01-31 June 2011

Biometrics

CA – B.C. Insurer’s Use of Driver’s Licences to Catch Rioters Alarms Privacy Experts

Critics are asking pointed questions about a proposal by B.C.’s public insurer to use driver’s licence photos and face-recognition software to identify culprits in Vancouver’s infamous hockey riot. The Crown-owned Insurance Corporation of British Columbia is offering to take photos from Vancouver police that are the subject of active investigations and run them against its licence database. ICBC spokesman Adam Grossman said that if there is a confirmed match, ICBC will let the police know — but it will only turn over personal data if the police get a court order requiring it. It is the most high-profile example to date in this country of what Simon Fraser University communication professor Peter Chow-White calls “function creep” — using a technology or process designed for a specific purpose for other purposes. Thanks to face-recognition technology, data collected for drivers’ licences could be used for everything from naming rioters to providing police with personal data on people caught committing crimes. “The function of the ICBC database is not for law enforcement as far as I know,” said Chow-White. “They don’t tell me when I get my picture taken this could be used in a police investigation.” [Source] [Privacy commissioner to audit ICBC court proceedings into riot] [Canadian privacy lawyer questions police access to ICBC’s facial recognition technology to help identify rioters] See also: [Russian Bank Puts Lie Detector in ATM Machine] and [RU: Oh, Crap! Moscow Mulls Terrorist-Proof Toilets]

IS – Government to Establish Biometric Database

Despite concerns from privacy groups, the Knesset Science and Technology Committee has approved the ordinances necessary to establish a biometric identification database. The Knesset passed a law allowing for the database in 2009, and the Interior Ministry will begin a two-year pilot of the database in November, the report states. The project allows citizens to voluntarily choose biometric identification cards and passports that include a computer chip containing such information as photos, dates of birth and fingerprints. The Association for Civil Rights in Israel is among the groups opposing the policy due to privacy concerns. [Jerusalem Post]

US – Privacy Groups Push for U.S. Facebook Probe

Several privacy groups are asking U.S. regulators to force Facebook to halt plans for its facial recognition service. The Electronic Privacy Information Center and three other advocacy groups today filed a complaint asking the U.S. Federal Trade Commission to force Facebook to end plans for a new facial recognition service. U.S. Rep. Ed Markey (D-Mass.) quickly threw his weight behind the initiative and called for the FTC to investigate the Facebook service. “When it comes to users’ privacy, Facebook’s policy should be: ‘Ask for permission, don’t assume it,’” said Markey, co-chairman of the bi-partisan Congressional Privacy Caucus, in a statement today. “Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue.” [Source] [Facebook Turns On Facial Recognition, Prompting Concern] [Facebook facial recognition under fire]

Canada

CA – Alberta Privacy Commissioner Seeks Leave to Appeal to the Supreme Court

Alberta’s Information and Privacy Commissioner has applied for leave to appeal to the Supreme Court of Canada from the Alberta Court of Appeal’s decision in Leon’s Furniture v. The Information and Privacy Commissioner of Alberta. In the case, a majority of the Court of Appeal held that an organization’s methods of collecting personal information must only be reasonable and need not be the least intrusive method. The case arose due to Leon’s policy of collecting driver’s licence and licence plate information from customers who accept delivery of merchandise after they pay for it. The Privacy Commissioner held that the policy was unlawful under Alberta’s Personal Information Protection Act (PIPA) since organizations must implement the least intrusive policies possible. The Court of Appeal found the Commissioner’s interpretation of the PIPA incorrect, holding that as long as the business is being conducted reasonably, it does not matter that there might also be other less intrusive ways of conducting the business. It further stated that the “reasonableness” standard imposed under Section 11 of the PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change ‘reasonableness’ to either ‘necessity’, ‘minimal intrusion’, or ‘best practices’. These are not interpretations that are available given the plain wording of the statute.” The Privacy Commissioner argues that the Court of Appeal’s decision allows businesses to circumvent the PIPA. In addition, he argues that the decision is inconsistent with the laws of British Columbia and Canada, and makes Albertans a target for fraud. [Source] [Alberta’s privacy watchdog wants top court to overturn decision involving retail giant]

CA – Google May Face Third Party Audit

The office of Canada’s Privacy Commissioner, Jennifer Stoddart, is recommending Google bring in an outsider to assess internal privacy policies. The recommendation comes in the wake of an investigation which revealed the Mountain View, California company inadvertently collected unsecured personal data while creating its Street View service. Despite the fact that Google has agreed to implement several measures that will reduce the risk of future privacy violations, the Commissioner has requested an independent audit of Google’s privacy programs, to be concluded within the next year, with the findings reported back to the Commissioner’s office. It is the first time Canada’s Privacy Commissioner has made such a request, and, though Google has not officially responded, it is difficult to conceive of the tech giant complying, given that it might result in unprecedented third party access to Google’s business practices. That said, Google did announce a new initiative that will see independent auditors examine the company’s privacy policies, issuing a report card every other year on the company’s ability to safeguard user data. [Source] [Commissioner satisfied with Google’s privacy fixes] See also: [Canadian privacy commissioner Jennifer Stoddart recognized for impact] and [Commissioner Cavoukian receives International Privacy Award]

CA – Jailed Killer Wins $6K Settlement

A high-profile convict has won a $6,000 out-of-court settlement from Correctional Services of Canada after guards distributed a newspaper article about him to other prisoners. Inmate Gregory McMaster said the guards violated the prison system’s own rules and put him at risk by posting a Toronto Sun news article. [Source] See also [Careful what you say, we’re listening: Saskatchewan prisons tell inmates]

CA – Annual Report Issued: Company’s Improvements Insufficient

An audit by the Privacy Commissioner of Canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart’s audit found that the office supply store “did improve procedures and control mechanisms after our investigations,” but they were “not consistently applied nor were they always effective, leaving customers’ personal information at serious risk.” The company had said it would take corrective action following two complaints to the Commissioner. The audit found that of 149 data storage devices, one-third still contained customer data. [Source]

Consumer

WW – United Nations Report: Is Internet Connectivity a Human Right?

A new report for the United Nations Human Rights Council takes Internet access a step further, characterizing it as a human right. The report, written by Frank La Rue, the U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, took the political world by storm when it was released several weeks ago. (La Rue is also an internationally regarded human rights expert who was once nominated for the Nobel Peace Prize.) The report explored the need to ensure that citizens have Internet connectivity, and also the rules associated with that access. As a result, it was highly critical of policies that block access to content, threaten to cut off Internet access due to allegations of copyright infringement, and fail to safeguard online privacy. It notes that “any restriction to the right to freedom of expression must meet the strict criteria under international human rights law. A restriction on the right of individuals to express themselves through the Internet can take various forms, from technical measures to prevent access to certain content, such as blocking and filtering, to inadequate guarantees of the right to privacy and protection of personal data, which inhibit the dissemination of opinions and information.” [Source] See also: [Wanted: Privacy Policies Written for Human Beings]

NZ – NZ Post Defends Selling Information

New Zealand Post says it was doing nothing improper in selling information garnered in a wide-ranging public survey of personal data. Privacy Commissioner Marie Shroff has criticised the state-owned enterprise for breaching the privacy of thousands of people by selling the information to marketing companies. The 2009 survey, sent to 800,000 letterboxes and via email, asked a series of questions covering areas including income. Ms Shroff commissioned two reports from privacy law and marketing experts and has concluded the survey was a systematic and large-scale breach of privacy principles. She was concerned that people were unaware that their private information was being sold. [Source]

WW – Report: Breach Victims More Susceptible to Fraud: Study

Victims of a data breach are more than four times as likely to become victims of fraud as other consumers. That’s according to the Javelin Strategy and Research annual report, which says credit card companies should be doing more to alert customers to potential dangers, such as sending notifications when issuing new cards or changing billing addresses. The report also notes that hackers have become more sophisticated, threatening “the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud,” said Javelin’s Philip Blank. [Reuters]

US – Taxpayer Identity Theft Is on the Rise

A new Government Accountability Office (GAO) report indicates that taxpayer identity theft is increasing in spite of Internal Revenue Service (IRS) attempts to prevent it. The number of reported IRS identity thefts rose from 51,702 in 2008 to almost 250,000 in 2010. The report noted that employment fraud is also difficult to spot. “By the time both the victim and the IRS determine that an identity theft incident occurred,” the report states, “well over a year may have passed since the employment fraud.” The GAO said the IRS is taking additional steps to address the issue. [Source]

E-Government

UK – Government to Create Market for Personal Identity Data

The government is preparing to create a marketplace for citizens’ personal data to be used for accessing online public services, according to documents that were issued to industry in preparation for the coalition’s next-generation identity scheme. The plan may prove highly controversial, as it offers only limited assurances over how much control people would have over how their data is used. The coalition intends to “create the commercial, legislative and regulatory environment” in which a private sector ID industry may thrive, it said in briefing papers sent to industry in April. The proposals would create a personal data marketplace populated by banks, phone companies, the Post Office and others that may involve government departments selling access to their own citizen databases. The government has proposed that it may join the market by selling data services to private ID companies and data agents. [Source]

AU – Taxpayer Data Being Sold Without Notice

Taxpayer assessment records—including the name, address and property value of individuals—can be purchased from town councils by businesses and other entities without individuals’ consent. Several real estate companies are using the purchased information to create databases in order to personalize marketing campaigns, the report states. Currently, there are no laws preventing the sale of such information for profit. An investigation by the paper revealed that taxpayer data can be accessed through council computers without charge or registration and, though individuals can opt out, most are not aware of the process. [Adelaide Now]

UK – Privacy Group Hits Out at HMRC Spying Robot

HM Revenue and Customs (HMRC) has decided to employ “web robot” software to help it spy on people it believes are guilty of dodging their tax duty. The government department hopes that by putting this in place it will be able to find out information about certain people and companies silently trading and evading their taxes. The move has, however, been described by privacy groups as “outrageous,” while security experts have said there could be a possibility of “false alarms.” HMRC’s spies are basically pieces of code that can be unleashed to run searches over the internet; they then analyse and file information gathered from web servers. This information is then cross-referenced with the department’s Connect computer system to find people who are trading without telling it, by looking at previous tax dodgers and checking for any missing links between interest, property income and lifestyle. [Source]

US – City Database Sparks Concern

A database created to enable information sharing across city agencies has provoked privacy concerns. It contains information on four million residents, linking together “vast amounts of information gathered by city agencies that previously maintained their files separately,” the report states. Some are expressing concern about the number of city workers who will have access to it and the potential for misuse. But Deputy Mayor for Health and Human Services Linda Gibbs says controls have been built in to address such concerns. “Not everybody is allowed to see the big picture,” she said. “There are a number of doors that open and close.” [The New York Times]

US – OPM Moves Forward on Data Warehouse

The Office of Personnel Management (OPM) plans to build a large, centralized database despite privacy concerns. The OPM released two formal notices on the Health Claims Data Warehouse in the Federal Register this week, and work will begin on July 15. The OPM had delayed plans for the database due to privacy groups’ concerns about vulnerabilities. Revised plans for the database–which will store information including names, addresses, Social Security numbers and birth dates–include a downsized scope of the database and limits on how information from it can be used, with only de-identified data to be released beyond the OPM. [Computerworld]

CA – Federal Tory Donor Database Hacked

Hackers, not hash browns, were the cause of Prime Minister Stephen Harper’s distress in early June, as the federal Tories confirmed their website had been compromised and private information of financial supporters taken. In January, networks of both the Treasury Board of Canada and Finance Canada – the economic hubs of the government – were also penetrated, resulting in data being “exfiltrated,” according to a government memo written on the 31st and obtained by CBC. [Source] and see also [NZ: Labour says donor database use breaches privacy] [Conservative party website hacked] and also: [The International Monetary Fund (IMF) confirms it was hacked, with suggestions the attack was state sponsored]

CA – Sex Offenders Website in Ontario: Public Protection or Tool for Vigilantes?

Ontario could be the first province in Canada to create a website listing the names and addresses of its registered sex offenders — a controversial proposal that’s sparking a larger debate about whether it’s an effective tool to stop crime. Some experts say it would better protect children from predators, while others are concerned that it may lead to vigilante action or weaken a system that currently allows police to keep track of sex offenders. If it comes to pass, the election promise by the Progressive Conservatives would go further than any other program in Canada that’s designed to warn the public about high-risk offenders. Alberta is currently the only province that has a website listing the names and photos of high-risk offenders. However, it doesn’t provide their addresses for safety reasons. [Source]

CA – Open Text Launches Social Media Site for Government Policy Workers

The world is a “global village” now that social media networks are filled with conversations between people in different countries. But those who do serious government work can’t collaborate using tools such as Facebook or LinkedIn, because of concerns around security, privacy and who owns the information. Now, Waterloo software developer Open Text has joined forces with the Institute of Public Administration of Canada (IPAC) to launch Public Service Without Borders, a social media site where people working on government policies around the world can communicate and collaborate in a secure, cloud-computing setup. “The objective is global co-operation and networking,” Benay said. The network will be accessible over the internet or through mobile devices. Experts in areas such as information policy, governance, environmental or health care policy will share their biographies and information about policies they have helped develop and implement, as well as lessons learned. They can share documents, blog about their experiences and meet in virtual “community rooms” for discussions. The site is hosted “in the cloud,” which means IPAC doesn’t need an array of servers, Benay said. “It is using an existing infrastructure we have adapted to meet their policy and legal requirements.” It meets stringent security requirements, he added. “It is as secure as the online banking system.” [Source] See also: [Courts use Facebook to reach those who exist only online]

US – Florida State Supreme Court Approves Privacy Rules

The Florida Supreme Court has issued new privacy rules for the state court system in order to protect personal information filed in court cases. The rules, which will temporarily not cover traffic and criminal cases, have been approved to ensure that personal information is protected before full electronic access to court cases is provided to the public. Driver’s license, credit card and Social Security numbers as well as e-mail addresses, passwords, birth dates and full names of minors will either be truncated or not included in court documents. The justices who approved the rules said that defense lawyers, prosecutors, law enforcement and others will still have access to the full information. [Wink News]

US – Kundra to Leave Federal CIO Post for Harvard Fellowship

Vivek Kundra, who was appointed the US’s first federal Chief Information Officer (CIO), will resign his position in mid-August for a fellowship at Harvard University, according to the Office of Management and Budget (OMB). A successor has not yet been named. Some have expressed concern that Kundra’s departure will hinder the projects he has begun, but others are more confident that “his legacy of defining incremental improvements and managing project teams to meeting identified goals should and likely will continue due to the momentum that he has created.” [Source] [Source] [Source]

E-Mail

CA – Canada’s Antispam Enforcer Ready to Fight

When Canada’s anti-spam law comes into effect, Andrea Rosen of the Canadian Radio-television and Telecommunications Commission will be charged with enforcing it. Speaking at a conference on Wednesday, Rosen stressed that she has “the tools to find the spammers wherever they’re hiding and the power to shut down their operations.” Under Bill C-28, consumers have to give consent to receive unsolicited e-mails, and businesses could see fines of up to $10 million for serious infractions, while fines for individuals could reach $1 million. According to the report, Rosen hopes the law will come into effect this fall. [ITWorld]

Electronic Records

US – Supreme Court Strikes Down Prescription Drug Law

The U.S. Supreme Court struck down a Vermont state law today that had prohibited the use of patients’ prescription drug records for marketing purposes. In what Reuters described as “a case pitting free-speech rights against medical privacy concerns,” the court heard arguments in Sorrell v. IMS Health earlier this year, issuing its opinion this morning. The case was brought forward by pharmaceutical and data mining companies that contested a Vermont law prohibiting the sale of such information as records of which doctors prescribe specific drugs to their patients. “The high court handed a victory to data mining companies IMS Health, Verispan and Source Healthcare Analytics, a unit of Dutch publisher Wolters Kluwer, that collect and sell such information and that challenged the law,” Reuters reported following the Supreme Court’s decision this morning. In a joint media release officials from the companies hailed the decision. “Today’s ruling is clear and unmistakable–these types of laws violate the Constitution and do nothing to improve healthcare, reduce costs or protect privacy as proponents had claimed,” said Harvey Ashman of IMS Health. Prior to the 6-3 decision by the court, privacy experts weighed in with varying insights on the potential impact of the case, with some warning that for the court to rule as it did today could mean “significant implications” for patient privacy. “From the privacy perspective, the court rejected the efforts of Vermont and others to turn this case into a privacy case, and focused instead on the impact of the law as a commercial speech issue,” Kirk Nahra, CIPP, of Wiley Rein told the Daily Dashboard. “There are many current means of regulating patient privacy directly, and it would not have been useful to the overall protection of patient privacy to address these issues in an essentially unrelated context, through the back door.” [Reuters]

US – Experts React to Supreme Court Ruling on Prescription Records

In the wake of the U.S. Supreme Court’s decision in Sorrell v. IMS Health, experts have been weighing in on the implications for privacy protection. In a 6-3 ruling, the nation’s highest court struck down a Vermont statute that prohibited the use of physicians’ prescription drug records for pharmaceutical marketing and data-mining purposes. This exclusive article examines some of the immediate reactions to the ruling, which include different perspectives on the implications for privacy protection. One legislator suggests the decision is “a loss for those of us who care about privacy,” while other experts suggest the case was not about privacy at all. [Source]

CA – Ontario Health Records Proposal Would Breach Privacy, Experts Say

Ontario is proposing to create electronic health records that contain information about a patient’s education, employment, financial status, legal history, residence history, sexual orientation, spirituality and other psycho-social traits. But so comprehensive and sweeping is the proposed database that privacy and legal experts say they are “appalled” and “stunned.” The province’s plans, sketched at an e-Health conference in Toronto, Ontario earlier this month by Grant Gillis, director of ehealth standards for eHealth Ontario, would see the creation of comprehensive profiles about all Ontario patients, including their “social history.” Gillis also indicated that the information could include a category called “risk.” eHealth Ontario later indicated in an email that risk is a “general category. Some examples found on forms provided by stakeholders during our engagement process include: Risk of falls/wandering; Risk of harm to others; (and) Risk of patient having perhaps been exposed to an infectious disease.” The aim is to create “an overall clinical information model for Ontario,” Gillis said. Information and Privacy Commissioner of Ontario Ann Cavoukian said in a statement prepared for CMAJ that she has contacted Greg Reed, CEO of eHealth Ontario, to discuss the proposed health records. “He assured me that they will be consulting with my office on possible data fields that practitioners have expressed interest in,” Cavoukian writes. “Nothing will be finalized until my office and other privacy specialists are consulted. One thing is clear — patient privacy must be directly embedded into the design of our electronic health records from the outset, not as an afterthought.” eHealth Ontario conducted public consultations on its specifications for the new health records last January and published a list of parties who responded. Those included some health institutions and technology companies but not legal, privacy or civil rights experts (www.ehealthontario.on.ca/programs/clinicalDocument.asp). The Office of the Information and Privacy Commissioner of Ontario was not aware of the consultations at the time, spokesman Angus Fisher says. Nor had El Emam heard of the consultations. “I would be surprised if there was a real public consultation that no legal and civil liberty groups would have responded or reacted,” he says. [Source] See also: [US: Can Privacy, Electronic Medical Records Coexist?] and [US: Proposal protects medical records]

US – Fraud Case Involved Privacy Violations

Danish pharmaceutical company Novo Nordisk Inc. has entered a $1.725 million civil settlement agreement to resolve allegations that the company accessed and misused private patient information and filed false or fraudulent Medicaid claims. The civil settlement agreement alleges the drug company’s sales representatives made payments to Rite Aid pharmacists in exchange for them recommending two diabetes drugs. The pharmacists, together with Novo Nordisk sales representatives, identified patients who were candidates for the drugs and communicated with physicians, patients and other pharmacists to encourage them to use or recommend the use of the drugs, according to the agreement. In addition to entering the civil settlement, the company, which has not admitted to engaging in the conduct, also has entered into a “corporate integrity agreement” with the Department of Health and Human Services, Office of the Inspector General. [Source]

US – Verizon Enhances Security Programs for Healthcare Organizations

Verizon has added new capabilities to two of its security programs, capabilities that should help health delivery organizations strengthen security across their health systems and assess the security practices of partners they do business with. Announced this week, the company said its Verizon Security Management Program-Healthcare (SMP-H), an online dashboard that helps organizations assess and strengthen their security, will now include a new module based on the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), a widely adopted set of healthcare industry data protection guidelines. The company has also enhanced the Verizon Partner Security Program (PSP). Now, by fielding a questionnaire to business partners, healthcare organizations can assess the security compliance of these partners and their internal business units against Health Insurance Portability and Accountability Act (HIPAA) interim rules that extend data security and privacy requirements to the business associates of healthcare organizations. PSP is a platform that allows healthcare delivery organizations to conduct risk and compliance assessments and reporting tasks as well as manage their compliance and security across thousands of partners and multiple regulations. To improve HIPAA’s security rules, HHS announced this week proposed changes to the HIPAA Privacy Rule that would give people the right to get a report on who has electronically accessed their protected health information. [Source]

US – HHS Proposes Privacy Rule on Medical Records

Patients could obtain a list of everyone who has accessed their electronic medical record under a rule proposed by the U.S. Department of Health and Human Services. Healthcare providers must currently keep track of everyone who accesses private medical records, but they do not have to provide that information to patients. Under the rule, patients would be able to request an access report, which would document the identities of those who electronically viewed their protected health information. The new rule would add to regulations already in place under HIPAA, which protects patient privacy and sets security standards for electronic health records. [Source]

US – HHS Calls for More Protections, ONC Responds

The Health and Human Services (HHS) Inspector General’s Office recently released a white paper criticizing the Office of the National Coordinator for Health Information Technology (ONC) for not doing enough to protect healthcare information. ModernHealthcare reports that the inspector general called on the ONC to improve security measures for online health information with encryption and recommended it use its power to push data handlers to be more security-conscious. Joy Pritts, CPO of the ONC, says it is headed in that direction, adding that it has provided training tools and videos and is using the HHS’s data breach list to help “identify the issues where we should devote our efforts to educating people.” [Source]

US – Maine Law Allows Opt Out of EMRs

Forbes reports on a new law in Maine that will give two-thirds of its citizens the choice to opt out of the state’s electronic medical records program. The HealthInfoNet database contains citizens’ full medical records in order to enable medical providers to share data. The bill strikes a compromise between those concerned about patients being enrolled in the database without their knowledge and those who seek to expand its scope. In April, groups debated a bill to make the system opt-in; supporters said it would give patients more control over data, but opponents were concerned about getting enough patients to opt in to make the system effective. [Source]

EU – ICO: Systemic Problem in Health Data Storage

Information Commissioner Christopher Graham has said that the health service is not doing enough to keep patients’ personal information secure. “The security of data remains a systemic problem,” Graham said, pointing to the loss of up to eight million patient records at NHS North Central London and five health organizations recently found to have breached the Data Protection Act. “The health service holds some of the most sensitive personal information of any sector in the UK,” Graham said, adding that “policies and procedures may already be in place, but the fact. [Public Service]

Encryption

WW – Data Encryption on the Rise

As data breaches continue to rise, U.S.-based companies are increasingly adopting encryption to secure their IT infrastructures, and their main reason is to comply with privacy and data protection regulations, a new study has found. In the past, protecting data and mitigating data breaches drove encryption adoption. This year, for the first time, regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute’s annual U.S. Enterprise Encryption Trends report. [Source] See also: [Opinion: Management Lessons from Breaches]

US – Council Releases PCI Standards Guiding Document

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities’ and cloud vendors’ responsibilities. “Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider,” the document states. The guidance is the “best document that the PCI Security Standards Council has written to date,” an independent PCI consultant said. [Computerworld]

WW – RSA Faces Angry Users After Breach

Industry experts say RSA Security’s admission—after a hacking attack in March—that its SecurID tokens are vulnerable came too late. Computer security consultants “have been increasingly critical of how long it took the company to acknowledge the severity of the problem,” the report states, raising the possibility that customers will seek other technologies for their computer networks. RSA had previously stated that replacement tokens were unnecessary but now offers replacements. “They got pushed really hard by some of their customers,” said one chief technology officer, adding, “They came around, but they came around late.” [The New York Times]

EU Developments

EU – EU Banks and Other Businesses Will be Required to Report Serious Data Breaches

European Union Justice Commissioner and Vice-President of the European Commission Viviane Reding has said that financial institutions and other businesses will be compelled to disclose serious data security breaches. EU telecommunications companies and ISPs already have mandatory breach notification requirements in place. The new requirements will affect all businesses that store customer data. [Source] [Source] [Source] [Source]

EU – Germans Take a ‘Black-And-White View’ of Online Privacy

Some 30% of Germans either don’t care about online privacy or entirely avoid putting personal data online, according to a study published by the Federal Association for Information Technology, Telecommunications and New Media (BITKOM). “Many Internet users have a black-and-white view of privacy on the Internet,” said Dieter Kempf, the industry trade group’s head, in a statement, adding that a balance needs to be found between carelessness and overprotection. The study showed that 14% of German Internet users did not care how their personal information was collected and used online, while 16% of the 1,002 people polled said privacy concerns kept them from using online banking or buying or selling goods via the Internet. [Source]

EU – EU to Web Companies: “Sort out Privacy by 2012, or Else!”

The European Commissioner for the Digital Agenda has told Web companies to come up with a do-not-track standard by mid-2012, or the Commission will have to impose new rules. Commissioner Neelie Kroes said that a failure to agree on a workable standard would have consequences for the Web industry as well as consumers. “I am worried by what we see happening: data breaches affecting thousands if not millions; social networking sites rolling out new features with very open default settings; exposure and identity theft. One target of the Digital Agenda is to have 50% of Europeans buying online by 2015. We will not reach this without reinforcing trust and confidence,” she said. [Source] See also: [Privacy watchdog Jennifer Stoddart makes the Web a priority] [Source] [Source]

EU – Dutch Parliament Passes Legislation on Cookies Opt-In

The lower house of the Dutch parliament has passed legislation requiring websites to get visitors’ permission before installing tracking cookies. The controversial legislation went through various versions before passing, from requiring permission for all cookies to mandating an opt-in only for third-party cookies that collect personal information or pass that information on to third parties. In the end all cookies will be subject to the Law on the Protection of Personal Information, meaning they can be questioned by the privacy regulator CBP and in court. The final version of the law implements EU privacy legislation, but goes further than proposals from the European Commission by requiring that website publishers have proof they have acquired the user’s permission. The Dutch publishing industry mounted a campaign against the bill, saying it will make the internet unusable and sites such as the popular news portal Nu.nl could disappear. They said self-regulation was the only workable solution to manage cookies. The cookie rule was drafted by MPs from two political parties, the right-wing PVV and the labour party PvdA. The MPs say the original version was indeed too far-reaching, as it affected all cookies. However, tracking cookies that build up a general profile of a user must fall under a stricter policy, in line with regulations on collecting personal data. They said concessions were made at the industry’s request, such as allowing for a general permission from the user, rather than the need for repeated requests from a site. The cookies rule is part of a larger revision of the Telecommunications Act. While the lower house approved the amendment, it must still vote on the larger text, which is expected to pass a vote later in the week. [Source] [Source] [Source]

EU – ICO Fines Former Telecom Employees

Two former employees of T-Mobile have been fined by the Information Commissioner’s Office (ICO) for stealing and selling customer data. The fines totaled £73,000, and for the first time, the ICO will receive part of the settlement to train investigation staff. Information Commissioner Christopher Graham hopes the case will show that his office is being tough on data theft. “Those who have access to thousands of customer details,” he added, “may think that attempts to use it for personal gain will go undetected. But this case shows there is always an audit trail, and my office will do everything in its power to uncover it.” [V3.co.uk]

UK – Privacy Committee to Grill Editors and Tech Companies

Paul Dacre, the lord chief justice, and executives from Twitter and Google are expected to be asked to give evidence to the parliamentary committee looking into privacy injunctions, as work on setting up the body created by David Cameron last month finally begins to move forward. Those who are expected to sit on the committee say they want to call newspaper editors, including the Daily Mail’s Dacre, judges and technology companies to public hearings – and there is even hope that it may prove possible to ask one of the celebrities involved in the injunction battle “to add to the gaiety of proceedings”. The committee is expected to complete its work by the end of the year. [Source]

EU – Commission: Social Networks Should Better Protect Minors

A European Commission (EC) study of 14 social networks includes in its findings that just two “have default settings to make minors’ profiles accessible only to their approved list of contacts,” The Wall Street Journal reports. The study comes as the EC continues exploring Internet regulation, the report notes. Commissioner Neelie Kroes reacted by saying she is “disappointed” in the results, urging social networks “to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing.” A spokesman said the EC will be “sitting down with them over the coming months, and we want them to do more.” [Source]

EU – Commission’s Lawyers: PNR Agreement Illegal

The European Commission’s legal counsel has warned that an agreement between the EU and U.S. to store airline passenger data for 15 years is unlawful. The passenger name record (PNR) deal is now being finalized and needs the approval of the European Parliament, but the legal counsel’s May 16 document raises “grave doubts” that the agreement complies with data protection law. The legal opinion particularly lists the provisions requiring data storage for 15 years, the lack of independent oversight and proper legal recourse if data is misused. One parliamentarian said the legal advice is an indication that the commission should drop the PNR agreement and go “back to the drawing board.” [The Guardian]

EU – Parliamentary Committee Adopts Draft Resolution

The European Parliament Civil Liberties Committee has adopted a draft resolution intended to influence the revision of the EU Data Protection Directive. According to a press release, the resolution includes provisions to allow people to access and alter or delete their data online and recommends “severe and dissuasive sanctions” for misuse or abuse of consumer data. The committee is calling for a modern data protection law that will improve international data transfer processes and better protect children–especially on social networking sites. The committee has also put its support behind a requirement for organizations to appoint data protection officers. [Source]

EU – EDPS to Increase Inspections This Year

European Data Protection Supervisor (EDPS) Peter Hustinx will carry out more on-the-spot inspections this year in cases where he believes an EU institution is failing to comply with EU law. That’s according to the EDPS annual report, released yesterday. The report also says the office will focus on member states’ and the European Commission’s implementation of new legislation on border security checks and an EU-wide system on airline passenger data. The EDPS received 25 admissible complaints last year, and 11 of those were deemed privacy breaches. [European Voice]

EU – José Luis Rodríguez Álvarez Nominated Director of Spanish DPA

The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency. The lawyer and professor of constitutional rights in the Faculty of Law of the Complutense University of Madrid was nominated director of the Cabinet of the Spanish Ministry of Justice in February 2009–a role he has now given up due to the circumstances. Rodríguez Álvarez will replace outgoing director Artemi Rallo Lombarte. (Article in Spanish)

EU – Swiss Commissioner Calls for Privacy by Default

There is a need for greater transparency in the processing of personal data, according to Swiss Data Protection Commissioner Hanspeter Thür. In his annual report, Thür said changes are needed due to the “rapid pace of development in the area of communication technologies,” and that “data protection principles must be included in all projects and taken into account from the very outset.” The report notes that Thür handled many cases related to new technologies in the last year. An issue of particular concern is “evercookies,” Swissinfo.ch reports. [Source]

EU – Associations Call on EC to Recognize CILs

Four data protection associations are appealing to the European Commission to recognize the role of the data protection officer when considering revisions to the EU Data Protection Directive. The groups – the French Association of Data Protection Correspondents, Spanish Association of Privacy Professionals, German Association for Data Protection and Data Security and the data protection association of the Netherlands – feel that the role of the data privacy controller should be strengthened. In a recent press release, they say that data protection officers are “key players in protecting the privacy of consumers, employees and citizens,” and their roles, missions and legal status should be defined and harmonized across Europe. [Source]

Facts & Stats

US – Study: Breaches More Frequent and Severe

A Ponemon Institute study has found that 90% of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices–employee laptops, smartphones and tablets–are responsible for most breaches, while business partnerships also elevate risk. 53% of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to “the fact that so many organizations are having multiple breaches.” An MSNBC report outlines ways for individuals to protect themselves in light of the recent “seemingly endless string” of data breaches, and according to the report, most aren’t made public. Meanwhile, CIO has posted an online quiz to test readers’ knowledge of data breaches. [Source] See also: [Breaches Build Federal Data Security Momentum]

WW – “Cyberinsurance” in High Demand

The “cyberinsurance” industry is experiencing an up-tick in business with recent high-profile breaches driving companies’ desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage–in some cases worth hundreds of millions of dollars. “Consensus is building” on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, “One day the industry will actually be so robust that…we’ll have the leverage to actually create standards.” A Ponemon Institute study shows the average breach cost $7.2 million last year, “But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough,” the report states. [Source]

Filtering

CA – Guelph-Based Software Censors the Internet in the Middle East

Web-filtering software developed in Canada is being used in the Middle East to censor the Internet, according to the University of Toronto’s Citizen Lab. Netsweeper Inc., a leading developer of content-filtering software based in Guelph, lists telecommunications companies in Yemen, Qatar and United Arab Emirates among its foreign clients. According to the company’s promotional material, its software blocks websites using a “list of 90+ categories to meet government rules and regulations — based on social, religious or political ideals.” Web-filtering technology was developed in the 1990s as a way to restrict access to pornography, among other things. It is commonly used to block access to specified websites in many Canadian schools, libraries and businesses. But beyond our borders that same technology is being used to quash social media-spurred uprisings in the Middle East — and the companies providing the software have come under fire for being the means through which foreign governments repress free speech online. [Source]

SY – Syria Temporarily Shuts Down Much of Internet

Internet service in Syria has been restored after the government cut off access to citizens on Friday, June 3 during some of the largest anti-government protests the country has recently seen. Following the shutdown, only Syrian government sites remained available in that country. Internet in Syria was once again available by 7AM local time the next day. Other Middle Eastern governments have severed Internet access in an attempt to quell protests. [Source] [Source] [Source]

Finance

US – FTC Levies $1.8 Million Fine for FCRA Violations

The Federal Trade Commission (FTC) has fined Teletrack Inc. $1.8 million dollars for Fair Credit Reporting Act (FCRA) violations. According to an FTC press release, Teletrack sold credit reports to marketers, which violates the federal law. “The FCRA says a credit reporting agency like Teletrack can’t sell a consumer’s sensitive credit report information for merely sales pitches,” said FTC Bureau of Consumer Protection Director David Vladeck. The settlement requires that the company pay a civil penalty of $1.8 million and only provide credit reports to those deemed permissible to receive them under FCRA. The settlement also spells out record-keeping requirements to ensure compliance with the order. [Source]

WW – Study: Hackers Outpacing Bank Security

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector’s 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do,” says the study’s lead author. “Prevention is the hardest to do, but it’s got the biggest payback.” The study also noted that banks have a strong record of eliminating fraudulent charges from individuals’ bank accounts. [Source]

WW – Mastercard.com Slammed Again as Punishment Over WikiLeaks

MasterCard’s main website was unavailable for some time as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks. MasterCard along with companies such as Visa, PayPal and the Swiss Bank PostFinance stopped processing payments for WikiLeaks shortly after the site began releasing portions of 250,000 secret U.S. diplomatic cables in November 2010. The hacking collective known as Anonymous spearheaded a drive to conduct distributed denial-of-service (DDOS) attacks against those sites. A DDOS attack involves sending large quantities of meaningless traffic to the website, which can knock it offline. [Source] [Anonymous, LulzSec bring bragging rights back to hacking] See also: [Reports: Sega customer database hacked]

CA – US Tax Law Poses Privacy Risks to Canadians

Ottawa’s privacy watchdog is examining whether a U.S. campaign to pursue tax cheats among the roughly one million Americans living here violates Canadian privacy laws. Jennifer Stoddart is closely monitoring privacy concerns as U.S. tax authorities prepare to force all foreign financial institutions to identify Americans and the money they have stashed in accounts around the world. Among the potential problems with the American law, slated to come into force in 2013, is that it would compel Canadian banks, brokers, insurers and mutual funds to collect U.S. Social Security numbers and report account balances directly to the Internal Revenue Service. Under Canadian law, customers are only required to provide identification that shows where they live – not their immigration status or citizenship. Finance Minister Jim Flaherty said last week he’s seeking an exemption for Canada, arguing that the country is not a “tax haven” and that Ottawa already cooperates extensively with tax authorities in the U.S. through a tax treaty. [Source] [Banks battle over US tax law]

US – Recent Breach Puts Spotlight on Security

Regulators are pressuring banks to improve data security measures, and some experts are forecasting a “systemic overhaul” of the industry’s practices after a recent breach exposed data on as many as 200,000 credit cardholders. The breach is drawing attention to ongoing vulnerabilities in bank security, and The New York Times reports that the prevalence of outsourcing and the “patchwork of data protection law and regulatory agencies” make matters worse, the report states. An Identity Theft Resource Center report states that in the past six years, 288 breaches at financial institutions have exposed 83 million customer records. [Source] See also: [Why it’s still too early to adopt NFC-enabled mobile payments]

FOI

CA – Ontario Must Get With The Times on Transparency, Watchdog Says

Ontario’s Ombudsman is calling on Premier Dalton McGuinty to embrace the worldwide trend toward open government by giving the public real-time access to information about programs and services. The practice of having to file a complicated access-to-information request is “literally last century,” André Marin said in his annual report, released on Tuesday. “People want information on what their government is doing, they want it to be easy to find and understand, and they want it now,” he said. Mr. Marin has been urging the McGuinty government for several years to open up the so-called MUSH sector – municipalities, universities, school boards and hospitals – to scrutiny. The government has in part responded to that pressure by making the province’s 156 hospitals part of Ontario’s Freedom of Information and Protection of Privacy Act. In his sixth annual report, Mr. Marin is going one step further by asking the government to make information available without the public having to ask for it. [Source]

CA – Vancouver Upholds Freedom of Information Release Policies

Vancouver won’t be engaging in the odious practice of “simultaneous disclosure” when it comes to responding to Freedom of Information requests. No matter what City Manager Penny Ballem might like. The city council unanimously supported a revised motion from Coun. Suzanne Anton that specifically upholds the current practice of releasing FOI materials to the requester before handing them out to others or posting them surreptitiously on a website without notification. The motion flows from a finding by the provincial Information and Privacy Commissioner Elizabeth Denham that BC Ferries’ FOI policy of simultaneous disclosure, while not illegal, violated the spirit of the FOI legislation. BC Ferries, which only recently came back under FOI jurisdiction, sought to discourage media from filing requests by making the results available to everyone at the same time. As a result, many journalists felt disinclined to file requests if it meant they’d see the story immediately on someone else’s website. [Source]

CA – Critics Blast Spike in Deaths Among Children in Care

Revelations that six children in provincial care died last year and 20 were hospitalized have critics demanding the removal of the secrecy around Alberta Children and Youth Services. Opposition critics urged the Alberta government to act immediately to disclose what happened to the children, whose deaths and injuries were summed up in a few lines in the ministry’s annual report. The deaths were double and the injuries more than triple the previous year when the government launched a review into the way children in care are managed. [Source]

UK – Hackers Leak Former British PM Tony Blair Data

Hackers have released what looks like personal information on former British Prime Minister Tony Blair, including the contents of his electronic address book, with contact data for members of Parliament and for what could be Blair’s dentist and his mechanic. A link to the data on the Pastebin Web site was sent out on Twitter from the account of “TeaMp0isoN” along with a message saying “Tony Blair should be locked up, he is a war criminal.” Earlier in the day, the TeaMp0isoN account had featured a tweet that said the group was targeting Blair for his support of the war in Iraq. [Source] See also: [LulzSec Denies Taking U.K. Census Data] and [US: CIA Web site hacked; group LulzSec takes credit]

Genetics

AR – Court Demands DNA Samples

An Argentine court has ruled that the adult children of adoptive parents must submit to DNA testing in order to determine whether they were born to military prisoners during the country’s Dirty War from 1976 to 1983. BBC News reports that Marcela and Felipe Noble Herrera must submit blood or saliva samples. They will be compared to those of military prisoners from that period whose babies were kidnapped by the military junta. The Noble Herreras have objected to the testing, saying that it’s a violation of their privacy. A 2009 bill passed by the Argentine congress allows for the forcible extraction of DNA in certain cases. [Source]

US – Apartments Using Dog DNA to Catch Poop-Scoop Scofflaws

The Timberwood Commons in Lebanon, N.H., opened this year and already has had problems with some residents who aren’t cleaning up messes their dogs leave. So the manager is going to use commercially available DNA sampling kits to check the DNA that dogs leave behind when they go. “We’ve tried doing the warning letters. We’ve tried all sorts of things,” she said Friday. “It’s always a problem. It’s just that the majority of people are responsible pet owners and there are a few who are not.” [Source]

Health / Medical

US – Suffolk Doctor Faces Federal Privacy Law Charges

In a rare prosecution of a possible health privacy violation, a federal grand jury has indicted a Suffolk psychiatrist on charges he disclosed personal medical information. Dr. Richard Kaye, 62, a former medical director of the psychiatric unit at Sentara Obici Hospital in Suffolk, was indicted in U.S. District Court in Norfolk. According to the indictment, he treated a patient with a mental health problem and disclosed protected health information (PHI) about her on three different occasions to an “agent” of the patient’s employer without authorization. The indictment from the U.S. attorney for the Eastern District of Virginia said Kaye disclosed the information under false pretenses, saying she was a “serious and imminent threat to the safety of the public.” The indictment said the doctor knew the patient was not a threat to the safety of the public. If convicted, Kaye faces a maximum of five years in prison. [Source] See also: [London Health Sciences Centre probes confidentiality breach] and [US: Alabama Woman Charged With Stealing Records of 4,500 Surgical Patients] and [Hospital Fires Employees for HIPAA Violations]

WW – Mobile Phones Being Embraced to Strengthen Health Services

Eight in 10 countries are using mobile phone technology to improve health services, from free emergency calls to appointment reminders, the World Health Organization said. The global health body found that only 19 of 114 countries surveyed had no mobile health initiative, known as mHealth. But most of those countries have several projects running. [Source]

CA – Medical Records Found In Library Book

A Red Deer library user was shocked recently to discover a list of Red Deer Regional Hospital Centre psychiatric patients and their diagnoses tucked inside a library book. What he found was a recent patient care list for 14 patients on Unit 34, one of two adult psychiatric units at the hospital. Diagnoses ranged from bipolar to depression to suicidal. Red Deer doctors were listed beside patient names. The document did not have a date. [Source] See also: [UK: Privacy fear as NHS laptops and patient records are lost]

Horror Stories

AU – Sydney University ‘Breached Student Privacy’

An investigation has found the University of Sydney failed in its obligations by not securing students’ private details on its website. A section of the university’s website was shut down in January after it was found sensitive information could be obtained by entering a student’s identification number. No password was required to access the name and address of the student, along with the subjects they were enrolled in and the fees they owed the university. The Acting New South Wales Privacy Commissioner, John McAteer, has found the university breached the Privacy Act by failing to have reasonable safeguards to protect the data. [Source]

CN – Breach of Privacy as Students’ Details for Sale Online

Beijing – Private information about elementary and secondary school students and their families is for sale online, which legal experts say constitutes an invasion of privacy. On the list, information about the capital’s 70,000 students who sat the recent college entrance examination sells for more than 1,000 yuan ($155). Information on the list includes names, cell phone numbers and home addresses of students from across the country. The information usually sells as a package for different regions and the prices for each package could be up to 1,000 yuan ($155). The buyers are generally private educational companies or training institutions, which are looking for students who failed the college entrance examination on June 8 and might be suitable for a one-year training course. Sellers leave their contact details as well as a sample of the private information online to attract buyers. The final deal is conducted face to face after negotiations with interested parties, according to an online advertisement. [Source]

US – Missing Laptop Holds Unencrypted NHS Patient Data

A laptop computer stolen from a National Health Services (NHS) subsidiary in London contains unencrypted personal health information of more than 8.6 million people, including records of 18 million hospital visits, operations and procedures. Three weeks ago, the laptop and 19 other computers were reported missing from a storeroom at the London Health Programmes medical research organization. The incident is being investigated by the UK Information Commissioner’s Office (ICO) and police. [Source] See also: [California Public Health Dept. Reports Second Breach]

IN – Groupon India Data Published on Internet, Said Researcher

The user database of Groupon’s Indian subsidiary, SoSasta, was published on the Internet and indexed by Google, according to an Australian security consultant. “I found the data via Google. Sosasta was notified ASAP,” said Daniel Grzelak in a message on Twitter. He said he had no clue as to how the database was published on the Internet. [Source] See also: [US: Arlington Cemetery Records Found in Abandoned Storage Unit, Criminal Investigation Launched]

US – Citigroup Hackers Stole $2.7 Million

Citigroup has confirmed that about $2.7 million was stolen from 3,400 customers in May following a major data breach. Citi had previously said that the data breach had exposed 360,083 bank accounts, revealing names, account numbers and email addresses of customers. Citi said other sensitive information including social security numbers, dates of birth, card expiration dates and card security codes had not been exposed. However, it now appears that customers did suffer financial losses. A Citi spokesperson said he could not comment on how the money had been stolen, but that the breach itself had not contributed any information that was sufficient to perpetrate fraud. [Source] [Source] [Source]

CA – Hackers Attack Richmond-Based Grocery Chain

T&T Supermarket Inc., a Richmond-based Asian grocery store chain, has been hit by hackers who may have stolen personal information from about 58,000 people. The company announced security breaches to its website, http://www.tnt-supermarket.com, that happened on June 6, 7, 11, and on June 14 through to June 17. T&T’s databases may have been accessed by “unauthorized intruders,” the company says. Stolen data could have included names, usernames, passwords, gender, email, telephone numbers and home addresses, the company says. T&T notes that it does not collect credit card information, driver’s license, dates of birth or social insurance numbers through its website. [Source]

WW – Attackers Steal Information from Acer Customer Database

Attackers claim to have stolen information from an Acer customer database. The compromised information appears to include the names, email addresses and purchase histories of about 40,000 customers. The attackers also claim to have stolen source code from the computer manufacturer. The attackers appear to have taken the information by gaining access to an Acer FTP server. [Source] [Source] [Source] [Source]

UK – Fines for Former T-Mobile Employees Who Stole and Sold Data

Two men who used to work for T-Mobile have been fined a total of GBP 73,700 (US $121,000) for stealing customer information and selling it to third parties. The action resulting in the decision was brought by the UK Information Commissioner’s Office (ICO), which launched the investigation in 2008. [Source] [Source]

Identity Issues

CA – Ontario to Launch New Photo Identification Card

Ontarians without a driver’s licence to use as a quick and easy piece of identification can soon apply for a government-issue photo ID card. The new cards, to become available in late July, cost $35 and are valid for five years but are not suitable as a passport substitute on international trips, Transportation Minister Kathleen Wynne said. The wallet-sized cards are aimed at the estimated 1.5 million Ontarians over the age of 16 — including the blind and those with partial sight — who don’t have driver’s licences. Applications for the card will be taken starting next month at 20 Service Ontario centres throughout the province before the offer is expanded to every centre throughout the province next year. [Source]

CA – BC New CareCard and Our Privacy

The B.C. government is preparing to scrap the provincial CareCard and introduce a high-tech replacement. The new card will carry a photo, computer chip and anti-forgery features to combat identity theft or fraud. The $150 million changeover will be phased in. Once the card is in place, it will be renewed every five years. The existing card was introduced more than 20 years ago. It offers little by way of security. Worse still, there are an estimated nine million of these in circulation, for a population of only 4.5 million. The government doesn’t know what happened to all the excess cards, but it’s a safe bet some are in the wrong hands and being used to obtain medical services fraudulently. Unfortunately, the innovations don’t stop there. The new card will also carry a link to each person’s health file. The idea is that medical staff, perhaps in an emergency, can have access to a patient’s record of treatment, in particular drug history. You either enroll in the new system, or lose access to health services. There has been no public consultation on what is a significant shift in our approach to the privacy of medical records. [Source]

US – ID Proposal for Prepaid Phones Raises “Privacy, Access and Safety” Concerns

A measure intended to crack down on drug dealers and would-be terrorists is drawing fire over privacy, access and safety concerns. The Suffolk County Legislature is considering a requirement that buyers of prepaid cell phones provide two forms of identification before making the purchase, and that local retailers hold onto that information for at least three years. Jessica Glynn, supervising attorney for the Latino rights group SEPA Mujer, says the proposal violates a number of privacy rights, particularly for victims of domestic violence. “There are serious safety concerns when a victim’s identity is being kept by someone with no training whatsoever on domestic-violence issues, or on how to keep a record.” The measure would have major negative impacts for both documented and undocumented immigrants in the county, says Amol Sinha, director of the Suffolk chapter of the New York Civil Liberties Union. “The concern is that people who don’t have credit histories, who are low-income, generally buy prepaid cell phones – and won’t have access to those vital lifelines.” [Source]

CA – Store’s ID Checks a Privacy Invasion, Says Yukon Senior

At least one Whitehorse senior is accusing a local grocery store of invading his privacy by scanning his photo identification before selling him cigarettes. Kenyon Bennett, 76, said the Real Canadian Superstore in Whitehorse does not sell tobacco products to seniors — even if they have white hair and wrinkles — without an ID check. “They put this card of mine in a machine to verify it or to let them have a print-out on something. Seems like there’s some skullduggery going on that shouldn’t be,” Bennett told CBC News. Superstore officials say staff are required to check the photo identification and record the birthdates of everyone who buys tobacco at their stores. Yukon information and privacy commissioner Tracy-Anne McPhee said the Superstore may be close to overstepping its legal authority if it is collecting and storing personal data about customers. “Looking at a piece of ID is sufficient,” McPhee said. “Writing down information from that card — photocopying, swiping or scanning — is just not justified.” [Source]

IN – India Has Issued 9.5 Million Digital Identity Numbers

India has issued digital identities to about 9.5 million people so far, and plans to step up enrollment to 1 million a day from October, the head of the agency issuing the biometric identities said at a conference in Bangalore. The digital identities, called Unique Identity (UID) or Aadhaar numbers, will provide proof of identity to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India, said Nandan Nilekani, chairman of the Unique Identification Authority of India (UIDAI). The Aadhaar project aims to issue identity numbers to 600 million people over the next three years or so, Nilekani said. Enrollment is currently voluntary. [Source] See also: [INDIA: Privacy issues come to the fore as govt plans big-ticket schemes] and [IN: Right to privacy may become fundamental right]

UK – Government Plans Next-Generation ID Scheme

The government has been coy about the pilot identity system it has been running with Mydex, the East London start-up whose trials with Brent Borough Council created in March what was dubbed “a Google moment”. Departments including HMRC, DirectGov and DWP are designing systems that will use it, but have not said what exactly they are doing. The Cabinet Office led the Mydex pilot, while Maude’s Conservative Party had made Mydex’s raison d’etre a manifesto commitment (though not by name) for the 2010 general election: “Wherever possible, personal data should be controlled by individual citizens”. The pilot came in the wake of the identity card scheme as a means for people to hold their own personal data and choose their own means of authenticating their identity. Maude assured Parliament “NO2ID and other privacy advocates” would be given an opportunity to scrutinise the plans, or at least would be “kept closely informed”. Guy Herbert, NO2ID National Organiser, told Computer Weekly the plans as they stand might not give the individual enough power over their own data. He feared both government departments and private companies were hungry alike for power over identities and personal data. [Source] See also: [US – E-Authentication Best Practices for Government]

US – DOT Sells Drivers’ Personal Information

There are about 4.5 million drivers in Wisconsin, and more than half may not know their personal information is being sold by the state Department of Transportation. There are laws but almost no oversight to how the Wisconsin DOT uses drivers’ information. In all, the state makes millions of dollars by selling drivers’ information. The entire driver record file containing information on 2.5 million drivers can be purchased for $250. “We produce a CD containing the record file and then we send that. Those funds are sent to the registration fee trust,” said the director for the DMV’s Bureau of Driver Services. In 2010, the DOT made $22,250 selling driver record files. The state of Wisconsin is making millions off of selling a second list with drivers’ personal information. The department makes more money and has more requests for full driving records. These contain the same information as the driver record file plus information on traffic crashes, tickets and withdrawals like revocation or suspensions. While the driver record file costs $250, full driving records cost between $5 and $7 per driver record. In 2010, the DOT made more than $16 million selling full driving records. [Source]

US – Court: Ohio Data Selling Practices Not In Violation

A federal appeals court has overturned a lower court decision, dismissing a 2009 lawsuit against the state of Ohio that alleged privacy violations stemming from the state’s practice of selling driver’s license data. While the lower court’s ruling allowed officials to be sued for “disclosing personal information not permitted by the Driver’s Privacy Protection Act,” the appeals court found the “rights under the law weren’t sufficiently clear.” Three Cincinnati residents filed the lawsuit, and their lawyer has said they haven’t decided if they will appeal to the U.S. Supreme Court. [The Republic] [IAPP Dashboard]

Internet / WWW

WW – OECD Communiqué Pleases Some, Nettles Others

At a high-level meeting on the Internet economy this week, the Organisation for Economic Co-operation and Development (OECD) released a Communiqué on Principles for Internet Policy-Making, which outlines the OECD’s commitment toward promoting the free flow of information; investing in high-speed networks and services; enabling cross-border delivery of services, and strengthening “consistency and effectiveness in privacy protection at a global level,” among other areas. While some have lauded the principles—U.S. NTIA Administrator Lawrence E. Strickling described it as a “major achievement that will support the continued innovation…of the global Internet economy”—others have criticized plans to make Internet service providers more responsible for policing copyright infringement, something the Civil Society Information Society Advisory Council says could “lead to network filtering.” [Source]

WW – Google Now Lets You Manage Your Online Reputation

Google has unveiled a tool to help users manage their online reputations. Called Me on the Web, it can be found on the Google dashboard, right below Account Details, when you sign on to your account. According to the Google Public Policy Blog, Me on the Web “makes it even easier” to set up Google Alerts for mentions of your name or email address as well as automatically suggesting some search terms you might want to monitor. It also “provides links to resources offering information on how to control what third-party information is posted about you on the Web.” The tips include information on how to reach out to the webmaster of a site to ask to have the information taken down as well as how to publish additional information on your own to make less relevant websites appear further down on your search results. To use the tool, you must first sign in. You’ll be asked to create a profile if you haven’t already. Then you are given a number of options on how to control your reputation, including links on how to set up notifications when your personal information appears on the Web. [Source] [Google intros ‘Me on the Web’ identity management tool]

WW – World IPv6 Day is June 8th

On Wednesday, June 8, web sites around the world will test the IPv6 standard, which will ultimately allow many more IP addresses than IPv4 with faster connectivity. Among the organizations participating in World IPv6 Day are Microsoft, Google, Yahoo and Facebook. The test runs from 8PM EST on June 7 until 7:59PM EST on June 8. The event is designed to allow network engineers to see how well the new protocol works on a large scale and to identify technical problems like misconfigured systems. The event is also aimed at raising awareness of IPv6 deployment, which is necessary because the Internet is running out of IPv4 address space. IPv6 is not compatible with IPv4, which means web sites will need to upgrade network equipment and software. [Source] See also: [IPv6 Rollout Could Necessitate Privacy Rethink]

Law Enforcement

US – F.B.I. Agents Get Leeway to Push Privacy Bounds

The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. Valerie E. Caproni, the F.B.I. general counsel, said the bureau had carefully considered each change to its operations manual. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. [Source] See also: [Toronto Police nab first ‘upskirt’ photographer of the summer]

UK – Police Database Will Share Data on 15 Million People

Police have set up a computer system which will allow UK forces to share intelligence on 15 million people. A Police National Database was the key recommendation from the Bichard Inquiry into failings by police into the Soham murders in 2002. It found that police failed to disclose details of allegations against Ian Huntley a year before he murdered Holly Wells and Jessica Chapman, both 10. Privacy campaigners say non-criminals should not be on the system. The database, which brings together 150 separate computer systems, combines intelligence from the 43 police forces in England and Wales. It also links to the eight police forces in Scotland, the British Transport Police, the Police Service of Northern Ireland, the Child Exploitation and Online Protection centre (Ceop), the Serious and Organised Crime Agency (Soca) and the military police. Collectively the forces hold information on between 10 and 15 million people. These include convicted criminals, suspects and victims of crimes, as well as the details of people who have been questioned by police but not charged. The database is run by the National Policing Improvement Agency (NPIA). The Bichard inquiry said police should be able automatically to access information on suspects held by another force. Privacy campaign group Big Brother Watch said it was concerned that details of members of the public could be logged on the database. Spokesman Daniel Hamilton said: “Nobody has a problem with a database of criminals but we should never build a database of innocent people and crime victims. The risk of this data falling into the hands of criminals is too horrifying to comprehend.” [Source]

Location

US – Court Case Raises Privacy Issues

The Advertiser reports on a Delaware Supreme Court case that “could help define personal privacy and set limits on how far police can go when using electronic surveillance in Delaware and perhaps across the U.S.” The case, Delaware v. Michael D. Holden, involves police use of GPS without a court-approved warrant to track a suspect for more than 20 days. The case was initially overturned in a lower court because the judge ruled it was an illegal search. One attorney noted the case could raise the issue of the “reasonable expectation of privacy.” [Source]

WW – Nissan Leaf Sends Location Data in RSS GET Requests

A blogger has determined that the Nissan Leaf electric automobile leaks information about the vehicle’s location, speed and destination through the car’s RSS reader. The Leaf is equipped with technology that allows drivers to select RSS feeds which are then read to them. The blogger, Casey Halverson, discovered that the GET request sent from the car for the feed contains the vehicle’s latitude, longitude, speed, direction and the latitude and longitude of the car’s destination. [Source] [Source] [Source]

WW – Free Site Helps Find Stolen Cameras

A clever experiment may make it possible for you to recover a stolen camera, find people using your photos without permission and help police catch child pornographers. The experiment is a collaboration between GadgetTrak, a software company that makes data-protection and tracking software for computers and phones, and CPUsage, a company that gets home computers to collaborate on crunching data when they aren’t in use (similar to SETI@home). The collaboration, called GadgetTrak Serial Search, works by searching the Web for information that is commonly embedded in today’s photographs. Digital cameras often stamp photos with the camera’s serial number, as well as information on exposure, shutter speed, time and date taken and in some cases, where it was taken. The free service uses the computing power of its collaborative network to search the Web for photos and then catalogs the images and associated cameras it finds. You can go to the Web site, enter a camera’s serial number and see if your photos register. It has logged more than 3 million serial numbers in a little over a week. [Source]

Offshore

IN – Leaking Health Information May Land You in Prison

Leaking information on the health of an individual may earn a term in prison for six months and also a fine up to Rs 1 lakh. According to the new Privacy Bill, 2011, which is slated to be tabled in Parliament during the forthcoming session, any health information of any citizen of India collected with his consent shall be kept by the person till the time the individual wants and later it should be returned or destroyed. [Source]

IN – Right to Privacy May Become Fundamental Right

The law ministry is working on a proposal to make the right to privacy a fundamental right in the Indian Constitution. Corporate lobbyist Niira Radia’s phone tapping row and new-age surveillance techniques being extensively used to crack down on economic offences are the trigger behind the move. “We are working on making right to privacy a fundamental right. It is likely to be tabled in the monsoon session of Parliament. However, it’s difficult to commit the timeframe,” law minister Veerappa Moily said. The right to privacy would include the right to confidentiality of communication, confidentiality of private or family life, protection of his honour and good name, protection from search, detention or exposure of lawful communication between individuals, privacy from surveillance, confidentiality of banking, financial, medical and legal information, protection from identity theft of various kinds, protection of use of a person’s photographs, fingerprints, DNA samples and other samples taken at police stations and other places and protection of data relating to the individual. If the legislation is passed, it would address several concerns expressed by some sections of the civil society. For instance, there has been outrage over the ‘compromise’ of an individual’s privacy in a project like UID, where all personal data will be available at the click of a mouse. [Source]

Online Privacy

US – Most Websites Regularly Leak Sensitive, Personal Data: Survey

A team of university researchers examined more than 100 “popular” Websites and found three-quarters of the sites leaked private information or users’ identifying data to third-party tracking sites. The survey results were released shortly after Facebook came under fire for inadvertently passing user data to other parties. More than half (56%) of sites “directly leak” private information, and the number goes up to 75% if the user ID is included under private data, according to an academic paper. The researchers, Balachander Krishnamurthy of AT&T Labs, and Konstantin Naryshkin and Craig E. Wills of Worcester Polytechnic Institute, found that information is leaked in various ways to third-party sites that track user behavior for advertisers. The researchers presented the report at the Web 2.0 Security and Privacy conference in Oakland, Calif., on May 26. In some cases, information was passed “deliberately” to other sites, but in others, it was included as part of routine information exchange. The researchers were unable to tell conclusively whether the inclusion was deliberate or inadvertent. Data leaks could have occurred as users were creating, viewing, editing or just logging into their accounts. They could also have occurred while navigating the site as many of them exposed search terms. “We believe it is time to move beyond what is clearly a losing battle with third-party aggregators and examine what roles the first-party sites can play in protecting the privacy of their users,” said Wills. Efforts made to date to address information leakage have been “largely ineffective,” the researchers found. Websites need to take greater responsibility for privacy protection. “Despite a number of proposals and reports put forward by researchers, government agencies and privacy advocates, the problem of privacy has worsened significantly,” Wills said.
Leaked information included email addresses, physical addresses and the user’s Web browser configuration details, according to the paper. Researchers classified the user data as either identifiable or as sensitive. Health information, such as searching for an illness or physical condition, was considered highly sensitive, while name and email address was highly identifiable. They focused on sites that encourage users to register, since users often share personal and personally identifiable information, including names, physical address and email address, during the registration process. They also examined health and travel sites, since users conduct searches on these sites that can be used to identify health issues or travel plans. The same team had previously examined 12 social-networking sites, including Facebook, MySpace and Orkut, to determine what kind of information was being leaked. Researchers noted that since users logged into Orkut using their Google account credentials, third-party firms could correlate the leaked Orkut user identifier with other activity on Google services, such as search or videos viewed on YouTube. Sites may be passing the user ID to referrer sites, such as Digg, but that information is actually being forwarded to Omniture, an analytics firm. [Source]
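Both leakage patterns in this digest, the Nissan Leaf item (position and destination carried in the GET query string of the car’s feed request) and the survey above (user IDs, e-mail addresses and search terms reaching third-party trackers through request URLs and Referer headers), come down to personal data crossing to a host other than the one the user is dealing with. The following added example, not code from the digest or any project it mentions, is a small log checker that flags such crossings; the log line format, hostnames and query-parameter names are assumptions constructed for the example.

```python
"""Flag personal data crossing to third-party hosts in HTTP request logs.

Added example (constructed for this digest; not from any project it names).
The log format, hostnames and parameter names below are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names treated as sensitive, grouped by category.
# Assumed names: real sites and devices vary.
SENSITIVE_PARAMS = {
    "location": {"lat", "latitude", "lon", "lng", "longitude",
                 "dest_lat", "dest_lon", "speed", "heading"},
    "identifier": {"uid", "userid", "user_id", "user"},
    "search": {"q", "query", "search"},
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed log format: "<METHOD> <url> referer=<url or ->"
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) referer=(?P<referer>\S+)$")

# Constructed sample lines (hosts and parameters are illustrative only).
SAMPLE_LOG = [
    # Vehicle RSS fetch, no Referer: position, speed, heading and destination
    # ride in the query string to the feed host.
    "GET http://rss.feed-provider.test/news.rss?lat=47.6205&lon=-122.3493"
    "&speed=35&heading=270&dest_lat=47.6097&dest_lon=-122.3331 referer=-",
    # Tracking pixel loaded from a profile page whose URL carries uid and e-mail;
    # the browser ships that page URL to the tracker in the Referer header.
    "GET http://beacon.tracker.test/px.gif?v=1 "
    "referer=http://www.social.test/profile?uid=123456&email=alice%40example.test",
    # First-party request: the account id stays with the site itself.
    "GET http://www.shop.test/account?uid=98765 referer=http://shop.test/login",
    # Health-site search term copied into an ad call to a third party.
    "GET http://ads.network.test/serve?q=diabetes+symptoms "
    "referer=http://health.test/search?q=diabetes+symptoms",
    "garbage line that does not parse",
]


def parse_log_line(line):
    """Return {'method', 'url', 'referer'} or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["referer"] == "-":
        rec["referer"] = None
    return rec


def host_of(url):
    """Lower-cased hostname without a leading 'www.' (None for a missing URL)."""
    if not url:
        return None
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def extract_sensitive(url):
    """Map category -> sorted 'name=value' pairs found in the URL's query string."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query):
        key = name.lower()
        for category, names in SENSITIVE_PARAMS.items():
            if key in names:
                found.setdefault(category, []).append(f"{name}={value}")
        if EMAIL_RE.match(value):  # e-mail detected by value, whatever the name
            found.setdefault("email", []).append(f"{name}={value}")
    return {k: sorted(v) for k, v in found.items()}


def find_leaks(lines):
    """One finding per (request, channel) where sensitive data reaches a host
    other than the page the user is on (the Referer host)."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        req_host, ref_host = host_of(rec["url"]), host_of(rec["referer"])
        if ref_host is not None and req_host == ref_host:
            continue  # first-party request: the data stays with the site itself
        own = extract_sensitive(rec["url"])  # channel 1: the request's own query
        if own:
            findings.append({"host": req_host, "via": "query", "data": own})
        if rec["referer"]:  # channel 2: the first-party URL sent as Referer
            ref = extract_sensitive(rec["referer"])
            if ref:
                findings.append({"host": req_host, "via": "referer", "data": ref})
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        print(f"{f['host']:<24} via {f['via']:<8} {f['data']}")
```

The Referer channel is the one a first-party site can close on its own, for example by keeping identifiers out of page URLs or sending a restrictive Referrer-Policy, which is the point the researchers make about first-party responsibility.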

US – Judge Approves Flash Cookie Settlement

U.S. District Court Judge George H. Wu has approved a final class-action settlement requiring Quantcast and Clearspring to pay $2.4 million. The settlement was first announced last December but received final approval on Monday. The case stems from the companies’ use of Flash cookies to track users for targeted advertising. According to the article, the majority of the settlement will go to universities and research groups, but approximately $550,000 will go to the plaintiffs’ attorneys for fees and expenses. [paidContent.org]

WW – Google Introduces Facebook Competitor, Emphasizing Privacy

Google took its biggest leap yet onto Facebook’s turf by introducing a social networking service called the Google+ project — which happens to look very much like Facebook. The service, which will initially be available only to a select group of Google users who will soon be able to invite others, will let people share and discuss status updates, photos and links. But the Google+ project will be different from Facebook in one significant way, which Google hopes will be enough to convince people to use yet another social networking service. It is designed for sharing with groups — like colleagues, college roommates or hiking friends — instead of with all of a user’s friends or the entire Web. It also offers group text messaging and video chat. The debut of Google+ will test whether Google can overcome its past flops in social networking, like Buzz and Orkut, and deal with one of the most pressing challenges facing the company. [Source] See also: [Protecting privacy in the digital age: two new reports by Canadian privacy commissioners] and [US: How to do a social background check the legal way]

WW – LinkedIn Privacy Changes Point to Social Ads

LinkedIn privacy policy updates hint at the introduction of “social ads” based on users’ activities. LinkedIn “appears eager” to avoid privacy issues, the report states, and will allow users to opt out of social ads. “Most importantly, we do not provide your name or image back to any advertiser when that ad is served,” one LinkedIn official noted, while another said, “This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose.” [MediaPost News]

CA – Winnipeg School Officials Ban Posting of Student Photos Online

Manitoba’s largest school division seems to be trying to put the social-media genie back in the bottle just in time for graduation. The Winnipeg School Division has adopted stringent privacy policies — ramping up its already rigid standards — in an effort to keep photos and video of its students off the Internet. Anyone recording a public event at the school, including those held after school, off-campus or at a school in another division, may do so only for personal use, and may not post on the Internet, the division says. It’s a policy proponents say is meant to protect young children. But just how school officials can enforce it in the era of Facebook and social media remains unclear. [Source]

Other Jurisdictions

HK – Hong Kong Banks Sold Customer Data: Watchdog

Hong Kong’s privacy watchdog has scolded four banks for releasing customers’ personal data to third parties, accusing three of them of selling the information. The four banks – Citibank, ICBC, Fubon Bank and Wing Hang Bank – had all released customers’ personal data, while Citibank, ICBC and Fubon Bank also used the information for financial gain. “(I am) disappointed that the banks are less than forthcoming in following good privacy practices,” Allan Chiang, the city’s privacy commissioner for personal data, told reporters after releasing the results of a probe into the firms. “We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn, it will serve to encourage compliant behaviour by data users concerned,” he added. [Source]

NZ – Privacy Commission Welcomes Cyber Security Strategy

The Privacy Commission says the Government’s new cyber security strategy is a “welcome start” towards protecting New Zealanders’ online identities, but it won’t guarantee online safety. The new cyber security strategy aims to improve the country’s protection against cyber threats and increase initiatives aimed at improving online security for individuals, businesses, infrastructure and the Government. Privacy Commissioner Marie Shroff is “very pleased” to see the launch of the cyber security strategy, and says she looks forward to learning how its implementation will support existing efforts providing information about online protection. [Source] See also: [NZ: Ministry’s fraud data found in car park]

CR – Costa Rica Privacy Legislation Moves Forward

Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects. In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly. The bill has now been returned to the Legislative Assembly. If passed in its current form, the law would impose a legal regime modeled on the European Union data protection framework and would regulate almost all processing of all personal data. It would require express written consent for many processing activities, and it would create a new data protection authority within the Ministry of Justice, the “Agency for the Protection of Citizens’ Data” (Agencia de Protección de Datos de los habitantes). This agency, also known as Prodhab, would have authority to inspect databases suspected of being mismanaged, and it could impose sanctions for noncompliance with the law. [Source]

HU – Ombudsman Voices Concern Over Citizen Survey

Hungarian Data Protection Ombudsman Andras Jori says government questionnaires sent to more than six million Hungarian citizens are not anonymous, and he’s asking for personal information to be deleted from the database. Jori last month launched an investigation into bar codes on the questionnaires that he suspected could reveal subjects’ identities. The questionnaires ask about pensions, welfare and education, and, according to Jori, the responses—and whether a citizen participates—could be interpreted as “giving a political opinion.” A spokesman for the prime minister said Jori’s office was consulted prior to sending the questionnaires and raised no personal data protection concerns. Jori has refuted that assertion. [The Budapest Times]

AU – Committee: Small Business Should Not Be Exempt

A parliamentary committee is calling on the government to scrap a provision exempting small businesses from Australia’s Privacy Act. The Australian Parliamentary Cyber-Safety Committee tabled a report raising concerns that small businesses with annual revenues of $3 million or less were exempt from the Privacy Act 1988. The committee recommends that the government drop the exemptions and undertake a review of businesses with “significant personal data holdings” since a “large proportion of the Australian private sector is not subject to any privacy laws.” The Australian Law Reform Commission said in 2008 that the exemptions were “neither necessary nor justifiable.” [Source]

AU – Australia’s New Data Retention Law

New legislation in Australia will require ISPs and other telecommunications carriers to retain data at the request of law enforcement authorities. Retention requests may be made without a warrant, but the authorities will need to obtain warrants to view the information. The legislation will “allow Australia to sign the Council of Europe Convention on Cybercrime treaty.” [Internet Storm Center] [Source] [Source]

PH – Lack of Legislation Raises Concerns

Manila Bulletin reports on the Joint Foreign Chambers and the business processing outsourcing (BPO) industry’s warning that a lack of data privacy legislation is a growing concern for prospective investors. The country’s proposed Data Privacy Bill aims to benefit the growth of IT and BPO, while also protecting “citizens whose personal data are stored by government offices and commercial establishments,” the report states. In a statement to the Senate Committee on Science and Technology, industry leaders warn that without a law in place, there is a “real danger of losing investors to countries with a more favorable legislative framework” for privacy protection. [Source]

MY – Data Protection Office to Be Established

The Malaysian Ministry of Information, Communication and Culture plans to establish a government department to help implement the country’s new data protection law. According to Deputy Minister Datuk Joseph Salang, the office should be up and running by next year. At a press conference, Salang underscored the urgent need for personal data protection laws, saying, “Prior to the implementation of this act, personal data is only bound by contractual agreement or common law.” The Personal Data Protection Act was passed in 2010 and is expected to go into effect early next year. [Source]

PE – Personal Data Protection Law Expected in July

The Congress of the Republic of Peru has passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE), Hunton & Williams’ Privacy and Information Security Law Blog reports, noting that if it is signed into law, Peru will have “EU-style omnibus privacy legislation.” The law would include provisions establishing the National Personal Data Protection Authority within the Ministry of Justice, requiring consent for the processing of personal data, limiting communications monitoring and restricting cross-border data transfers. Peruvian President Alan García is expected to sign the law before his term ends on July 28, the report states. [Source]

Privacy (US)

US – Portion of Settlement to Establish Undergrad Privacy Program

Fourteen privacy organizations and nonprofits will split $6 million of the $8.5 million settlement approved by a federal judge in the Google Buzz case. Originally, 12 entities were to split the settlement, but U.S. District Court Judge James Ware has ruled that the Markkula Center for Applied Ethics at Santa Clara University (SCU) and the Electronic Privacy Information Center should each receive $500,000, the report states. SCU’s Markkula Center says it will use the money to create an undergraduate curriculum on Internet privacy and a site that discusses users’ online choices about privacy. [MediaPost News]

US – Class-Action Status Sought for TCPA Violations

Lawsuits have been filed in a California federal court that claim Twitter and American Express Centurion Bank violated the Telephone Consumer Protection Act when they sent opt-out confirmation texts to the plaintiffs, Hunton & Williams’ Privacy and Information Security Law Blog reports. In each case, the defendants sent the plaintiffs a single text to confirm the requested opt-out. Both lawsuits are seeking class-action status and highlight “a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices,” the report states. [Source]

US – Supreme Court to Consider Issue of Warrantless GPS Tracking

The US Supreme Court will review the constitutionality of surreptitiously placing GPS devices on suspects’ vehicles without a warrant. The Justice Department maintains that “a person has no reasonable expectation of privacy in his movements from one place to another,” and is seeking to overturn a lower-court decision that threw out the conviction, and the resulting life sentence, of a cocaine dealer whose movements were tracked in this way. That case was decided by the US Court of Appeals for the District of Columbia Circuit; three other circuit courts of appeals have ruled that using a GPS device to track a vehicle does not require a warrant. The Court will not decide the case before its next term begins in October. [Source]

US – Supreme Court to Review Privacy Harms Case

The U.S. Supreme Court has agreed to review a ruling that said an individual could sue a federal agency for emotional distress because of the release of personal information. The case, FAA v. Cooper, 10-1024, involves a pilot who filed a lawsuit against federal agencies for disclosing his medical records during a fraud investigation, the San Francisco Chronicle reports. In February 2010, the Ninth Circuit Court of Appeals ruled in favor of the pilot, but the Obama Administration has argued that the 1974 Privacy Act does not allow damages for emotional distress. The plaintiff’s lawyer said, “More often than not, embarrassment and humiliation are the only damages…Unless these are compensable, it’s a free license to the government” to circumvent the law. [Source]

US – FTC Settles Charges Against Ad Network

The FTC has finalized its order settling charges that online ad network Chitika tracked consumers online after they’d opted out. The FTC alleged that from at least May 2008 to February 2010, Chitika’s cookies resumed tracking users 10 days after they’d opted out. Chitika said the opt-out was meant to last 10 years, but a glitch caused the error. The settlement bars Chitika from misleading consumers about the extent of its data collection and the control users have over the collection, use or sharing of their data. Additionally, every targeted ad must include a hyperlink allowing users to opt out for at least five years. [Source]
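The Chitika order turns on a single number: an opt-out cookie that was meant to last ten years actually expired after ten days. The added example below is not Chitika’s code or the FTC’s; it shows how a server should set an opt-out cookie that survives at least the five years the order requires, and an audit function a practitioner can point at any Set-Cookie header to catch the ten-day mistake before a regulator does. The cookie name “optout”, the sample headers and the reference clock are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

FIVE_YEARS = timedelta(days=5 * 365)
# Constructed reference clock so the audit is reproducible offline.
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)


def build_opt_out_cookie(now, lifetime=FIVE_YEARS, name="optout"):
    """Server side: emit an opt-out cookie that persists for `lifetime`.
    Max-Age is the authoritative lifetime; Expires is sent as well because
    older clients ignore Max-Age (cookie name is an assumption)."""
    expires = now + lifetime
    return (f"{name}=1; Max-Age={int(lifetime.total_seconds())}; "
            f"Expires={format_datetime(expires, usegmt=True)}; Path=/")


def opt_out_lifetime(set_cookie_header, now, name="optout"):
    """Parse a Set-Cookie header and return how long the opt-out cookie will
    live, or None if the header does not set it at all."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return None
    morsel = jar[name]
    if morsel["max-age"]:                     # Max-Age wins over Expires
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return timedelta(0)                       # session cookie: gone at browser close


def audit_opt_out(set_cookie_header, now, minimum=FIVE_YEARS, name="optout"):
    """Compliance check: PASS only if the opt-out outlives `minimum`."""
    life = opt_out_lifetime(set_cookie_header, now, name)
    if life is None:
        return "FAIL: no opt-out cookie set"
    if life < minimum:
        return f"FAIL: opt-out expires after {life.days} days, need {minimum.days}"
    return "PASS"


if __name__ == "__main__":
    # 864000 seconds is ten days: the kind of lifetime the FTC order describes.
    buggy = "optout=1; Max-Age=864000; Path=/"
    print(audit_opt_out(buggy, NOW))
    print(audit_opt_out(build_opt_out_cookie(NOW), NOW))
```

The audit reads Max-Age before Expires because that is the precedence browsers apply; a header that sets a long Expires but a short Max-Age still fails, which is exactly the case a by-eye review tends to miss.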

US – Vermont Law Barring Prescription Data Use for Marketing Found Unconstitutional

The US Supreme Court has struck down as unconstitutional a Vermont law that forbade the use of prescription data collected by pharmacies for marketing. In a 6-3 decision, the Court ruled that Vermont’s law violated the pharmaceutical industry’s First Amendment right to market its products. The Vermont law banned the use of the information collected by pharmacies for marketing purposes, but allowed it to be used for health care research and educational purposes, and also allowed access by journalists, insurance companies and law enforcement agencies. The ruling is likely to quash the passage of similar laws in other states. [Source] [Source] [Source]

US – Committee Focuses on Do Not Track

“Consumers should not be expected to make tracking choices on a company-by-company basis,” said FTC Commissioner Julie Brill in an address on Monday at the Center for American Progress, adding that therefore, do not track should apply to mobile devices as well. The FTC published tips for consumers to protect their privacy when using mobile apps. Brill is also scheduled to testify at today’s Senate Commerce Committee hearing on privacy and data security. At the hearing, Consumers Union will present survey results indicating that 81% of Internet users favor a do-not-track mechanism, and the Commerce Department’s Cameron Kerry is expected to testify in support of consumer data privacy legislation, including do not track. [ClickZ]

Privacy Enhancing Technologies (PETs)

CA – Don’t Stop Anonymizing the Data

Two Canadian privacy experts have issued a new report that strongly backs the practice of de-identification as a key element in the protection of personal information. The joint paper from Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the University of Ottawa and the Children’s Hospital of Eastern Ontario Research Institute, comes as some privacy policy makers increasingly question the value of de-identification. Personal information can be routinely de-identified before it is used or disclosed for a wide range of purposes, such as research, where it is not necessary to know the identity of individuals. Recently, however, the practice of de-identification as an effective tool to protect privacy has been challenged by those who claim it is possible to re-identify individuals from seemingly anonymous data. Today’s report refutes this position, and further validates that anonymizing data is a reliable, safe and practical way to protect personal information. Launched at the University of Alberta’s National Access and Privacy Conference, the new paper entitled, “Dispelling the Myths Surrounding De-Identification: Anonymization Remains a Strong Tool for Protecting Privacy,” shows that the re-identification of properly de-identified information is not, in fact, an easy or trivial task, and rather requires concerted effort on the part of skilled technicians. De-identification is a vital first step in protecting privacy, by drastically reducing the risk that personal information will be used or disclosed for unauthorized or malicious purposes. [Source] [Ontario privacy boss slams geo-location as privacy risk] See also: [Is Anonymity on the Web Impossible?]
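The paper’s argument is that properly de-identified data is hard to re-identify, and “properly” has a measurable meaning: every combination of quasi-identifiers (postal code, age, sex) must match at least k released records, so an attacker holding someone’s public attributes cannot single them out. The added example below is not from the Cavoukian/El Emam paper; it computes k over a small constructed health dataset, shows that the raw records are unique (k = 1), generalizes the quasi-identifiers until k reaches 2, and then replays the linkage attack an adversary would attempt against both versions. The generalization ladder (zip prefix length, age band) is a toy assumption; a real release would pick it from the data’s own distribution.

```python
from collections import Counter

# Constructed sample: three quasi-identifiers plus one sensitive attribute.
RECORDS = [
    {"zip": "13053", "age": 28, "sex": "M", "diagnosis": "flu"},
    {"zip": "13068", "age": 29, "sex": "M", "diagnosis": "asthma"},
    {"zip": "13053", "age": 31, "sex": "F", "diagnosis": "flu"},
    {"zip": "13068", "age": 36, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "14850", "age": 47, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "14853", "age": 49, "sex": "M", "diagnosis": "flu"},
]
QUASI_IDS = ("zip", "age", "sex")

# Assumed generalization ladder, coarsest last: (zip digits kept, age band width).
LADDER = ((5, 1), (3, 10), (2, 20), (1, 40), (0, 100))


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one person is unique in the release."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())


def generalize(record, zip_digits, age_band):
    """Coarsen one record: truncate the zip code and bucket the age."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    lo = (record["age"] // age_band) * age_band
    out["age"] = f"{lo}-{lo + age_band - 1}"
    return out


def deidentify(records, k_target=2, ladder=LADDER):
    """Walk the ladder until every equivalence class has >= k_target members.
    Returns the released rows and the ladder rung used, so the same rung can
    be applied to any attacker-side record for a linkage test."""
    for zip_digits, age_band in ladder:
        released = [generalize(r, zip_digits, age_band) for r in records]
        if k_anonymity(released) >= k_target:
            return released, (zip_digits, age_band)
    raise ValueError("ladder exhausted before reaching target k")


def candidates(records, known, quasi_ids=QUASI_IDS):
    """Linkage attack: rows an adversary holding `known` quasi-identifiers
    (e.g. from a voter roll) could match against the release."""
    return [r for r in records if all(r[q] == known[q] for q in quasi_ids)]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))                  # 1: everyone is unique
    released, rung = deidentify(RECORDS, k_target=2)
    print("released k =", k_anonymity(released), "using", rung)
    known = {"zip": "13053", "age": 28, "sex": "M"}         # attacker's side knowledge
    print("raw matches:", len(candidates(RECORDS, known)))  # 1: re-identified
    print("released matches:", len(candidates(released, generalize(known, *rung))))
```

With the raw records the attacker’s single known profile maps to exactly one row, and the diagnosis leaks; after generalization the same profile maps to two rows, so the attacker must bring more effort or more outside data, which is the paper’s point. Note the second rung works here only because the sample was built to pair up; on real data k-anonymity is one check among several (l-diversity guards against every member of a class sharing the same sensitive value).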

CA – Ontario Commissioner Calls for Privacy to be Embedded into Legacy Systems

Ontario’s privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it’s stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems’ ability to report users’ location data. [SC Magazine] [Source]

RFID

UK – Chips for Dinner: Edible RFID Tags Describe Your Food

A student at the Royal College of Art in London, Hannes Harms, has come up with a design for an edible RFID chip, part of a system he calls NutriSmart. The chip could send information about the food you eat to a personal computer or, conceivably, a mobile phone via a Bluetooth connection. The idea is that it could send nutritional data and ingredients for people who have allergies, or calorie-counting for those on diets, or maybe even telling your fridge when the food has gone off. It could even be used to market organic food, with a chip holding data about the origin of that tuna steak you just bought. [Source]

Security

US – FISMA Compliance Metrics Focus on Continuous Monitoring

New Federal Information Security Management Act (FISMA) compliance metrics released by the US DHS require agencies to report on their implementation of automated continuous measurement of critical security risks. The memo stems from 2010 guidance requiring government agencies to begin moving to continuous security monitoring. [Source] [Source] [Source] [Source] [Source]

WW – Many Top iPhone, Android Apps Face Security Woes

Some of the most popular applications available for the iPhone and Android handsets suffer from serious security issues, a recent study from security firm ViaForensics has found. According to the security firm’s appWatchdog study, a slew of companies, including Foursquare, LinkedIn, Netflix, and WordPress earned a “fail” rating on storing sensitive data securely. Netflix’s Android application, for example, failed to “securely store passwords,” ViaForensics said. Surprisingly, the iPhone version of the Netflix app earned the highest “pass” rating for securely storing passwords. ViaForensics’ study is all the more concerning when one considers that mobile applications are becoming far more popular. Earlier this week, In-Stat reported that users will download 48 billion mobile applications to their smartphones in 2015. On Monday, Apple revealed that 14 billion apps had been downloaded from its App Store since 2008. Over 4.5 billion applications have been downloaded from the Android Market. [Source] [Lawsuit Alleges Smartphone Data Misuse]

US – Investigation Finds Apps Put Data at Risk

A computer security firm has found that some popular mobile applications store users’ personal data in plain text on their mobile devices. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. “Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker’s spokeswoman said that it’s necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. [The Wall Street Journal]
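What viaForensics calls a “fail” on password storage is something an examiner finds by reading the app’s own data directory off the device: a shared-preferences XML file or a SQLite database with the secret sitting in it as text. The added example below is not viaForensics’ tool; it scans a constructed Android-style `shared_prefs` XML and a constructed SQLite database the way a first-pass forensic triage would, flagging any value stored under a key whose name looks like a credential. The key-name pattern is an assumption and will miss secrets stored under innocuous names, which is why a real examination also greps the raw image for known values.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for /data/data/<app>/shared_prefs/<app>_preferences.xml
PREFS_XML = """<map>
    <string name="username">alice@example.test</string>
    <string name="password">hunter2</string>
    <string name="session_token">9f1c2d7a-constructed-token</string>
    <boolean name="remember_me" value="true" />
</map>"""

# Assumed pattern for credential-like key and column names.
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|cvv", re.I)


def scan_prefs_xml(xml_text, source="shared_prefs.xml"):
    """Return (source, key, value) for every credential-like preference
    that holds a non-empty value."""
    findings = []
    for element in ET.fromstring(xml_text):
        key = element.get("name", "")
        value = element.text if element.text is not None else element.get("value", "")
        if SECRET_NAME_RE.search(key) and value:
            findings.append((source, key, value))
    return findings


def scan_sqlite(conn, source="app.db"):
    """Walk every table and flag non-empty values in credential-like columns."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            if not SECRET_NAME_RE.search(column):
                continue
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}"'):
                if value:
                    findings.append((f"{source}:{table}", column, str(value)))
    return findings


def build_sample_db():
    """Constructed app database: one table keeps the login password in clear,
    one keeps transaction data that is sensitive but not a credential."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, login TEXT, password TEXT)")
    conn.execute("INSERT INTO account VALUES (1, 'alice', 'hunter2')")
    conn.execute("CREATE TABLE txn (id INTEGER, amount REAL, memo TEXT)")
    conn.execute("INSERT INTO txn VALUES (1, 42.50, 'coffee')")
    return conn


def triage(xml_text=PREFS_XML, conn=None):
    """One-shot triage over both artefacts; an empty list is the 'pass' result."""
    conn = conn or build_sample_db()
    return scan_prefs_xml(xml_text) + scan_sqlite(conn)


if __name__ == "__main__":
    for source, key, value in triage():
        print(f"FAIL {source}: {key} = {value!r}")
```

A “pass” on this check looks like an empty finding list: the app keeps a short-lived server-issued token in platform-protected storage (the Android keystore, the iOS keychain) and never writes the password at all, which is also the path that satisfies the “store only what you need” guidance in the Ontario white paper above.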

US – Cloud Storage Vendors Have Privacy and Security Hurdles to Leap

While off-site services may have the potential to tame the voracious storage beast, most respondents to an InformationWeek Analytics research report are skeptical when it comes to moving valued business data to a public cloud. Security, privacy and regulatory constraints lead the list of concerns; absence of a concrete business case and worries about lack of control, potential data loss, data availability and reliability/performance also factor into companies’ reluctance to store their information in the public cloud. [Source]

US – Body Scanners to Get Privacy Updates

Transportation Security Administration head John Pistole has said the agency is on track to equip half of U.S. airport body scanners with privacy filters by the end of the year. Meanwhile, in a Salon.com article, Daniel Solove argues that, too often, debates about security vs. privacy employ inaccuracies to tip the scales in security’s favor. During times of crisis, Solove writes, the pendulum often swings towards greater security, with the promise that, when danger subsides, privacy provisions will again return. But, he writes, during “times of peace, the need to protect privacy is not as strong because we’re less likely to make such needless sacrifices.” [SecurityInfoWatch]

UK – British Intelligence Agency Replaces Online al Qaeda Article with Cupcake Recipes

The British intelligence agency MI6, along with GCHQ (the UK counterpart of the US National Security Agency), has broken into an online al Qaeda publication and replaced instructions for making a bomb with a series of cupcake recipes. The cyber infiltrators also removed several articles from the publication. [Source]

US – DHS Moves to Boost Security of Software

The Homeland Security Department unveiled a new system of guidance on Monday intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the “root-cause issues” behind cyberattacks, one official said. The announcement also includes a way to rate programming errors for importance in differing environments from embedded systems to web applications. The overall initiative is designed to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products. Colleges and trade schools need to take far more responsibility for ensuring their graduates who write programs can do so securely. [Source] [Source] [Source] [Source]
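The list the DHS announcement refers to puts SQL injection (CWE-89 in the Common Weakness Enumeration) at the top. The added example below is not part of the DHS material; it shows the error in its smallest form and the fix beside it, using Python’s standard sqlite3 module and a constructed user table. The attacker input is the classic tautology; run against the vulnerable lookup it returns every row, run against the parameterized lookup it returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89 pattern: caller input is spliced into the SQL text, so a quote
    character in `name` changes the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: the statement is fixed and `name` travels as a bound
    parameter, so the driver can only ever compare it as a value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"     # constructed attacker input
    # Vulnerable query becomes: ... WHERE name = '' OR '1'='1'  -> every row leaks
    print("vulnerable:", find_user_vulnerable(db, payload))
    # Safe query looks for a user literally named "' OR '1'='1" -> nothing
    print("safe:      ", find_user_safe(db, payload))
```

The difference is not escaping: the safe version never builds a query string from the input at all, which is what makes the fix robust against the encoding and quoting tricks that defeat hand-rolled escaping.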

WW – Fifth Certificate Authority Suffers Breach

The security of a fifth certificate authority was breached earlier this month. While the attackers do not appear to have gained access to information that would allow them to issue valid certificates to themselves, the company, StartSSL, has indefinitely suspended issuing digital certificates. StartSSL says that existing certificates have not been compromised. In the past several months, several other certificate authorities have been attacked. A compromise at Comodo resulted in attackers obtaining fraudulently issued, but technically valid, certificates for some highly visible domains, including Google and Skype. [Source] [Internet Storm Center]

Smart Cards

US – Wireless Data Collection Suable Under Wiretap Act

A federal judge has found that Google can be sued for collecting private data from open wireless routers, saying that “plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act,” reports Wired. U.S. District Judge James Ware said, “In particular, plaintiffs plead that defendant intentionally created, approved of and installed specially-designed software and technology” used to intercept data from wireless networks. The report calls the ruling a “serious legal setback” for Google and notes that it also sets precedent for data collected through open WiFi networks in public spaces. Google maintains that the collection was a mistake and says the lawsuit is “without merit.” [Source]

Surveillance

CA – Civil-Rights Groups Want Proposed ‘Spy’ Law Scrapped

Civil-rights groups are planning a summer-long campaign to raise awareness about a proposed law they say would force Internet companies to spy on their users. The law, called Lawful Access, would ask ISPs to implement technology that would intercept Internet communications of their customers. It would also require ISPs to give up basic identity information about their subscribers to law enforcement officials without a warrant. The law has been proposed in one form or another since 2002, but now it appears it will be included in an omnibus bill of tough-on-crime measures the Conservatives have pledged to table in the first 100 days of their mandate. Among those concerned by the proposed law is Canada’s privacy commissioner. “We have not yet seen a demonstrable need for the extent of access to personal information by law enforcement and national security authorities by the legislation that was introduced in the last parliament session,” said Chantal Bernier, the assistant privacy commissioner. “We believe any measure that seeks to put more personal information in the hands of government in general must be justified.” She said the office is concerned by the potential for abuse of power, especially since the proposed law doesn’t require authorities to get a warrant in order to obtain information, and has an internal control governed by the individual law enforcement bodies. The Net neutrality lobby group Open Media has embarked on a public awareness campaign about the proposed law. Labelled “stop spying,” 35,000 people have already signed a petition calling for the law to be scrapped, or at least dramatically changed. [Source] [Surveillance bill sparks privacy debate] [Bill C-51 will turn ISPs into Internet gatekeepers] and [Concealing data breaches like the Sony PlayStation hack punishable by jail under proposed US bill]

CA – Surveillance Cameras Deployed In Vancouver Despite Mayor’s Denial

The city manager’s office allowed the Vancouver Police Department to use 7 surveillance cameras downtown during the Stanley Cup playoffs to monitor crowds and guide emergency personnel. Mayor Gregor Robertson told the Courier prior to the start of the seven-game series between the Vancouver Canucks and the Boston Bruins that cameras wouldn’t be deployed. [Source] See also: [IN – Police halt Google Street View from filming in India until it gets security clearance]

CA – Cameras Keep Watch Over Sussex Drive

The town of Sussex is installing about three dozen video surveillance cameras in an attempt to safeguard its citizens and property. Six of the cameras have been installed at the community’s historic railway station. An unsolved case of arson last fall almost destroyed the structure. Town Hall also has cameras because youths have been climbing onto the roof. There are more cameras at a park that’s been repeatedly vandalized, as well as at the town arena, well houses and the reservoir. Sussex Mayor Ralph Carr said he did have some concerns about privacy. “But only people who are concerned about doing bad things have to worry. So, we find that people in general aren’t against it because they’re law-abiding citizens and they don’t mind,” he said. New Brunswick’s Privacy Commissioner is keeping an eye on the project. [Source]

US – Police Access City Cameras from Laptops and Smartphones

Officers of the Sandy Springs, Ga., Police Department will soon be able to use laptops and smartphones to browse and view video from various cameras located around the city. The project, which uses a software platform with a Google Maps interface, is part of the Police Department’s initiative to integrate technology from multiple vendors into one system. The department is currently in the process of integrating its computer-aided dispatch system, automatic vehicle locators and in-car police video cameras into the overall infrastructure. Authorized users will be able to view live and recorded footage from the city cameras by clicking on their location points on the Google map. For each camera, users will have the ability to pan, tilt and zoom, according to the department. [Source] See also: [CA – Pearson Airport worker used surveillance camera to spy on ex]

Telecom / TV

AU – Police Win Phone Data – New Laws to Invade Your Privacy

Spy agencies and federal and state police will be able to order phone companies to seize customers’ personal data even before a warrant is issued under controversial changes to cyber security laws to be introduced. The cyber crackdown comes as the country’s intelligence agencies revealed they detected 250,000 cases of hacking in the past six months alone in which the passwords, account details and personal information of Australians had been stolen. However, authorities are being hampered in tracking evidence because phone companies are destroying personal data such as text messages, often within 24 hours, because of the sheer volume of data clogging their networks. Attorney-General Robert McClelland will introduce amendments to allow law enforcement and intelligence agencies to issue an immediate “non-destruction” order for cyber and phone data to phone and internet companies. It would allow them to preserve personal records of suspects before a formal warrant can be issued. Currently authorities can only order phone companies to hold data after a warrant is issued, often leading to the loss of crucial evidence in live cases. The new laws would also enable intelligence agencies to collect cyber evidence from other countries through an international treaty. The laws would apply to all electronic data including calls, text messages, emails and computer or internet activity, and will require changes to both the cyber crimes laws and telephone intercept legislation. However, the laws would prevent agencies from actually accessing the seized information until the warrant was issued. If the warrant failed, the data would be ordered destroyed. [Source]

WW – Info Retained by Smart Phones Raises Issues for Consumers

In recent months, controversy has swirled around the fact that smart phones, like Apple’s iPhone, store location information on their users, raising major privacy issues. But a leading computer forensics expert said that mobile devices store far more critical personal information on their owners – even after users think they’ve erased the data. Kris Haworth, president of The Forensics Group, one of the nation’s leading computer forensics companies, said consumers might be surprised to learn that the iPhone, iPad, Android, Blackberry and other mobile computing devices retain vital data in their memory despite attempts to delete it. “Most consumers have no idea when they trade in a smart phone or tablet computer that they’ve left a trail of very private and personal information behind – everything from private text messages and emails to their calling records, websites they’ve visited and even bank account passwords in some cases,” Haworth said. With the number of smart phones tripling in the U.S. over the past five years and many consumers regularly trading up for the latest models, the information retention could raise new privacy concerns for consumer groups – and create new opportunities for computer forensic companies. [Source]

CA – Watchdog Warns Smart Phones Lack Privacy Defaults

There are unintended consequences of having our smart phones and other wireless devices automatically collect data on our whereabouts, warns Ontario Information and Privacy Commissioner Ann Cavoukian. Privacy should be designed into cellphones and Wi-Fi systems to prevent the automatic collection and storage of personal data by the devices, which only continue to grow in popularity, Cavoukian said in a special report. There is a lot of concern about the capability of mobile systems to track our lives, without our knowledge, concludes Cavoukian’s report, “Wi-Fi Positioning Systems: Beware of Unintended Consequences,” which was jointly written with Microsoft’s former chief architect of identity, Kim Cameron. [Source]

IN – Mobile Phones in India: A Webless Social Network

India may be home to software giants, like Wipro or Infosys, which have thrived by harnessing the internet’s potential, but few of the country’s 1.2 billion people have so far embraced the web. Telecom Regulatory Authority of India reported that at the end of March the country had just 8.8m broadband connections. By contrast, it boasts some 812m mobile subscribers. According to Gartner, a market-research outfit, in 2013 Indians will send almost 192 billion text messages. [Source]

US – GroupM Takes Lead on Mobile Privacy Guidelines

GroupM has become the first agency to adopt mobile privacy guidelines. Those guidelines would limit the amount of data collected and shared from mobile devices in marketing campaigns by calling for publishers to mask UUIDs (the universally unique identifiers that are on every phone) and giving users the opportunity to opt out of data collection and sharing. The guidelines are voluntary, but publishers and mobile ad networks that work with GroupM will be urged to adopt them. [Source]

US Legislation

US – Why Privacy Legislation is Hot Now (Peter Swire Op-Ed)

More than at any time in the past decade, privacy hearings and proposed legislation are spreading across Capitol Hill. Until now, you could always make money betting against a privacy law passing in Congress. Today, many experts are saying that momentum is building for major legislation, although the shape of that legislation is still unclear. This round of privacy action is driven by three historic trends, plus other factors that are coming together now. First is location data. Second is social networking. Third is online behavioral advertising. Along with these three mega-trends, Congress is seriously considering federal data-breach legislation, to harmonize state laws and address the Sony PlayStation and other high-profile recent breaches. Major cloud computing companies and civil liberties groups are supporting the Digital Due Process Coalition, which favors a judicial search warrant before law enforcement can gain access to the exabytes of data stored in the cloud. And, there is pressure on the international front, as the European Union considers tightening its own data privacy laws and as India, Mexico and other countries are in the process of putting EU-style privacy laws on the books. A flashpoint for action could be children’s privacy, where family-values Republicans and consumer-protection Democrats can most easily come together politically. Mark Zuckerberg has publicly discussed bringing under-13s directly into Facebook, but no one knows with what rules. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of the “Do Not Track Kids Act of 2011” to offer the choice not to have behavioral advertising and related tracking for those under the age of 13. And no one knows who will get to see the location information of children — parents will and stalkers won’t, but there are still-to-be-developed rules for those in-between. 
The biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector. The closest fit to the administration vision is the Kerry-McCain “Commercial Privacy Bill of Rights,” which notably would provide individuals with the legal right to opt out of having their information shared for marketing purposes. This sort of general legislation contrasts with sector-specific proposals, such as a recent bill by Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) that targets smartphone location information. With the convergence of all of these technical changes, the current period most resembles the late 1990s. [Source] See also: [US: Senator renews pledge to update digital-privacy law] and [US: Franken, Blumenthal introduce mobile privacy bill] and [US: Focus on Data Breaches Tops House Commerce Privacy Agenda]

US – Senate Lawmakers Call for Data Security Law, Less Certain Over Privacy

As federal officials grapple with ways to better protect the privacy and security of Internet users, participants at a Senate Commerce Committee hearing appeared to be in broad agreement over the need for data breach laws. But there was less agreement over online privacy laws, with lawmakers, regulators and companies debating “do not track” proposals and general privacy laws that consumers say they want but companies fear will hurt their bottom lines. [Source]

US – Proposed US Legislation Would Require Breach Notification Within 48 Hours

Proposed data breach legislation introduced by US Representative Mary Bono Mack (R-Calif.) would require companies to notify law enforcement authorities of data breaches within 48 hours. If the data compromised in a breach could be used to commit identity fraud, the company must notify the Federal Trade Commission within 48 hours and start contacting affected customers. The bill would also require companies to take reasonable steps to protect personal data, including collecting and storing only data they need. [Source] [Source]

US – CA Senate Again Takes Up Bill on Web Privacy Info

California lawmakers took up a bill that has irked Facebook, Twitter and other social networking companies because it would require their websites to automatically set personal information to private. Senators began voting for a second time on SB242, after the bill failed a vote last week. An initial round of voting failed to generate the majority support needed. State Sen. Ellen Corbett, D-San Leandro, said her bill would protect users from identity theft and give parents better control of private information about their children. She said people often are unaware that personal information such as their home address and Social Security number can be available online for others to see. In addition to opposition from social networking sites, Internet companies such as Google, Yahoo and Skype have lobbied against the proposal, saying such regulation isn’t needed because companies already go to great lengths to protect individuals’ privacy. [Source] UPDATE: [CA Social Networking Bill Fails Again]

US – Proposed Bills Address Geo-Location Data Privacy

US legislators have introduced two bills aimed at privacy issues arising from geo-location data generated by wireless devices. Senators Al Franken (D-Minnesota) and Richard Blumenthal (D-Connecticut) have introduced the Location Privacy Protection Act, which would require companies to obtain permission from consumers before sharing geo-location data with third party entities. It would also require providers to inform users about what type of information is being collected. Senator Ron Wyden (D-Oregon) and Representative Jason Chaffetz (R-Utah) have introduced the Geolocational Privacy and Surveillance Act that would require law enforcement authorities to establish probable cause and obtain a warrant to request geolocation data. It would also prohibit sharing the data without users’ consent. [Source] [Source] [Source] [Source] [Source]

US – States Legislate Healthcare, Employee Privacy

Texas Governor Rick Perry has signed a healthcare privacy law that goes beyond HIPAA’s requirements. Rep. Lois Kolkhorst (R-District 13) says the push for electronic health records in the HITECH Act’s incentive program and the lack of federal HIPAA enforcement spurred the legislation, which will go into effect September 12 and will establish an infrastructure for state oversight and enforcement of healthcare privacy. Meanwhile, Oklahoma’s Supreme Court has upheld a lower court’s decision barring “state personnel officials from releasing the birthdates of state employees,” NewsTimes reports. The court said releasing such information could result in identity theft. [GovInfoSecurity]

US – Court: State Law Trumps HIPAA

A Michigan court case ruling could restrict the information physicians can release during legal proceedings. The decision follows a 2009 lawsuit, in which Michigan doctor Isidore Steiner alleged former colleague Marc Bonanni stole patients after leaving the practice, violating an established agreement. Steiner asked for a list of patient names Bonanni had seen at his new practice, citing the Health Insurance Portability and Accountability Act (HIPAA). But the court ruled that Michigan law, which prevents such disclosures, trumps HIPAA. A Michigan-based attorney predicts that “When entities do not want to disclose information, they’re going to use this case as their response.” [American Medical News]

+++
