01-15 May 2011


CA – Alberta’s Privacy Commissioner Stepping Down

The province’s Information and Privacy Commissioner Frank Work has decided to step down when his term expires at the end of the year. Work has been with the office for all 16 years of its existence, including the last nine years as commissioner. Among the highlights of his career was a major expansion of the office when the Health Information Act was passed in 2001 and the Personal Information Protection Act was passed in 2004. “I am particularly proud of Alberta for being one of four jurisdictions in Canada to pass a private sector privacy act,” Work said in a statement released Wednesday. “I am proud of the fact we were instrumental in making Alberta the only jurisdiction in Canada to have mandatory breach notification across the private sector. Ensuring that Alberta Netcare is as secure and accurate as possible is another source of pride.” The province is expected to strike a special committee to conduct a search for a new commissioner. [Source]

CA – Privacy Commissioners Unveil Tool to Strengthen Personal Data Security

The federal, Alberta and British Columbia Privacy Commissioners launched a new online tool that will help businesses better safeguard the personal information of customers and employees. The new Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law. Developed jointly by the federal, Alberta and British Columbia privacy commissioners’ offices, the tool can be used by any private-sector organization, particularly small and medium-sized businesses. The tool is comprehensive and detailed, but also offers users the flexibility of focusing on areas most relevant to their own enterprise. The self-assessment and analysis process results in a framework that organizations can use to systematically evaluate and improve their data-security practices. The Securing Personal Information Self-Assessment Tool is available via the commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca. [Source]

CA – Clement Open to Large Fines for Massive Data Breaches

Industry Minister Tony Clement said he’s open to the idea proposed by Canada’s privacy watchdog to give her the power to slap corporations with huge fines if they don’t protect the personal information of their customers. Earlier this week, Privacy Commissioner Jennifer Stoddart said the federal government should update the country’s private-sector privacy law to include fines, given the “alarming trend toward ever-bigger” data breaches. The Conservative government’s most recent proposal to update the law – which died when the federal election was called – did not include any powers to impose fines. But the proposal stated a company would have to report a “material” data breach to the privacy commissioner if the company concluded that the breach indicated a systemic problem. [Source] [Data breach fines sought by privacy watchdog] SEE ALSO: [Geist: Tory majority gives Ottawa a crack at breaking the digital logjam] [Geist: Web surveillance legislation requires study, not speed] and [The Lawful Access Legislation: Does it Really Criminalize Linking & Anonymity?]

CA – Ontario Appeal Court to Consider Privacy Tort

The Ontario Court of Appeal will soon have an opportunity to decide the vexing question of whether the common law recognizes the existence of a tort for invasion of privacy. Because PIPEDA doesn’t apply to individuals, the defendant will go free in the absence of a common law tort. The opportunity comes on an appeal from the December 2010 judgment of Superior Court Justice Kevin Whitaker in Jones v. Tsige. Christopher Du Vernet of Du Vernet Stewart in Mississauga, Ont., who represents plaintiff Sandra Jones, says the case has been making waves in legal circles. [Source]


WW – Study: Consumers Define Do-Not-Track More Broadly Than Web Companies

Initial results of a study of 200 Web users reveal that consumers might define the term “do not track” differently than Web companies. Preceding last week’s World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40% of respondents felt that “nothing at all” would be collected. 51% of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. 81% said it was the first time they had heard the phrase do not track. [Source]

CA – Most Canadians Unaware of Online Tracking: Privacy Watchdog

Canada’s privacy watchdog said many Canadians don’t know how closely companies are tracking their online activities — much less are they providing informed consent. “We have some serious concerns about online tracking, profiling and targeting — and the fact that many Canadians don’t know what’s happening behind their computer screens, let alone agree to it. Children — who are going online at younger and younger ages — are even less likely to understand,” Jennifer Stoddart told a privacy symposium in Toronto, where she released the final report of public consultations held last year on privacy issues in the online world. Stoddart looked at the rich trail of data scooped up by companies and marketers when people browse the Internet, use social networking sites or use the geo-location functions of their mobile devices. In addition to calling on companies to be more upfront with their customers about their practices, her report also flags issues with the growing popularity of “cloud computing.” By storing information and services on shared remote computers accessed via the Internet (the “cloud”), companies can reduce their storage requirements and costs. Noting that even small- and medium-sized enterprises are embracing cloud computing with varying levels of technological security, the Office of the Privacy Commissioner’s report calls for the development of strong standards to ensure the security of personal information stored or processed on cloud services. The findings in the final report were drawn from the consultations, which included public events in Toronto, Montreal and Calgary, as well as 44 written submissions from industry, academics and advocates. Many of the participants highlighted a specific challenge with obtaining meaningful consent, especially involving children. [Source]

CA – Online Canadians Trust Information from Media More than Other Sources: Report

A survey suggests Canadian web users may not want to pay for news, but they still trust content from the mainstream media over other sources. The latest report from the Canadian Media Research Consortium states that about 90% of wired Canadians consider the information they get from newspapers, television, radio and online news sites to be reliable. The percentages were a few points lower among those aged 18 to 34. Only 26% believed information from social networks is reliable – although the trust rating jumped to 40% among daily social media users – and 65% said they thought news from family and friends was reliable. When asked how much they trusted information from governments or major corporations, only 42% and 38% respectively found them very trustworthy or trustworthy. [Source] See also: [US: Customers stay despite high-profile data breaches]


CA – Online Election Voting Approved by Vancouver

Vancouver city council has approved online voting in November’s municipal election — pending approval by the provincial government. If the pilot project gets the green light, eligible voters would have the option of voting in advance polls by home or mobile computer. Councillor Andrea Reimer believes the technological shift could improve voter participation, which has dipped to about 30% in Vancouver. Council voted 10-1 for the project, with the opposing vote coming from Councillor Suzanne Anton. Anton said she was concerned about the potential for voter fraud and wanted more public consultation. Voters would be given a personal identification number to pre-register and then would be given another PIN, in a process designed to minimize voter fraud, according to city staff. [Source]


UK – Information Commissioner Gets New Powers to Fine for Spam Emails

Organisations that make unwanted marketing phone calls or send spam emails to consumers could face fines of up to £500,000, the Government has warned. Increased financial penalties will come into force later this month as part of amendments to the UK’s Privacy and Electronic Communications Regulations (PECR). Data protection watchdog the Information Commissioner’s Office (ICO) will also be given greater investigatory and audit powers. The changes to PECR will allow the ICO to fine businesses and other organisations for serious breaches of the regulations, including sending unwanted marketing emails and texts as well as making live and automated marketing phone calls. It can already administer fines of up to £500,000 for data protection offences. The ICO’s increased investigatory powers will allow the Commissioner to demand information from telecommunications companies and internet service providers (ISPs), to help with investigations into breaches of the regulations. Telecommunications companies and ISPs will also have to notify the ICO and their customers in certain circumstances if a personal data breach occurs. The ICO will be able to audit these companies and ISPs to ensure they comply with this requirement. Information Commissioner Christopher Graham welcomed the new powers and said guidance on the changes would be issued soon. The amended laws are being implemented to ensure the UK comes into line with new European data privacy laws. Under the EU’s Electronic Communications Framework, the ICO will also enforce new rules surrounding cookies and similar technologies which can be used to track user activity online. The Government indicated the plans as part of its response to the consultation around the Electronic Communications Framework, published last month. [ICO Statement] [Guidance] [Source] [Confusion Surrounds U.K. Cookie Guidelines] and [Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 – S.I. 2011 No. 1208 – United Kingdom]

Electronic Records 

UK – Scotland Awards £1.1m Privacy Breach Software Contract

Health boards in Scotland will get access to an IT system which aims to enhance the protection of their patient records. The Scottish government has awarded a £1.1m contract for privacy breach protection software to Northgate Managed Services, for use by all health boards in the country. It advertised the contract last October. “It is important that the procured service or product has been proved to be capable of interfacing and is compatible with all major electronic clinical systems used within NHS Scotland,” said NHS National Services Scotland in a notice published in the Official Journal of the European Union. It adds that the service or product provided by Northgate should be able to “interrogate” data provided in the form of audit logs from existing clinical systems and highlight areas where potential privacy breaches have occurred. The software will also be expected to have an extensive reporting capability, including reports that contain information based on access date, demographic data and system user ID. [Source]

US – Allina Fires 32 Employees Over Patient Privacy Violations

Nearly three dozen employees of Allina Hospitals and clinics were fired after allegedly violating the privacy of patients involved in a recent mass overdose incident. Allina confirms that 32 employees were dismissed for what they termed “a HIPAA violation.” 28 of them were from Unity Hospital, and four worked at Mercy Hospital. The employees are accused of looking up electronic medical records of patients treated at Mercy and Unity hospitals after a mass drug overdose in Blaine last March. 11 people were hospitalized and one died. Allina says those employees did not have legitimate patient care reasons to look up the information. [Source]
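The two items above describe the same detection problem from both ends: the NHS Scotland tender wants software that interrogates clinical audit logs and reports potential breaches by access date and user ID, and the Allina case is what such a report surfaces, staff viewing records of patients they had no care relationship with after a publicised incident. The following is an added example, not code from Northgate, NHS Scotland or Allina; the log format, the care-team table and the patient and user IDs are constructed for illustration.

```python
"""Audit-log review for patient-record access without a care relationship.

Constructed example. It shows the kind of check a privacy-breach detection
tool runs over clinical audit logs: flag record accesses by staff with no
documented treatment relationship to the patient, optionally narrowed to the
patients and dates of a publicised incident, and report the hits by user ID,
patient and access date.
"""
from datetime import datetime

# Constructed care-team assignments: (user_id, patient_id) pairs where the
# user has a documented care role for that patient. Assumed data shape; a
# real system would derive this from encounter or rota records.
CARE_TEAM = {
    ("nurse07", "P100"),
    ("dr_lee", "P100"),
    ("dr_lee", "P101"),
}

# Constructed audit-log extract in an assumed pipe-delimited format:
# timestamp|user_id|action|patient_id|department
AUDIT_LOG = """\
2011-03-17T09:12:03|nurse07|VIEW|P100|ED
2011-03-17T09:14:40|dr_lee|VIEW|P101|ED
2011-03-17T11:02:15|clerk22|VIEW|P100|Billing
2011-03-17T11:03:01|clerk22|VIEW|P101|Billing
2011-03-17T11:05:44|clerk22|VIEW|P102|Billing
2011-03-18T08:30:00|nurse07|VIEW|P101|ED
2011-03-19T22:45:10|tech03|VIEW|P100|Radiology
2011-03-19T22:46:00|tech03|PRINT|P100|Radiology
"""


def parse_log(text):
    """Parse the pipe-delimited extract into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, dept = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
            "dept": dept,
        })
    return events


def has_care_relationship(user, patient, care_team=CARE_TEAM):
    """True if the user holds a documented care role for the patient."""
    return (user, patient) in care_team


def flag_unrelated_access(events, incident_patients=None, window=None):
    """Return events where the user has no care relationship to the patient.

    incident_patients: optional set of patient IDs to restrict the review to
    (e.g. the patients treated in a widely reported incident).
    window: optional (start, end) datetimes bounding the review period.
    """
    flagged = []
    for e in events:
        if incident_patients is not None and e["patient"] not in incident_patients:
            continue
        if window is not None and not (window[0] <= e["ts"] <= window[1]):
            continue
        if not has_care_relationship(e["user"], e["patient"]):
            flagged.append(e)
    return flagged


def report_by_user(flagged):
    """Summarise flagged events per user: count, distinct patients, first/last access date."""
    report = {}
    for e in flagged:
        r = report.setdefault(
            e["user"], {"count": 0, "patients": set(), "first": e["ts"], "last": e["ts"]}
        )
        r["count"] += 1
        r["patients"].add(e["patient"])
        r["first"] = min(r["first"], e["ts"])
        r["last"] = max(r["last"], e["ts"])
    # Stable, printable output: sorted patient list and ISO dates.
    for r in report.values():
        r["patients"] = sorted(r["patients"])
        r["first"] = r["first"].date().isoformat()
        r["last"] = r["last"].date().isoformat()
    return report


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    incident = {"P100", "P101"}  # constructed: the patients from the incident
    hits = flag_unrelated_access(events, incident_patients=incident)
    for user, r in sorted(report_by_user(hits).items()):
        print(f"{user}: {r['count']} access(es) to {r['patients']} "
              f"between {r['first']} and {r['last']}")
```

Every hit still needs human review before any employment action, since a care relationship can exist without appearing in the assignment table (cover shifts, consults); the report narrows the review, it does not replace it.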

EU Developments 

EU – Websites Should Notify European Users About Privacy Breaches

Europe-wide laws which require telecommunications companies to notify users if their data is at risk should be extended, the European justice commissioner has said. Privacy rules created under the EU’s Electronic Communications Framework should be extended to cover online banking, video games, shopping and social media, Viviane Reding said in a speech. Current rules, which are being implemented in the UK as part of amendments to the Privacy and Electronic Communications Regulations, require telecommunications companies and internet service providers to notify their customers and national regulators of personal data breaches immediately. “I think it is important that users are notified if someone has unlawful access to their data,” Reding said. “It is essential for consumer confidence that they know what happens to their data.” Reding said that in the upcoming review of data protection laws in Europe she would investigate the extension of the data breach notification process to more than just telecoms companies. [Source]

UK – Law Attorney Fined for Violation of Data Protection Laws

The UK Information Commissioner’s Office (ICO) has fined ACS:Law £1,000 for failing to adhere to data protection laws. The company gained notoriety for accusing people of illegal filesharing based on their IP addresses. None of the cases ever came to court, and some questioned whether or not ACS:Law had the authority to bring the lawsuits in the first place. The company has ceased operations and would have been fined considerably more, but the judge in the case chose to fine Andrew Crossley as an individual rather than the company. The fine is being imposed because of a breach that was an after-effect of a distributed denial-of-service attack launched against the firm’s website. [The Register] [BBC]

UK – ICO Launches Code for Sharing Personal Data

The Information Commissioner’s Office has launched a code of practice aimed at guiding private- and public-sector companies on data protection when it comes to legally sharing personal information. The code of practice, which incorporates input solicited during the consultation period, can be applied in all sectors, said Information Commissioner Christopher Graham. “…We can be confident that it not only makes sense on paper but will work in the real world,” he said. “I would encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.” [V3.co.uk]


UK – Judge Issues Gag Order for Twitter

A British judge has banned Twitter users from identifying a brain-damaged woman in one of the first attempts to prevent the messaging website from revealing sensitive information. The ruling follows the publication on Twitter of a list of celebrities alleged to have tried to cover up sexual indiscretions by obtaining court gag orders. The injunction, dated May 12 and seen by Reuters, includes Twitter and Facebook in the list of media prohibited from disclosing the information. It was issued in the Court of Protection in the case of a mother who wants to withdraw life support from her brain-damaged daughter. It prevents the identification of the woman and those caring for her. [Source] [Tweets spark media storm]

UK – Ex-Formula One Chief Loses Newspaper Privacy Case

Max Mosley, the former head of Formula One, has lost a high profile case at the European Court of Human Rights that would have required newspapers to warn people in advance before publishing details of their private lives. Mr. Mosley, who won an earlier landmark privacy case in the English courts against the News of the World newspaper, said the UK failed to impose a legal duty on newspapers to notify subjects in advance of a story appearing. Pre-notification would allow subjects to then obtain a court injunction preventing publication, he argued. However, the ECHR in Strasbourg ruled unanimously that there had been no violation of the European Convention on Human Rights, and that to introduce a pre-notification requirement would have a “chilling effect” on journalism. [Source]


CA – Insurers Must Inform Consumers that Credit Scores Will Be Used for Underwriting

B.C.’s Office of the Information and Privacy Commissioner has ruled that Economical Mutual Insurance Company must stop collecting and using credit scores until it provides customers with appropriate notification as required by the Personal Information Protection Act (PIPA). The May 6 order notes that The Economical did include a valid disclosure statement in its 2003 CSIO insurance application form but this was not adequate notice of the purposes of collection of credit information within the meaning of PIPA. “The consent statement on the complainant’s application form did not expressly say that credit information might be obtained for the purpose of underwriting,” the order reads. “In order to satisfy the notice requirements in ss. 7(1) and 10(1)(a) of PIPA, individuals must be informed that their credit information may be collected for the purpose of assessing future risk of loss in underwriting the policy. Without this information, it is not reasonable to expect that a consumer would understand how Economical actually uses this information and therefore could not meaningfully consent to its collection for this purpose.” “Consumers are generally unaware of the use of credit scoring in risk assessment in the insurance industry,” B.C. Information and Privacy Commissioner Elizabeth Denham said in a statement. “This order underscores the need for organizations to obtain informed consent from their customers for the collection of their personal information.” [Full Order] [Source]

US – Visa Pitches ‘Digital Wallet’

Visa is launching a centralized electronic payment system designed to make online shopping as easy as pulling out a wallet. Visa hopes its “digital wallet,” set to launch this fall in the U.S. and Canada, will make it possible for consumers to pay with any of their credit or debit cards using a single click or a tap of their cellphone and a single password, the company announced. “What that comes with is a place for customers to be able to centralize their credit, debit and pre-paid card information in a single secure location,” said Mike Bradley, head of products for Visa Canada. A customer could add any card they choose to the wallet, including competing cards. Unlike an old-fashioned wallet, Visa’s system won’t hold identification such as driver’s licences or health cards or photos of your loved ones – it’s not much more than a central customer account stored in Visa’s network that contains information about the customer’s payment card accounts. Merchants can sign up to link into an electronic system through their website so they can accept payment from the wallet. Bradley would not say what kind of fees would be involved for merchants, consumers or the institutions that issue cards placed in the wallet. If the merchant accepts both the digital wallet and the payment card that the customer wishes to use, the customer enters an email address or username and a password to pay. There is no need to enter a billing address and payment information. [Source] See also: [Stop ID thieves from stealing your kid’s credit]


CA – Top Court Says PM, Ministers Not Subject to Info Law

The public does not have a right to access all documents in the offices of cabinet ministers or the prime minister, the Supreme Court of Canada ruled in a unanimous decision. The top court upheld a Federal Court of Appeal decision, and sided with the federal government in a decade-old legal battle with the information commissioner. Had the federal government lost its case Friday, it could have vastly expanded the scope of Canada’s access-to-information law. The case involved a number of legal issues related to the access-to-information law that stipulates what government documents can and cannot be made public. The Supreme Court rejected four different appeals from the information commissioner. But the decision does not mean that all records within the Prime Minister’s Office and the offices of ministers are off-limits to the public. Some records can be accessed if they are determined to be under the control of the government institutions that are led by the prime minister or a minister. What “control” means, however, is not defined in the access-to-information legislation. A lower court judge in this case developed a test to use when interpreting the meaning of the word and whether the access-to-information law would therefore apply. The Supreme Court, in its decision, accepted that test and slightly modified it. Physically locating a document in a minister’s office or the PMO does not provide protection for it, according to the courts. The first step in the test is to determine whether the record relates to a departmental matter. If it does, Step 2 then asks whether a senior staff member in the department, such as a deputy minister, should reasonably be able to obtain a copy of the record. If the answer is yes, the record should be disclosed to anyone who requests it. [Source] See also: [Provincial NDP grills Grits over access]

Health / Medical 

US – Large PHI Data Breach Incidents Now at 265

The number of large health data breaches reported to the Office for Civil Rights (OCR) is now at 265. As a provision to the HITECH Act, the OCR now posts entities who have reported a breach of personal health information that affects more than 500 individuals. The single largest reported breach affected 1.9 million individuals. In the 15 months since the OCR began posting the breaches, there has been an average of nearly 18 per month, or slightly more than one every other day, the report states. [HealthLeaders Media]

Horror Stories 

US – Michaels Breach Affects Customers Across the Country

Craft store chain Michaels now says that point of sale terminals at stores across the country have been tampered with, compromising customers’ financial information. The thieves appear to have been after payment card data. The issue first arose in the Chicago area, but the company now says that compromised payment terminals have been found at stores across the US. Michaels discovered the situation after they were informed by authorities that fraudulent payment card transactions had been traced to cards used at certain of its stores. An official statement from Michaels says that fewer than 90 PIN pads were found to have been affected. [Krebs] [Press Release]

WW – X Factor Contestants Warned After 250,000 Data Breach

Would-be contestants of Simon Cowell’s US X Factor might have got more public exposure than they bargained for with the news that the details of 250,000 of them have been lost after an attack on the TV show’s database. The records were stolen from TV network Fox Broadcasting and included personal information such as names, addresses, phone numbers and dates of birth, but not credit card details, said UK tabloid, the Daily Star, which broke the news. “This week, we learned that computer hackers illegally accessed information you and others submitted to us to receive information about The X Factor auditions,” read an email sent to those affected by the attack. The worry now is that criminals will use the data to mask social engineering or identity attacks. [Source] SEE ALSO: [Proposed class action suit filed against Sony] [Suit Seeks $1 Billion in Damages] [Sony May Offer Reward in PSN Attack | Source] [Sony PlayStation Network (PSN) Hack | Summarized] [Sony PlayStation Network Relaunch Delayed | Source | Source] [New York AG Subpoenas Sony Regarding How it Represented Site Security] [Sony Calls in Forensic Experts | Source | Source] [SOE Intrusion Discovered During PSN Breach Investigation] [Sony Declines to Testify at House Subcommittee Hearing on Breach | Source | Source | Source | Source | Sony’s Letter]

Identity Issues 

EU – ENISA Issues Report on Managing Multiple Electronic Identities

The risks to managing multiple identities (“IDs”) include an identity’s lifecycle (e.g. the longer the lifespan, the greater the challenge in keeping that ID secret), ensuring that policies agreed with an initial ID provider are respected by subsequent recipients of any ID data (e.g. when a company holding data is purchased by another company), revocation (e.g. failure to revoke means that defunct ID data makes it unclear which record relates to a particular subject, and increases the potential for a system to be compromised because it will continue to allow access), and attacks that rely on multiple IDs (e.g. whitewashing involves the creation of a new ID intended to subvert the system when an existing reputation falls below a tolerable level, and a sybil attack involves the creation of multiple IDs (sybils) to distort ratings within a reputation-based system). Priorities should include making digital IDs portable (so the user can choose both the ways in which they present themselves and the type of device on which their data is held), using partial IDs to protect privacy by respecting the principle of minimal disclosure (e.g. select attributes from a subject’s full collection of IDs that can be combined according to particular needs), using renewals (different IDs may need to be renewed or replaced several times throughout an individual’s lifetime due to changes in appearance or new types of attacks), clarifying the legal position (e.g. regarding anonymous data and revocation), and sufficient enforcement powers and increased penalties for deterrence on the part of data protection authorities. [Source] See also [Facebook restores other Mark Zuckerberg’s profile]

WW – Anonymous IDs on iPhones, iPads Can Reveal Your Identity

Security researcher Aldo Cortesi last week published his discovery of a flaw in the unique device identifier (UDID) stored on each iPhone, iPad and iPod Touch. While this device identifier is well-known, it’s not supposed to be connected to a person’s actual identity. But Cortesi discovered that some apps can link the identifier to the phone owner’s Facebook profile, which effectively puts a face behind that string of numbers and letters. “It’s like a permanent, unalterable tracking cookie that can’t be changed and that the user is not aware of,” Cortesi told Wired.com. “The UDID idea has got such deep flaws because it literally identifies the device.” Apple and iOS app programmers use the 40-character string of letters and numbers as a method to identify each device uniquely, and presumably anonymously. The UDID is permanently tagged to the device, and it can’t be erased or changed. [Source]

US – California DMV Online Identity Service More Popular Than Expected

Some California drivers may cringe at the thought of going to a Department of Motor Vehicles field office to take care of car or license issues. Now they can avoid that step with an online tool at their disposal – the option to establish identities through the DMV website to access more Web-based services. Last fall, DMV set up an identity and access management system with its partner IBM to allow users to set up a user name and password on its website. Since then, more than 1 million users have created online identities. The rapid popularity is a surprise to the DMV, which didn’t anticipate the quick response. Once users create an identity for the site, they can access services such as driver record, vehicle registration information and registration renewal reminders. In the future, the DMV is slated to roll out more applications accessible through an online user identity. The California Employment Development Department (EDD) is in the process of developing a similar identification access management system. In the future, the DMV and the EDD will integrate their systems so that users can access services from both departments by using one identity, Soriano said. [Source]

CA – Lac Carling: Belgian IT Ministry Shows Off Electronic IDs

Belgium is using electronic identity cards (eIDs) to manage all kinds of public services, from birth registration to getting beer out of a vending machine. FEDICT, which stands for Federal Government Information and Communications Technology Service, connects citizen data to the relevant ministries through a fibre optic network called FEDMAN, with a federated service bus that governs who accesses information. The eID card is the common key. Belgium attempts to keep version control and security in part by not replicating databases, Leyman said, and those in the public service can only access the information for which they have clearance, which limits the potential for misuse. While some citizens may balk at the idea of having to swipe an eID card on a routine basis, Leyman said the government offers a simple online tool called mondossier.rrn.fgor.be, which keeps a record of all the information Belgium has collected about citizens through the card, and which civil servants have accessed specific pieces of information. Citizens can then inquire why certain personal details were accessed. “Almost nobody goes there,” he admitted, “but this stupid little Web site does a tremendous amount towards generating trust from our citizens.” FEDICT is also in talks with other EU countries about extending the functionality of the eIDs so they can be used outside of Belgium, Leyman said. [Source]

Intellectual Property 

US – Proposed Anti-Piracy Bill Increases Government Authority

Legislation introduced in the US Senate would increase the government’s authority to disrupt the availability of and close down websites that are “dedicated to [copyright] infringing activities.” The Protect IP Act, sponsored by 11 senators, would grant the government the power to bring lawsuits against the websites and obtain court orders prohibiting search engines from returning the sites in their results. [Source] [Source]

Internet / WWW 

WW – Google to Appeal in Swiss Street View Privacy Battle

Google said that it will appeal to Switzerland’s highest court against a ruling ordering the Internet giant to ensure that all people and cars pictured on Street View are unrecognisable. The official Swiss data protection watchdog took Google to court in November 2009 after complaining on several occasions that the service’s coverage of Switzerland flouted privacy rules, following similar complaints elsewhere in Europe. Google warned that it might be forced to shut down the facility for Switzerland even though it was used by what it said was “half of the Swiss population.” Google’s global privacy counsel, Peter Fleischer, said: “Ninety-nine percent of people are not identifiable. The decision of the Federal Administrative Tribunal requires us to guarantee that 100% of faces and licence plates are not identifiable. We simply cannot comply with that.” [Source]

WW – Google Services Prompt Questions, Investigation

The Center for Digital Democracy (CDD) is asking the FTC to require Google to remove statements in its privacy policy that its behavioral advertising program does not collect PII. Asking the FTC to include behavioral targeting restrictions in its proposed Buzz settlement, the CDD wrote, “the commission should require Google to revise its policies to reflect the inherently personal nature of cookies and related data targeting and collection applications.” Meanwhile, police in South Korea are investigating Google’s privacy policies over what one official said are concerns that the company’s “AdMob collected personal location information without consent or approval from the Korean Communication Commission.” [MediaPost] [South Korean police raid Google]

US – White House Reveals Cyber Security Plan

A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country’s critical infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. [Source] [Source] [Source] [Source] [Whitehouse Fact Sheet]

Law Enforcement 

UK – Police Buy Software to Map Suspects’ Digital Movements

Britain’s largest police force is using software that can map nearly every move suspects and their associates make in the digital world, prompting an outcry from civil liberties groups. The Metropolitan police has bought Geotime, a security programme used by the US military, which shows an individual’s movements and communications with other people on a three-dimensional graphic. It can be used to collate information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs. Police have confirmed its purchase and declined to rule out its use in investigating public order disturbances. Campaigners and lawyers have expressed concern at how the software could be used to monitor innocent parties such as protesters in breach of data protection legislation. Alex Hanff, the campaigns manager at Privacy International, called on the police to explain who will decide how this software will be used in future. [Source]

CA – Alberta Police Access to Missing Persons’ Info Broadens

Alberta police can now access financial records to help locate missing people in the province. The Missing Persons Act, passed May 10 in the Alberta Legislature, allows officers to access personal information, including telephone and banking records, to help locate missing people, even if police determine a crime has not been committed. Previously, this information was only accessible if officers determined a crime had been committed. On average, Edmonton has 1,800 missing persons cases each year, many of which involve youth, people with Alzheimer’s or people with mental disabilities. Sgt. Rod Appelt with the Missing Persons Unit says the new legislation eliminates some red tape associated with accessing vital information. “If it’s a youth or someone who we believe may be in trouble, we certainly would like to access their cell phone records, or banking records as quickly as possible,” says Appelt. Officers used to have to prove a crime had been committed to obtain a search warrant from a judge. Now no crime is needed to search for the necessary personal information. In the coming weeks, Olson says, ministry staff will be working in tandem with Alberta police forces to hammer out exactly how the act will be implemented. [Source]


US – DoJ Wants Providers to Store Location Data

The US Department of Justice wants wireless carriers to retain location data to be used in criminal investigations where that information would be crucial to solving the crime. Deputy Assistant Attorney General for the criminal division Jason Weinstein made the request at a hearing of the Senate Judiciary Committee Subcommittee on Privacy, Technology and the Law, which was called over concerns about iPhones storing location data without users’ permission. [InformationWeek] [CNET]

US – Verizon to Put Location Warning Sticker on iPhones

Expect to peel off one more warning sticker when you buy an iPhone from Verizon Wireless. In a letter dated April 19, 2011, and addressed to U.S. congressmen Ed Markey and Joe Barton, Verizon detailed the processes it uses to protect customer privacy and revealed plans to begin adhering a location warning sticker to any new device capable of tracking its owner’s location. [Source]

WW – TomTom Announces Plan to Sell Data

Shortly after getting heat in the Netherlands for selling data that was used by police to set speed traps, TomTom Australia has announced plans to sell user data to third parties. The company’s vice president of marketing says they’ll have to figure out how to ensure the data won’t be used for speed traps but gave assurances that it cannot be tracked back to an individual. Australia Privacy Commissioner Timothy Pilgrim said companies that provide GPS devices should be clear about their practices, adding that he has concerns about data aggregation, “where pieces of individual data can be put together to build up a profile.” [The Sydney Morning Herald]

WW – Apple iOS Update Addresses Location Data Issues

Apple has released iOS 4.3.3 to address three flaws associated with location information in iPhones, iPads and iPods. The update reduces the amount of location data stored to one week’s worth. It also alters the operating system so that it will not back up the cache to computers while syncing devices. Finally, the update deletes the cache from devices when users disable Location Services in iOS Settings. The update was released just a week after Apple said it would fix the problems. Apple says that the next major update for iOS will include encryption for location information on devices running the operating system. [BBC] [ComputerWorld] [The Register]

EU – EU Advisory Board to Issue Geolocation Opinion

The Article 29 Working Party will publish an opinion this month announcing that location-based data must be handled like names, birthdays and other personal data. Mobile phone and Internet companies would likely have to get consent prior to data collection, delete the information in a timely manner and keep the information anonymous. The opinion will not be binding, but, the article suggests it would likely be used as a guiding principle by several national regulators. “Geolocation data has to be considered as personal data,” said an EU official. “The rules on personal data apply to them.” [The Wall Street Journal]


IN – New Indian Privacy Regulations Stricter Than EU, U.S. Provisions

In a client alert, Morrison & Foerster reports on a “dramatic transformation” in the privacy landscape for India with the issuing of final regulations for the protection of personal information. The Information Technology Rules 2011 “apply to all organizations that collect and use personal data and information in India,” the report notes, and represent the implementation of parts of the Information Technology Act. The rules include a provision for prior written consent for the collection and use of sensitive personal information in what the report’s authors, Miriam Wugmeister and Cynthia Rich, describe as much stricter provisions than current laws in the EU and U.S. As a result, “U.S. and European multinational businesses…may have to adjust their personal data collection practices to conform to Indian data protection rules,” the report states. Among the provisions in the regulations, organizations will be required to provide privacy policies and give individuals notice when information is collected, grant data subjects access and put in place the right to correct any personal data that has been collected. Information must also be secured, and a dispute resolution process must be put in place, the report states. “Given the scope of the Privacy Rules, it appears that every company in India and every company that sends data to a service provider in India will be affected by these new rules,” Wugmeister said. [Source] [Source]

Online Privacy 

WW – Facebook Apps Possibly Leaked User Information (Again)

Security researchers at Symantec reported that hundreds of thousands of Facebook apps have been inadvertently leaking user data to third-party developers for years due to a programming error. Facebook acknowledged the issue, but claimed that information was never accessible thanks to contracts the social networking giant has with third parties, and assured worried Facebook users that it had no evidence of information being used in ways that violated company policies. According to the Symantec report, a faulty API was accidentally transmitting access tokens to third parties such as advertisers. This error allowed third parties access to users’ accounts, including profiles, chats and pictures, and enabled those parties to mine personal data and even post messages on users’ walls. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.” Symantec offered some assurances, saying that it has worked with Facebook to fix the error since its discovery and that many of the third parties likely had no idea they had access to this information. It did advise users to change their passwords just in case, since this will lock out any third party who may still hold a leaked token. Given that there is no way of knowing just how many access tokens were leaked since Facebook started releasing apps back in 2007, and there is a chance that the tokens are still being used by advertisers or available in log files on third-party servers, all Facebook users should strongly consider changing their passwords in the near future. [Source] [Congressmen Press Facebook on Privacy Security Flaw (Again)] [letter]
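Leaked tokens of the kind Symantec describes typically travel in URLs, and a URL’s query string is copied into the Referer header of every third-party resource the page loads and written into that third party’s server logs, which is how a token ends up “available in log files” long after the leak. The following Python is an added example, not code from Symantec or Facebook: it scans constructed Apache-style combined log lines for credential-bearing query parameters in the request line and in the Referer, and contrasts query-string delivery with fragment delivery, which browsers never send to servers. The parameter names in TOKEN_PARAMS and the sample log lines are assumptions for illustration.

```python
"""Find OAuth access tokens leaked through URLs in web-server logs (added example, constructed data)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually carry a bearer credential. Assumption: extend for your own APIs.
TOKEN_PARAMS = {"access_token", "oauth_token", "token", "session_key"}

# Apache/nginx "combined" format:
#   host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: line 1 leaks a token via Referer, line 2 via the request path, line 3 is clean.
LOG_LINES = [
    '203.0.113.5 - - [10/May/2011:14:02:11 +0000] "GET /ads/pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example/canvas/?access_token=AAACEdEose0cBAExample1234&signed=1" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2011:14:02:12 +0000] '
    '"GET /track?access_token=AAACEdEose0cBAExample1234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:14:03:41 +0000] "GET /ads/pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example/canvas/?page=2" "Mozilla/5.0"',
]


def token_params(url):
    """Return (name, value) pairs in the query string that look like credentials.

    Only the query is inspected: a fragment (#access_token=...) is never sent by the
    browser, so it cannot appear in a request line, a Referer header or a server log.
    """
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query) if k.lower() in TOKEN_PARAMS]


def redact(value, keep=4):
    """Keep a short prefix so findings can be correlated without re-logging the secret."""
    return value[:keep] + "..."


def find_leaked_tokens(lines):
    """Scan combined-format log lines; report tokens in the request path or the Referer."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        for field in ("path", "referer"):
            for name, value in token_params(m.group(field)):
                findings.append({"line": n, "field": field, "param": name, "token": redact(value)})
    return findings


def deliver_token(redirect_uri, token, in_fragment=True):
    """Build the redirect that hands a token to a client.

    Query-string delivery (in_fragment=False) is the leaky pattern: the token becomes part
    of the page URL and rides along in the Referer of every third-party resource that page
    loads. Fragment delivery keeps it inside the browser.
    """
    sep = "#" if in_fragment else "?"
    return f"{redirect_uri}{sep}access_token={token}"


if __name__ == "__main__":
    for finding in find_leaked_tokens(LOG_LINES):
        print(finding)
```

To run this against real logs, replace the sample list with a file iterator. Because the fragment is never transmitted, `token_params` finds nothing in a `#access_token=` URL, which is the property an OAuth implicit-grant redirect relies on; for tokens that have already been logged by a third party, revoking them (here, by changing the password) is the only remedy.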

WW – Study: Most Apps Lack Policies

A Future of Privacy Forum (FPF) study examined some of the most popular mobile applications available for major platforms and found that 22 of the top 30 have no policy stating how the app treats personal data. “Without a privacy policy to review, consumers may not have the ability to understand and control the use of their personal data by the apps,” the FPF said in a blog post. The FPF is currently working with the Center for Democracy and Technology to come up with privacy improvements for app developers. The study comes on the heels of a Senate hearing on mobile privacy challenges. [MediaPost News] [FPF Blog post]

US – Facebook, Google, Yahoo Fight “Do Not Track” Privacy Measures

There’s a growing social and legal momentum behind the “do not track” initiative to protect online privacy, but now Facebook and Google are opposing the legislation, hinting that job losses and profit cuts could be the result. Are there slightly dirty tricks afoot? California legislators are slowly pushing ahead with a Do Not Track law introduced by Senator Alan Lowenthal, which would force Net companies to allow consumers to easily and effectively opt out of personal data being collected online–violators could face civil legal action. Lowenthal has noted that in his opinion the legislation “is consistent with California’s long history of championing privacy issues.” But now Facebook, Google, Yahoo and other companies have written to Lowenthal to state their specific objections. “The measure would negatively affect consumers who have come to expect rich content and free services through the Internet” is one of their counter-arguments, along with an allegation that a no-track law would make the public “more vulnerable to security threats.” Also, forcing the law through would “prove costly to the state” and also “cumbersome for the Attorney General to figure out how to regulate under the bill and to enforce the law.” Essentially the letter’s signatories say the proposed law would degrade the user experience of online services (and potentially stifle innovation), put users at risk from Net criminals in ill-determined ways (an allegation that could scare users), be expensive to enforce, and potentially spawn extra work and maybe legal cases at a governmental level. Oh, and as an extra point the firms note that Net-related businesses are the fastest growing source of jobs in California. Putting this at risk, they argue, would damage the state’s potential employment figures. That’s a broad list of reasons–each of which, by itself, could really affect the current model for how websites make money from users, or force lawmakers to reconsider. If they’re true.
[Source] See also: [Facebook Busted in Clumsy Smear on Google]

UK – ICO Publishes Advice on Cookie Law

Businesses should gain user consent for cookies that collect statistical information or remember user preferences, according to the UK privacy authority. The advice was included in the Information Commissioner’s Office’s (ICO) cookie law guidance, published this week. Businesses cannot yet rely on consent via browser settings, so must find alternative ways of gaining consent for cookies that store information on users’ machines, the advice stated. The cookie guidance is for compliance with UK regulations that will come into force on 26 May. The law will not be enforced right away, but businesses need to take steps now to ensure future compliance, the ICO said. [Source]

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [MediaPost News]

WW – Flash Update Allows Simpler Management of Flash Cookies

Adobe has released an update for Flash Player to address a number of security issues and give users a more manageable way to control web tracking. Flash Player 10.3 allows users to manage Flash cookies either through a new control panel or in browser privacy settings. Flash cookies, also known as Local Shared Objects (LSOs), have made the news several times in the last few years when researchers noted that they were being used to track users’ online behavior and that they have been difficult to remove. The use of persistent Flash cookies, however, may be waning. Adobe pointed to a January 2011 report from Carnegie Mellon University, commissioned by Adobe, which found that only two of the top 100 websites were using Flash cookies. [Internet Storm Center] [ComputerWorld] [InformationWeek] [Adobe blog post]

CA – OPC Publishes Fact Sheet on Web Tracking with Cookies

Data about a user’s browsing habits are collected through methods such as third-party cookies (used by advertising companies to build detailed profiles for targeted advertising), Flash cookies (often used to track preferences and websites visited), super cookies (e.g. HTML5 storage that can hold data permanently) and web bugs (small, invisible images placed on a web page or hidden in an e-mail message). Third-party cookies involve unknown third parties, and data are often collected without the user’s knowledge or consent. Flash cookies are more hidden than traditional web cookies, are often not mentioned in privacy policy disclosures, and are not affected by web cookie opt-outs. Where super cookies are used, users are often unaware that they exist and are not provided with tools to control the information that is stored. Web privacy tools include “private browsing mode” and add-on applications (e.g. BetterPrivacy, NoScript and Targeted Advertising Cookie Opt-Out (“TACO”)) which clear the different forms of web cookies and web storage. [Fact Sheet] [FAQs]
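The fact sheet’s mechanisms leave different traces. Third-party cookies and web bugs are visible in plain HTTP (a Set-Cookie from a domain other than the page’s own, a tiny or hidden image fetched from a third party), whereas Flash cookies and HTML5 storage are written inside the browser and never appear in headers, which is why web cookie opt-outs do not touch them. The following Python is an added example, not from the OPC fact sheet: it classifies a constructed set of resource fetches for one page load by those HTTP-visible signals. The page URL, the fetch records and the two-label registrable-domain rule are assumptions for illustration; real code should use the Public Suffix List.

```python
"""Classify HTTP-visible trackers in one page load (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed page load: the first party is news.example.com.
PAGE = "http://news.example.com/article/42"
FETCHES = [
    {"url": "http://news.example.com/style.css", "content_type": "text/css", "content_length": 4201,
     "headers": {"Set-Cookie": "session=abc123; Path=/; HttpOnly"}},
    {"url": "http://ads.tracker-net.com/pixel.gif?u=42", "content_type": "image/gif", "content_length": 43,
     "headers": {"Set-Cookie": "uid=7f3a9c; Domain=.tracker-net.com; Expires=Sat, 10 May 2031 00:00:00 GMT"},
     "html_attrs": {"width": "1", "height": "1"}},
    {"url": "http://cdn.example.com/hero.jpg", "content_type": "image/jpeg", "content_length": 88210,
     "headers": {}, "html_attrs": {"width": "640", "height": "360"}},
    {"url": "http://metrics.analytics-co.net/collect", "content_type": "image/gif", "content_length": 35,
     "headers": {}, "html_attrs": {"style": "display: none"}},
]


def registrable_domain(host):
    """Simplification (assumption): the last two labels. Use the Public Suffix List in
    real code, otherwise example.co.uk and other.co.uk collapse into one 'site'."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(page_url, resource_url):
    """A resource is third-party when its registrable domain differs from the page's."""
    return registrable_domain(urlsplit(page_url).hostname) != registrable_domain(urlsplit(resource_url).hostname)


def is_web_bug(fetch):
    """Classic web bug: an image whose only job is to make the browser send a request,
    so it is 1x1, hidden, or has almost no body."""
    if not fetch.get("content_type", "").startswith("image/"):
        return False
    attrs = fetch.get("html_attrs", {})
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    hidden = "display:none" in attrs.get("style", "").replace(" ", "")
    return tiny or hidden or fetch.get("content_length", 10**9) < 100


def set_cookie_header(fetch):
    """Case-insensitive lookup of the Set-Cookie response header, or None."""
    return next((v for k, v in fetch.get("headers", {}).items() if k.lower() == "set-cookie"), None)


def classify_trackers(page_url, fetches):
    """Return one finding per HTTP-visible tracking signal, in fetch order."""
    findings = []
    for fetch in fetches:
        host = urlsplit(fetch["url"]).hostname
        third = is_third_party(page_url, fetch["url"])
        cookie = set_cookie_header(fetch)
        if cookie:
            # Expires/Max-Age turn a session cookie into a persistent identifier.
            persistent = any(attr in cookie.lower() for attr in ("expires=", "max-age="))
            findings.append({"host": host, "kind": "third-party cookie" if third else "first-party cookie",
                             "persistent": persistent})
        if is_web_bug(fetch):
            findings.append({"host": host, "kind": "web bug" if third else "first-party beacon"})
    return findings


if __name__ == "__main__":
    for finding in classify_trackers(PAGE, FETCHES):
        print(finding)
```

The same structure extends to other signals carried in HTTP. Flash LSOs and HTML5 storage do not pass through headers at all, so auditing them means inspecting the browser profile or the Flash storage directory, which is what add-ons such as BetterPrivacy do.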

US – Judge Rules Against IP Address Linkage

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers’ personal details. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address–which, when linked with subscriber information, can identify the owner of the Internet connection line–could falsely identify the illegal file sharer, who could be a subscriber’s family member, friend or anyone using the subscriber’s IP address. The judge described trying to identify file-sharers by IP addresses as a “fishing expedition,” which he said wouldn’t be allowed for the “purpose and intention of class actions.” [OUT-LAW News]

Other Jurisdictions 

AU – Victoria Privacy Commissioner Issues Cloud Computing Guidelines

Victoria’s Privacy Commissioner Helen Versey has warned that the cost of addressing privacy and security issues may outweigh expected capital and operational savings for agencies wanting to shift to cloud computing. Ms Versey told state government organisations they should only use cloud service providers that agree to comply with Victoria’s information privacy laws, and preferably have locally-based data centres. “Where the provider is located offshore, or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” she said in a statement. “By using a cloud service, the government agency is relinquishing some — if not all — control over their data. This includes being able to control security measures, and can present problems if something goes wrong.” There was a real problem of enforceability or remedying a breach if it occurred where data was stored in an offshore server, she concludes in an information sheet on cloud computing released today to guide agency decision-making on adopting cloud solutions. [Source]

NZ – Commissioner Shroff Rolls Out Toolkit for Awareness Week

Privacy Commissioner Marie Shroff has released a toolkit for healthcare providers and consumers as part of Privacy Awareness Week. The kit contains brochures and fact sheets for consumers as well as an updated privacy reference guide, case notes and a training presentation for providers. Shroff said the patient-provider relationship is “based on confidentiality and trust,” and while providers do their best, it’s important for consumers to know their rights. “Consumers need the chance to participate in the conversation about how their health information can be appropriately managed. They need some control. And they can only do this if they know what’s going on,” she said. [Source]

NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source]

AU – Australian Privacy Commissioner Calls For Online Security Laws

Privacy Commissioner Timothy Pilgrim is calling on companies to make sure their data protection efforts are “world standard.” Citing the breach notification laws in 40 U.S. states, the commissioner said the Australian Law Reform Commission is recommending similar regulations. Pilgrim says that while the onus is on companies to protect information online, users can do more by setting privacy settings to the strongest level. For those who feel their privacy has been breached, the commissioner will hear complaints, but, the report states, the Law Reform Commission is also asking for an “explicit right to privacy” so people can bring lawsuits. [ABC Sydney]

Privacy (US) 

US – Federal Court Endorses Warrantless GPS Tracking

The US Court of Appeals for the Seventh Circuit ruled in favor of police officers who attach GPS tracking devices to vehicles without first obtaining a warrant. The three-judge panel held that searches of this sort do not violate the Fourth Amendment after considering the case of Juan Cuevas-Perez. On February 6, 2009, Phoenix, Arizona detective Matthew Shay attached a tracking device to Cuevas-Perez’s Jeep Laredo while it was parked on the street, without asking a judge for a warrant. By February 8, the device had tracked the Jeep driving through Missouri. After sixty hours of use the GPS battery died, so Shay had other law enforcement agencies track the Jeep to its ultimate destination in Illinois. After following Cuevas-Perez for forty miles, an Illinois State Police officer pulled him over for “remaining in the left-hand passing lane,” a violation almost never enforced by the department. A subsequent drug dog search uncovered nine packages of heroin. The Seventh Circuit had already ruled in a 2007 case that secretly installing a GPS device on a vehicle did not constitute a search because the unit provided the same information that could be had from an officer physically following the car. In light of the November US v. Maynard decision from the DC Circuit striking down GPS searches lacking judicial approval (view ruling), the Seventh Circuit judges re-examined the issue. The judges concluded that the twenty-eight-day surveillance in DC could not be compared to the sixty-hour tracking in the present case. “Unlike in Maynard, the surveillance here was not lengthy and did not expose, or risk exposing, the twists and turns of Cuevas-Perez’s life, including possible criminal activities, for a long period,” Judge Richard D. Cudahy wrote for the majority. “As the Maynard court noted, the chances that the whole of Cuevas-Perez’s movements for a month would actually be observed is effectively nil — but that is not necessarily true of movements for a much shorter period.” Lawyers for Cuevas-Perez also argued that the tracking device in this case was far more advanced than those used in prior precedents. The device was capable of sending real-time location updates every minute, whereas the systems in previous cases required physical retrieval of stored information. “We do not consider this particular advancement to be significant for Fourth Amendment purposes in general: real-time information is exactly the kind of information that drivers make available by traversing public roads,” Cudahy wrote. “The historical data gathered and stored on comparatively primitive GPS devices is actually less akin to the publicly-exposed information on which the Fourth Amendment permissibility of GPS tracking is based.” Judge Diane P. Wood disagreed with the majority’s interpretation, arguing it leaves open the possibility of mass surveillance restrained only by the financial resources of the police department. [Source]

US – Spyware is Forever

Documents obtained from the FBI by the Electronic Frontier Foundation (EFF) under a Freedom of Information Act (FOIA) request say that software placed on suspects’ computers by the FBI to assist in gathering evidence in cyber crimes gathers information whenever the target’s computer is turned on. The documents obtained indicate that government officials are unclear as to the legal procedures for requesting permission to use the Computer and Internet Protocol Address Verifier software. EFF staff attorney Jennifer Lynch says the tool has proven valuable in identifying and capturing serious criminals and that in that regard “it’s an important tool to use [but] we need to get on the FBI about … using the proper authority” for installing the tool and for deactivating it once the investigation is complete. [NextGov] [US – As terrorism tips spike, collection of data raises privacy concerns]

US – Google Supports Opposition to California Do Not Track Bill

Google has joined a number of other groups in opposing proposed legislation in California that would grant consumers the right to prevent companies from tracking, retaining or selling data about their online activity. The Bill passed the State Senate Judiciary Committee; it now goes before the Appropriations Committee before moving to the Senate and State Assembly. Those opposing the legislation say it places undue burden on businesses conducting online commerce. [PC World] [The Register]

US – Two Companies Settle FTC Charges

The US Federal Trade Commission (FTC) said that two companies have settled charges the Commission brought against them for failing to implement adequate security controls to protect sensitive information. Ceridian, a payroll services provider, and Lookout Services, which provides immigration services software, both falsely claimed to offer adequate protection. Both companies experienced breaches that exposed sensitive personal information of consumers. The settlement agreements call for the companies to obtain third-party security audits every two years for the next 20 years. [InformationWeek]

US – FTC Reaches $3 Million Settlement with Game Sites

The operator of 20 online gaming sites has agreed to a $3 million settlement with the FTC for violating the Children’s Online Privacy Protection Act (COPPA). The Playdom, Inc., settlement is the largest to date for a COPPA violation. The FTC complaint alleged that the defendants, Playdom, Inc., and its executive, Howard Marks, violated COPPA when, without notifying parents or receiving parental consent, they “collected children’s ages and e-mail addresses during registration and then enabled children to publicly post their full names, e-mail addresses, instant messenger IDs and location, among other information.” COPPA requires websites directed at children to obtain parental consent before collecting and using children’s personal information. FTC Chairman Jon Leibowitz said of the ruling, “Let’s be clear: Whether you are a virtual world, a social network or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do and, as today’s settlement demonstrates, violating COPPA will not come cheap.” [Source]


US – N.J. Unveils Enhanced Driver’s License

With the backdrop of airline passengers presenting driver’s licenses at security checkpoints to board airplanes, state officials unveiled the new Enhanced Digital Driver’s License that they say puts New Jersey among the top 10 states with the most secure document. The new license will once again allow drivers to renew their licenses by mail or online once during an eight-year renewal cycle, instead of having to do it in person at a Motor Vehicle agency. But that convenience will not be at the expense of security. Many of the security enhancements meet federal requirements and are undetectable by drivers, but can be spotted by law enforcement and other trained people, including Transportation Security Administration officers at airports, he said. The new license, which will be issued to drivers at their next license renewal, is now being implemented at the MVC’s 39 agencies through a computer upgrade and the MVC’s ability to use facial-recognition technology to fight fraud. It is the end result of a $19 million program to upgrade the MVC’s computer systems, agency hardware and software in order to roll out the new license. The new technology will be used to scan the MVC’s 16 million records for any duplicate licenses a person may hold and to detect fraud. Martinez said the new license meets federal standards and is considered in the top 10 for secure documents. Motorists will still need to present six pieces of identification when they apply for a license, but once those documents are in the database, a driver won’t need to present them at the next renewal. The new licenses are almost identical in appearance to the state’s original digital driver’s license, which was implemented in 2004. Dow said the enhanced license is a key tool to fight crime ranging from identity fraud to terrorism and gang activities because a valid driver’s license is a gateway document for identification and other purposes. [Source]


US – White House Issues International Cyberspace Strategy

The White House has released the text of its International Strategy for Cyberspace. Last week, the administration sent Congress a legislative proposal for securing domestic networks. The International Strategy says “The United States will pursue an international cyberspace policy that empowers the innovation that drives our economy and improves lives here and abroad. In all this work, we are grounded in principles essential not just to American foreign policy, but to the future of the Internet itself.” [NextGov] [Whitehouse.gov]


US – FBI Reluctant to Identify ISPs Participating in Surveillance Programs

The FBI says it does not want to divulge the names of telecommunications and internet service providers that help US law enforcement agencies by supplying user information without warrants because customers would become angry with the companies and cancel their service or even file lawsuits. A top FBI official made the statement in a court declaration arguing against having to provide the information under a Freedom of Information Act (FOIA) request from the ACLU. The official also noted that the companies might also be upset if they were identified. [Source] [ACLU] [ACLU] [ACLU]

US – PC Rental Company Used Webcam to Take Pictures of Customers Remotely

A Wyoming couple has filed a lawsuit against a store through which they had a rent-to-own computer agreement. The suit alleges that the store spied on them. Crystal and Brian Byrd discovered that someone at the store had used remotely activated software to take a picture of Brian when a store employee came to their home and attempted to repossess the computer. The lawsuit also names the company that developed the software allegedly used to take the picture. Evidently a picture was taken each time the couple received a pop-up reminder to register their software. The Byrds are seeking class action status for their lawsuit. [Source] [Source] [Source]

AU – Taxi Plan to Record Conversations to Boost Security Alarms Civil Libertarians

Every word uttered in a cab could soon be recorded and stored under proposed State Government changes to the operation of taxi security cameras. Simply opening the door or starting the meter would activate the recording of trips in an industry that claims to transport 90 million passengers in Queensland each year. The move has alarmed civil libertarians, the state Opposition and even concerned some members of the taxi industry. Queensland’s Privacy Commissioner Linda Matthews, who was not consulted about the proposal detailed in a Transport and Main Roads’ discussion paper, said there would be no such thing as “an anonymous taxi ride” once audio recordings were introduced. “The public would want to be reassured the record is used for genuine law enforcement purpose and the protections that are in place should be sufficient. I guess time will tell,” she said. [Source]

KE – Kenya: NCIC Snooping on Your Text Messages

The Kenyan National Cohesion and Integration Commission (NCIC) has revealed that it has been snooping on Kenyans’ text messages for the past year, looking out for hate speech. NCIC Commissioner Halakhe Waqo said the move was aimed at sustaining harmonious relationships among Kenyans as well as preventing tribal conflicts in the future. He argued that the overriding need to facilitate integration in the country superseded an individual’s right to privacy because of the risk to national security. “Yes, we do recognise that privacy is very important for an individual but public security and safety is much more important. We want to pin down that breach in public safety and security,” he said. Commissioner Waqo further explained that NCIC had been partnering with mobile service providers as well as security agents in the country to facilitate the scrutiny. He added that the NCIC would also broaden its partnerships with other like-minded institutions in order to promote harmony. The NCIC further said that it would soon release a detailed report of its findings on the SMS survey. [Source]

CA – Street Cams Get Committee’s Nod

Ten police cameras are on track to become permanent in Winnipeg’s core. Winnipeg police Chief Keith McCaskill told council’s protection and community services committee the closed-circuit television cameras have helped officers investigate serious crimes, including one homicide. Winnipeg police installed 10 closed-circuit television cameras in six high-crime locations downtown in January 2009 as part of a $440,000 pilot project to deter crime, collect video evidence and increase public safety. McCaskill said “it’s debatable” whether the cameras deter crime, but he noted they have been a valuable tool when officers need to collect video evidence. During the project, officers requested video for 39 events, and of those, 22 videos were downloaded and used as evidence in court. That’s just a fraction of the total number of violent-crime incidents, according to a report released last week that found 1,843 incidents were reported within 250 metres of cameras during the project. Council’s protection and community services committee voted in favour of making the closed-circuit cameras permanent and gave the Winnipeg Police Service the go-ahead to hire a technologist to maintain the equipment. Police will absorb the $129,898 cost of the technologist in their existing budget this year, but will request the additional amount on an ongoing basis, starting next year. Executive policy committee and city council still need to vote on the plan. [Source]

Telecom / TV 

US – Senate Panel Grills Apple, Google on Location Data

Executives from Apple and Google told lawmakers that users have control over the information used to pinpoint the location of iPhones and of smartphones running Google’s Android software. The hearing by the Senate Judiciary Subcommittee on Privacy, Technology and the Law followed Apple’s recent admission that its popular iPhone stores data used to help the device locate itself for up to a year. Apple also said that a software bug caused iPhones to continue sending anonymous location data to the company’s servers even when location services on the device were turned off. Sen. Al Franken, D-Minn., who chairs the subcommittee, challenged executives from both companies to require all outside app developers that write programs for their mobile platforms to adopt formal privacy policies. Apple’s Guy “Bud” Tribble said Apple believes that privacy policies alone are not enough. He explained that privacy needs to be baked into products, for instance in the form of clear on-screen disclosures that notify users how their personal data is collected, and tools to control that data collection. Google’s Alan Davidson said he would bring the suggestion back to Google’s top executives. [Source] See also: [Google destroys Aussie Wi-Fi data]

US – FTC Statement on Protecting Mobile Privacy

Several cases brought by the FTC demonstrate that Section 5 of the FTC Act, which prohibits unfair or deceptive practices, applies to the mobile area. For example, a company was charged with deceptively endorsing mobile gaming applications by posting positive reviews of the apps that appeared to come from disinterested users when in fact they came from the company itself, and the sender of over 5 million unsolicited text messages was found to have engaged in deceptive and unfair practices. The FTC has also brought allegations against companies for deceptive privacy notices (e.g. a company collected information from mobile users to populate its social networking site and made associations with the users’ frequent e-mail contacts, all without the users’ consent) and for insufficient technical safeguards (e.g. a social networking site failed to secure its users’ data, allowing hackers to obtain unauthorized administrative control of the site and access to users’ mobile phone numbers). Mobile devices facilitate data collection by many entities and allow companies to collect users’ data over time to reveal habits and patterns. To protect the privacy and security of users’ data on mobile phones, companies should provide streamlined privacy choices that are readable and usable on a mobile phone’s screen, and should not collect or retain more data than is needed to provide the requested service or transaction. [Source]

EU – Telecom KPN Denies Violating Privacy Rules By Using DPI

On Friday, Dutch telecommunications provider KPN denied it violated the terms and conditions of its contracts when it used deep packet inspection (DPI) to view the Internet activity of its customers. The company “came under fire” on Thursday after it revealed it uses DPI to find out whether customers use instant messaging applications. A spokesman for a civil rights organization said it is “theoretically possible” to read the content of e-mail messages when using DPI. KPN said an internal investigation “found no wrongdoing,” but the company would cooperate with an external investigation. [The Wall Street Journal]

US Government Programs 

US – California Utility Commission Proposes SmartMeter Privacy Rules

A proposed ruling by the California Public Utilities Commission would impose privacy rules on home device platforms that automatically use smart meter data. The ruling would require the state’s three big utilities to impose tariffs on third parties that request certain customer utility data, the report states, and would require them to impose CPUC’s privacy guidelines on those parties. Utilities using home device platforms that don’t automatically transfer utility data to a third party would be required to provide those customers with information on potential uses of their data. The utilities have three months to establish tariffs. [Source: GigaOM] See also: [European Commission – Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions – Smart Grids: From Innovation To Deployment]

US Legislation 

US – Obama Offers Breach Notification Bill

The Obama administration has proposed adoption of a federal data breach notification policy that would supersede the divergent laws now in effect in most states. The policy is a component of a comprehensive cybersecurity legislative agenda that the White House unveiled this week. The proposed policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has similar requirements. Otherwise, the policy would apply to for-profit and not-for-profit business entities that engage in or affect interstate commerce and use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period. The policy would require the reporting of security breaches to the FTC, and to the individuals affected, within 60 days unless there is no reasonable risk of harm or fraud. The FTC could grant a business entity an extension of up to 30 days to allow time for the entity to conduct further investigation. The proposal defines a breach as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.” The proposed policy would include two major exemptions, or safe harbors. A business would be exempt from the notification requirements if it conducted a risk assessment that concluded that there is no reasonable risk that a security breach has harmed individuals whose sensitive personally identifiable information was subject to the breach. Also, a breach would not have to be reported if the data were rendered unusable, unreadable or indecipherable through a security technology or method generally accepted by IT security experts.
The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million per violation unless such conduct is found to be intentional. Besides notifying the FTC and the individuals affected, businesses would have to notify the local news media if more than 5,000 individuals within any one state were affected by the breach. For these larger breaches, businesses also would have to notify the national credit reporting agencies. [Source] See also: [New Zealand Row brewing over privacy ‘crime’] [HHS – Office of the National Coordinator for Health Information Technology – Federal Health Information Technology Strategic Plan 2011-2015]

US – Sen. Rockefeller Announces Anti-Online-Tracking Bill

The head of the Senate’s powerful commerce committee said he’ll introduce a bill that forces online advertising and tracking companies to let users easily opt out of online tracking. Chairman Jay Rockefeller (D-West Virginia) said the bill, to be introduced next week, will create a “universal obligation for all online companies” not to track people who set a browser flag or cookie saying they don’t want to be tracked. Rockefeller’s move complements a recent privacy bill introduced by Sens. John Kerry (D-Massachusetts) and John McCain (R-Arizona) that would enshrine a consumer bill of rights for online privacy, though it does not explicitly say that companies must obey the so-called ‘Do Not Track’ flag. According to Rockefeller, the bill will empower the FTC to go after companies that disobey the flag. Companies can still collect the information needed for their service to work from users who set the flag, but must destroy it or anonymize it once it is no longer needed. While Rockefeller promises the bill will be universal, it’s not clear how any such legislation could apply to companies outside the United States. Critics of the Do Not Track idea argue that it’s still unclear what counts as tracking and that mass adoption of the setting will harm innovation on the web, as many services and publications rely on the higher payouts of targeted ads to provide free information and services to users. [Source] See also: [Innovation in online advertising: Mad Men are watching you]
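The browser flag the bill refers to is, in practice, the HTTP Do Not Track request header. The following is an added example, not code from the bill, from any tracking company or from the original article, of how a site can honour that flag on the server side and apply the rule described above: collect only what the service needs from a user who has set the flag, and destroy or anonymize identifying data once it is no longer needed. The `DNT` header semantics (only the value `1` is an opt-out), the `uid` cookie name, the 30-day retention window and the sample requests are assumptions made for this example.

```python
"""
Honouring a Do Not Track flag on the server side (added example).

Assumptions: the browser flag is the HTTP ``DNT`` request header; the
persistent tracking identifier lives in a cookie named ``uid``; records
older than RETENTION are anonymized.  None of this comes from the bill.
"""
import ipaddress
import secrets
from datetime import datetime, timedelta
from http.cookies import SimpleCookie

TRACKING_COOKIE = "uid"          # assumed name of the persistent tracking ID
RETENTION = timedelta(days=30)   # assumed window after which records lose identity


def dnt_enabled(headers: dict) -> bool:
    """True only when the user has expressed an opt-out.

    "1" means do not track, "0" means the user explicitly consented, and a
    missing header means no preference, so only "1" counts as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def anonymize_ip(ip: str) -> str:
    """Coarsen a client address so it no longer singles out one user:
    keep the /24 for IPv4 and the /48 for IPv6, zero the host bits."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def _cookies(headers: dict) -> dict:
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return {k: m.value for k, m in jar.items()}


def handle(request: dict, now: datetime) -> tuple:
    """Serve one request; returns (response headers, log record).

    What the service needs (path, timestamp) is always recorded.  A
    persistent ID and the full client address are only created or kept
    when the user has not set DNT.
    """
    headers = request["headers"]
    record = {"ts": now, "path": request["path"]}
    response_headers = []

    if dnt_enabled(headers):
        # No identifier is issued, and the address is coarsened at log time
        # rather than collected in full and relied on to be deleted later.
        record["client"] = anonymize_ip(request["client_ip"])
        if TRACKING_COOKIE in _cookies(headers):
            # The browser still carries an ID from before the opt-out: expire it.
            response_headers.append(("Set-Cookie", f"{TRACKING_COOKIE}=; Max-Age=0; Path=/"))
    else:
        uid = _cookies(headers).get(TRACKING_COOKIE) or secrets.token_hex(16)
        response_headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={uid}; Path=/; HttpOnly"))
        record["client"] = request["client_ip"]
        record["uid"] = uid

    return response_headers, record


def expire_records(records: list, now: datetime) -> list:
    """Retention sweep: once a record is older than RETENTION, the identifier
    is removed and the address anonymized in place; the non-identifying
    fields stay for aggregate statistics."""
    for rec in records:
        if now - rec["ts"] > RETENTION and "uid" in rec:
            rec.pop("uid")
            rec["client"] = anonymize_ip(rec["client"])
    return records


def demo() -> dict:
    """Run two constructed sample requests (not captured traffic) through
    handle() and a retention sweep; returns the outcomes for inspection."""
    t0 = datetime(2011, 5, 10, 12, 0, 0)
    opted_out = {"path": "/article", "client_ip": "203.0.113.77",
                 "headers": {"DNT": "1", "Cookie": "uid=deadbeef"}}
    tracked = {"path": "/article", "client_ip": "2001:db8:1234:5678::9",
               "headers": {"User-Agent": "example"}}
    out_hdrs, out_rec = handle(opted_out, t0)
    trk_hdrs, trk_rec = handle(tracked, t0)
    swept = expire_records([dict(trk_rec)], t0 + RETENTION + timedelta(days=1))[0]
    return {"opt_out_headers": out_hdrs, "opt_out_record": out_rec,
            "tracked_headers": trk_hdrs, "tracked_record": trk_rec,
            "tracked_after_sweep": swept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that the opted-out path never stores the identifying value at all: the address is truncated before it reaches the log, so honouring the flag does not depend on a later deletion job running correctly. The sweep in `expire_records` is only for records from users who did not set the flag.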

US – Do-Not-Track Bill Gets State Senate Hearing

California Sen. Alan Lowenthal (D-Long Beach) gave testimony to the Senate Judiciary Committee on his proposed do-not-track bill, SB 761. If passed, the bill would enable Internet users to opt out of being tracked by websites, require businesses to disclose how tracked data is being used, and subject violators to civil action for damages. Lowenthal was joined by three witnesses in support of the legislation, but several witnesses were present to oppose it, saying it would hurt business and the job market. [Source]

US – Lawmakers Propose Expansion to COPPA

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have presented a draft of their Do Not Track Kids Online Bill that proposes to ban behavioral targeting to minors (users under 18) and limit the collection of teens’ information to those companies that adhere to Fair Information Practice Principles. The bill would also broaden the definition of personal information under the Children’s Online Privacy Protection Act (COPPA) to include “unique identifiers, IP addresses and anything that permits the identification of a computer.” A recent study by Carnegie Mellon researchers found that only 22 ad networks out of 58 that belong to the self-regulatory group Network Advertising Initiative stopped collecting tracking data after users opted out. [MediaPost News]

US – Texas Bill Bans Patient Record Sales

Privacy advocates say that State Rep. Lois Kolkhorst’s (R-District 13) bill aiming to protect Texans’ healthcare privacy is a vast improvement over federal law. The bill would ban the sale of Texans’ healthcare records and notify them when their electronic health records have been transferred, the report states. Penalties for noncompliance would carry fines of up to $3,000 per violation with up to $1.5 million in legal damages. Opponents say the bill will stifle business. Kolkhorst says the bill, which will see a final vote in the house this week, “is to protect your health records as we move into the electronic age.” [The Texas Tribune]

US – Calif. Bill Protects Customers’ Reading Records

Government agencies would have to get a warrant or court order to obtain customers’ reading records from bookstores and online booksellers, under a bill approved by the California Senate. The legislation by Sen. Leland Yee is patterned after similar privacy protections that currently are in place for library records. The bill, SB602, passed the Senate unanimously and without debate Monday. It now goes to the Assembly. Yee, a Democrat from San Francisco, says digital book services can collect details about the books readers browse, even the notes they write in the margins. His bill is supported by the American Civil Liberties Union, Electronic Frontier Foundation and Google, among others. There was no registered opposition. [Source]
