate Dr Roger Clarke has called for tough new laws to rein in “hostile” terms and conditions used by international internet content giants like Facebook and Google. Speaking before the Joint Select Committee on Cybersafety, Clarke branded the business models of the internet and social media companies “consumer-hostile” and exploitative of “people and their data”. Clarke – who runs the Xamax business consultancy and chairs the Australian Privacy Foundation – appeared before the committee in a private capacity. He called on content service providers to “clarify” terms and conditions of use, including how much personal data could be used by a provider “for their own purposes”. Clarke also said that information on privacy settings – and the extent of user control over them – should be concisely tabled and clearly visible to consumers. Clarke called for “baselines” for privacy and disclosure to be established, backed by enforcement tools like “regulatory action” and “quick and efficient access to judicial warrants”, which could be used to force oversight. [Source]

AU – Pilots Sue Over ‘Invasive’ Airport Screening Procedures

Two US commercial airline pilots complained in a lawsuit that new screening procedures for flight crews – scaled back after complaints by pilots – were still too invasive and violated privacy rights. The US Transportation Security Administration on October 19 started requiring air travelers and flight crews to go through full-body scanners or physical patdowns amid concerns that militants could hide a bomb underneath their clothing and detonate it aboard a plane. Pilots and flight crews complained the new screening exposed them to excessive radiation because they fly so frequently and that extra scrutiny for them was unnecessary because they already control the planes. [Source] [Australia to Get Stick Figure Airport Body Scanners This Year]

AU – Digital Privacy a Concern, Says Federal Information Commissioner John McMillan

The expanding volume of sensitive personal information held in government and business databases is driving public concern about privacy protection, federal Information Commissioner John McMillan has warned. “People are concerned at how much is recorded about them in relation to their financial and taxation affairs, their family and medical history, employment records and transactions with agencies,” Professor McMillan told the Australian Government Solicitors Information Law conference in Canberra. “They are worried about the inconvenience and damage that may result if information is incorrect or out of date, and the danger their personal information will be misused, wrongly disclosed, merged inappropriately with other personal data, or revived at a time when it would be better buried or destroyed.” Data protection and management of personal information were now a high priority for organisations, with privacy breaches damaging to individuals and costly for government and industry. “Breaches can arise from simple programming and clerical mistakes,” Professor McMillan said, revealing the privacy commissioner received 60 notifications of data breaches in the past year. Professor McMillan said the Gillard government had announced its intention to strengthen the powers of the Privacy Commissioner to make enforceable determinations and seek civil court penalties for serious or repeated offences. “The prospect of (financial) penalties for privacy breaches will provide an added incentive for organisations to take their responsibilities seriously,” he said. [Source]

Privacy (US) 

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Source] [Source] [Source] [Source]

US – Privacy Advocates, FTC, Google React to Proposed Buzz Settlement

Amid announcements by the FTC and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement. Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years. In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties…” FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.” Public comments on the consent agreement are being accepted through May 2. [Source] See also: [US: Tech firms hiring White House staffers]

US – EPIC Files Objection to Lawsuit Settlement

The Electronic Privacy Information Center (EPIC) has objected to a class-action settlement reached between Google and Gmail users. EPIC filed its opposition in court this week, saying that the part of the settlement that doles out $6 million to Internet privacy interests is flawed because the funds were given to groups that “receive support from Google for lobbying, consulting or similar services.” EPIC had requested but was not granted a share of that sum. The filing states that the court should reject a deal “that encourages organizations to stand by quietly while others do the actual work of safeguarding Internet privacy.” [Reuters]

US – U.S. Court of Appeals Affirms Cell Phones are Computers

The Court of Appeals affirmed a district court’s decision that an ordinary cellular phone (used only to place calls and send text messages) was a computer; in U.S. v. Kramer, the district court found that “computer” has the meaning given in 18 U.S.C. § 1030(e)(1), that is, an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. [Decision]

US – Privacy Lawsuits Rain Down on Netflix

In the wake of the most recent suit alleging a privacy violation by the world’s foremost video-rental provider, Netflix “has been accused of violating U.S. privacy laws in five separate lawsuits filed during the past two months,” with each case alleging the company “hangs onto customer information, such as credit card numbers and rental histories, long after subscribers cancel their membership.” The lawsuits allege the company has violated the Video Privacy Protection Act. The most recent suit was filed last week by a Michigan resident. Each of the plaintiffs has filed suit in U.S. District Court, and the complaints are seeking class-action status. [Source]

WW – UDID: The Next Privacy Frontier?

Companies that make their money in the mobile computing space – application developers, device manufacturers, software adaptors – have a new worry. Many functions and applications used on iPhone devices currently rely on reporting that includes the UDID unique device identifier. Two new lawsuits against Apple for its use of UDID information may change the way that mobile functions and applications are built, managed and paid for. The UDID for the iPhone is a 40 character identifier that is set by Apple and stays with the specific defined device forever. Its function is to uniquely identify any one iPhone, allowing the UDID to be connected with the name and behaviors of that iPhone’s user. The Wall Street Journal may have started the snowball of lawsuits rolling in its ongoing series of articles about how the computer industry tracks people using the internet. The Journal’s investigation examined 101 popular smartphone applications (“Apps”) and found that 56 of them sent the UDID for their smart phones to other companies without the user’s awareness or consent. Five of the Apps transmitted personal details of the user like age and gender. Because each UDID is specific to each iPhone, it cannot be shut down or suppressed by users in the way that cookies may be deleted on laptop or desktop computers. The suits against Apple complain that releasing this information without the user’s consent or knowledge violates a number of U.S. federal and state laws including the Electronic Communications Privacy Act. [Source] See also: [The changing meaning of “personal data”] See also: [OPC Canada – Fact Sheet – Privacy on the Go: Workplace Tips for Protecting Personal Information on Mobile Devices]

US – PG&E Unveils ‘Opt-out’ Plan for its Controversial SmartMeter Program

After months of controversy, PG&E has unveiled an opt-out plan for its SmartMeter program that further enraged its critics, who said its high fees would punish the customers it was designed to help. Barely meeting a deadline set by the California Public Utilities Commission, PG&E released a plan that would give customers the option of having the wireless portion of the device turned off but force them to pay hundreds of dollars for the privilege. [Source]

US – Hearing Date Set for WikiLeaks Twitter Data Demand Appeals

Three people associated with WikiLeaks are appealing a ruling that grants federal prosecutors access to records of their Twitter use. The legal team for the three maintains that the ruling violates a federal statute and the US Constitution’s First Amendment rights to free speech and association. The filing seeks to overturn the earlier ruling. The US Justice Department is seeking the Twitter records as part of a grand jury investigation into WikiLeaks and its disclosure of classified US government information. A hearing is set for April 22. [Source] [Source] [Source]

RFID 

EU – EU Issues Opinion on the Revised Industry Proposal for an RFID PIA

The Working Party endorses a revised industry-proposed data protection impact assessment framework (“framework”) for RFID applications, following changes that will require a privacy impact assessment (“PIA”) when tags may be used outside the operational perimeter of an RFID application or are carried by persons (this addresses a concern that third parties may misuse RFID tags for tracking and profiling purposes); the framework takes effect August 11, 2011 (6 months after the date of this opinion). The framework contains two phases – categorizing RFID applications into 4 levels, with a full scale PIA required for the top levels (RFID tags are carried by individuals and applications further process personal data) and a risk assessment (identifying the risks to personal data, identifying controls to respond to the risks, and resolving the conditions of implementation for the application); personal data in an RFID application includes a unique ID contained in a tag, if the tag is destined to be carried by a person. [Article 29 WP Working Paper 180]

Security 

WW – Companies Lose Business Following Data Breaches: Study

According to a study conducted by the Ponemon Institute on behalf of Symantec, 37% of data loss cases reported in the UK in 2010 involved system failures; that figure is 7% higher than it was in 2009. The study also found that the average cost of data breaches for large UK companies in 2010 was GBP 1.9 million (US $3.1 million), an increase of 13% from 2009. The report also found that companies that suffer computer breaches experience significant financial repercussions in lost business. [Source] [Source] [Source]

WW – Most Companies Keeping Mum on Data Breaches

For corporations, the threat of data breach is more dangerous than ever—but, according to a new study, most companies still do not take the measures needed to keep their information secure, nor are they always up front with their customers about security breaches. A recent study by McAfee outlined the difficulties companies face while securing information. Their study, “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency” surveyed over 1,000 senior IT professionals in the U.S., U.K., Japan, China, India, Brazil and the Middle East. Despite the danger of losing corporate intellectual capital or customer information to cybercriminals, it appears that companies have not always been vigilant about trying to improve security, even following successful attacks. Of all the organizations that had experienced a data breach, only half undertook actions to fix and protect their systems from later break-ins. A quarter of companies assess the risks to their data twice a year, or less. But not many companies actually report suffering data breaches. Three in ten firms report all data breaches, with the majority, or six in ten companies, “picking and choosing” what breaches they share. Recently, Mozilla expressed its regret over failing to disclose a breach involving stolen SSL certificates for sites including GMail, Skype, Yahoo Mail and more. The attack was suspected to involve the work of the Iranian government. McAfee notes the report “also shows that organizations may seek out countries with more lenient disclosure laws, with eight in ten organizations that store sensitive information abroad influenced by privacy laws requiring notification of data breaches to customers.” And the biggest hassle may be yet to come, as the rise of devices like tablets and smartphones presents an as yet unsolved challenge for locking down information securely. 
[The Huffington Post] See also: [NSA to Join Nasdaq Hack Investigation] and [Australian Government Computers Attacked] and [European Parliament Network Attacked] and [NASA IG Finds Vulnerabilities in Agency Systems]

WW – SecurID Customers Advised to Prepare for Worst Case

How serious is the security threat posed by the theft of inside information about SecurID, the two-factor authentication system sold by EMC division RSA? “It is important enough that it required an official note to the stock markets.” But, despite the apparent severity of the breach, RSA’s failure to detail what was stolen is generating an immense amount of customer frustration, because they don’t know if their SecurID hardware fobs are still secure, or if they might provide attackers with a conduit through enterprise defenses. Until RSA coughs up more information, security experts advocate conducting a thorough and immediate SecurID risk assessment. “Our recommendation for customers which have RSA SecurID cards implemented is to first carefully analyze the situation and their specific risks — [for example] which type of information is at risk if the RSA SecurID-based authentication is not only at risk — like now — but an attack actually takes place?” Next, identify specific technologies and remediation activities for securing at-risk data or accounts. “These actions might range from increased threat analysis and forensics to adding other authentication technologies.” RSA had 40 million SecurID hardware token customers by 2009, as well as 250 million users of SecurID software. [Source]

US – NIST Issues Guidelines on Managing Information Security Risk

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011, by the Joint Task Force Transformation Initiative, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.

WW – No Keystroke Loggers on Samsung Laptops

Concerns about Samsung laptops shipping with pre-installed keystroke loggers have proven to be groundless. An anti-virus program called VIPRE misidentified a folder created by Microsoft Live Application Suite as a known keystroke logging software. An executive with the company that makes VIPRE has apologized for the incident. [Source] [Source] [Source] [Source]

US – Captured Images of Your Physical Keys Can Be Used to Make Copies

Computer scientists at the University of California, San Diego, Jacobs School of Engineering, have presented proof-of-concept for capturing images of physical keys from a substantial distance and using those images to make working copies of the keys. “We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.” Professor Savage notes, however, that the idea that one’s keys are sensitive visual information is not widely appreciated in the general public. “If you go onto a photo-sharing site such as Flickr, you will find many photos of people’s keys that can be used to easily make duplicates. While people generally blur out the numbers on their credit cards and driver’s licenses before putting those photos on-line, they don’t realize that they should take the same precautions with their keys.” [Source]

Smart Cards 

US – Obama Administration Proposes Online Privacy Bill of Rights

The outcry over internet firms’ habit of surreptitiously tracking web surfers’ activities has clearly resonated inside the White House. On March 16th the Obama administration announced that it intends to work with Congress to produce “a privacy bill of rights” giving American consumers greater control over how their information is collected and used by digital marketers. Those who have been lobbying for change agree with, but are unsympathetic to, internet firms’ worries that such a law could dent their advertising-driven business models, which rely on tracking and targeting consumers to maximise revenues. “This is dimming the prospects of Google, Facebook and other digital ad companies,” says Jeffrey Chester of the Centre for Digital Democracy. Quite how dark things get for them will depend on the details of the bill. It will seek to lay down the basic principles of internet privacy rights, broadly following recommendations published last December by the Department of Commerce. The department’s report said consumers should be told more about why data are being collected about them and how they are used; and it called for stricter limits on what companies can do with information they collect. Whatever legislation finally emerges is likely to give a broader role to the FTC, which will almost certainly be charged with deciding how those principles are translated into practice and with policing their implementation. Among other things, the FTC is known to be keen on a formal “do not track” system, which would allow users to block certain sites from monitoring their online activities. [Economist] [Analysts Weigh In on Privacy Bill of Rights]

Surveillance 

US – The Right to Sue Over Wiretapping

Federal authorities have always made it difficult to bring a legal challenge against the government’s warrantless wiretapping enterprise that was set up by the Bush administration in the years after the Sept. 11, 2001, attacks. Because the wiretaps were secret, no one could know for certain if they were being tapped, so the government urged judges to throw out lawsuits for lack of proof of real harm. That strategy was halted last week when a federal appeals court said that civil liberties and journalism groups challenging an eavesdropping law could pursue a suit trying to get the government’s wiretapping declared illegal. In an important ruling, the United States Court of Appeals for the Second Circuit reinstated a lawsuit that a federal district judge had thrown out in 2009. The new decision might lead to a significant – and far too long delayed – legal review of the statute. The law in question, passed in 2008, amended the Foreign Intelligence Surveillance Act. It essentially legalized retroactively President George W. Bush’s outlaw program of wiretapping certain terror suspects without a warrant. It also immunized telephone companies that cooperated in the program. And it permitted the government to listen to the international phone calls of Americans who are not engaged in criminal activity, and to read their e-mail messages. At great cost to the privacy of innocent people, it reduced the longstanding protections of judicial supervision over these powers. The law was challenged by human rights, labor and news media organizations, led by the ACLU. They argued that their communications with clients and interview subjects outside the country would almost certainly be monitored under the law, in part because their jobs required conversations with activists and others whose work would be of interest to the government. 
Some are lawyers representing accused terror suspects in the United States and often need to communicate with the suspects’ family members or acquaintances outside of the country. The government argued that the plaintiffs had to prove that they were monitored or harmed, but the Second Circuit didn’t buy that defense. The plaintiffs had every reason to believe that they were being monitored, the court said, and some even spent considerable sums to go abroad for meetings to avoid the eavesdropping. The final outcome of this legal challenge is far from certain; the government, if it follows its pattern, is likely to cite another familiar defense that a full trial would reveal state secrets. But just by allowing this lawsuit to proceed, the Second Circuit has sent an important message: The government cannot count on simplistic legal arguments to avoid scrutiny of its program to spy on civilians. When one challenge is allowed, others will follow. [The New York Times]

Telecom / TV 

EU – ENISA Report: Top Ten Smartphone Risks

The risks ENISA rates highest for smartphone information security include data leakage resulting from device loss or theft (encryption is recommended, but weaknesses exist in the implementation of encryption in smartphones), attacks on decommissioned smartphones (if decommissioned improperly, attackers can gain access to data on the device), and unintentional data disclosure (the user is unaware that an app collects and publishes personal data that can be used to trace users). [Report] Other recent ENISA Publications: ENISA – App Kill-Switch – The Last Line of Defence | Privacy, Accountability and Trust – Challenges and Opportunities (Feb 2011) | Bittersweet cookies. Some security and privacy considerations (Feb 2011) | Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (Jan 2011)

US – Mobile Phone Users Lax on Security: Survey

A survey conducted by the Ponemon Institute on behalf of ACVG says that mobile phone users in the US are lax on mobile phone security. Nearly 84% of those surveyed use the same phone for both business and personal matters. Many people also make purchases over their mobile phones. Few consumers use phone-locking passwords and many use the same password for multiple apps. [Source]

UK – UK Users Not Wiping Mobile Devices Before Selling Them

An investigation commissioned by data protection company CPP Group found that many people in the UK who sell their old smartphones and SIM cards are failing to wipe the devices of sensitive personal data. More than half of the devices examined for the study were found to contain credit card PINs, bank account information, and login information for social networking sites. The information was gathered from 35 used phones and 50 used SIM cards. Users selling old phones should perform a factory reset. Unless old SIM cards are being transferred to another of the owner’s devices, they should be destroyed. [Source] [Source] [Source] [Source]

UK – Teachers’ Union Says No to Bill Allowing Searches of Student Mobiles

The UK teachers’ union, NASUWT, calls government plans to allow teachers to search and even delete content on student mobile phones “reckless”, according to the BBC. The education bill introduces the following measures in order to help combat cyber-bullying: (6E) The person [eg, a teacher] who seized the item [eg, ‘an electronic device’ belonging to a pupil] may examine any data or files on the device, if the person thinks there is a good reason to do so. (6F) Following an examination under subsection (6E), if the person has decided to return the item to its owner, retain it or dispose of it, the person may erase any data or files from the device if the person thinks there is a good reason to do so. Teachers claim that putting these measures into action will cause friction between teachers, pupils and parents. [Source]

EU – Irish Parliament Passes Communications (Retention of Data) Act 2011

Ireland has passed a law that would transpose the Data Retention Directive requirements for service providers to retain for two years, fixed network telephone and mobile telephone data (e.g. calling telephone number, name and address of subscriber, number dialled, date and time of call, location of mobile callers and equipment identifiers such as IMEI number), and for one year, internet access, e-mail and internet telephony data (e.g. user ID, name and address of user, user ID of communication recipient, date, time and duration of communication, calling telephone number for dial-up access and DSL or end point of the originator of the communication); service providers are persons who provide a publicly available electronic communications service or public communications network. Service providers must provide the retained data to law enforcement for preventing, detecting and investigating serious offences (e.g. punishable by 5 years imprisonment, false reporting of child abuse, poisoning, and making false statements in a proceeding), for safeguarding the security of the State and to save a human life; service providers must also take appropriate security measures and destroy the data one month after their retention period has passed (unless they have been accessed under a disclosure request). [Source]

US Government Programs 

US – Panel Urges TSA to Implement ‘Trusted Travelers’ Program

Treating every airport passenger as a potential terrorist slows the security system, is needlessly frustrating and deters some people from flying, according to a report that recommends ways to ease bottlenecks at security checkpoints. The report, commissioned by the U.S. Travel Association, calls on airlines to allow passengers to check one bag free of charge and urges the creation of a voluntary “trusted traveler” program that partially resembles a mandatory one previously proposed by President George W. Bush – and shot down by Congress. The federal government would not need congressional approval to mandate that airlines allow one checked bag free. But it is doubtful that the TSA could implement a trusted-traveler initiative without congressional approval. Adding impetus to the report is the heavyweight panel behind it, headed by Tom Ridge, former secretary of homeland security, and former congressman Jim Turner (D-Tex.), who was on the House Homeland Security Committee. Travel industry analysts think the long-awaited report will continue the debate over screening procedures and add another element to it: Even a voluntary trusted-traveler approach would require passengers to provide credit information, tax returns and other personal data to verify that members pose little or no risk. In return, they would be allowed to zip through security. The proposal of a trusted-traveler program takes the debate through a thicket, pitting the right to privacy against the goal of secure flight. Congress rejected a Bush administration plan known as CAPPS II that would have tapped into credit information to verify passenger credentials. “The key difference is that the program we’re recommending is totally voluntary,” said Geoff Freeman, executive vice president of the U.S. Travel Association, which commissioned the study a year ago. 
The report recommends a voluntary trusted-traveler program in which passengers would supply fingerprints and other personal information in return for an identification card that would allow them to bypass security lines. Members would enter a kiosk where either fingerprint or iris scanning technology would be used to confirm their identity. Both the passenger and carry-on bags would pass through an explosives-detection device, but there would be no requirement to remove shoes, coats or hats. [Source]

US – United States Government to Allow E-Verify “Self Check”

Starting on March 21, 2011, the U.S. Citizenship & Immigration Services (USCIS) will allow an individual to use E-Verify to check on his or her work authorization status and correct errors in the federal databases used by E-Verify. E-Verify is an Internet-based employment verification system run by the USCIS, part of the Department of Homeland Security (DHS). Until now, only employers were allowed to use the system to verify the work authorization of newly-hired employees. Any individual over the age of 16 will be able to use E-Verify Self Check by first providing information to authenticate the person’s identity and then submitting work authorization information normally provided in completing Form I-9 employment authorization forms. A message of “work authorization confirmed” will be displayed if the information provided by the individual matches the information contained in the DHS, Social Security Administration (SSA), and Department of State databases used by E-Verify. If there is a mismatch in the information, the Self Check will provide a message such as “Possible mismatch with SSA” or “Possible mismatch with Immigration Information.” The Self Check will also provide instructions on how to request corrections of errors in database records. Employers may not use Self Check as a pre-screening tool for possible new hires. For example, an employer may not require a job applicant to present Self Check certification as a condition of application for employment. As before, employers can only use E-Verify to confirm employment authorization of workers once they are hired. This use of E-Verify is limited to employers enrolled in the program. Self Check will initially be available only in Arizona, Colorado, Idaho, Mississippi and Virginia. The USCIS plans to expand Self Check to other states over time and eventually make it available throughout the United States. The service is free. A preview of the program is available at the USCIS website. [Mondaq News]

US Legislation 

US – Obama Administration Calls for New Privacy Law

The Obama Administration is backing a new data privacy bill of rights aimed at protecting consumers against indiscriminate online tracking and data collection by advertisers. In testimony prepared for the Senate Committee on Commerce, Science, and Transportation, the Commerce Department’s assistant secretary, Lawrence Strickling, said that the White House wants Congress to enact legislation offering “baseline consumer data privacy protections.” Such a bill is needed to protect personal data in situations not covered under current law, Strickling said, adding that any legislation should be based on a set of fair information practice principles and give the U.S. Federal Trade Commission enforcement authority. He also called for incentives to encourage the development of codes of conduct on privacy matters. Strickling said the administration’s call for new online privacy protections stems from recommendations made by the Commerce Department in a paper released in December. Many of those in the industry who weighed in on the idea at the time backed the creation of a new online consumer privacy law, he said. The document was based on a comprehensive review of existing privacy protections and of ongoing data collection, consumer tracking and profiling practices online. The administration’s support for privacy protections is very significant, said Joel Reidenberg, a professor at Fordham Law School who specializes in privacy issues. “This is the first time since 1974 that the U.S. government has supported mandatory general privacy rules,” Reidenberg said. [Source]

US – “Privacy Bill of Rights” Draft Released

Following up on his announcement that he would soon submit the “Commercial Privacy Bill of Rights Act of 2011” during a hearing on the call for federal privacy legislation, Sen. John Kerry (D-MA) and the bill’s cosponsor, Sen. John McCain (R-AZ), have published a draft of the legislation. The draft includes provisions to “give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting.” In the Hogan Lovells Chronicle of Data Protection, Christopher Wolf highlights major provisions of the draft legislation, including what would constitute PII and “unique identifier information,” safe harbor programs, access to data and opt-in consent. “No private rights of action are allowed,” Wolf writes, “and state laws–except those dealing with health or financial information, data breach notification or fraud–are preempted.” [Source]

US – Senate Committee Holds Hearing on the State of Online Consumer Privacy

Impact to Subscriber: In line with Sen. John Kerry’s statement that the status quo for online privacy cannot stand, a Senate Committee hearing heard support for online consumer privacy legislation from the Department of Commerce (based on a collection of agreed-upon fair information practice principles that provide the FTC with enforcement authority and create incentives for developing codes of conduct, such as by offering a safe harbor for signatories), Microsoft (establishing reasonable baseline privacy protections), and Intuit (a principles-based approach should be taken). Participants testified that online consumers should have choices about how their information is being collected and used. The FTC set out 5 critical principles for a Do Not Track system: universal implementation (consumers do not need to repeatedly opt out on different sites), easy to find and use, persistent (choices should not be deleted if cookies are cleared or browsers updated), opt out of tracking altogether (do not limit the system to only tracking for advertising), and effective and enforceable without technical loopholes. [Source] [Source]

US – Senator Pushes for Mobile Privacy Reform

Sen. Ron Wyden (D-OR) has proposed a bill that would provide privacy protections for geolocation information. Once introduced, the Geolocational Privacy and Surveillance Act (GPS Act) would seek to require law enforcement to obtain a warrant before accessing information related to a wireless device or GPS system, for example. The bill will likely gain “strong support” from Internet companies, civil libertarians and wireless carriers, “many of which have joined a coalition saying that location information should be accessed only with a warrant,” the report states. The bill would require that court evidence relating to location data be thrown out if procedures weren’t followed, and allows for civil lawsuits and damages in cases where location data is inappropriately accessed and used. [Source]

US – Proposed Legislation Would Replace FISMA Paperwork with Real-Time Monitoring

US Representative James Langevin (D-Rhode Island) has introduced a bill that would replace the paper-intensive compliance requirements of the Federal Information Security Management Act with automated, continuous monitoring. The Executive Cyberspace Coordination Act would also create a National Office of Cyberspace in the White House and increase the Department of Homeland Security’s (DHS) authority over private networks that are part of the country’s critical infrastructure. [Source] [Source]

Workplace Privacy 

CA – Material on Work Computer Private, Court Rules

Ontario’s top court has found a right to privacy in material contained on a work computer. A judgment from the Ontario Court of Appeal broke new ground on an issue that is exploding into the court system – the extent to which Internet information is private and beyond the reach of the law. The case involved a Northern Ontario high school teacher charged with possessing child pornography. The judges said that police breached his Charter rights by viewing his computer files without a warrant. “The police technique was intrusive in copying the entire contents of the hard drive,” the court said. “The contents of the hard drive of a laptop may contain extremely personal information such as medical and financial reports, personal journals, e-mails and appointments.” At the same time, the court concluded that school officials who stumbled upon the pornographic images had a right to monitor whether the school computer system was being used appropriately. Frank Addario, a lawyer for defendant Richard Cole, said that the ruling has repercussions for employees who use their electronic devices for personal purposes, “which is pretty well everyone.” “There was a belief that ownership meant control of privacy, but that’s an old school way of looking at privacy,” Mr. Addario said. “Most Blackberry users carry a subset of their existence around with them regardless of who paid for the hardware.” In a pretrial ruling, the trial judge in the case tossed out the evidence as a violation of Mr. Cole’s privacy rights. The Crown appealed to Superior Court, which reversed the ruling and sent it back for trial. The defence appealed that ruling to the Ontario Court of Appeal. Toronto lawyer Scott Hutchison, a privacy expert, said that the court has given a sound answer to a vital question. “This case comes down firmly on the side of privacy and holds that employers cannot give police investigators access to a workplace computer,” he said. 
“This case makes it clear that the employer may own the computer, but that doesn’t give them the power to waive the employee’s privacy rights,” Mr. Hutchison added. “It recognizes the realities of how people use modern workplace technology. People don’t artificially ‘switch off’ their privacy interests just because the device in question is owned by someone else.” [Source] [Mondaq: Work computers – user rights v owner rights] and [Breach of privacy case holds lessons for IT departments]

US – Ex-Employee’s Blogs Can’t Be Stopped, NY Court Rules

Joseph Lazzarotti and John Snyder comment on Cambridge Who’s Who Publishing v. Sethi, a case recently covered on DataBreaches.net because of its reference to an alleged data breach that had never been reported in the media. The court ruled that Cambridge Who’s Who could not get an injunction that would stop its former employee from writing about a data breach that occurred while he was employed by them, nondisclosure agreements notwithstanding. [Pogo Was Right]

US – DHS Sets Privacy Policies for Selected Social Media Tools

The Department of Homeland Security has trained its employees not to collect personal data from individuals with whom they interact via social media tools such as widgets, mobile applications, text messages and Really Simple Syndication (RSS) feeds. Given the nature of such tools, some personal data — such as user ZIP codes — may be collected and displayed by the systems during sign-on or may be published in a public profile of the user. To protect privacy, DHS officials are not collecting or storing such personal information, says a 19-page report from the Office of the Chief Privacy Officer. The report gives an overview of DHS’s strategy for one-way social media communications, also including podcasts and video streams, in which it primarily pushes out messages to subscribers who request such services. [Source]

AU – Australian Government Bans Free Web-Based eMail Services for Employees

Government workers in Australia will no longer be able to use free web-based email services like Gmail and Hotmail. The government made the blanket decision following a report from Australia’s Federal Auditor-General recommending that “agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services.” For situations in which government employees require access to these services, the auditor recommended the use of single, stand-alone desktops. The ban will take effect on July 1, 2011. [Source] [Source]

US – U.S. Supreme Court Clarifies Informational Privacy In Security Clearance Context

In a widely-watched case that pitted privacy rights against national security issues, the U.S. Supreme Court has issued a narrow ruling allowing the federal government to ask employees about drug counseling, medical treatment, sexual matters and other personal information. On January 19, 2011, the nation’s highest court unanimously upheld the National Aeronautics and Space Administration’s background checks in a defeat for scientists, engineers and others who argued the in-depth investigations were too intrusive. (NASA v Nelson et al, No. 09-530). The Respondents in this case were longtime government contract employees at NASA’s Jet Propulsion Laboratory (JPL) in California. At the time the Respondents were hired by NASA, there was no policy in place that required government background checks on contract employees, but the Department of Commerce later mandated that all contract employees with long-term access to federal facilities would have to undergo a standard background check by October 2007. As a result, the JPL announced that employees who did not timely complete the new required background check would be denied access to the JPL and face termination. The background check at issue consists of a standard form (SF-85), which inquires into whether an employee has “used, possessed, supplied, or manufactured illegal drugs” within the last year. If a JPL employee answers in the affirmative, then he or she must provide details about any treatment or counseling received and then sign a release authorizing the government to obtain personal information from schools and employers, among others. Upon the completion of SF-85, the government mails a questionnaire (Form 42) to the employee’s references that asks open-ended questions about the honesty and trustworthiness of the employee. 
The constitutional right to “informational privacy” has only been discussed by the Supreme Court in two cases, and even there, the Court did not go so far as to acknowledge that there is such a right. In both cases, Whalen v. Roe and Nixon v. Administrator of General Services, the Court held that any concern about the violation of privacy rights was eliminated by existing legislation that provides sufficient protection against the dissemination of private information. Prior to the JPL deadline, Respondents filed suit seeking an injunction and claiming a violation of their constitutional right. The District Court held in favor of the government, but the Ninth Circuit Court of Appeals reversed, ruling in favor of the employees. In the Supreme Court, Justice Samuel Alito wrote a majority opinion that again refused to declare whether there is a constitutional right to informational privacy and opted instead to assume that, even if there were such a right, it would not prevent the government from asking the sort of questions included on SF-85 and Form 42. The government interest in obtaining background information for the sake of hiring a competent, reliable workforce was held to outweigh the privacy interests of the individual employee. The Court ruled that the questions at issue were reasonable, in light of the fact that millions of private employers use background checks in order to make hiring decisions, checks which include questions about drug use and treatment. Similar to its holdings in Whalen and Nixon, the Court concluded its decision by stating that the Privacy Act provides sufficient safeguards against the dissemination of any personal information revealed in the course of an employee background check. Had the Court issued an opinion in favor of the JPL employees, and acknowledged a constitutional right to informational privacy, it is likely that both the government and private job application process would have been tremendously affected. 
Employees and prospective employees who are asked to provide sensitive information in order to retain or gain clearance could have had the option of pursuing litigation if their refusal to respond to such inquiries resulted in a denial of access or employment. This narrow decision maintains the status quo and allows the government to continue with its standard background checks. [Source]

CA – Province Slammed for Secret Criminal Checks on Labour Inspectors

A branch of the Ontario government responsible for ensuring employers act fairly and obey the law has been criticized for infringing the privacy rights of its employees and violating a collective agreement. In a landmark decision, the Crown Employees Grievance Settlement Board found the labour ministry acted unreasonably by conducting secret criminal background checks on its inspectors. The Ontario Public Service Employees Union filed a grievance last year after a workplace health and safety inspector found out, via the ministry’s legal services branch, that his name had been run through the computerized Canadian Police Information Centre and registered a “hit.” The inspector hadn’t been told about the search beforehand or asked for his consent, but was questioned about the result. It involved an offence for which he’d been pardoned. “OPSEU was saying it is a fundamental right for employees to have privacy and you don’t give up privacy rights just because you choose to work for the Government of Ontario,” said Kate Hughes, a lawyer representing the union. “Your criminal or your disciplinary record are private to you.” [Source]

US – Bizarre Incident in a Manager’s Living Room

A manager whose outburst at his TV set was accidentally recorded by a co-worker’s voicemail says Verizon fired him for his comments, which included his beliefs on politics and health care. Richard D’Arpe, a manager for Verizon for 15 years, says he was at home and off duty when he made a work-related call to Christian Flete, a technician. He hung up and put the phone “somewhere in the vicinity of his pants pocket.” It was July 7, 2010. While watching a news documentary, D’Arpe says, he became upset and “began to yell at his television regarding politics, health care and his beliefs. These comments were not directed at anyone.” D’Arpe did not realize that his phone had accidentally redialed Flete, whose voicemail caught D’Arpe’s rant. D’Arpe says he “was completely unaware of the entire incident at this point in time.” But Flete, who is not a party to the complaint, filed an incident report with D’Arpe’s manager about the message, D’Arpe says. He adds that Flete forwarded the message to an undisclosed number of colleagues, who in turn continued forwarding the message to others. D’Arpe was confronted by his manager and an Equal Employment Opportunity agent the next day and was suspended. D’Arpe says he refused to attend a meeting to discuss his employment status: “As Mr. D’Arpe was well aware that a number of other employees received the voicemail, he feared for his own safety and decided not to attend this meeting.” He was fired on July 14, “for violation of the company code of conduct.” D’Arpe says that any violation of that code did not occur at work, nor was it directed at any Verizon employee. It “merely represented comments made in the privacy of his own home and outside of the workplace.” He seeks punitive damages for wrongful firing, negligence, defamation, and privacy invasion, and documents, including a copy of the voicemail recording. [Source]

US – Arizona County Employees Unhappy About Saliva Test

An Arizona county is trying to get reliable data on whether its employees are smokers by testing saliva, a move some workers are resisting. Maricopa County, which includes Phoenix and its suburbs, is not compelling employees to have their saliva tested, but those who do not, along with those who test positive for tobacco, will pay higher insurance premiums. Chris Bradley, who heads the county’s Business Strategies and Healthcare Program, said officials found that relying on employees to self-report that they or someone in their immediate family smokes produced data that appeared to be at odds with reality. Some employees who say they do not smoke are leery of handing over a saliva sample. They say they fear the county can gather other information and share it with other agencies. [Source]

+++
