16-31 May 2011

Biometrics

CA – Calgary: Technology Speeds Up Volunteer Police Checks

The Calgary police have unveiled a new digital fingerprinting process that will allow non-profit organizations to quickly run police checks on their volunteers. Calgary police process about 100,000 criminal record checks a year. The new identification system will not only help police solve crimes, but means fingerprints of potential volunteers can be checked within minutes instead of weeks or months. Of course, the system only flags people who have a conviction, said Chief Rick Hansen. Running police checks on 2,500 volunteer coaches and assistant coaches in the minor hockey system is painstaking work for Hockey Calgary. [Source]

WW – Schmidt: No Facial Recognition for Google

Google CEO Eric Schmidt, talking this week at the company’s “Big Tent” conference in the UK, said that Google is “unlikely” to create a facial recognition database, adding that the accuracy of the technology is “very concerning” and popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences. Schmidt also announced Google’s new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. “It is worth stressing that we can only do this with data you have shared with Google. We can’t be a vacuum cleaner for the whole Internet,” said Schmidt. [Source: No Facial Recognition for Google]

Canada

CA – Anonymity of Sperm, Egg Donors Ruled Unconstitutional

The BC Supreme Court has decided children of anonymous sperm donor fathers do have the right to learn who their dads are. Olivia Pratten has asked the courts to ensure donor records are preserved indefinitely and children can access them when they turn 19. The 28-year-old fought for years to learn the identity of her biological father, but was eventually told the doctor destroyed the records in the 1990s. The BC Supreme Court ruled it’s unconstitutional for the government to keep records secret or destroy them at any time. The government has 15 months to comply. [Source]

CA – “Lawful Access” Legislation Represents Unprecedented Invasion of Privacy

The internet is no longer simply an information revolution; it has become an integral part of our lives, and our increasing reliance on it has become a serious vulnerability. The Canadian government will soon table “lawful access” legislation, which will require internet service providers (ISPs) to record our contact information, set up a constant internet surveillance system, and report specific online exchanges upon request. This information would then be made available to law enforcement officials even if they did not have a court order or a warrant. When this legislation was initially proposed, Canadian privacy and information commissioners expressed grave concern about the implementation of such drastic measures. They noted that the range of information obtained could exceed that gleaned from a lawful wiretap, and that there were many gaps in the proposed oversight model. [Source]

Consumer

CA – Court Rules Company Laptops Now Private Affair

The recent Ontario Court of Appeal decision in R v. Cole establishes that employees have a reasonable expectation of privacy in the personal use and contents of their work-provided laptop computers. The case involved a Sudbury high school teacher whose work-provided laptop was investigated by a school board computer technician after a higher than normal amount of network use was noticed. The technician accessed the content on the teacher’s laptop through the school server and found sexually explicit images of a student on the hard drive. The school obtained the laptop and turned it and two discs over to the police who searched both without a warrant and charged the teacher with possession of child pornography and unauthorized use of a computer. The Court of Appeal ruled that the teacher had a reasonable expectation of privacy in the personal use of his work laptop and in the contents of his personal files on the hard drive. Even though the laptop was owned by the school board and issued for work purposes, the court found that a reasonable expectation of privacy existed. The Court of Appeal ordered a new trial and that certain of the evidence obtained without a warrant could not be used. [Source]

WW – Groups Worry DHS Pushing EU to Weaken Privacy Protections

Privacy groups are concerned about data sharing talks between the U.S. Department of Homeland Security (DHS) and the European Commission, The Hill reports. In a letter to President Barack Obama and the Senate Foreign Relations Committee, the 11 groups said, “We fear that the United States may be pushing the Europeans to weaken their comparatively strong protections of privacy and other fundamental rights, rather than agreeing to strengthen U.S. protections and respect such principles.” The groups, which are also calling for a hearing on the topic, include the American Civil Liberties Union and the Consumer Federation of America. This week, a DHS spokesman said the belief that the “U.S. doesn’t care about privacy” is a misconception. [Source]

EU – CNIL to Increase Compliance Checks

The French data protection authority (CNIL) is warning companies and individuals that they should “exercise caution” when transferring data in and out of European countries as it plans to increase its compliance inspections. The CNIL said in an April statement that it plans to increase inspections by one third compared to last year, aiming to complete at least 400 this year. The checks, which will especially look at companies enrolled in the U.S.-EU Safe Harbor Program, will focus on telemedicine, storage of health data and consulting firms’ use of data from the Program of Medicalization of Information Systems, the report states. The CNIL has the ability to impose sanctions for violations of French data privacy law. [Source]

E-Government

CA – Police Site to List People Charged With Drunk Driving

A Northern Ontario police department is launching a highly unusual program to publicize the names of all motorists charged with impaired driving, raising concerns it will stigmatize suspects before any guilt has been determined. The impaired drivers list, which will be released every Tuesday on the force’s website, starting on June 7, is meant to “detect, deter, and prevent the commission of impaired driving.” Many Canadian police forces regularly release lists of a range of charges laid against people: everything from murder to robbery to assault. But what appears to make Sudbury different is the intention to issue a specific list of just those charged with impaired driving, and make that information easily available. This is not the first time that police departments in Canada have tried similar tactics. In a number of jurisdictions police have released the names of “johns” as a way to discourage prostitutes and shame customers. Two years ago, a public list of accused johns was proposed by police in Lethbridge, Alta., and in 2004, Winnipeg police began posting clips of men soliciting sex on the Web but with faces and automobile licences blurred. The most daring attempt to shame potential criminals came in Cornwall, Ont., in 2009 when police began posting lawn signs in front of homes in which drug warrants had been executed and charges laid. The province’s privacy commissioner ultimately ordered the practice stopped. [Source]

E-Mail

EU – DPAs Release FAQs on Breach Requirements

Two German data protection authorities (DPAs) have issued a paper that addresses the data breach notification requirements under Section 42a of the German Federal Data Protection Act. The paper includes frequently asked questions that address breach notification procedures that private organizations and some public entities must follow to achieve compliance. The paper contains “practical guidelines” to help organizations identify when notification is required and appropriately comply with notification obligations. [Hunton & Williams’ Privacy and Information Security Law Blog]

Encryption

US – Complaint Filed Against File-Sharing Service

A complaint was filed with the Federal Trade Commission last week alleging that a file-sharing service has been misleading customers about their privacy. Dropbox, a file synchronization and online backup service with more than 25 million customers, stated in its terms of service that all files were encrypted. However, security and privacy researcher Christopher Soghoian, who lodged the complaint, says the service uses a technique called “deduplication,” which usually results in poorer security and has “significant flaws,” and suggests Dropbox instead assign users individual encryption keys. A spokeswoman for the company said the complaint is “without merit,” and the issues were addressed in a company blog post in April. [InformationWeek]
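The complaint turns on a cryptographic design choice: if a provider encrypts every customer’s files under one provider-held key and deduplicates on the plaintext, identical files from different users collapse to one stored blob, and the provider (or anyone who can observe deduplication) can test whether a given file is already held. With per-user keys and fresh nonces the same plaintext produces unrelated ciphertexts, so cross-user deduplication, and that test, are no longer possible. The following Python model is an added illustration, not Dropbox’s code or a description of its actual implementation; the toy HMAC-based stream cipher, the provider key and the user keys are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Store:
    """Provider-side storage: blobs keyed by storage id, plus who owns each blob."""
    blobs: dict = field(default_factory=dict)   # storage_id -> stored ciphertext
    owners: dict = field(default_factory=dict)  # storage_id -> set of user names


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative keystream cipher built from HMAC-SHA256 in counter mode.
    It is here only to make ciphertexts depend on key and nonce; it is not a
    production cipher. XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed provider-wide key for model 1 (one key for every customer).
PROVIDER_KEY = b"constructed-provider-wide-key"


def upload_dedup(store: Store, user: str, plaintext: bytes) -> str:
    """Model 1: provider key + deduplication on the plaintext hash.
    The nonce is derived from the plaintext so identical files encrypt
    identically and only one copy is ever stored."""
    storage_id = hashlib.sha256(plaintext).hexdigest()
    if storage_id not in store.blobs:
        nonce = bytes.fromhex(storage_id[:32])  # 16 deterministic bytes
        store.blobs[storage_id] = toy_stream_cipher(PROVIDER_KEY, nonce, plaintext)
    store.owners.setdefault(storage_id, set()).add(user)
    return storage_id


def upload_per_user(store: Store, user: str, user_key: bytes, plaintext: bytes) -> str:
    """Model 2: per-user key and a random nonce per upload.
    The provider stores nonce || ciphertext and cannot relate two uploads
    of the same file, so nothing deduplicates across users."""
    nonce = os.urandom(16)
    blob = nonce + toy_stream_cipher(user_key, nonce, plaintext)
    storage_id = hashlib.sha256(blob).hexdigest()
    store.blobs[storage_id] = blob
    store.owners.setdefault(storage_id, set()).add(user)
    return storage_id


def download_per_user(store: Store, storage_id: str, user_key: bytes) -> bytes:
    """Recover a model-2 upload with the owner's key."""
    blob = store.blobs[storage_id]
    nonce, ciphertext = blob[:16], blob[16:]
    return toy_stream_cipher(user_key, nonce, ciphertext)


def provider_can_confirm_file(store: Store, candidate_plaintext: bytes) -> bool:
    """The 'confirmation of file' check that model 1 makes possible:
    hash a candidate plaintext and see whether that blob already exists.
    Against a model-2 store this always returns False."""
    return hashlib.sha256(candidate_plaintext).hexdigest() in store.blobs


def demo() -> dict:
    """Two users upload the same file under each model; report what the provider sees."""
    document = b"constructed sample: tax return 2010"
    dedup_store, per_user_store = Store(), Store()
    upload_dedup(dedup_store, "alice", document)
    upload_dedup(dedup_store, "bob", document)
    upload_per_user(per_user_store, "alice", b"constructed-alice-key", document)
    upload_per_user(per_user_store, "bob", b"constructed-bob-key", document)
    return {
        "blobs_with_provider_key": len(dedup_store.blobs),         # 1: deduplicated
        "blobs_with_per_user_keys": len(per_user_store.blobs),     # 2: no dedup
        "provider_confirms_file_model1": provider_can_confirm_file(dedup_store, document),
        "provider_confirms_file_model2": provider_can_confirm_file(per_user_store, document),
    }


if __name__ == "__main__":
    print(demo())
```

The storage saving that deduplication buys is exactly the information leak Soghoian objects to: the provider can only recognise a duplicate because it can recognise the file. Per-user keys close that gap at the cost of storing every copy.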

EU Developments

UK – Websites Given 12 Months to Abide Cookie Law

Organisations and businesses that run websites aimed at UK consumers have been given up to 12 months to take action before enforcement of the new EU-conceived rules on cookies begins. The Information Commissioner’s Office, tasked with enforcing the stricter requirements for website owners, said the Privacy and Electronic Communications regulations do not contain a transitional period. But as the necessary technological changes to browsers to allow users more control over cookies “aren’t there yet,” the requirement that their “explicit consent” is given for the files to be used will not be enforced straight away. “So we’re giving businesses and organisations up to one year to get their house in order,” the ICO explained, releasing fresh guidance for website owners and consumers alike. [Source] See also: [Almost entire EU now violating Brussels cookie privacy law]

EU – EDPS Condemns Data Retention Directive

European Data Protection Supervisor Peter Hustinx said Tuesday that the 2006 directive on data retention does not adequately meet privacy and data protection requirements, Deutsche Welle reports. The directive has “failed to meet its main purpose,” Hustinx said in his 16-page opinion, adding that the need for data retention “as provided for in the Data Retention Directive has not been sufficiently demonstrated.” Hustinx is calling on the European Commission to consider repealing the directive for a more “targeted EU measure.” Cecilia Malmström, commissioner for home affairs, recently said the five countries that have not yet implemented the directive would face legal action, though she noted the directive’s “serious shortcomings.” [Source]

EU – European Commission Vows to Simplify Data Protection

The European Commission has vowed to simplify rules on data protection and is considering establishing a voluntary register for companies in non-E.U. countries that agree to abide by the region’s data protection standards. “The current lack of harmonization on data protection at European Union level comes at a huge cost and is detrimental to everyone, companies and citizens alike,” said Justice Commissioner Viviane Reding, adding that she plans to harmonize rules across the E.U. and clarify which law applies to a company active in several member states. This is good news for businesses. She also vowed to cut “excessively bureaucratic, unnecessary and ineffective” notification requirements, while at the same time saying she wants to introduce a mandatory data breach notification requirement, for all sectors: banking data, data collected by social networks or by providers of online video games. Echoing an opinion taken by the Article 29 Working Group (an independent data watchdog) earlier this week, the Commissioner also agreed to designate geolocation information as private data. “Movements of citizens should not be tracked without their explicit consent. Storing location data may lead to betraying the location of users,” said Reding. [Source]

EU – Breaches, CCTV Use Examined in Irish DPA Annual Report

Data Protection Commissioner Billy Hawkes released his annual report, and among the findings was a “dramatic increase in the number and significance of organizations that have lost personal data,” he said, up from 119 reports in 2009 to 410 in 2010. The report points to increased demands in a new code of practice as the reason, “rather than an increase in the absolute number of data breaches.” The report also looks at specific issues related to the use of biometrics and closed-circuit television (CCTV), highlighting one case where a school was required to remove CCTV cameras from its restrooms. The annual report also includes details on recent investigations. [Source]

Facts & Stats

EU – Increase in Reported Data Breaches Likely Due to Code of Practice

The number of data breaches reported to Ireland’s Data Protection Commissioner (DPC) rose 350% in 2010. In 2009, the DPC received reports of 119 breaches, while in 2010, 410 breaches were reported. In a report, the DPC attributed the increase to “the more exacting demands placed on organizations by the code of practice rather than an increase in the absolute number of data breaches.” Data breaches from compromised websites have increased, while data breaches from lost or stolen laptops have declined. [Source] [Link to the DPC and the Code of practice]

CA – Execs Break Their Own Rules When it Comes to Mobile Policy

As awareness of the security risks around corporate mobile devices grows, the number of Canadian companies employing mobile device management (MDM) tools has jumped. However, a recent survey indicates that the leading violators of mobile security policies are company executives. In an online survey of 500 information security professionals from all industry sectors across Canada, Telus Corp. found that 45% of the respondents are willing to invest in MDM products. Revenue growth in the space, according to Telus, actually jumped from 13% in 2010 to 24% this year. The telecom company also found that flouting company mobile security rules appears to be more prevalent at the top of the corporate ladder. Executives are most likely to bring personal mobile devices into the company network. The breach of security policies by execs is partly attributed to their need to boost their productivity. BlackBerry was seen as the most secure smartphone. The loss of a mobile device containing corporate data, for instance, he said, was identified as the number one concern among survey respondents in the government, private and public sectors who were asked to rank security issues on a scale of one to six. The use of another device to access the company network was a close second. Respondents in the private and public sector marked it as number two while respondents in the government sector gave it a three. Interestingly, the use of “untrusted application ecosystems” or third-party apps ranked low. Respondents in the government gave apps a six, those in the private sector marked apps as five and the public sector said four. One Canadian security expert said that a two-tiered security policy is commonplace in both small and large companies. “Executives and managers are the very first ones to sign off on security policies and unfortunately the very first to break them,” said Claudiu Popa, president of security and privacy firm Informatica in Toronto.
Companies need to take steps to protect company resources and data using steps such as:

  • Restricting what type of data and resources can be accessed using personal devices
  • Restricting access to data and resources through role-based rules
  • Encrypting company data and employing complex passwords
  • Using technology that remotely wipes data from lost or stolen devices
  • Employing web-based virtual desktop services such as Citrix and VMware [Source]

Finance

AU – Aussie Banks Cancel 10,000 Credit Cards

The Australian banking system has been rocked by a mystery security breach which caused the immediate cancellation of over 10,000 cards. The Commonwealth Bank and the St George Bank initiated the alert via SMS to customers notifying them that their cards would be cancelled as part of precautionary measures. [Source]

NZ – Commissioner Proposes Changes to Credit Reporting

Privacy Commissioner Marie Shroff has proposed several changes to New Zealand’s Credit Reporting Privacy Code. A press release issued by the privacy commissioner noted that Amendment No. 5 will introduce a style of credit reporting similar to the system employed in the U.S. The new amendment will include ongoing reporting of repayment history, give credit reporters additional tools to assess creditworthiness and allow victims of identity theft to exercise a “credit freeze.” Supporters of the changes claim they will help New Zealand “climb” out of the recession, whereas skeptics are “very suspicious,” saying it is not a “transparent system.” Shroff noted, “There is no doubt that this would be a more intrusive regime, but I have tried to ensure that there will be benefits to individuals and the community as well as to business members.” [Source] [Report and Recommendations]

FOI

US – Open Government Sites Scrapped Due to Budget Cuts

Budget cuts are forcing the White House to abandon plans for two new Web sites tied to President Obama’s ambitious open government efforts. Officials with the Office of Management and Budget said they’re scrapping a site that would have allowed federal employees to swap work tips and information and another that would have provided information on the quality of federal services to the general public. The cuts come after budget negotiators last month slashed the Electronic Government Fund from a requested $35 million to just $8 million. The fund helps finance government sites that track federal data, government contracting, government information technology and overall performance (respectively, Data.gov, USASpending.gov, the IT Dashboard and Performance.gov). Those sites will continue at current levels, but “several projects will experience a sharp decline given the limited amount of funding,” White House Chief Information Officer Vivek Kundra said in a letter to Sen. Thomas R. Carper (D-Del.) Tuesday. “No project will go unaffected.” [Source]

US – Hacktivists Scorch PBS in Retaliation for WikiLeaks Documentary

A hacker group unhappy with PBS Frontline’s hour-long documentary on WikiLeaks has hit back at the Public Broadcasting System by cracking its servers, posting thousands of stolen passwords, and adding a fake news story to a blog belonging to the august PBS Newshour that was indexed by Google News, and spread rapidly through Facebook and Twitter, even after PBS pulled it down. In addition to the fake news story Sunday, the group tweeted links to pastebins of the internal IP addresses and names of PBS servers, a top-level view of PBS’ website database, and large caches of e-mail addresses and passwords, including those for 200 PBS affiliates around the country, dozens of PBS bloggers, and 1,500 third-party newspaper and media reporters who’d signed up for access to PBS’s “pressroom” of photos, clips and press releases. [Source] See also: [Mayor Nenshi releases names of visitors]

Genetics

CA – Youth DNA Collection a Burning Issue

There’s a good chance that an Ontario Court of Appeal ruling deeming automatic DNA collection for certain youth criminals to be constitutional will go all the way to the Supreme Court of Canada. David Rose believes the appeal court erred in its decision because society treats youth differently than adults in court. The appeal court released its decision in April in the cases of three convicted youths, K.M., J.B., and D.R. It followed arguments last November in a constitutional challenge of the mandatory collection of DNA from youth convicted of certain crimes such as robbery and assault causing bodily harm. The court ruled the practice is constitutional and thereby overturned a decision by Justice Marion Cohen of the Ontario Court of Justice in 2009 in which she, after lengthy court proceedings, eventually ruled it infringes the privacy and security rights of youth. Cohen refused to make DNA collection orders in respect to the convicted youth. Cohen “said it was unconstitutional when it comes to young persons because young persons have certain statutory rights and enhanced privacy rights different from adults,” says David Rose, who represented the Canadian Civil Liberties Association in the appeal. [Source]

Health / Medical

US – Report: Electronic Health Record Security Lacking

The Department of Health and Human Services Office of the Inspector General (OIG) has released two reports that offer “harsh” critiques of the department’s efforts to protect electronic health records. One report asks the Office for Civil Rights (OCR) to “ramp up” its compliance review efforts in order to make sure appropriate security controls are in place in healthcare facilities. The OIG found “a lack of general (information technology) security controls during prior audits at Medicare contractors, state Medicaid agencies and hospitals.” The OCR has noted the federal final rule covering changes to HIPAA will not mandate encryption. The second report, which addressed the HITECH Act electronic health record incentive program, concluded that the program did not adequately meet several security issues. One expert notes this is a “wake-up call to the healthcare industry.” [HealthcareInfoSecurity] See also: [CA – E-health Raises Issues of Data Management, Privacy: Panel]

US – HHS Proposes Changes to HIPAA Privacy Rule

The US Department of Health and Human Services has proposed changes to HIPAA that would allow patients to see the names of every person who accesses their electronic health records. Paper records would be exempt from the new rule. HIPAA currently gives consumers the right to know when their health information has been shared with third parties, but patients must request that information. [Source] [Source] [Source] [Text of Proposed Rule]

US – HHS Releases Notice of Proposed Rulemaking

The Department of Health and Human Services has released its notice of proposed rulemaking on the HIPAA accounting for disclosures rule. The rulemaking would modify the HIPAA Privacy Rule “to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment and healthcare operations if such disclosures are through an electronic health record.” Said Wiley Rein partner Kirk Nahra, “This is a very worrisome and burdensome proposal that goes well beyond the approach identified by the statute. Companies across the healthcare industry and their business associates should be considering appropriate comments to address these burdens and complications.” [Source]

Horror Stories

WW – 35m Google Profiles Dumped Into Private Database

Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, email addresses and biographical information made available in 35 million Google Profiles into a massive database that took just one month to assemble. University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It wasn’t hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list. What’s more, Google engineers didn’t impose any technical limitations in accessing the data, which is made available in an extensible markup language file called profiles-sitemap.xml. The code he used for the data-mining proof of concept is available here. “I wrote a small bash script to download all the sitemap-NNN(N).txt files mentioned in that file and attempted to download 10k, then 100k, then 1M and then, utterly surprised that my connection wasn’t blocked or throttled or CAPTCHA’d, the rest of them,” Koot wrote. In an accompanying blog post he said the exercise was part of a research project he’s doing on online privacy. “I’m curious about whether there are any implications to the fact that it is completely trivial for a single individual to do this – possibly there aren’t,” he wrote. “That’s something worth knowing too. I’m curious whether Google will apply some measures to protect against mass downloading of profile data, or that this is a non-issue for them too.” The database compiled by Koot contains names, educational backgrounds, work histories, Twitter conversations, links to Picasa photo albums, and other details made available in 35 million Google Profiles. It comprises the usernames of 11 million of the profile holders, making their Gmail addresses easy to deduce. The 35 GB of data excludes the full-text indexes and profile photos of the users. [Source]

CA – Honda Canada Facing Class Action Lawsuit Following Breach

Lawyers representing Honda Canada customers have filed a class action lawsuit against the automobile company over a data security breach that compromised information belonging to 283,000 customers. The breach occurred in March 2011, but Honda Canada did not start notifying customers until May. The compromised information included names, addresses, vehicle identification numbers (VINs) and Honda Financial Services account numbers stored on personalized web pages. Some customers who never entered the information are affected by the breach because the company pre-populated pages with customer data before asking them to customize their own pages. [Source] [Source] See also: [Sony reports new online security breach in Canada] and [Privacy concerns haunt Sony] and [Sony, Epsilon To Testify Before Congress] OTHER REPORTED BREACHES: [Banks on alert after merchant data breach] and [4,000 Employees’ Personal Data Compromised] and [Michaels Stores: PIN Pads Tampered]

Identity Issues

WW – Facebook Adds Security Feature

Facebook has introduced an added layer of security to prevent account hijacking. Users must opt in to the two-factor authentication feature, called Login Approvals, which requires supplying Facebook with a mobile phone number to which a one-time security authentication code will be sent when users try to log in to Facebook from new devices. A new code will be required every time users attempt to log in from a device that they have not designated as safe. [Source] See also: [AU – Journalist arrested after exposing Facebook security flaw]
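The mechanics described above (opt-in enrolment of a phone number, a one-time code on every login from an unrecognised device, and a “remember this device” decision that skips the code next time) are easy to get subtly wrong: the code must expire, must not be reusable after a successful approval, and must not be guessable by unlimited retries. The Python service below is an added, self-contained sketch of those rules written for this page; it is not Facebook’s implementation. The `send_sms` gateway, the `SMS_OUTBOX` it writes to, the five-minute lifetime and the three-attempt limit are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 3         # assumed number of wrong guesses before the code is discarded

# Constructed stand-in for an SMS gateway: messages are appended here instead of sent.
SMS_OUTBOX = []


def send_sms(phone_number: str, text: str) -> None:
    SMS_OUTBOX.append((phone_number, text))


def _hash_code(code: str) -> bytes:
    # Only a digest of the code is kept server-side, so a leaked pending table
    # does not reveal live codes.
    return hashlib.sha256(code.encode()).digest()


class LoginApprovals:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock, so expiry can be tested
        self.phone = {}          # user -> phone number given when opting in
        self.trusted = {}        # user -> set of device ids the user marked as safe
        self.pending = {}        # (user, device) -> [code hash, expiry time, failed attempts]

    def enroll(self, user: str, phone_number: str) -> None:
        """Opt the user in to Login Approvals by registering a phone number."""
        self.phone[user] = phone_number
        self.trusted.setdefault(user, set())

    def login(self, user: str, password_ok: bool, device_id: str) -> str:
        """First factor plus device check. Returns 'denied', 'granted' or 'code_required'."""
        if not password_ok:
            return "denied"
        if user not in self.phone:                 # feature is opt-in
            return "granted"
        if device_id in self.trusted[user]:        # known device: no second factor
            return "granted"
        code = f"{secrets.randbelow(10**6):06d}"   # fresh 6-digit code per attempt
        self.pending[(user, device_id)] = [_hash_code(code), self.now() + CODE_TTL_SECONDS, 0]
        send_sms(self.phone[user], f"Your login code is {code}")
        return "code_required"

    def approve(self, user: str, device_id: str, code: str, remember_device: bool = False) -> bool:
        """Second factor. A code works once, only before expiry, and only for the
        device that triggered it; the user may then mark the device as safe."""
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[key]                  # stale or exhausted: force a new code
            return False
        if not hmac.compare_digest(code_hash, _hash_code(code)):
            entry[2] += 1                          # count the miss, keep the code alive
            return False
        del self.pending[key]                      # consumed: cannot be replayed
        if remember_device:
            self.trusted[user].add(device_id)
        return True


if __name__ == "__main__":
    svc = LoginApprovals()
    svc.enroll("alice", "+1-555-0100")             # constructed number
    print(svc.login("alice", True, "laptop"))      # code_required
    code = SMS_OUTBOX[-1][1].split()[-1]           # read the code the gateway would have sent
    print(svc.approve("alice", "laptop", code, remember_device=True))  # True
    print(svc.login("alice", True, "laptop"))      # granted: device is now trusted
```

Keying the pending table by (user, device) is what makes “a new code every time from an unrecognised device” hold: a code sent for one device cannot be redeemed from another, and a trusted-device flag only ever covers the device that completed the approval.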

US – Senator: Facebook Needs to Protect Children’s Privacy

During last week’s senate hearing on consumer privacy, Sen. Jay Rockefeller (D-WV) criticized Facebook’s efforts to protect children’s privacy. To ensure children under the age of 13 are not using the site, the company tasks 100 employees to monitor the posts of about 600 million users, a policy that Rockefeller said is “completely indefensible.” The publisher of Consumer Reports has written a letter asking Facebook CEO Mark Zuckerberg to strengthen efforts to protect children’s privacy. At a recent event, Zuckerberg said that he wants children under the age of 13 to use Facebook and that restrictions mandated under COPPA should be changed. “That will be a fight we take on at some point,” Zuckerberg said. Meanwhile, a bill in the California state legislature, SB 242, calls for social networking sites to have comprehensive controls to protect children and guidelines for privacy policies. [Source] [Facebook should allow under 13s says Mark Zuckerberg]

Internet / WWW

WW – Hit Spammers at their Payment Processors

Nearly all financial transactions arising from spam operations are handled by just three banks, according to a paper from 15 researchers from the University of California at Berkeley, the University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics. The paper, which “follows the money” from spam around the world, is scheduled to be delivered next week at the IEEE Symposium on Security and Privacy 2011. The researchers gathered real spam data and made more than 100 purchases from the sites the messages led to. The three banks are Azerigazbank in Azerbaijan, DnB NOR in Latvia, and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. As potential solutions, the researchers recommend that issuing banks in the US refuse to conduct “card not present” transactions for known spammers. [Source] [Source]

WW – G8 Leaders Agree to ‘Key Principles’ on Digital Policy

G8 leaders agreed to “key principles” concerning freedom, privacy, intellectual property, crime and cyber-security in a communiqué last week following their meeting in Deauville, France. For the first time, an e-G8 summit, which featured prominent executives from Google Inc., Facebook Inc. and dozens of other leading companies, was held in Paris ahead of the leaders’ meeting May 26-27. The communiqué calls the Internet “the public arena of our time” as well as “a lever of economic development and an instrument for political liberty and emancipation.” “Freedom of opinion, expression, information, assembly and association must be safeguarded on the Internet as elsewhere,” it states, while “arbitrary or indiscriminate censorship” is contrary to international obligations and damaging to social and economic growth. However, the leaders also called for “national laws and frameworks for improved enforcement” to protect intellectual property, including international cooperation involving the private sector. The communiqué calls for a stronger commitment “to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements.” It says the G8 leaders support “the multi-stakeholder model of Internet governance” and called for “flexibility and transparency” to keep up with the fast pace of technological change. Also last week, U.S. President Barack Obama appointed Twitter CEO Dick Costolo to an advisory committee on national security and telecommunications. [Source]

US – Privacy: Users Aren’t Turning on Do Not Track Browser Features

Last year, the FTC suggested that consumers needed a way to tell online advertisers to bug off and not to follow their every online move. And Microsoft and Mozilla built Do Not Track tools into Internet Explorer 9 and Firefox 4, respectively. The problem? Very few online surfers are using those privacy features. At a recent privacy conference, Alex Fowler, Mozilla’s Global Privacy and Public Policy Leader, said only 1 to 2% of folks are using the new Do Not Track feature in Firefox 4. Part of the reason may be that the feature is difficult to find within Firefox’s setup options. Future versions of the Firefox browser, including the new Firefox 5 for smart phones just entering public beta testing now, will have the Do Not Track function “much more prominently displayed,” Fowler said at the conference. Making privacy protection tools easier to see and use could be a good step toward wider adoption among consumers. In Consumer Reports’ latest State of the Net survey, we found that one in five respondents who are active on Facebook aren’t using the social network’s revamped privacy tools. Nearly two-thirds of those users don’t even know the privacy tools exist. Increased attention from federal lawmakers and regulators will help raise awareness of online privacy tools and issues as well. [Source]

EU – EU Commission May Publish Standardised Cloud Computing Terms

The European Commission (EC) has released a proposal that considers standardizing terms and conditions for using cloud computing services, how to address cloud security and who is responsible for data protection in the cloud. The commission is looking to businesses and public organizations for feedback on its consultation on “data protection and liability questions, in particular in cross-border situations.” The consultation looks at the existing legal framework for data protection in the cloud and asks respondents for specific updates that could be applied to the EU Data Protection Directive. Neelie Kroes, EC vice president for the digital agenda, said businesses can benefit from lower costs, improved services and new opportunities that come with cloud computing, adding, “We need a well-defined cloud computing strategy to ensure that we make the best use of this potential.” [OUT-LAW News] [The European Commission cloud computing consultation] [The European Commission press release]

Law Enforcement

US – Buzz Settlement Approved; EPIC Gets Portion of Funds

A U.S. District Court judge has approved a settlement reached in a class-action suit over Google’s Buzz social networking feature. The settlement will see more than $6 million in funds distributed to privacy advocacy groups and mandates that the company undergo independent privacy audits for the next two decades. In approving the settlement, Judge James Ware also awarded the Electronic Privacy Information Center (EPIC) $500,000 in settlement funds, saying that “EPIC has demonstrated that it is a well-established and respected organization within the field of Internet privacy.” [Source]

Location

EU – EU Demands Explicit Geo-Location Permissions

The hopes of companies planning to use geo-location data to push products and services to mobile device users have taken a beating in the European Union, following a pronouncement from the European Data Protection Supervisor (EDPS) Peter Hustinx. His opinion that geo-location data should be considered private has been approved by the Article 29 Working Group. This means that mobile service providers will have to gain the user’s explicit permission to collect or relay location data. Implicit Permission Is Not Good Enough: The opinion document released by the working party states: “If telecom operators want to use base station data in order to supply a value-added service to a customer, according to the revised e-privacy directive they must obtain his or her prior consent. They must also make sure the customer is informed about the terms of such processing.” When it comes to phones and tablets using satellite geo-location, the situation is much the same. The report points out that processing location data and seeking patterns in a user’s daily travels is a sensitive area. Here too, prior “informed” consent should be sought, the group said. This position also applies when the device belongs to a company and is issued to a staff member. A company has to make a case that expresses why it is “demonstrably necessary” to geo-locate the user and this must be weighed against the fundamental rights and freedoms of the employee. [Source]

Offshore

SK – Comprehensive Data Protection Law Passed

On March 29, Korea passed the Personal Information Protection Act (PIPA), which will go into effect September 30. The law broadly restricts the collection, use and retention of personal data and puts limits on the use of closed-circuit television, while also providing for internal controls and litigation of data protection disputes. PIPA applies broad definitions to “personal information” and “data handlers” and will overlap the two data protection laws covering telecom service providers and entities handling credit information, respectively. It also requires data handlers to publish personal data handling policies and appoint an individual to be responsible for the data. [Source]

Online Privacy

WW – Firefox Extension Collects Surfing Habit Data

A popular Firefox add-on has been found to collect data about every website the user visits through that browser. The extension, called Ant Video Downloader and Player, has been downloaded more than 7 million times. The tracking occurs even when users have turned on the browser’s private browsing mode or are using anonymity services. A Mozilla spokesperson said that the company vets every non-experimental public extension against a list of criteria. She acknowledged that Ant Video Player collects “information about websites users visit in order to power its ranking feature … and also includes a unique identifier in this communication.” She added that the practice was not disclosed in the extension’s description and that Mozilla has contacted that company and asked them to amend the description. [Source]

Other Jurisdictions

WW – G8 leaders Agree to ‘Key Principles’ on Digital Policy

G8 leaders agreed to “key principles” concerning freedom, privacy, intellectual property, crime and cyber-security in a communiqué last week following their meeting in Deauville, France. For the first time, an e-G8 summit—which featured prominent executives from Google Inc., Facebook Inc. and dozens of other leading companies—was held in Paris ahead of the leaders’ meeting May 26-27. The communiqué calls the Internet “the public arena of our time” as well as “a lever of economic development and an instrument for political liberty and emancipation.” “Freedom of opinion, expression, information, assembly and association must be safeguarded on the Internet as elsewhere,” it states, while “arbitrary or indiscriminate censorship” are contrary to international obligations and damaging to social and economic growth. However, the leaders also called for “national laws and frameworks for improved enforcement” to protect intellectual property, including international cooperation involving private sector. The communiqué calls for a stronger commitment “to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements.” It says the G8 leaders support “the multi-stakeholder model of Internet governance” and called for “flexibility and transparency” to keep up with the fast pace of technological change. Also last week, U.S. President Barack Obama appointed Twitter CEO Dick Costolo to an advisory committee on national security and telecommunications. [Source]

SV – Slovakia: Anonymity of Census Data Questioned

Some citizens are refusing to fill out census forms or are returning completed forms without their numerical identifier, arguing that the procedures of the 2011 census violate their right to privacy. Critics also charge that residents are poorly informed about the census procedures. These were at least some of the reasons why 40 census-takers in Bratislava’s Old Town district resigned from their jobs mid-way through the census while another 100 were reported to have quit in the Petrzalka district of the capital. Concerns about anonymity seem to be the biggest source of controversy in Slovakia’s census. [Source]

Privacy (US)

US – Senators Want Laws to Address Smartphone Data Privacy

US legislators are calling for laws that protect smartphone users from having their location tracked. Senators Jay Rockefeller (D-WVa.) and John Kerry (D-Mass.) told the Senate Commerce, Science and Transportation Committee Subcommittee on Consumer Protection that there needs to be legislation that gives consumers control of their location information on smartphones and personal data on the Internet. They also said that the smartphone app market needs to be regulated, because this particular sector of the market is expanding so rapidly that “many consumers do not understand the privacy implications of their actions.” [Source] [Source] See also: [FCC steps into privacy debate over location-based data, announcing forum]

WW – Google Introduces TRUSTe Seal in App Marketplace

In response to concerns about the data handling practices of Web apps, Google has introduced a TRUSTe certification in its Apps Marketplace–the online store offering business-oriented Android applications, reports InformationWeek. The certification applies to installable applications and aims to clarify the makers’ privacy practices. To get certified, app makers need to answer a series of questions about data sharing and security. Certified apps will display the green TRUSTe seal. The report stresses, however, that the certification is “not a guarantee of security or proper data handling; it’s merely an assessment of whether a particular vendor’s self-reported practices fall within industry norms.” [Source]

US – Proposed Update to Electronic Surveillance Law Addresses Cloud Privacy

US Senator Patrick Leahy (D-Vermont) has introduced legislation that would reform electronic surveillance law. The Electronic Communications Privacy Act Amendments Act would require US law enforcement agencies to obtain probable cause warrants prior to accessing data stored with third-party providers, an increasingly timely issue with the growing popularity of cloud services. The ECPA, enacted in 1986, allows law enforcement agencies to access certain email and files stored in the cloud for more than 180 days with a subpoena. The proposed legislation would also require warrants when law enforcement agencies want to obtain geolocation information of mobile phone users. [Source] [Source] [Source] See also: [Editorial: Why Privacy Matters Even if You Have ‘Nothing to Hide’ by Daniel J. Solove ]

US – Does Sale of SAT, ACT Student Questions Violate Privacy?

U.S. representatives Ed Markey and Joe Barton will ask the College Board, owner of the SAT college entrance exam, for details on how it collects and stores data from students as the government seeks to bolster teen privacy laws. Markey, a Massachusetts Democrat, and Barton, a Republican from Texas, will request the same information from College Board competitor ACT Inc., including disclosure and privacy policies, in letters to the nonprofit organizations. Both companies collect data from millions of teenagers annually as they register for SAT and ACT tests, and then sell their names and personal information to colleges, which use them in direct marketing to potential applicants. While Markey and Barton introduced a bill this month to expand a children’s online privacy law to teenagers, the proposal doesn’t cover nonprofit companies, such as the College Board and ACT. “There should be some kind of regulatory control over what even a nonprofit can be culling from students,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group in California. [Source]

US – Report: Device Searches Need Probable Cause

A U.S. think tank released a report recommending that the U.S. Department of Homeland Security (DHS) have probable cause before searching electronic devices at its borders. “Technology is developing so much more quickly, and the law needs to catch up,” an expert said. By carrying electronic devices, travelers “are unknowingly subjecting volumes of personal information to involuntary search and review by federal law enforcement authorities,” the report said, and the “problem is compounded” because the devices often contain “personal and business-related information.” [The Globe & Mail] [Press Release] [Suspicionless Border Searches of Electronic Devices: Legal and Privacy Concerns with The Department of Homeland Security’s Policy]

US – California Proposes Smart Grid Data Privacy Standards

The California Public Utility Commission has issued a proposal on security and privacy requirements for smart meter data. The proposal would implement Fair Information Practices, requiring the state’s three utility companies and other smart meter operators to minimize collected data, use it only for the intended purpose unless consent is acquired for other uses and take reasonable steps to protect it. The commission’s report said, “access to detailed, disaggregated data on energy consumption can reveal some information that people may consider private.” An attorney at Hogan Lovells said the commission’s decision “represents a significant step towards a set of smart grid privacy rules in the United States” and noted Europe’s recently released guidelines. [Source] [Report]

Privacy Enhancing Technologies (PETs)

US – Future of Privacy Forum Launches App Privacy Site

With hundreds of thousands of online and mobile applications already in use and more being developed, the Future of Privacy Forum (FPF) launched a new website to help application developers provide users with privacy protections. Supported by app developers, platforms and tech companies, ApplicationPrivacy.org is the only hub of its kind containing emerging standards, best practices, privacy guidelines, platform and application store requirements, as well as relevant laws and regulatory guidance. A recent survey by FPF found that 22 out of the 30 most popular mobile apps lacked even a basic privacy policy where consumers could learn about what data is collected or exchanged when they download the app. A recent study estimated that by 2016 the worldwide mobile app industry could achieve 44 billion downloads, and according to Facebook, people install 20 million applications every day on their site. Christopher Wolf, FPF’s founder and co-chair, noted the importance of educating app developers on key data protection principles. “Apps often provide valuable services using people’s contacts, location and profile information. But unless users trust that their privacy will be protected, the use of Apps will decline and that would be unfortunate, as Apps provide innovative ways to interact over the Internet and contribute to the Internet economy.” FPF’s director and co-chair Jules Polonetsky emphasized the need to educate more developers about the importance of responsible data practices: “App developers with limited staff or resources can end up being responsible for the data of millions of users. Platforms and operating systems have roles to play, but app developers themselves need to be responsible for their own practices. We hope that Applicationprivacy.org will provide a one-stop shop for the one person start-up or the large scale company.” Facebook & AT&T will also be promoting the site to developers to help them navigate the development process. FPF’s leaders are urging other companies to do the same to help provide developers with this information. The site will also have an active presence on Facebook and on Twitter, using the handle @AppPrivacy. [Source]

Security

US – Attack on Lockheed Martin Network Linked to RSA SecurID Breach

Lockheed Martin has acknowledged that it was the target of a “significant and tenacious” cyber attack earlier this month. The US defense company’s security team detected the threat “almost immediately” and took action. Lockheed Martin released a statement saying that “our systems remain secure; no customer, program or employee personal data has been compromised.” The company suspended remote access to email and corporate applications after detecting the attack. The breach involved the use of RSA SecurID tokens to gain access to accounts, suggesting that the incident is linked to the security breach at RSA in March, in which cyber intruders broke into an RSA network and stole information related to SecurID. RSA has not said what information the intruders took. The Pentagon and the Department of Homeland Security (DHS) are helping Lockheed with the investigation into the incident. [Source] [Source] [Source] [Source] [Source] [Source]

WW – Microsoft Safety Scanner Finds Evidence of Attack or Infection on 5% of PCs

According to information compiled from Microsoft’s Safety Scanner, nearly five percent of PCs running Windows are infected with malware. The free malware scanning and scrubbing tool was launched on May 12; since then, it has been downloaded 420,000 times and removed malware or evidence of previous attacks from more than 20,000 machines. Seven of the top ten threats found by the tool were Java-based exploits. [Source]

WW – Windows Users Falling Prey to Social Engineering Tactics

About one out of every 14 programs downloaded by Windows users turns out to be malicious, Microsoft said. And even though Microsoft has a feature in its Internet Explorer browser designed to steer users away from unknown and potentially untrustworthy software, about 5% of users ignore the warnings and download malicious Trojan horse programs anyway. Increasingly, instead of hacking the browsers themselves, the bad guys try to hack the people using them. It’s called social engineering, and it’s a big problem these days. [Source]

Smart Cards

CA – B.C. Privacy Watchdog Fears Smart CareCards

A B.C. privacy watchdog says he plans to investigate the introduction of smart B.C. CareCards by the province’s Ministry of Health. Darrell Evans — program director for the BC Freedom of Information and Privacy Association — says he’s concerned the smart cards will open the door to more sharing of sensitive personal information. The enhanced CareCards — with a photo and a security chip — will help reduce fraud, according to B.C. Health Minister Mike de Jong. De Jong said that, ideally, the smart cards could also be upgraded to include other government services. “I think the notion of having a card that allows citizens to access a broader suite of services from government, from the state, is an obvious next step,” the minister said. “But we’re going to do this one step at a time.” That rationale is just what worries Evans. “This card isn’t for empowering citizens,” he said. “This card is for empowering others to have access to data.” [Source]

US – Real ID-Compliant Drivers’ Licenses Adopted by Connecticut, New Jersey

New Jersey and Connecticut are the latest states to modernize their drivers’ licenses to comply with Real ID, the 2005 federal legislation that bolstered security and issuance requirements for drivers’ licenses and ID cards in response to the 9/11 terrorist attacks. New Jersey’s Enhanced Digital Driver License was adopted by all 39 Motor Vehicle Commission (MVC) agencies on May 11. “The new license, while similar in appearance to the old license, features more than 25 covert and overt features designed to reduce fraud and abuse through updated technology and enhanced security features that are known only to the MVC and its law enforcement partners,” according to an announcement from state officials. Connecticut is taking a different approach to the issuance of its Real ID-compliant drivers’ licenses. Connecticut’s program, called SelectCT ID, will be phased in during the next six years in an effort beginning this fall, state officials announced last month. For those who are renewing their licenses, the Real ID license appears to be optional. Those who wish to present original documents such as a birth certificate or U.S. passport will receive a gold star on their license or ID card that indicates it complies with Real ID. Those who decline the additional identity verification will receive a card marked “Not for Federal Identification.” [Source]

Surveillance

US – White House Cyber Security Proposal Met With Criticism From Legislators

Critics of a White House cyber security legislation proposal say that it would allow government broader access to private information. The proposal calls for private organizations to share cyber attack data with DHS. It would take precedence over other laws’ limits on government access to private information. Companies sharing cyber attack information with the government would be immune from prosecution, harking back to the controversial immunity granted to telecommunications companies participating in the government’s warrantless wiretapping following the September 11 attacks. [Source] [Source]

Telecom / TV

US – Senator Calls for Privacy Policies on Location-Aware Apps

In a letter to Apple and Google executives, Senator Al Franken (D-Minn.) has asked that the companies require privacy policies for “location-aware” apps sold for their products. Computerworld cites a recent study by TRUSTe and Harris Interactive that found less than 20% of the most popular free apps available through mobile devices are linked to privacy policies. Franken would like to see apps that track location data have straightforward privacy policies that clarify exactly what information is collected, how the data are collected and with what parties they are shared. [Source] [Source]

WW – Google Pulls Apps from Chrome Web Store Over Privacy Issues

Google has removed at least two games from its Chrome Web Store after learning that they were able to access all browsing history, website data and bookmarks on users’ computers. Google was alerted to the problem by a blogger who dug down into layers of links in the fine print to find a page that read, “This item can read every page that you visit… Besides seeing all your pages, this item could use your credentials (cookies) to request data from websites.” The broad permissions are the default installation setting for the extension. [Source] [Source] [Source]

WW – Mobile Phones are Great for Phishers, Researchers Find

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them. Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim’s user name and password on websites such as Facebook or Twitter. The problem is that mobile users are being trained to enter their passwords and user names into mobile apps. In tests, researchers have shown that it’s almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones. The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing. [Source]

US Government Programs

CA – Opposition Slams ‘Flawed’ Consultations on Border Security

The Harper government is pressing ahead with plans to develop a joint Canada-U.S. border agreement on “perimeter security” and is giving Canadians until the end of this week to offer their views on the matter. But critics are calling the public consultations a sham because they involve a four-question online questionnaire most Canadians don’t even know about. “The process is entirely flawed when you have a closed-door consultation,” said the NDP foreign affairs critic Paul Dewar. The broad outlines of the border agreement were contained in a declaration released in February by Prime Minister Stephen Harper and U.S. President Barack Obama. Since then, officials from the two countries have been working behind the scenes on the details. The purpose of the negotiations is to establish an “action plan” on border security aimed at tightening protection against terrorists and easing the flow of cross-border traffic. On security, Harper and Obama want their governments to share more intelligence to disrupt threats early. There could be changes to passenger screening and improvements to verify identities of travellers. The countries could share more information about when someone has entered or exited the border. Parliament has been shut out of the picture and MPs have very little information about what is on the negotiation table. In Canada, the government has established a website — www.BorderActionPlan.gc.ca — which allows people to provide their “thoughts on initiatives that would improve security while supporting economic competitiveness, job creation and prosperity.” The deadline for submissions is June 3. [Source] See also: [US: One Brain, Hundreds of Eyes: Darpa Plots Manhunt Master Controller]

US – Pentagon to Release Cyber Warfare Strategy

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation. The Pentagon will release a plan that can serve as a warning and deterrent to would-be attackers. [Source] [Source] [Source] [Source] [Source] [Source] [Source]

US – NHTSA To Require Automotive Black Boxes

Next month, the National Highway Traffic Safety Administration is expected to declare that all vehicles must contain an event data recorder, known more commonly as a “black box.” The device, similar to those found in aircraft, records vehicle inputs and, in the event of a crash, provides a snapshot of the final moments before impact. That snapshot could be viewed by law enforcement, insurance companies and automakers. The device cannot be turned off, and you’ll probably know little more about it than the legal disclosure you’ll find in the owner’s manual. The pending mandate looks to some like a gross overreach of government authority, or perhaps an effort by Uncle Sam, the insurance industry and even the automakers to keep tabs on what drivers are doing. But if you’re driving a car with airbags, chances are there’s already one of these devices under your hood. [Source]

US Legislation

US – Proposed Legislation Would Reform Digital Privacy Law

A bill introduced in the U.S. Senate would update a 25-year-old digital privacy law to require authorities to obtain a court-issued search warrant before retrieving a person’s email and other content stored in the cloud. The proposed legislation, introduced by Sen. Patrick Leahy, D-Vt., would amend a law enacted in 1986 called the Electronic Communications Privacy Act (ECPA), which set standards for government surveillance of telephone conversations and other electronic communications. “This law is significantly outdated and outpaced by rapid changes in technology,” Leahy said in a statement. He authored both the 1986 law and the proposed bill to amend it. The newly introduced ECPA Amendments Act would require authorities to obtain a search warrant based on probable cause before obtaining customer information from electronics communications, cloud computing or other technology service providers. Under current law, law enforcement does not need to acquire a search warrant to obtain email communications that have been stored for longer than 180 days. The proposed legislation would eliminate this rule and require a search warrant regardless of how old an email is. It would also implement new protections for geolocation information that is collected, used or stored by smartphones or other mobile technologies. If enacted, the bill would mandate a warrant to access or use an individual’s smartphone or other electronic communications device to obtain geolocation information. Leahy’s measure, however, does not do away with the FBI’s authority, under the national security letters, to obtain digital information about a person, without a court order, if authorities consider it relevant to a terrorism or national intelligence case. [Source]

US – Wyden Blocks Anti-Piracy Bill

US Senator Ron Wyden (D-Oregon) has put a hold on a bill unanimously approved by the Senate Judiciary Committee that would expand the government’s power to block and shut down web sites “dedicated to infringing activities.” The Protect IP Act (PIPA) would give the government the authority to bring lawsuits against the sites and get court orders that would require search engines to cease providing links to the sites. In a statement, Wyden said, “By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, PIPA represents a threat to our economic future and to our international objectives.” Wyden put a hold on similar legislation last year. [Source] [Source]

US – California’s Privacy Legislation Prompts Opposition

Dozens of companies—including Facebook and Google—are teaming up to curtail two privacy bills that have been introduced in California’s state legislature. SB 761 proposes an online do-not-track mechanism, and SB 242 would require social networking sites to implement stronger privacy policies for users. In a letter opposing SB 761, the companies wrote, “Prohibiting the collection and use of this data would severely harm future innovation,” and in a separate letter opposing SB 242, the companies argued the bill is “unnecessary and would be difficult to implement,” The Wall Street Journal reports. A spokesman for one of the bills’ sponsors said, “We’ve had favorable feedback on the bill from constituents and the general public.” [Source]

US – Tennessee Law Prohibits Sharing Login Credentials

Tennessee’s governor has signed into law a bill that makes it illegal to share login information – usernames and passwords – with anyone, including family members. The law takes effect July 1 and applies only within the borders of that state. The bill is an expansion of laws that allow prosecution of people for stealing cable service or not paying for restaurant meals. People convicted under the law of stealing up to US $500 worth of entertainment could face a year in jail and a fine of up to US $2,500. For those convicted of stealing more than US $500 of content, penalties are greater. [Source] See also: [RI Senate Passes SSN Bill]

US – California Social Networking Bill Fails in Senate

A California bill aimed at protecting the privacy of online social network users was voted down in the state senate last week. The bill, by Sen. Ellen Corbett (D-San Leandro), would change social networking sites’ practices to set privacy defaults to “private” and allow users to customize privacy settings upon registering—before their information goes public. Opponents of the bill—which include some CA-based Internet giants—say the bill will hurt technology companies and ignores “the extraordinary lengths” online companies are going to protect consumer privacy. Corbett says she will reintroduce the bill for another vote this week. [San Francisco Chronicle]

Workplace Privacy

US – NLRB Takes Enforcement Action re: Facebook Firings

Organizations planning to fire employees based on comments they’ve made using social media may want to know about three recent enforcement actions taken by the National Labor Relations Board (NLRB). In an Info Law Group blog post, partner Boris Segalis provides details on the actions, the latest of which, he says, “makes a strong statement about the agency’s view on the scope of employee social media protection, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure consistency with the NLRB guidance.” [Source] See also: [Can Workplace Surveillance Tapes Be Used as Evidence in Canada?]

+++
