16-31 April 2011


EU – EU Parliament Issues Report on Biometrics and Human Rights

The broad scope of biometrics and member states’ rapid deployment of the technology for multiple purposes (e.g. immigration control, crime fighting and access control) requires that member states immediately address any legal issues relating to biometrics and increases the need for clarity in the existing European legal framework (e.g. there is no generally accepted definition of “biometric data” and “second generation” biometrics such as heart rate measurements, brain activity patterns and pupil dilation cloud the general understanding of “personal data”); two of the biggest challenges are the risk of falsification (e.g. due to technical imperfections, lighting conditions, insufficient training of operators, bodily growth or change) and security issues (e.g. identity theft, unauthorised modification, tampering, improper disclosure). Primary concerns include unnecessary collection, collection without the data subject’s consent, and scope creep (e.g. the opening of databases that would allow government monitoring of individuals; biometric technology is capable of revealing a person’s racial origin, medical status (e.g. iris scans can reveal diseases unknown to the individual), or identity (e.g. gender change), which can impact job opportunities or insurance coverage. [Source: Council of Europe Parliamentary Assembly – Report of the Committee on Legal Affairs and Human Rights – The Need for a Global Consideration of the Human Rights Implications of Biometrics

EU – French CNIL Approves Fingerprint Use on Computers

This single authorisation for fingerprint readers on notebook or laptop workstations enables companies who use such readers (with the same categories of data and recipients) to indicate a commitment to comply with the authorisation, rather than seeking an individual permit from the CNIL before processing the biometric data. The template shall be exclusively stored on the computer notebook workstation owned by that user and whose content cannot be read without his knowledge (the fingerprint can only be used for access control, and not to control working time of the user). Technical requirements include only storing an encrypted template of the fingerprint that cannot be retraced to the original biometric (an image or photograph of the fingerprint cannot be stored), only allow enrolment on the user’s workstation, never allowing the template to flow over a network, and systematic erasing of the templates during notebook maintenance operations. Only persons in the computer security department can receive personal data in the course of their responsibilities (personal data is limited to user ID, password and template), and the fingerprint template can only be retained for the duration of time that the user is entitled to access his workstation (other data can be kept for a maximum of 5 years after the user’s departure). [Source: Commission Nationale de L’informatique et des Libertes – Single Authorisation No. AU-027 – Decision No. 2011-074 of 10 March 2011 Authorizing Unique Implementation of Biometric Devices Based on Recognition of Fingerprints

US – NY Mayor: Put Fingerprints on Social Security ID

Mayor Michael Bloomberg says he’s in favor of putting people’s fingerprints on Social Security cards. Bloomberg says such biometric identification cards would make it easier for employers to judge whether someone has legal permission to work in the U.S. He says it would reduce the supply of work to illegal immigrants, leading fewer to enter the country. Critics have said that such a system would raise cost and privacy concerns. Bloomberg was one of several politicians who discussed immigration issues this week with President Barack Obama. Bloomberg’s immigration reform group, the Partnership for a New American Economy, supports bringing more immigrant workers and entrepreneurs into the country. [Source: Wall Street Journal]


US – Recent Govt. Data Breaches Pose Privacy Risk

The Social Security Administration continued making public the full names and SSNs of tens of thousands of people three years after it first learned it was putting citizens’ privacy at risk, according to a new report by the agency’s inspector general. The information, which also included the ZIP codes and dates of birth of 63, 587 living people, was erroneously included in the agency’s Death Master File (DMF). Nevertheless, the agency continued selling the file to the public. The agency “continued to publish the DMF with the knowledge its contents included the PII of living numberholders,” the report found. The inspector general recommended that the SSA take additional precautions to limit such privacy breaches in the future, but “the agency disagreed with both recommendations,” according to the office’s report. The report does not mention what those recommendations were because the version made available to the public was merely a summary. The full version was given to authorized officials only. [Source]

Electronic Records 

US – HHS Told to Standardize Consent, Privacy in E-Health Record Exchanges

A group of healthcare CIOs have said the Health and Human Services (HHS) Department’s plan for health IT “doesn’t go far enough in standardizing the ways in which patient consent for release of personal health information would be managed.” The college of Healthcare Information Management Executives has submitted a letter asking for “greater uniformity in healthcare data privacy laws from state to state” and standards for healthcare privacy to apply nationally. HHS released its Federal Health IT Strategic Plan in March. It calls for meaningful use of e-health record systems. Meanwhile, two Maine legislators recently proposed a bill to make Maine’s electronic records system opt-in. [Source] See also: [Is health care security in intensive care?] [US – Chicagoland Hospitals Plan Big Health Information Exchange]


WW – Hiding Files on Hard Drives Without Encryption

Researchers have devised a method of hiding data on hard drives without using encryption. The technique allows a 20-megabyte message to be hidden on a 160-gigabyte hard drive. The technique involves storing clusters of the file to be hidden in places on the disk determined by a code, which would need to be known by the person receiving they disk. To an inspector, the disk would look like any other disk on which data have been stored and deleted in the course of regular use. The technique works as long as none of the files on the disk are modified before it reaches its destination. There are instances in which encryption is not desirable, because the extra data it creates are a giveaway that there’s something to be found. This could be the case when someone is trying to smuggle information out of a country with a repressive government. [Source]

EU Developments 

EU – German Lawmakers Say Data Retention Directive May Be Illegal

The German Parliament said that the European Commission’s controversial Data Retention Directive may be illegal. The directive requires European communications service providers to retain data for up to two years identifying the source, destination, date, time and duration of communications, along with the equipment used, and, for mobile telephony, the location of the equipment. The directive applies to phone calls and e-mail or text messages, although not their contents. A report from the Bundestag’s Working Group on data retention said that it would be impossible to rephrase the directive to make it compatible with the E.U. Charter of Fundamental Rights. The legal experts said that the law is disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly. “This marginal increase in the clearance rate by 0.006 percent could raise doubts about whether the provisions in their current form would stand their ground under a proportionality review,” said the report. European Data Protection Supervisor Peter Hustinx has described the directive, introduced in 2006, as “the most privacy invasive instrument ever adopted by the European Union.” “The principle of proportionality is binding on any state governed by the rule of law,” added Kai-Uwe Steffens of the Bundestag’s Working Group. “Therefore the Federal Republic of Germany must work towards outlawing data retention within the E.U.” “The E.U. must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population’s communications records with an instrument for preserving the data of suspects,” said Uli Breuer of the Bundestag’s Working Group. Later this year, the European Court of Justice (ECJ) will rule on the constitutionality of the principle of data retention, after a referral from the Irish High Court. [Source

EU – European Commission Issues Evaluation Report on the Data Retention Directive

The Data Retention Directive obliges Member States to adopt measures to ensure that data is retained and available for the purpose of investigating, detecting and prosecuting serious crime (as defined by each Member State in its national law) however, variations have emerged (e.g. Bulgaria and Estonia have defined “serious crimes” and other Member states e.g., Belgium and Denmark require data to be retained in relation to all criminal offences), it also specifies the categories of data to be retained (namely data necessary for identifying with respect to communication source, destination, date, time and duration, type, user’s equipment and location of mobile equipment) – twenty-one Member States provide for the retention of each of these categories of data in their transposing legislation (Belgium has not provided for the types of telephony data to be retained, does not have any provision for internet-related data) and the Directive requires that the categories of data must be retained for at least six months and not more than two years, but there is no consistent approach across the EU, e.g., fifteen jurisdictions specify a single period (e.g., Poland – 2 years, Latvia 1.5 years) and three specify six months (e.g. Bulgaria, Denmark, Estonia and Greece). The Romanian, German Federal Czech Constitutional Court annulled the laws transposing the Directive into their respective jurisdictions on the basis that they were unconstitutional (the Romania Court found the transposing law to be ambiguous in its scope and purpose, the German Federal Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights and the Czech Court held that the purpose limitation was insufficiently narrow given the scale and scope of the data retention requirement). The Article 29 Working Party criticizes data logging, periods of retention, the types of data retained and data security measures and the European Data Protection Supervisor has called on the EU to adopt a comprehensive legislative framework which regulates how Member States use the data for law enforcement purposes. A revision of the current data retention framework will be proposed and a number of options will be devised in consultation with law enforcement, the judiciary, industry and consumer groups, data protection authorities and civil society organisations. [Source

EU – Dutch Data Protection Watchdog Criticizes Google Over Wifi Info Collection

The Dutch data protection watchdog criticized Google for collecting data on private wireless networks, ordering it to contact 3.6 million Dutch WiFi owners and offer them a way to have their data deleted. The Dutch Data Protection Agency (DPA) slammed Google’s Street View service for collecting personal data from unencrypted WiFi networks, a practice Google has halted and apologized for. Peter Fleischer, Google’s Global Privacy Counsel, said in a statement that the company never inspected or used the data. But the bureau said Google’s current use of WiFi locations still amounts to gathering personal information. Google spokesman Mark Jansen denied that, saying that it can’t identify people from their WiFi alone. Jansen said Google was studying the Dutch decision. The company has three months to comply, appeal or face escalating fines. Last month, France’s privacy watchdog fined Google €100,000 ($143,000) for improperly gathering and storing data for its Street View application, which allows Internet users to virtually tour locations on a map at ground level. More than 30 countries have complained about such data-gathering by Google Inc. [Source] [Available in Dutch

EU – Article 29 WP Issues Opinion on Smart Metering

Directive 95/46/EC applies to personal data (“PD”) in a smart meter (e.g. the device enables an individual to be singled out from other consumers, information collected is used to make a decision, other than for billing purposes, affecting the individual, and achieving an objective of reducing energy consumption is dependent on the collection of large amounts of information about consumers’ behaviour); the numerous organisations involved in the processing of smart meter PD (e.g. energy suppliers and network operators, regulatory bodies, third party service providers and communications providers) can all, under certain circumstances, be defined as a data controller (e.g. when a regulatory body has access to data for policy setting and research purposes). Privacy by design must be utilized in terms of security measures (e.g. prevention of unauthorised disclosures or modification of PD and effective authentication of recipients), and minimising the amount of PD processed (e.g. through filtering or removal). Consent as a legitimate ground for data controllers’ PD processing is valid only when it is based on an informed decision by the data subject, and must be revocable; consumers could be allowed to make their own decisions regarding retention of PD (e.g. holding data on the meter itself or gateway device and being provided with “housekeeping” reminders). Consumers must be advised of the nature of smart meter operations and their privacy rights (e.g. one meter currently being tested does not have a display sufficient to be used for a subject access request as it will neither allow the customer to access the information already transmitted by the meter nor display the load graph stored inside the meter). [Source: Working Paper 183

EU – Article 29 WP Opines on EU Data Breach Framework and Future Policy Dev’ts

The Article 29 Working Party (“WP29”) provides recommendations for consideration in the area of data breach notification; it supports the introduction of a provision in the General Directive that extends personal data breach notification obligations to all data controllers (currently, the ePrivacy Directive only obligates providers of electronic communication services to provide such breach notification) and the European Commission should rely on the same core elements as in the ePrivacy Directive (it would be counterproductive to apply different ones to data controllers other than providers of electronic communication services, and the rules contained in the ePrivacy Directive reflect the views of the different stakeholders and represent a balance of interests). The WP29 notes that a harmonized framework should take into consideration experience being gained by national authorities already experimenting with personal data breaches; the Commission should, as soon as possible, conduct a survey of early practices that are being developed by competent authorities and propose implementing measures based on collected feedback (late intervention would increase risk of establishing permanent diverging approaches by Member States), standardize the circumstances under which a personal data breach should be notified, set forth the procedure to follow in case of a data breach (e.g. more concrete deadlines for notification of the breach to the authorities and concrete procedural steps, which could include a requirement to enlist forensic investigators in order to ascertain the facts and circumstances surrounding the breach), develop a standard EU format to be used when notifying (notifications to competent authorities should include, at the least, a description of the breach, effects of the breach and measures taken/proposed) and determine allowed modalities for serving notices to individuals (will notifications be permitted by means of email, telephone notification, newspapers etc.). The rules should allow space for the judgement of competent authorities in the light of the circumstances of each case; they should provide guidance as to the technological protection measures which, if applied and depending how they were applied, would create an exemption from notification. [Source: Working Paper 184

EU – Member States React to Commission Data Retention Ruling

MEPs are opposing the European Commission on its recent ruling against five member states that have not adequately adopted the Data Retention Directive of 2006. Under the current legislation, countries can retain “swathes” of telecommunications data for a period of six months to two years. MEPs from Germany, Austria and Sweden–all of which face fines—are pushing for shortened data retention periods, or “quick freezes,” and more targeted searches. Constitutional courts in the Czech Republic and Romania declared the directive violates Article 8 of the European Convention of Human Rights. One MEP from Germany explained, “There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties.” [Source

EU – Interactive Advertising Bureau Issues Self-Regulation for Online Behavioural Ads

A self-regulatory online behavioural advertising (“OBA”) framework for Europe provides a set of 7 principles and use of a behavioural ad icon; principles include notice (e.g. for third parties and web site operators) to consumers regarding data collection and use practices for OBA, user choice (e.g. explicit consent must be obtained for data used for OBA that is collected and used via specific technologies that harvest data from URLs traversed by a particular computer across multiple web domains), data storage (e.g. retain data only for as long as necessary for business needs or as required by law), and sensitive segmentation (e.g. do not create data segments for OBA that target children); signatory companies (including Yahoo!, Google and Microsoft) and associations must comply with the framework by June 30, 2012, which includes provisions for an icon to be placed in or around an ad targeted using behavioural data and an opt-out mechanism for consumers. Members subject to the user choice over OBA principle must submit to independent audits of their self-certification to demonstrate their framework compliance (e.g. they must publish decisions of un-rectified non-compliance and findings of good compliance); consumer complaints handling programmes under the framework must be easily accessible and available in consumers’ local language. [Source] [Source] [FAQ and Framework] See also: [Submission on the Comprehensive Strategy on Data Protection in the European Union – Federation of European Direct and Interactive Marketing

EU – EU and U.S. Differ on Passenger Data Sharing

Bloomberg reports on the differing views between the EU and U.S. on the collection of air passenger data. “The U.S. wants to collect data on anyone suspected of crimes carrying sentences of more than a year,” while the “EU wants data to be handed over only in individual cases related to fighting terrorism and organized crime,” the report states. The amount of time data can be stored should be restricted, the EU says, as should third-party access. However, the U.S. wants the data stored for 15 to 20 years. The U.S. will have to enter agreements with individual member states if an agreement with the EU cannot be reached. [Source]

Facts & Stats 

US – Verizon 2011 Data Breach Investigations Report

According to Verizon’s 2011 Data Breach Investigations Report, the number of data breaches resulting from cyber attacks increased, but the total number of compromised records from breaches decreased. The number of records compromised in breaches dropped precipitously over the last two years from 361 million in 2008 to 144 million in 2009 down to just 3.8 million last year. The number of breaches in which these records were compromised, however, rose from just 141 in 2009 to 760 last year. One explanation for the apparent contradiction is that there have been fewer large breaches and more attacks on smaller companies. 92% of the attacks were launched by outsiders, an increase of 22% over statistic in last year’s report. The report notes a shift toward attacks on smaller companies that “haven’t taken basic security considerations into account,” according to Verizon. Also, the attackers appear to be stealing less information, perhaps in an effort to avoid attention. Physical attacks, like ATM and gas pump skimmers, made the top three methods of data theft for the first time. [Source] [Source] [Source] [Report

WW – IT Study Reveals Same Challenges, Accelerated Pace

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA’s guidance and practice committee, notes that this year’s survey shows a need to better align “business with IT to unlock greater value,” adding that there’s a perception on the business side of organizations that “IT is managed in a silo.” [Source

US – Despite Breaches, Consumers Dish Out Data

Consumers continue to share their personal information with online retailers and social networks despite the frequency and size of breaches involving sensitive data, reports the Associated Press. Jim Dempsey of the Center for Democracy and Technology says that, as consumers, we are “schizophrenic” about technology in that, “We love it, we use it…we’ve woven it into our daily lives professionally, socially and personally. But we don’t really trust it, and we get upset when our data is lost or stolen.” According to the Privacy Rights Clearinghouse, more than half a billion records have been exposed in the past six years, the report states. [Source] [NYT Blog

UK – Numbers Show Many Data Breaches, Few Fines

Of the 2,565 data breaches identified by the Information Commissioner’s Office (ICO) since April 2010, “only 36 have resulted in a punishment–and only four have resulted in financial penalties,” according to The Guardian. An ICO spokesman said getting organizations to comply with the Data Protection Act “isn’t always best achieved by issuing organizations or businesses with monetary penalties.” Just this week, the ICO announced breaches at Norwich City College and NHS Birmingham East and North. A Christchurch nurse was also found guilty of misconduct for inappropriate access of medical records. The ICO’s acting head of enforcement said, “organizations have a legal responsibility to abide by the principles of the DPA.” [Source

EU – Kids Not Using Privacy Settings

Many children using social networking sites don’t employ privacy settings, making them vulnerable to stalkers and other risks, according to EU Commissioner for the Digital Agenda Neelie Kroes. EU data shows 77% of 13 to 16 year olds and 38% of nine to 12 year olds are on social networks, but 25% don’t use privacy settings, and many display phone numbers and addresses. “These children are placing themselves in harm’s way, vulnerable to stalkers and groomers,” Kroes said. She is urging social networking sites to make minors’ profiles accessible only to designated “friends” by default. [Source]


WW – Poll: 67 Percent of PCI-Regulated Companies Not Compliant

In a survey conducted by the Ponemon Institute, 67% of PCI-regulated companies lack full compliance with the standard; 50% of security professionals view PCI as a burden, and 59% do not believe it helps with security. The survey also found an increase in the number of data breaches since 2009, with non-PCI compliant companies experiencing more data breaches than PCI-compliant ones. The study found little connection between PCI-related expenditures and compliance levels. Imperva’s director of security strategy noted, “In a somewhat counterintuitive manner, those organizations (that) suffered no breaches are not necessarily those who spent the biggest budget.” [Source

CA – Software Glitch Kills Electronic Stubs for Federal Workers’ Paycheques

A mysterious security breach has shut down the federal government’s online pay system, affecting some 320,000 public servants. The system was pulled offline for “urgent” repairs on April 4 after officials discovered the privacy of eight account-holders had been breached. Pay is still being deposited as scheduled in employees’ bank accounts. But electronic paystubs with information about basic salary, overtime, bonuses, reimbursement of travel expenses and other key data has been unavailable for more than two weeks. The glitch affects virtually every federal department, from Health Canada to Public Works itself, which operates the self-serve online system for all government employees. A spokesman said it’s still not known when the problem will be rectified. Last spring, Auditor General Sheila Fraser reported that Public Works had completed an internal risk assessment that found the department’s pay and pension systems “were close to imminent collapse, and compensation specialists were leaving as a result.” Fraser noted the department had begun a project to modernize its systems, though she did not audit them. On the other hand, Public Works last year completed a so-called privacy impact assessment on its online paystub service that found it was at low risk of breaching workers’ privacy. The assessment was approved by the privacy commissioner’s office. [Source]


CA – IPC ON Issues Fact Sheet on Applying PHIPA and FIPPA/MFIPPA to PHI

Certain provisions within the Freedom of Information and Protection of Privacy Act (“FIPPA”) and its municipal counterpart, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), apply to personal health information (“PHI”) in the control of an organization defined as both a health information custodian (“HIC”) under the Personal Health Information Protection Act (“PHIPA”) and as an institution under FIPPA or MFIPPA (e.g. hospitals); the head of an institution is required to disclose any record if there are reasonable grounds to believe it is in the public interest to do so (e.g. that present a grave environmental, health or safety hazard to the public). FIPPA and MFIPPA contain provisions for permitted disclosures (e.g. to aid a law enforcement investigation), mandatory exemptions from disclosure (e.g. cabinet records, confidential information from other governments, or a trade secret), and discretionary exemptions from disclosure (e.g. where a disclosure could prejudice the conduct of intergovernmental relations or the defence of Canada or an ally). PHIPA does not limit a person’s right of access to PHI under FIPPA or MFIPPA if all PHI is reasonably severed from the record; there are provisions within FIPPA and MFIPPA that permit a HIC to refuse access to a record (e.g. where records could interfere with a law enforcement matter, prejudice the economic interests of an institution, or are subject to solicitor-client privilege). [Source]

Health / Medical 

CA – Don’t Shred Documents, McGuinty Tells Hospitals

Hospitals should ignore a major law firm’s advice to “cleanse” sensitive documents from their files to prevent the emergence of spending scandals like the one at eHealth Ontario, Premier Dalton McGuinty says. The advice from Osler, Hoskin & Harcourt LLP was aimed at keeping hospitals out of trouble starting in January, when they become subject to freedom-of-information laws, but it ended up causing more problems for McGuinty’s Liberal government as it prepares for the Oct. 6 provincial election. The memo from the law firm went out Oct. 22 but after media reports exposed it this week, the Ontario Hospital Association issued a cautionary note to its members. “The first principle for the OHA — and for the law firms that are actually assisting us in preparing hospitals for FOIPPA (Freedom of Information and Protection of Privacy Act) — is that the spirit and the letter of FOIPPA must be adhered to at all times, period,” it said. “To do otherwise would undermine public confidence in hospitals and our health-care system.” In its controversial four-page memo, the law firm said hospitals face “significant reputational risks” from freedom-of-information law, specifically mentioning the eHealth example and advising hospitals to consider “cleansing existing files on or before Dec. 31, 2011, subject to legislative record-keeping requirements.” The memo also warned that hospital staff should be aware their expenses, procurement of supplies and services, decision-making and emails will be subject to freedom-of-information requests in the new year. Health Minister Deb Matthews said any inappropriate shredding would be “completely unacceptable.” [Source

EU – Swedish DPA Says Hospital Data-Sharing Unlawful

Sweden’s data protection authority has ruled that a hospital’s failure to provide patients with the choice to opt out of the sharing of their medical and other data via an electronic health records system violated the law. The Data Inspection Board ruled April 18 that the sharing of patient records requires consent by the Patient Data Law, and Stockholm’s Karolinska University Hospital’s method of consent did not meet those requirements. The hospital belongs to a data-sharing network that allows database access to both public- and private-sector healthcare providers. (Article in Swedish). 

US – Breach List Grows, Encryption is Key

The Office for Civil Rights’ (OCR) list of major healthcare breaches—those affecting at least 500 individuals—h s grown to 265 incidents affecting 10.8 million. In the past month, 16 breaches were added to the list, including the Health Net and Eisenhower Medical Center incidents that totaled 1.9 million and 514,000 individuals, respectively. The report suggests these cases have highlighted the need for encryption, which one security expert calls “the single best way to protect sensitive data.” Under HITECH, healthcare facilities with major breaches are required to report them to the OCR within 60 days; however, breaches of data encrypted “using a specific standard” do not need to be reported, the report states. [Source]

Horror Stories 

WW – Reports: 77 Million PlayStation Network Accounts Compromised

According to Sony, hackers obtained users’ names, addresses, e-mail addresses birthdates, and account login and password, and may have also taken users’ security questions and answers. If you set up a sub-account for your child, that information may also be in hackers’ hands. Reuters and other news outlets are reporting that in all, as many as 77 million accounts may have been hacked, based on the number of PSN accounts. Sony also states, “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.” For the time being, Sony has temporarily disabled its PlayStation Network and Qriocity services so it can analyze these services for other security issues. Sony is advising its customers to watch for e-mail and postal mail scams orchestrated by data thieves, and to stay on the lookout for anything suspicious on your credit report or financial account statements. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Sony Executives ‘Deeply Apologize’ for Security Breach] [Sony Breach Ignites Phishing Fears / Are Consumers Suffering ‘Breach Fatigue?] [CA – Privacy Commissioner’s office looking into Sony PlayStation hack] [Change passwords, advises Alberta privacy commissioner]

Identity Issues 

US – US Proposes Online Identities for Americans

The US Government has published plans to create digital identities for Americans. The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that multiple accounts brings to businesses and consumers, the strategy said. Under the new plans users will be able to register for access to a network of government and businesses providing data and ways to pay for things online. The Government has called this the Identity Ecosystem, the National Strategy for Trusted Identities in Cyberspace (NSTIC) said. Users could pay taxes and phone bills by entering only minimal information about themselves in the Ecosystem, such as purely their age, the NSTIC document said. “The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace,” the NSTIC document said. The Ecosystem will improve privacy protection and efficiency it said. ‘Trustmarks’ will be used to help users identify organisations that have met security standards, it said. The US Government said that it was up to the private sector to develop technologies that make online identities secure and easy to use, safeguard transactions, and protect anonymity, but said that there are incentives for the industry to produce such a system. The Ecosystem benefits will also extend to individuals because the current process is bureaucratic, the NSTIC strategy said. Although the system proposed is voluntary, there is concern that some Government departments will adopt it, effectively forcing Americans to create a profile. The US Government is planning to host workshops to discuss the proposals with industry and the public between June and September to try to finalise details for NSTIC. [Source]

Internet / WWW 

WW – In Reversal, Yahoo Will Store User Search Data Longer

In a move that is unlikely to win it any new friends in the privacy community, Yahoo has announced that it will retain consumer search data for a substantially longer period of time than it does today. Starting sometime in mid-July, Yahoo will hold raw search log file data, including IP addresses, cookies and search-related information, for up to 18 months. It currently retains such data for 90 days. Yahoo’s chief trust officer, Anne Toth, said in a blog post that the change was designed to give consumers a more robust and personalized search experience while also bringing Yahoo into closer alignment with industry-wide data retention norms. Toth’s announcement marks an abrupt reversal of Yahoo’s current data retention policy which it put in place in 2008. Under its current policy, Yahoo stores most log file data for just 90 days, though in some cases the company holds raw data for as long as six months for what it calls fraud and security purposes, and to comply with legal requirements. In contrast, Google stores search data for nine months, while Microsoft retains it for six months. [Source

EU – Internet ‘Right to Be Forgotten’ Debate Hits Spain

In a case that Google Inc. and privacy experts call a first of its kind, Spain’s Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches. Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court. A final decision on Spain’s case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online. “This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.” [Source] See also: [Foggy Thinking About the Right to Oblivion – Peter Fleischer

UK – More than Half Would ‘Delete Everything Ever Posted About Themselves Online’

More than half of British adults are so concerned about their online reputation they would erase everything they have ever posted on the Internet about themselves, a survey revealed. A staggering 35% believe they could never consider a career in politics due to damaging personal material online. And nearly a quarter of people admit to having posted a photo or personal information that they wouldn’t want an employer to see, according to a study by security firm Norton. Researchers questioned 1,004 people aged 18 and over about the amount of their personal information that is publicly available online and how it could affect them personally. The study reveals a sense of unease among Britons about their online reputation, with over 50% saying they would gladly hit the ‘reset’ button to delete all information about them online. Some 40% admitted to not actively protecting their reputation and personal information on the Internet. Of these, 59% ‘never thought it was an issue’, while 20% wouldn’t know where to start. [Source

WW – Amazon Provides Details About Cloud Outage

Amazon has apologized for the outage experienced in portions of its cloud services platform and has released a statement offering more detail about the cause of the incident. The problem arose because of a configuration error that was made during a network upgrade. The error caused traffic that should have been directed to a primary network to be routed to a lower-capacity network. Amazon also detailed steps it is taking to prevent a recurrence. [Source] [Source] [Source] [ Some Customer Data Permanently Destroyed in Amazon Cloud Crash | Report

WW – Web Standards Group to Discuss Do Not Track

The Web standards organization, World Wide Web Consortium (W3C), met this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports Media Post. Discussion topics included definitions for do not track and the mechanism’s operational feasibility. Nearly 60 position papers have been submitted by Web companies, academics and others prior to the conference. W3C Co-chair Lorrie Cranor added that the group “has not yet formally taken on the task of formalizing do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there’s a role for them and, if so, what direction to go in.” [Source]

Law Enforcement 

US – ACLU Seeks Documents Regarding Police Use of Data Extraction Devices

When the American Civil Liberties Union (ACLU) made a Freedom of Information Act (FOIA) request for documents containing information to help them determine if Michigan State Police were violating Fourth Amendment rights, they were told it would cost more than half a million dollars. The issue centers on the use of a data extraction device used by police. The device is capable of scraping data from phones in less than two minutes. The ACLU of Michigan is trying to determine whether police violated people’s Fourth Amendment rights by taking those data without search warrants. The Michigan State Police has issued a statement regarding allegations of their abuse of data extraction devices. The statement says there have been no allegations of wrongdoing and that “the [Michigan State Police] only uses the [devices] if a search warrant is obtained or if the person possessing the mobile device gives consent, … [and they] are not being used to extract citizens’ personal information during routine traffic stops.” [Source] [Source

US – Federal Authorities Access Facebook Accounts

Stltoday.com reports that federal investigators in Detroit, MI, obtained search warrants allowing them access to the Facebook accounts of suspected criminals. Investigators were able to view photographs, e-mail addresses, phone numbers, lists of friends and GPS locations to disprove alibis. The practice raises many privacy concerns, including whether information gleaned from social media sites can be authenticated. In addition to Michigan, search warrants for Facebook accounts have been requested in an additional eight U.S. states. Facebook representative Andrew Noyes added, “We never turn over ‘content’ records in response to U.S. legal process unless that process is a search warrant reviewed by a judge.” [Source]


WW – Your iPhone 4 and iPad 3G Are Recording All of Your Movements

Your iPhone 4 or your iPad 3G are recording all of your movements and storing the information in easy-to-access files, two British scientists reveal. Alasdair Allan and Pete Warden stumbled upon the unencrypted data buried inside their iPhones while working on another project. “All iPhones appear to log your location to a file called ‘consolidated. db,” Allan explained in a video he and Warden prepared to answer questions about the discovery. “This contains latitude and longitude coordinated along with a time-stamp. The coordinates aren’t always exact, but they are pretty detailed.” The tracker is embedded inside Apple Inc.’s newest iPhone, the iOS 4, and on the iPad 3G. The data are stored in your devices, as well as on automatic backups when you synchronize them with iTunes. “Apple have (sic) made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movement,” Allan and Warden explained. The good news, said Allan, is that it appears the detailed trail only exists on the owner’s devices and is not stored by Apple. The bad news is that it would be easy to crack the code and recover all the data if an iPhone were lost or compromised. [Source] See also: in 2009, Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his GPS phone data and then folks created a graphic showing his travels

WW – Apple Responds to iPhone Tracking, Privacy Concerns

Apple says it is collecting “anonymous traffic data” for location-based services, not tracking iPhone owners. The company adds it will update the software to log only seven days worth of data, rather than several months. Apple has responded to the revelation that its iPhone and iPad products track their users’ movements across mobile phone networks and WiFi networks around the globe. Two British researchers last week described at a tech conference in California how this tracking data was being stored in an unencrypted file on the phone itself. They also wrote a data visualization program so that any iPhone owner could diagram their data on to an easy-to-understand map. In a statement published to Apple’s website, the company said users were “confused” about what exactly the company was doing with this data. “Apple is not tracking the location of your iPhone,” the statement went on to say the location data that the British pair found was not the precise location of the iPhone itself, “but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone.” The company also explained that it is “collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.” The statement also said the anonymous data it did have was used to help the phone find its location in regions where weak GPS signals could make the process take minutes rather than seconds. By using a log of WiFi networks and cell tower data, Apple noted that it could reduce this location time to “just a few seconds.” However, the US company called the months or years worth of data stored on each phone a “bug we uncovered,” and said that following a software update to be released in the coming weeks, the iPhone and iPad would only store seven days worth of such data and that this data would be encrypted. Requests for comment from the office of Peter Schaar, Germany’s federal data protection commissioner, and CNIL, the French national data protection authority, as well as to the Italian data protection authority, have so far gone unanswered. [Source] See also: [Smartphone privacy threats no surprise to security experts

WW – Apple Filed Patent Application for Tracking Technology

In 2009, Apple filed a patent application for technology to track users through smartphones. Apple has recently been the focus of attention because it was found that iPhones were tracking and storing user location data. Apple had said that it was not tracking users and that a bug was to blame for the retained data. The September 2009 patent application refers to “Location Histories for Location Aware Devices.” [Source] [Source

WW – TomTom Sorry for Giving Customer Driving Data to Cops

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists. The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data. On Wednesday, Europe’s biggest satnav device maker apologized, saying it sold the data believing it would improve traffic safety and reduce bottlenecks. TomTom has said that any information it shares has been anonymized, but customers shouldn’t take such assurances at face value. [Source] See also: [Google Tracks You Too, Internal E-mails Show

US – DOJ Wants Warrantless GPS Tracking Authority

The Justice Department wants the US Supreme Court to overturn an August 2010 lower court ruling that reversed the conviction and sentence of a drug dealer whose vehicle was tracked for a month through GPS without a warrant. DOJ wants the authority to place GPS tracking devices on suspects’ cars without warrants. Three other circuit courts of appeals have said that law enforcement authorities do not need warrants to use the devices, which have become more prevalent in investigations. A 1983 Supreme Court decision allowed the use of a tracking beacon placed on a container without a warrant. The circuit court that overturned the drug dealer’s conviction said that the difference in the cases is that the 1983 case involved tracking someone from one place to another, while the GPS devices provide continuous monitoring and noted that it “illustrates how the sequence of a person’s movements may reveal more that the individual movements of which it is composed.” [Source]

US – Most Mobile Apps Lack Privacy Policies: Study

TRUSTe’s survey of 1,000 smartphone users indicates privacy is a primary concern. The results indicate users are concerned about privacy and want more transparency and control over the collection and use of their personal information as well as choices about advertising and geolocation tracking. “This survey makes it crystal clear that privacy concerns are a huge stumbling block to consumer usage of applications and websites on smartphones,” said TRUSTe President and Executive Chair Fran Maier. Behavioral targeting was also cited as a key concern by respondents, with 85% wanting the chance to opt out of targeted ads. [Source] [Study]


NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source] [Survey: International Disclosures and Overseas Information and Communication Technologies] [Media Release]

Online Privacy 

US – Congressmen Call for Mobile App Privacy Codes

House Bi-Partisan Privacy Caucus Co-Chairmen Edward Markey (D-MA) and Joe Barton (R-TX) have released the responses they’ve received from the nation’s four largest wireless carriers following their requests for information about how the companies collect, store and share customers’ PII. The Wall Street Journal reports that AT&T, Verizon Wireless, Sprint Nextel and T-Mobile have all responded that they seek subscribers’ consent for use of personal data, but “they can’t control how applications developed by third parties use location information that the carriers don’t provide.” Mobile device applications “shouldn’t have free reign over your location data and personally identifiable information. I believe it is time we hold third-party developers accountable,” Barton said. [Source] [Source

WW – Friendster to Erase Early Posts and Old Photos

Long before there was a Facebook, or even a MySpace, there was Friendster, a Web site that gave many people their first taste of the socially networked world to come. Friendster, which started in 2003, has long been eclipsed by younger, more nimble rivals, turning into something of a ghost town. But its current owners told users of plans to change its business strategy – and to wipe out the site’s trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements, known as “testimonials.” That set off a wave of nostalgia among Friendster members, even though most had stopped visiting the site long ago. [The New York Times] See also: [US: Hacked Facebook accounts, stolen photos posted on Sex Sites

US – Suit Seeks Class-Action Status

The Wall Street Journal reports on a lawsuit filed against the social network Myspace that alleges the company violated federal privacy law and its own privacy policy. The suit seeks class-action status. The plaintiffs allege that the company shares users’ personally identifiable information with advertisers despite a statement to the contrary in its privacy policy. The plaintiffs are seeking “$1,000 per person affected” in addition to other unspecified damages. [Source

US – Judge Says PII Loss Sufficient for Suit

A federal judge has allowed a lawsuit filed against a social media application developer for exposing 32 million users’ personally identifiable information (PII). Judge Phyllis Hamilton has allowed four causes of action by RockYou user Alan Claridge in U.S. District Court in the Northern District of California. RockYou wanted the case dismissed, alleging Claridge suffered no harm when his e-mail address and password were exposed. But the judge said that the “plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his personally identifiable information has caused him to lose some ascertainable but unidentified value and/or property right inherent in the PII.” [Source

UK – UK Law Will Require Consent

The United Kingdom’s final plan to implement the amended EU e-Privacy Directive (2009/136/EC) does not deviate from the directive’s requirement that effective consent be obtained from online users in order to place most cookies on their computers, according to the Department for Culture, Media and Sport report released last week. The plan does not use the phrase “opt-in consent,” but it is clear from the rules that it would amend the country’s Privacy in Electronic Communications Regulations to require that such consent be obtained from users. “Organizations running Web sites will need the user’s permission before a cookie can be used,” said Culture Minister Ed Vaizey. [Report]

Other Jurisdictions 

JP – Japan May Hold Individual Employees Liable for Violations of Data Protection Law

As part of an effort to increase penalties for violations of the country’s Personal Information Protection Act, officials in Japan plan to extend liability under that law to individual employees, according to recent reports in The Yomiuri Shimbun and The Japan Times. Currently, a company that violates the law may be fined or ordered to take remedial steps, and the company head may be imprisoned. The law revision would come as part of changes to the legal framework accompanying a proposed national identification number system. [Source]

Privacy (US) 

US – Committee to Hold Hearing on Mobile Phones

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has announced the committee will hold a hearing in May on mobile phone privacy, following announcements that certain smartphones have stored and shared users’ location data, The Hill reports. The announcement comes amid calls for investigations and hearings on such privacy concerns and the filing of lawsuits prompted by reports of mobile device tracking. Rockefeller has called the recent incidents “just the latest in a string of concerns raised in the mobile marketplace,” since it “collects and uses a wide range of personal information–often with inadequate or untimely disclosure.” [Source

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [Source]


US – Unprotected Wi-Fi Network Bring False Accusations of Illegal Activity

A Buffalo, New York man found himself the object of a home raid by federal agents who accused him of downloading child pornography over his wireless network. Only after taking a desktop computer, iPads and iPhones from the home and examining them over a few days did federal agents clear the man of suspicion and pin the crime on a neighbor who had accessed the unprotected Wi-Fi network. The story is not unique; a similar incident occurred in Florida. The stories drive home the importance of home users securing their wireless routers. [Source] [Source] A poll conducted for the Wi-Fi Alliance, the industry group that promotes wireless technology standards, found that among 1,054 Americans age 18 and older, 32% acknowledged trying to access a Wi-Fi network that wasn’t theirs. An estimated 201 million households worldwide use Wi-Fi networks, according to the alliance. The same study, conducted by Wakefield Research, found that 40% said they would be more likely to trust someone with their house key than with their Wi-Fi network password. In Germany, the country’s top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party. The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file sharing network. The user was on vacation when the song was downloaded. [Source

Google Wi-Fi Judge Asks if Packet Sniffing is Spying

The question of whether Google is liable for damages for secretly intercepting data on open Wi-Fi routers across the U.S. is boiling down to the definition of a “radio communication.” That appears to be the legal theory embraced by the Silicon Valley federal judge presiding over nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open Wi-Fi networks from its Street View mapping cars. The cars had been equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But those cars were also capturing the contents of internet packets that were sent over unencrypted Wi-Fi as they drove by, something the company said was an accidental leftover from testing. At the center of the legal flap is whether Google breached the Wiretap Act. The answer is important not only to Google, but to the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business trying to cull customers. Google said it is not illegal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Plaintiffs’ lawyers representing millions of Americans whose internet traffic was sniffed by Google think otherwise, and are seeking unspecified damages. Judge Ware, however, suggested the answer to the far-reaching privacy dilemma lies in an unanswered question. He has asked each side to define “radio communication” as it applies to the Wiretap Act, and wants to know whether home Wi-Fi networks are “radio communications” under the Wiretap Act. In response, Google wrote last week that open Wi-Fi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands — and are “readily accessible” to the general public. Indeed, packet-sniffing software, such as Wireshark and Firesheep, is easily available online. Hence, because unencrypted Wi-Fi signals travel over the radio spectrum, they are not covered by the Wiretap Act, Google responded. “There can be no doubt that the transfer of any sign, signal, writing, images, sound, data, or intelligence of any nature transmitted over the radio spectrum constitutes a ‘radio communication.’ Indeed, there is nothing in the text or legislative history of the Wiretap Act that would exclude any transmission sent over the radio spectrum from the definition of ‘radio communication,’” Google wrote. The plaintiffs’ lawyers countered that the communications in question started on a computer and only briefly were relayed on radio waves “across the living room from the recipient’s router to her laptop.” “The fact that either the first or final few feet of the electronic communication may have gone via wireless transmission [‘Wi-Fi’] does not transform the communication into a ‘radio communication’ broadcast similar to an AM/FM radio or a CB.,” plaintiffs’ lawyer Elizabeth Cabraser wrote. “Nor is there anything in the statute to define ‘radio communications’ as synonymous with anything sent on a radio wave, however briefly and without regard to the entirety of the communication system at use.” Both sides agree, however, that it’s illegal to listen in on cordless phones. [Source]


EU – Austrian Lower House Passes Data Retention Bill

The lower house of the Austrian parliament has passed a measure endorsing the storage of private phone call and e-mail data, and the upper house is expected to soon pass it into law. Data will be stored for six months under the measure, which the European Commission adopted in 2006. The information will be available to investigators and public prosecutors in criminal procedures. A spokesman for an Austrian organization that opposes data retention said he’s “very concerned” and that the “risk is that the data retained will not only be used for finding terrorists…but will be used against normal people.” [Source]

Telecom / TV 

US – Wireless Carriers Reveal Location Privacy Policies

The nation’s top wireless carriers say they all collect personal information, including location data, about subscribers and use much of that information to tailor marketing pitches for more services. In letters responding to lawmakers’ questions, they described varied policies on protecting data and how long they retain location and other sensitive information such as a user’s name, SSN, and address. The queries to the carriers by Reps. Edward Markey (D-Mass). and Joe Barton (R-Tex.) come amid increased scrutiny of privacy on mobile devices and questions about how Apple and Google store data on users’ locations. AT&T said it is in the process of encrypting all sensitive personal information about its users such as credit card numbers, date of birth and specific data on a person’s location. It said it disposes of location-based information within five years. T-Mobile was more vague about its data retention and security program. The company said only that it keep personal information “as long as we have a business need, or as applicable laws, regulations, or government order require.” It did not say whether personal information is encrypted. A spokesman did not immediately respond to a request for comment. [Source

Apple Facing Lawsuit Over Location Tracking Data

Two people have filed a lawsuit against Apple over location tracking data that are stored on iPhones without users’ consent. The suit was filed in the US District Court for the Middle District of Florida. The plaintiffs are seeking an injunction that would require Apple to disable the tracking mechanism. They allege that Apple violated the Computer Fraud and Abuse Act because the company is aware that the majority of users do not pore over the details of user license agreements. In a separate but related story, independent testing shows that the iPhone stores location data even after location services are turned off. [Source] [Source] [Source] [Source] [Source]

US – Colo. Supreme Court Hears Case on Privacy of Ritter’s Calls on Personal Phone

If the Colorado Supreme Court rules former Gov. Bill Ritter doesn’t have to release a list of business calls made on his personal cellphone while in office, it will provide a simple recipe for public officials to conduct government business in secret. “It will send a green light to governments across the state to do what Gov. Ritter did throughout his term . . . keep public business private by paying for their own phone,” lawyer Steven Zansberg told justices. The Denver Post has sought access to Ritter’s cellphone records since 2008, arguing it is the only way for the public to know with whom the governor spoke and when, and that the records should be available under the Colorado Open Records Act. The newspaper has limited its request to calls made during business hours, and agreed that the governor’s office should be allowed to redact information about personal calls. Ritter has acknowledged that he gave up his state-paid BlackBerry in 2008, and that the “vast majority” of calls made on his personal cellphone during his term were related to his work as governor. But his attorneys have argued that because Ritter paid for the phone himself, and the call logs were not made, maintained or kept by him for official business, records of the calls are not public. A district court and the Colorado Court of Appeals sided with Ritter. The Post then appealed to the state’s high court. [Source]

US Government Programs 

US – Sens. Question White House on Oversight Board

Members of congress continue to question the Obama Administration about the dormant Privacy and Civil Liberties Oversight Board. According to Congress.org, leaders of the Senate Homeland Security and Governmental Affairs Committee last week sent a letter saying, “It is inexcusable that, more than three years after the new board was meant to have begun its work, there is still no functional board at all.” The board was created in 2004 on the recommendation of the 9/11 Commission to oversee the protection of Americans’ privacy and civil liberties in the age of counterterrorism. The Obama Administration nominated two individuals to the five-member board in December. [Source

US – Privacy Advocates Question Proposed Supplemental Passport Form

Quick. Name where your mother was living and working when you were born. List who witnessed your birth. Now, name every residence where you’ve ever lived. And where you’ve worked. Don’t forget to give a list of all your current and former bosses, with a current phone number, if possible. A proposed supplemental form to U.S. passport applications could cause headaches for some and has drawn the ire of privacy advocates. But the U.S. State Department says the information requested on the form are questions that officials already ask when a person may lack proper documents to prove their citizenship when applying for a passport. The proposed form, DS-5513, likely would be given to passport applicants who may have questionable documents or insufficient proof of citizenship in the eyes of the government, said a State Department spokeswoman. Privacy advocate Edward Hasbrouk said the proposed form is too intrusive and “would be reintroducing the same kind of discriminatory practice” of rejecting applicants born to midwives. “Part of the settlement of that lawsuit was that they agreed to not make these kinds of inquiries of people unless there was a provision,” said Hasbrouk, spokesman for The Identity Project, which published a copy of the proposed form online. Obtaining passports became a high-profile issue across the Rio Grande Valley in 2009, when federal authorities began requiring U.S. citizens to show a passport to re-enter the country from Mexico. A flurry of denied and disputed passport applications emerged from many Valley residents who were born by midwives, casting doubt from the government about whether their birth certificates are valid. The American Civil Liberties Union filed a class action lawsuit against the State Department that was settled in June 2009, setting up a review panel for all denied applications requiring officials to list specific reasons for denying the passport application. Officials estimate the form would take about 45 minutes to complete and would be given to about 75,000 passport applicants — about one half of one percent of all applications processed each year. [Source

US – Audit Finds FBI’s Cyber Security Capabilities Not Maximized

According to an audit report from the US Department of Justice inspector general (IG), one-third of 36 agents interviewed lacked the necessary skills to investigate cyber intrusions. The audit examined the FBI’s ability to deal with the threat of national cyber security intrusions and finds major faults in the operations of the NCIJTF – the National Cyber Investigative Joint Task Force. Each of the FBI’s 56 field offices has at least one cyber squad but the report finds fault in the level of skills those field agents have. [Source] [Source] [Redacted report] [Justice

US – Papers Warns of Dangers of Alarmist Cyberthreat Rhetoric

A paper published by researchers at the Mercatus Institute at Virginia’s George Mason University says that the US government’s “alarmist rhetoric” about cyber threats facing the country’s critical infrastructure could result in the enactment of policy based on evidence that may not have a foundation in fact. The researchers, Jerry Brito and Tate Watkins, compared the dangerous possibilities of ill-informed policy to what happened in Iraq – a decision was made to invade the country based on rumors, not hard evidence, that the country’s political regime was connected to the September 11 attacks and that it possessed weapons of mass destruction. Decisions based on faulty information could lead to unnecessary regulation of network, and overspending on cyber security. [Source] [Source]

US Legislation 

US – Maine Passes Health Information Privacy Law

The bill requires a health information exchange (“HIE”) to obtain the consent of a patient prior to collecting, storing or disclosing that patient’s health care information and prohibits a health care practitioner from accessing that information without prior authorization (unless waived by the patient in an emergency); a HIE would be required to provide the patient with a website that permits the patient to view their health care information, identify who has accessed the records, select which records are to be included in the HIE system and which practitioners can access them (a non-electronic means must also be available for viewing health care information). The bill establishes a protocol for notification if a breach of the HIE system occurs and patient information is illegally accessed (requiring notice to both health practitioners and facilities that have access to the system and the affected patients within 60 days of discovering the breach). A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the failure of the patient or the health care practitioner to participate in a HIE system or charged a fee to access the health care information in the HIE system. [Source: LD 1337 – An Act to Ensure Patient Privacy and Control with regard to Health Information Exchanges – 125th Maine State Legislature – Text of Bill | Status Summary]

Workplace Privacy 

JP – Employees May Become Liable Under Law

Japanese officials plan to extend liability to individual employees under the Personal Information Protection Act, reports Hunton & Williams’ Privacy and Information Security Law Blog. The move is part of an effort to increase penalties for violations under Japan’s privacy law framework. Under current law, companies that violate the act can be fined, ordered to take remedial steps and a company head can face imprisonment, according to the report. The legal changes are part of the Japanese government’s planned introduction of a national identification system to help survivors of last month’s earthquake and tsunami. [Source]



Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: