01-31 July 2011

Biometrics 

US – Law Enforcement to Begin Iris Scanning Amid Privacy Concerns

New iris- and face-scanning technology could improve the speed and accuracy of police work but raises privacy and civil liberties concerns. The Mobile Offender Recognition and Information System (MORIS) scans an individual’s iris to detect unique patterns so that law enforcement can identify a suspect more quickly. The MORIS technology can also be attached to a smartphone to photograph a person’s face; the image is then run against a database to identify the individual. A representative from the technology’s manufacturer says the application will not be intrusive because “it requires a level of cooperation that makes it very overt—a person knows that you’re taking a picture for this purpose.” [Source]

WW – Study: Facial Recognition Technology Powerful, Intrusive

Research conducted at Carnegie Mellon University has successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study’s author could also correctly predict the first five digits of the participants’ Social Security numbers nearly 27% of the time. One law professor notes that the combination of available, “anonymous” online data and the technology makes re-identifying people possible. The study’s author says, “This paper really establishes that re-identification is much easier than experts think it’s going to be.” [The Wall Street Journal] See also: [Facebook facial-recognition feature won’t be available to Canadians] [Facial-recognition technology needs limits, privacy advocates warn] [Ontario Commissioner: Facial Recognition With Privacy Is Possible] [What Caricatures Can Teach Us About Facial Recognition] and [Barry: Cycling leads the pack in drug testing]

Canada 

CA – Privacy Group Fears New “Lawful Access” Laws

A group of privacy advocates is raising alarm about several government initiatives they say could have serious privacy repercussions for Canadians. Sharon Polsky, national chairperson of the Canadian Association of Professional Access and Privacy Administrators, says her group is concerned by the Lawful Access law, slated to be introduced soon after Parliament resumes its fall session. The group says the law as proposed would make ISPs agents of the state by requiring them to monitor Internet behaviour and pass on identifiable information to law enforcement officials without a warrant. The group is also concerned about an international agreement called the Anti-Counterfeiting Trade Agreement (ACTA), which has been negotiated in secret by 37 countries, including Canada. While Canada has not yet signed on, ACTA would force the government to harden its copyright rules to be in sync with those negotiated by the member countries, and could cut off Internet access for a year to those suspected of illegally downloading copyrighted songs or movies. “People are not concerned, because people don’t know about it; (ACTA) was negotiated in secret,” Polsky said. She added that she is also concerned the proposed Lawful Access law would give law enforcement officials from other countries access to the Internet habits of Canadians, because police forces often share information with each other. [NIST Release] [Source] [Source] [The What and Why of NIST’s Privacy Appendix] See also: [U.S. ambassador says perimeter security deal with Canada will respect privacy] and [Adopting U.S. privacy standards could hurt Canada’s reputation: watchdog]

CA – Canada’s Privacy Chief Prepares to Take On Google

The Privacy Commissioner of Canada is preparing to take on Google Inc. over concerns about how the firm collects, retains and uses personal data. In a little-noticed 46-page report, Jennifer Stoddart has outlined a year-long consultation into issues about online tracking, profiling and targeting. In her review, the commissioner found that Google and other Internet firms, including Facebook and Foursquare, are collecting increasing amounts of data about users and not adequately informing people about the data collection or what it is being used for. The privacy commissioner is pushing for these companies to become more proactive in explaining how they collect user information and what they are using it for. [Source] See also: [Oshawa MPP says PC Party would slap GPS devices on sex offenders]

BC – BC Privacy Commissioner to Investigate Smart Meters

B.C.’s Information and Privacy Commissioner Elizabeth Denham will investigate BC Hydro’s Smart Meter program to ensure it complies with privacy laws. The Commissioner said she decided to launch her investigation after receiving numerous complaints that the information collected by the meters may breach personal privacy. “The privacy and security of energy consumption data is a very real issue for citizens throughout the province,” Denham is quoted as saying in the news release. “With an increase in the frequency of the information collected from smart meters comes an increased responsibility on BC Hydro to ensure that privacy and security is built into the smart grid.” BC Hydro is planning to spend $930 million to install 1.8 million smart meters across B.C. The project is due to be completed by the end of 2012. The new meters will also allow customers to log on to Hydro’s website and monitor their own electricity use in real time. [Source] See also: [Canadians deserve greater online protection: privacy commission]

CA – Federal Privacy Commissioner Takes Prison Service to Court

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country’s prison system to court for allegedly violating the Privacy Act. Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC’s communications director, Anne-Marie Hayden, says, “In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information.” [National Post]

Consumer

WW – Consumers Willing to Pay More for Privacy

A new study has found that consumers are willing to pay more for purchases from online vendors “with clear, protective privacy policies.” The Carnegie Mellon University study found that, for example, participants in the study shopping for batteries made “significantly more purchases” from sites rated high privacy—47.4%—than from sites rated no privacy—5.6%. Additionally, consumers were willing to pay, on average, 59 cents more from sites with strong privacy protection. “Our study indicates that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites,” the authors noted. [ScienceBlog]

E-Government 

US – Florida Makes Millions Selling DMV Data

Last year, the state of Florida made more than US $60 million from selling information held by the Department of Highway Safety and Motor Vehicles. It is legal in Florida to sell the data, which include names, addresses, dates of birth and vehicles registered. The data are available to employers and insurance companies, but the state is also selling them to companies that collect personal data and resell them to others. The companies purchasing the information from the state must sign contracts promising not to use the information to harass people. The state does not sell SSNs or driver’s license numbers. Judges and law enforcement officers may request that their information not be sold. [Source] [Source]

UK – DVLA Teams Up With IBM in Bid to Curb Uninsured Driver Menace

The DVLA (Driver and Vehicle Licensing Agency) and Motor Insurers’ Bureau (MIB) have introduced a new system to help identify uninsured vehicles which they claim will improve road safety and reduce the cost of uninsured driving across the UK. The new system, delivered with the support of IBM, works by comparing the Motor Insurance Database with DVLA’s vehicle database and is the foundation of the new Continuous Insurance Enforcement initiative, a collaboration between DVLA, DfT and MIB to reduce the number of vehicles being driven on UK roads without insurance. Under the new system, which took two years to develop, if a vehicle is suspected of being uninsured, the registered keeper will receive a letter from the MIB advising them to get insurance or declare the vehicle off-road. If they fail to do this, enforcement action will be taken by DVLA, consisting of a fixed penalty of £100, wheel clamping or court prosecution. [Source] See also: [Defeated MPs called ‘childish’ for destroying documents on immigration, citizenship cases] and [‘Most open government’ has a lot of catch-up to do] and [Privacy Advocates Fear Immigration ID Database]

UK – Councils Compile Databases Containing Over 9,000 ‘Troublemaking’ Residents

It has been revealed that council bureaucrats have been keeping secret databases of residents who have been involved in disputes with them. At least 9,000 people are on the lists, kept by more than 40 councils around England. The reasons for placing people on the databases vary from council to council but many of them are exceedingly trivial, such as arguing with a council official or a dustman. [Source] SEE ALSO: [Blogger Sues To See If Government Kept a File on Him] and also: [It’s All About Transparency: Without proper laws governing public disclosure of data security hacks, Canadians remain at risk] and [Toronto’s data open but almost useless]

E-Mail 

CA – Comments Sought in Anti-Spam Regulations

The entities that will implement Canada’s Anti-Spam Legislation have each released draft regulations for comment. Industry Canada’s draft regulations define what constitutes family and personal relationships, both exceptions to obtaining user consent under the proposed legislation, which could affect “forward to a friend” marketing campaigns. The Canadian Radio-television and Telecommunications Commission draft regulations address commercial electronic message content, the requirements for requests for express consent to send commercial messages, and notice and consent requirements. [Hunton & Williams’ Privacy and Information Security Law Blog] [Electronic Commerce Protection Regulations – Department of Industry – Canada Gazette] [CRTC – Telecom Notice of Consultation CRTC 2011-400: Call for Comments on Draft Electronic Commerce Protection Regulations (CRTC)]

Electronic Records

AU – Commissioner Eyes Tough E-Health Privacy Laws

Privacy Commissioner Timothy Pilgrim has proposed laws around e-health records in Australia that would tighten use and disclosure of data and penalise any privacy breaches. Pilgrim also proposed laws that would keep e-health record storage in Australia to combat data security concerns. The Privacy Commissioner made 32 recommendations in total on the operation of the Government’s planned $467 million personally-controlled electronic health record (PCEHR) system, which was to be implemented by the National E-Health Transition Authority (NEHTA). The proposed laws would regulate the permitted information flows of health records, restrict the secondary use and disclosure of records to avoid function creep, install transparent governance mechanisms and outline specific sanctions and remedies for breaches. Also sought were a set of minimum terms, rights and responsibilities for participation in the PCEHR by individuals and healthcare providers, and a mandate for uniform complaint-handling mechanisms. Lack of detail on the precise powers available to health users had upset key privacy organisations such as the Australian Privacy Foundation, whose chair, Roger Clarke, lambasted Health Minister Nicola Roxon over how the eHealth system would fulfil its privacy promise. [Source] See also: [Old Dominion U. professor is trying to save Internet history] and [Privacy concerns raised over Fiji electronic voter registration plans]

US – Experts Discuss Patient Access, Privacy

The biggest factor in revolutionizing the healthcare system will be patients’ access to their healthcare data. That’s according to healthcare experts at a forum in New York earlier this month. Neil Calman, CEO and co-founder of the Institute for Family Health, said patients will soon expect records in downloadable form, and HIPAA and other regulations will be amended to meet those demands. Experts also discussed privacy and security issues in moving patient data to the cloud. As of mid-July, the U.S. Department of Health and Human Services had recorded 292 health data breaches. Although six percent were due to hacking, that number is expected to increase. [Source] See also: [HHS – Notice of Proposed Rulemaking – 42 CFR Part 401 – Availability of Medicare Data for Performance Measurement] and [IPC Ontario paper: Dispelling the Myths Surrounding De-Identification]

Encryption

US – DOJ – We Can Force You to Decrypt That Laptop

The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. The Obama administration has asked a federal judge to order the defendant, Ramona Fricosu, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Because Fricosu has opposed the proposal, this could turn into a precedent-setting case. No U.S. appeals court appears to have ruled on whether such an order would be legal or not under the U.S. Constitution’s Fifth Amendment, which broadly protects Americans’ right to remain silent. [Source]

US – RSA Parent Company Spent US $66 Million in Q2 to Address Cyber Attack

RSA parent company EMC spent US $66 million in the second quarter of 2011 to deal with the cyber attack in which information related to RSA’s SecurID two-factor authentication tokens was stolen. EMC provided transaction monitoring for corporate customers concerned about the security of their tokens; the company also offered replacement tokens to companies that requested them. In a conference call regarding the company’s financial results, EMC executive VP David Goulden offered additional information about the attack, saying that customers were notified within hours after the company became aware of the breach, and that the company suspects the intruders were targeting defense and government information, not financial information. That assumption would be borne out if the breach did, as some have suggested, lead to the attempted attacks on computer systems at US defense contractors Lockheed Martin and L-3 Communications. [Source] [Source]

EU Developments

EU – Commission Begins Action Against States

The European Commission has started legal action against 20 member states for failing to implement telecommunications rules. The commission has written to the states to inquire about why they have not implemented the so-called telecoms package, which was to have been incorporated into practice by May 25. The rules include what has been a controversial mandate for websites to obtain users’ consent before placing cookies on their systems. To date, only Britain, Denmark, Estonia, Finland, Ireland, Malta and Sweden have implemented the rules. The states in question have two months to respond. [Reuters]

EU – Article 29 WP Issues Opinion on Consent

On July 13, the Article 29 Working Party, an independent advisory body to the European Commission, issued a 38-page opinion on the definition of consent. The opinion elaborates the meaning of key terms used in describing the conditions for valid consent, such as indication, freely given, specific, unambiguous, explicit and informed, and addresses the proper timing of consent. Numerous examples of valid and invalid consent are provided in this extended analysis, which also affirms the importance of using the appropriate legal grounds for processing personal data. The opinion paper concludes with a few recommendations relating to consent that the Working Party believes should be considered during the current review of the Data Protection Directive. [Coverage] See also: [German Supreme Court on the Admissibility of Marketing Calls – Federal Court, Press Office]

EU – Article 29 WP Issues Advice Paper on Special Categories of Data (“Sensitive Data”)

The Data Protection Directive categorizes some personal data as “sensitive”, including ethnic origin, philosophical beliefs, health data and criminal convictions. Challenges in interpreting the categories of sensitive data include the difficulty of defining “philosophical beliefs” (one court recognized “belief in climate change” as a philosophical belief), the status of photos of individuals (such images can reveal information about an individual’s ethnicity or health status) and major differences in the degree of sensitivity (e.g. health data may range from information about a simple cold to stigmatizing information about illnesses or disabilities). Challenges have also arisen in applying the exceptions to the general ban on processing sensitive data: sensitive data may be processed by a health professional, but it is not always clear who counts as a healthcare professional; there are no exceptions that permit processing of health information by schools (in the case of injury) or insurance companies (to conclude a health insurance contract); and the consent requirement may be problematic in the online environment (citizens rarely use the secure electronic signatures required for written consent). The categories of “sensitive data” should be expanded to include genetic and biometric data, and there is some interest in revising the approach to sensitive data to increase flexibility, i.e. a general definition of “sensitive data” that takes the context of processing into account, with member states given discretion to decide upon further data categories (e.g. creation of personal profiles, minors, information about financial situation, and geolocation data). [Source]

EU – European Commission Public Consultations on ePrivacy Directive

Comments are due by September 9 to resolve questions surrounding implementation of the ePrivacy Directive’s breach notification obligations, with the aim of determining whether additional measures are required to ensure harmonised national implementations. Areas where there is a risk of divergence at the national level include the threshold for notifying individuals or subscribers (notification is only required where their data or privacy will be “adversely affected”, which is open to interpretation), how the sufficiency of technological measures is assessed (notification is not required when technological measures render data sufficiently unintelligible), what is considered an “undue delay” (breach notification should be provided without “undue delay”), and the fact that the Directive does not specify the means by which notification should be provided (the means of notification should be common across the EU). Other areas that require clarification include the contents of notification (are there additional elements that should be included), how to deal with cross-border breaches (what should occur when a data controller is established in a different member state than where the breach occurred), and whether there are circumstances in which communications providers would be required to provide notifications under several laws (e.g. the Framework Directive also includes a notification obligation for providers of public communications networks or electronic communications services). [Press Release] [Consultation Document] See also: [EU – European Parliament Resolution of 6 July 2011 on a Comprehensive Approach on Personal Data Protection in the European Union (2011/2025(INI))]

EU – EDPS: Commission Ambiguous on Cookie Advice

The European Data Protection Supervisor (EDPS) says that the European Commission has offered “inconsistent advice to website owners on how they should obtain users’ consent to cookies.” EU Commissioner Neelie Kroes said last month that European companies had one year to create a uniform way for users to opt out of cookies and that she supported self-regulatory efforts, but EDPS Peter Hustinx says that neither a self-regulatory model nor a do-not-track model comply with EU Directive requirements. Hustinx says the directive’s requirements should be “fully respected,” and “The Commission should avoid any ambiguity” in making sure that transparency and consumer control online are delivered in the EU. [OUT-LAW News] See also: [Data Protection Commissioner, Ireland – Guidance Note on Data Protection in the Electronic Communications Sector] and [Draft Hungarian Law on the Data Breach Notification Framework and the New Cookie Consent Rule]

EU – European Data Protection Supervisor (EDPS) Issues Annual Report 2010

Consultations by the EDPS in 2010 included a request for access to the identity of an informant: the protection of whistleblowers and informants should be the same after the closure of an investigation, because the vulnerability of the whistleblower’s role and the risks to their privacy do not change depending on whether the investigation is open or closed with no follow-up. The further processing of data in an existing EU institution database for the purpose of providing its travel agency with ID data was determined to serve a different purpose incompatible with the initial purpose of collection and processing; the data protection covenant between the EU institution and the travel agency was deemed unclear (e.g. the reasons why and circumstances in which the travel agency acts as a processor and/or controller), and proper guarantees should be in place to ensure the rights of data subjects and to secure onward transfers by the travel agency to other recipients. With regard to a financial institution’s management of IT administrators’ access to personal data stored in IT systems and applications, the principle of segregation of duties must be applied, and a combined balance of organisational and technical measures should be implemented and documented. The monitoring of telephone communications above a predefined threshold could be considered a breach of employees’ right to privacy; the institution was asked to ensure that the threshold figure (which would trigger the sending of a list to management) is high enough to avoid unjustified monitoring and to identify only those cases in which there is clear or repeated abuse of the system, and to reassess the proposed system to determine whether other, less intrusive methods could be used.
Main objectives for 2011 include targeted monitoring exercises where the level of compliance at specific EU institutions and bodies is a cause for concern, on-the-spot inspections in those cases where the EDPS has serious grounds to believe that the compliance mechanism is blocked (this will be viewed as the final state before formal enforcement action), and inspections and audits in the field of large-scale IT systems falling within the remit of the EDPS. [Source]

EU – EU Lawmakers Upset by Microsoft Warning on U.S. Access to EU Cloud

Members of the European Parliament are expressing concern about the conflict between the European Union’s Data Protection Directive and the U.S. Patriot Act. Last week, Microsoft admitted that it may have to disclose European users’ data, found in its new cloud service, to U.S. authorities, while keeping transfer details secret. Such disclosure would be a violation of the directive, prompting MEP Sophie in’t Veld to ask, “Does the commission consider that the U.S. Patriot Act thus effectively overrules the EU Directive on Data Protection? What will the commission do to remedy this situation and ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over EU legislation?” [Computerworld]

EU – New Dutch Law to Deter Privacy Breaches

A new law expected to become effective this year will allow for the imposition of fines for data privacy violations. “People’s personal data are being used by others all the time, without their realizing it in the least,” said Dutch Data Protection Commissioner Jacob Kohnstamm, who is assisting the justice ministry in drafting the law. “The new, steep fines will make sure that people’s privacy will be respected.” Violators risk fines from 25,000 to several million euros. Kohnstamm has also announced that his office is investigating the presence of regional electronic medical records. [Radio Netherlands Worldwide] See also: [EU – EDPS Opinion on Notifications for Prior Checking]

EU – DPA Fines Agency for Employment Data Collection

The Italian Data Protection Authority (Garante) has found that collecting and processing the sensitive personal information of job applicants violates the law and has censured and fined a real estate agency for asking applicants “a disproportionate quantity” of personal questions. The Garante found the practice violated Italy’s Data Protection Code, and further investigation and sanctions may be forthcoming. “It is incredible that notwithstanding strong data protection legislation, we still experience similar shocking data processing in the employment field,” notes Rocco Panetta of Panetta & Associati, adding that such behaviours expose organizations “to enormous risks of sanctions.” (Article in Italian)

EU – EU Mulling Plans for New Rules on Data Breach Notifications

The European Commission is considering a set of “practical rules” to govern companies’ behavior in the case of a data breach. The announcement comes in the wake of a series of high-profile data breaches, including Sony’s announcement in April that the personal information of 78 million PlayStation users was stolen. The rules, which were outlined in Brussels, would specify the procedures and format for notifications. Until the early September deadline, the European Commission is seeking input from the public and from sources including national data protection authorities and consumer organizations. According to Neelie Kroes, the EU’s digital agenda commissioner, a section of the EU’s new telecoms rules came into force in May requiring companies to notify consumers and national data protection authorities of data breaches. But additional rules could ensure consistency throughout EU member nations. [Source]

EU – New Requirements for Data Protection Officers in Germany

German companies must appoint a data protection officer (“DSB”) when they have more than 10 employees engaged in automated processing, more than 20 employees engaged in non-automated processing, or process data in a manner that intrudes intensely on personal rights (e.g. when using video surveillance, chip cards or non-transparent procedures). Even where appointment of a DSB is not required, management remains responsible for meeting the provisions of the law by taking on the DSB’s tasks and reporting all automated processing to the data protection authorities in advance (a DSB may be appointed simply to avoid the prior-checking requirements, and companies can hire external DSBs, such as a specialized lawyer). DSBs must have knowledge of the relevant data protection provisions (including constitutional protections and any sector-specific legislation), data security technology (e.g. physical security of IT infrastructure, cryptography, spyware and network security), practical data protection management (e.g. executing controls, advising management, coaching employees, providing data protection strategies and recording data protection activities), and the enterprise’s technical and organizational structure (e.g. relevant process charts and internal organization). To ensure their independence, DSBs must report directly to company management, must not be bound by company instructions regarding data protection, and must be protected from dismissal (the DSB service contract should safeguard the autonomous fulfilment of his or her legal assignment for a term of 4 years if internal, or 2 years if external). Failure to meet the minimum DSB specifications may result in a €50,000 fine for each manager personally; companies may want to consider appointing a DSB even where not required, as previous non-compliance issues will generally not be punished. [Source]

UK – ICO Annual Report: Volunteer to Be Audited by Us, We Might Not Bust You

The Information Commissioner’s Office (ICO) released its annual report, which states that more companies should offer themselves up for voluntary audits. Last year, there were 603 reported data breaches, of which 186 occurred in the private sector. Of those businesses, 19% accepted the ICO’s offer of a free data protection audit. In the public sector, 71% agreed to the voluntary audit, the report states. “These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honor, showing that the business takes data security seriously,” said Information Commissioner Christopher Graham. [The Register] See also: [UK Information Commissioner’s Office Auditing Data Protection: a Guide to ICO Data Protection Audits | North West London Hospitals NHS Trust – Data Protection Audit Report Executive Summary] and [EU Article 29 Data Protection Working Party – Advice Paper on Practical Implementation of Article 28(6) of the Directive 95/46/EC (how Data Protection Authorities make use of their supervisory authority under Article 28(6) of the General Directive)]

UK – ICO: Jail Time Needed for Privacy Violations

A recent phone hacking scandal has prompted Information Commissioner Christopher Graham to call on the British government to implement prison sentences for those who use stolen personal data. The Information Commissioner’s Office previously recommended two-year prison terms for such offenses after a 2006 investigation into the sale of stolen personal data to journalists, the report states, but the government did not implement the proposal after journalists claimed it would limit free speech. In calling for stronger laws, Graham noted, “Unless people realize they can go to prison, it seems like a victimless crime.” [Bloomberg]

UK – ICO Publishes Guidance on Fines

The Information Commissioner’s Office (ICO) has released details on how it will use its new fining powers under the Privacy and Electronic Communications Regulations (PECR). Amendments to the PECR let the ICO fine up to £500,000 for offenses, and “It is possible that a single breach may be sufficient to meet this threshold,” the ICO says in its guidance, which offers insight into potential triggers for fines. Organizations will have the chance to weigh in on the guidance before it is adopted. [OUT-LAW.COM]

Facts & Stats

AU – Thousands of Privacy Breaches Going Unreported

There has been a 27% jump in the number of incidents of stolen or lost personal information reported to the Privacy Commissioner in the past year, but inadequate laws mean thousands of incidents go unreported. The Privacy Commissioner, Timothy Pilgrim, revealed his office had received 56 data breach notifications in the year to June 30, up from 44 in the previous year. However, Pilgrim warned that this only included responsible companies that voluntarily owned up to losing personal information, as the government had failed to introduce mandatory data breach notification laws. Pilgrim also revealed his office had opened 59 “own motion” investigations in the past year, usually following media reports of privacy breaches. These include investigations into Google, Telstra, Vodafone, Dell, Sony and most recently Medvet, which inadvertently left its order system for paternity and drug tests open to access via search engines. [Source]

CA – Statistics Canada to Stop Tracking Marriage and Divorce Rates

Statistics Canada will no longer collect and crunch numbers on the country’s annual marriage and divorce rates, a sign both of cost cuts at the agency and the changing nature of relationships, as definitions get fuzzier and harder to track. The national statistical agency published its last national figures on marriage and divorce rates last week. It has been collecting divorce data since 1972 and marriage data since 1921. It pegs the cost of reinstating the collection at $250,000. By the numbers:

  • 43.1% – Canadian marriages that are expected to end in divorce
    before the couple reach their 50th wedding anniversary
  • 26.8% – Marriages expected to end in divorce before a couple
    in Newfoundland and Labrador reach their 50th anniversary
  • 62.6% – Percentage of marriages expected to end in divorce
    by the time a couple in the Yukon reaches their 50th anniversary
  • 44 – Median age for Canadian men at divorce in 2008
  • 41 – Median age for Canadian women at divorce in 2008 [Source]

Filtering 

UK – Court Orders BT to Block Site Linked to Digital Piracy

A group of film studios represented by the Motion Picture Association (MPA), the international arm of the Motion Picture Association of America (MPAA), has won a court order against British ISP BT to block the Newzbin2 filesharing website. A British High Court judge has ordered BT to block users’ access to the members-only website that offers links to movies and television programs available on Usenet boards. [Source] [Source] [Source] [Source] [Newzbin2 response]

Finance

CA – OPC Guidance on Private-Sector Anti-Money Laundering Databases

To help financial institutions conduct their due diligence around identifying “politically exposed people” (i.e. people who may abuse their position of power for private gain), private-sector anti-money laundering database providers have emerged, who compile databases of sanctioned individuals and entities (from publicly available government and NGO lists) and scrub the financial institution’s customer lists against the database. Privacy issues with these databases emerge as a person may be removed from a government list but remain in the database provider’s list (the individual would have difficulty determining whether or not their name had been de-listed from the database and there is no indication of an appeal process being available), and jurisdiction issues arise (it may be difficult for a foreign national taking issue with a Canadian financial institution, or a Canadian taking issue with a foreign financial institution, to make a claim regarding enhanced due diligence to the OPC). Private-sector anti-money laundering database providers also identify “persons of special interest” who may be high-risk, and there appear to be no limits on what information is being collected or how it is being incorporated into a risk assessment for possible money laundering risk (the determination of who is “high-risk” is made without any transparency, and based on information that may or may not be correct, with potential harm to the individual’s relationship with the financial institution). [Source]

CA – Best Practices in Privacy and Anti-Money Laundering/Counter-Terrorist Financing

The federal Privacy Commissioner has published recommendations for Canada’s anti-money laundering regime that include providing mechanisms for the sharing of information between financial institutions to help detect patterns of money laundering (PIPEDA does not currently permit such sharing, as is allowed under the USA PATRIOT Act), ensuring suspicious activity reports are only filed based on reasonable grounds that the transaction is related to the commission of a money laundering or terrorist financing offence (a “report all” philosophy and reports based on crimes like tax evasion raise questions about the proportionality of Canada’s financial intelligence unit’s activities), and providing practical guidance on privacy issues for those at highest risk of privacy transgressions (e.g. point-of-sale staff in real estate, insurance, accounting, or casinos). Other recommendations include imposing operational controls on the centralization of suspicious activity reports in an organization’s head office (e.g. enterprise-wide policies on the exchange of suspicious activity reports, well-defined procedures for transmission of sensitive data, and a regular review of the effectiveness of the arrangement in terms of meeting its objectives and adherence to policies) and creating legislation to ensure the confidentiality of the source of suspicious activity reports when responding to access requests or production orders (financial institution employees will hesitate to report their concerns if they believe the legal safeguards are insufficient to protect them and their families). [Source]

US – Banks’ Billion-Dollar Idea: Sell Your Shopping Data

Many of the nation’s leading banks and card issuers, including Wells Fargo, Citi, USAA, Sovereign Bank and Discover, are selling information about consumers’ shopping habits – how much they spend, where they shop and what they buy – to retailers. Retailers are using the data to offer targeted discounts via text, email and online bank statements. Each time a consumer cashes in on one of those deals, the retailer pays the bank a nice commission. At a time when government regulation is forcing banks to hike fees and eliminate consumer perks, selling consumers’ shopping data is an easy way not only to generate a decent chunk of revenue but also to drum up some much-needed customer loyalty. Aite Group, an independent Boston-based research firm specializing in financial services, forecasts that these merchant-funded incentives will drive $1.7 billion in annual revenue for card issuers by 2015. [Source] See also: [Morgan Stanley warns 34,000 customers of data breach]

UK – Banks Face More Privacy Complaints from Customers than Any Other Group

Banks have attracted more customer complaints than any other group over allegations of mishandling sensitive information, the privacy watchdog reveals today. Lenders routinely lost, released or wrongly recorded personal data, the Information Commissioner warned in his annual report which detailed 603 complaints. But the true scale of privacy and data breaches could be much higher, because the private sector is not obliged to report complaints to the Information Commissioner. [Source]

US – Financial Industry Group Releases Social Media Guidance

Financial services industry group BITS, a division of the Financial Services Roundtable, has released guidance addressing social media risks and use. “Social Media Risks and Mitigation“ analyzes issues such as compliance, legal, operational and reputational risks. The report discusses three main types of social media use, including communication between an institution and its customers; employees’ personal and professional use of social media within the institution, and employees’ and vendors’ use outside of the institution. [Hogan Lovells’ Chronicle of Data Protection]

US – Little-Known Firms Tracking Data Used In Credit Scores

Atlanta entrepreneur Mike Mondelli has access to more than a billion records detailing consumers’ personal finances – and there is little they can do about it. The information collected by his company, L2C, comes from thousands of everyday transactions that many people do not realize are being tracked: auto warranties, cellphone bills and magazine subscriptions. It includes purchases of prepaid cards and visits to payday lenders and rent-to-own furniture stores. It knows whether your checks have cleared and scours public records for mentions of your name. [Source] See also: [Comments of The Electronic Privacy Information Center To The Federal Trade Commission “Public Workshop and Request for Public Comments and Participation”]

EU – EU Exploring Its Own Funds-Tracking Program

In the wake of objections by many EU officials to a program that allows the U.S. to access European financial transactions as part of efforts to fight terrorism, the European Commission has presented its own proposals for tracking finances of suspected terrorists. The plans “are aimed at ending the primary role of the United States in those efforts,” quoting Commissioner Cecilia Malmström’s statement that an EU system “would need to fully respect fundamental rights and, in particular, ensure a high level of data protection.” One of the EU’s primary goals will be to limit the amount of data sent to the U.S. [The New York Times] See also: [European Data Protection Supervisor – Opinion on the Proposal for a Regulation of the European Parliament and of the Council Establishing Technical Requirements for Credit Transfers and Direct Debits in Euros and Amending Regulation]

WW – SpyEye Trojan Can Evade Fraud-Detection Algorithms

Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people’s online bank accounts, according to new research from security vendor Trusteer. SpyEye can harvest credentials for online accounts and also initiate transactions while a person is logged into their account. In its latest versions, SpyEye has been modified with new code designed to evade the advanced systems banks have put in place to try to block fraudulent transactions. [Source] See also: [Mac OSX passwords can be pilfered with new tool]

FOI

CA – Saskatoon Privacy Concerns Made Public

The province’s information and privacy commissioner and the City of Saskatoon are again at odds over the city’s handling of access to information issues and the tension seems to be on the rise. In his annual report for the 2010-11 fiscal year released last week, Gary Dickson cited four different investigations relating to problems he found with the City of Saskatoon over different issues. [Source] See also: [Modernize Saskatchewan privacy law] and [Frank Work: Time for Alberta government to deliver on promise of greater transparency] and also: [OIPC BC – Data Sharing in a Gov 2.0 World – Commissioner’s June 2011 Keynote Address to the Edmonton Access and Privacy Conference]

CA – Police Board to Reconsider Policy of Simultaneous Release of FOI Requests

The Vancouver police board will review the department’s policy of releasing information requested under the Freedom of Information and Protection of Privacy Act simultaneously to both the requester and the public, after being told by FOI advocates it is not adhering to the spirit of the law. Vincent Gogolek, the executive director of the B.C. Freedom of Information and Privacy Association, said the Vancouver police department remains the lone holdout on a questionable policy that many view as a deterrent to people asking for information under the act. In May, provincial information and privacy commissioner Elizabeth Denham slammed BC Ferries’ practice of posting FOI requests online before or as it releases a copy to the original requester. Last month, Vancouver council unanimously adopted a policy of not engaging in such practices. And on Tuesday the provincial government changed its policy to give requesters at least 72 hours with the documents before posting them online for others to see. But the police board has so far refused to accept the position of the provincial FOI commissioner or city council’s motion. [Source] See also: [OIPC BC – Balancing Privacy and Openness: Guidelines on the Electronic Publication of Decisions in Administrative Tribunals]

Genetics

UK – Police to Retain DNA Profiles of Innocent People

Details of innocent people’s DNA will be retained by police despite a pledge by the government that they would be deleted, Home Office minister James Brokenshire has admitted. Rather than keeping an innocent person’s complete profile on the national DNA database, it will be retained in an anonymised form, which would leave open the possibility of linking the information with people’s names. This would mean that the profiles would be considered to have been deleted (even though the DNA profile record, minus the identification information, will still exist). Commenting on the latest developments, Daniel Hamilton, director of privacy lobby group Big Brother Watch, said: “James Brokenshire’s letter confirms that the details of more than a million innocent people will remain on the national DNA database. “This is a disgraceful U-turn on the part of the government. It represents a betrayal of an explicit commitment made in the coalition agreement and stands in contravention of a ruling by the European Court of Human Rights banning the retention of innocent people’s DNA.” [Source] [Source] See also: [Garante Per La Protezione dei Dati Personali – General Authorisation for the Processing of Genetic Data, June 24, 2011]

US – Appeals Court: OK to Check DNA of Those Arrested

A closely divided 3rd U.S. Circuit Court of Appeals has found that the collection of DNA samples from people arrested – but not yet convicted – of crimes is constitutional, in an opinion released today. In a precedent-setting ruling, the appeals court rejected U.S. District Judge David S. Cercone’s 2009 order finding that law enforcement could not collect DNA from Ruben Mitchell, who faces a federal charge of attempting to possess and distribute five kilograms or more of cocaine. Judge Cercone had found that requiring pre-trial detainees to submit DNA samples, which is done under the DNA Analysis Backlog Elimination Act of 2000, violates the 4th Amendment’s search and seizure rules. In an 8-6 ruling, the circuit judges found that people who are arrested have “a diminished expectation of privacy in their identities.” Outweighing their privacy, they found, is the importance to law enforcement of correctly identifying people who are charged with crimes, determining their criminal history, potentially linking them to unsolved crimes and promptly ruling out involvement in a crime in cases in which the DNA does not match that found at the scene. [Source]

US – FBI’s Next Gen Identification: Bigger and Faster but Much Worse for Privacy – EFF

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from an FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how the FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database. The FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.” The FBI does not just collect and store data from people caught up in the criminal justice system; about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database.
Both DHS and the FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records. Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Two of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise. The third reason for concern is that once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone’s actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.” [Source: Electronic Frontier Foundation]

Health / Medical 

US – Snooping Celebrity Medical Records Cases Settled

Years after hospital employees were accused of snooping into the medical records of celebrity patients, UCLA Health System agreed to pay an $865,000 US settlement for potential violations of federal privacy laws. The settlement that UCLA reached with federal regulators did not name the stars involved and did not require the hospital system to admit liability. The investigation by the U.S. Department of Health and Human Services revealed that workers repeatedly accessed patients’ electronic health records between 2005 and 2008. The hospitals have agreed to report to a federal monitor on the implementation of their corrective plan over the next three years. In 2008, California Department of Public Health officials announced results of their own investigation into the privacy breaches and found that UCLA hospital workers had inappropriately accessed records of 1,041 patients since 2003. The hospital later disciplined 165 employees through firings, suspensions and warnings. At least two former UCLA employees have faced criminal charges for medical privacy violations. The headline-grabbing breaches led California legislators to pass a bill boosting the maximum fine for privacy breaches at health facilities from $25,000 US to $250,000 US. The UCLA Health System includes Ronald Reagan UCLA Medical Center, Santa Monica-UCLA Medical Center and Orthopedic Hospital, and the UCLA Medical Group, a network of primary and specialty care satellite offices. [Source] See also: [Beth Israel Hospital Notifies Patients of Data Events] [Wake Forest Breach] and also: [Brown v. Mortensen – 51 Cal. 4th 1052; 2011 Cal. LEXIS 6103 – Supreme Court of California]

US – Preliminary Settlement Reached in Class Action

WellPoint has reached a preliminary settlement in a class-action lawsuit involving the exposure of 600,000 health applicants’ sensitive data. The suit, filed in March 2010, alleged that the company failed to protect the privacy of those affected. The settlement would see WellPoint provide two years of credit monitoring to those involved and would entitle class members to reimbursement for instances of identity theft. The settlement will be approved or declined after a November fairness hearing. In July, the company agreed to pay a $100,000 fine in a settlement with the Indiana attorney general’s office for notification failures surrounding the incident. [American Medical News]

US – E-Health Records Still Scare Most of Us

Nearly 80% of consumers surveyed earlier this year said they’re wary of electronic health records because they’re concerned that their personal information might be stolen or lost if it were kept in an EHR system. The online survey, conducted by Harris Interactive for Xerox in February and released last week, polled 2,720 U.S. adults, the majority of whom felt that their personal information could be misused if it was stored electronically. Of those surveyed by Harris Interactive, 78% indicated they were concerned about hackers accessing EHR systems; 64% said they were worried about the threat of lost, damaged or corrupted files; and 62% cited concerns over the misuse of electronic healthcare information. 23% of the respondents said that they believe patients have the least to gain from a conversion to digital records. [Source] See also: [Will HIPAA Audit Program Become Model?] and [CA – Missing Cancer Care Ontario packages put health info of 12,000 at risk] and [Office of the Australian Information Commissioner – Submission to the Department of Health and Ageing on the Draft Concept of Operations: Relating To The Introduction Of A Personally Controlled Electronic Health Record (PCEHR) System]

US – HIPAA Audits to Begin Soon

The Department of Health and Human Services announced that it will soon begin its HIPAA compliance audits mandated under the HITECH Act with 150 onsite audits to be conducted by KPMG by the end of 2012. The scope of the audits, the selection process for being audited and whether audits will be used as an enforcement or education tool are all unknown. Due to the volume of covered entities, the likelihood of being audited is small, but organizations should review their programs and ensure they are effective and up-to-date. The report states that Booz Allen Hamilton has been contracted for “audit candidate identification.” [GovInfoSecurity]

CA – Physicians Reluctant to Share Patient Data

Even during the H1N1 pandemic in 2009, doctors in Canada were reluctant to disclose identifiable patient data, in order to protect patient privacy, researchers say. Five focus groups with 37 family doctors from across Canada provided insights into the reasons they were reluctant to share patient data. The physicians said they were concerned about the privacy of their patients, and did not know whether the data uses would be limited to dealing with the pandemic. They did not perceive that they or their patients would get direct benefits back from giving data to public health, and there were concerns about how the data could be used to evaluate their performance, the study says. “Patient data needs to be properly anonymized, and health care practitioners must be provided with timely and actionable feedback,” El Emam said. [Source]

US – Expert Analyzes Reported Health Data Breaches in 2011

The Mayo Clinic Center for Social Media’s Christopher Burgess reviews reported patient data breaches from January to June of this year to show how the various incidents could have been avoided. With more than 87 breach incidents affecting approximately five million patients in the first five months of this year, Burgess opines, “Sadly, being compliant is not synonymous with being secure.” Burgess breaks down the reported breaches into hardcopy, digital and identity theft incidents and provides recommendations to mitigate the risks surrounding patient data protection. [Source]

CA – Regina Doctor Responsible for ‘Largest Breach of Patient Privacy’ in History

Saskatchewan’s privacy watchdog is recommending the province consider prosecuting a Regina physician under the Health Information Protection Act (HIPA) in connection with several boxes of patient files that were discarded in a south Regina recycling bin in March. Calling it the largest breach of patient privacy the office has encountered since the act came into force in 2003, information and privacy commissioner Gary Dickson released a report that names Dr. Teik Im Ooi as the “trustee responsible for the records” that were hauled out of the blue bin. About 180,000 pieces of patient personal health information were recovered, including 2,682 patient files as well as daily activity reports from the Albert Park Family Medical Centre. [Source] [Report] [Sask. official slams doctor over major patient privacy breach] See also: [Beth Israel reports potential data breach] and [Patient alleges Tufts breached privacy]

Horror Stories

KR – Personal Data of 35 Million Hacked In Attack on South Korean Social Media Sites

The personal information of about 35 million Internet users in South Korea was stolen in an alleged hacking attack that originated in China, officials said. Hackers purportedly attacked popular Internet and social media sites Nate and Cyworld, stealing data such as user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. South Korean police said their investigation could take several months. [Source] [Source] See also: [Toshiba cops to data breach potentially affecting 7,520 US customers] and [UK: Dozens of students accessed in York Uni data breach] and [Privacy breach at Cape Breton health authority] and [South Korean Court Orders $1M Payment for Collecting iPhone Location Data Without Consent] [Korea: Apple may face class action over tracking] and [US: Post’s jobs section hacked, exposing 1.3 million user IDs, e-mail addresses] and [Toshiba Breach Could Affect 7,520 U.S. Customers]

CA – Officials: Missing Records Show EMRs Needed

Ontario’s privacy commissioner is investigating a breach that occurred when Cancer Care Ontario mailed about 12,000 cancer screening tests. Commissioner Ann Cavoukian, echoing the sentiment of Premier Dalton McGuinty, said the loss supports the case for reliable electronic medical records systems, adding, “In this day and age, how could Cancer Care Ontario decide to send hard copies of sensitive personal data of patients through the mail? How could Canada Post have lost track of the records?” Cancer Care Ontario alerted the commissioner’s office of the missing screening tests on June 27. A search for the records turned up about 5,000 in physicians’ offices. [itbusiness.ca]

US – Insurer Gets Fined for Slow Breach Notification

Indiana Attorney General Greg Zoeller announced on Tuesday that an Indiana-based insurer will pay a $100,000 fine and take other steps for waiting months to notify 32,000 customers of a data breach. Wellpoint has agreed to pay the fine; provide up to two years of credit monitoring and identity theft protection to affected customers, and reimburse up to $50,000 for breach-related losses. “This case should be a teaching moment for all companies that handle consumers’ personal data,” said Zoeller. A Wellpoint spokeswoman said the company has made security changes to prevent further breaches. [Associated Press]

AU – Commissioner: Breach Due to Human Error, Investigation Closed

Privacy Commissioner Timothy Pilgrim has closed his investigation of Telstra’s data breach, saying it “was caused by a one-off human error,” and the company “adequately dealt with the matter.” According to Pilgrim, the incident breached the Privacy Act, but it was “not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act.” A Telstra spokesman acknowledged the commissioner’s finding and assured that the company has put measures in place to prevent a similar breach in the future. [ZDNet] [Report] [Press Release]

Identity Issues

AU – Victoria, Western Australia Fight ID Theft With Document Checks

Victoria and Western Australia have signed up to use a document-verification service, which aims to nip identity theft in the bud by cross-referencing documents between government agencies. When a government agency receives a document that requires verification, it sends an encrypted request to the document-issuing agency, which will return a positive or negative response. The service, which forms part of the government’s National Identity Security Strategy (NISS), ensures that proof-of-identification documents can be verified in real time, and that the documents are authentic, accurate and up to date, while ensuring that the individual’s privacy is maintained. Now that the two states have joined the service, government agencies from participating states will be able to confirm the validity of Victorian and WA driver licences, and Victorian birth certificates. The announcement comes shortly after a recent survey, which found that one in six Australians are affected by ID theft. [Source]

WW – Controversial Phone App Offering Background Checks is Back

A mobile application that allows people to conduct background checks is back in the marketplace. The app was first launched for the iPhone in 2009, but was pulled by Apple due to privacy concerns. BeenVerified has relaunched the app, which searches online public records for information on a name entered into the system by the user, saying that it merely modernizes the information databases that already exist. But some privacy advocates and cybersecurity experts say the risk of stalking and identity theft outweighs the benefits of the service. “There are deep implications for privacy even if it’s not certain these tools violate the law,” says an Electronic Frontier Foundation spokesperson. [The Star-Ledger]

UK – Photographer’s Parakeet Pics: Did They Breach Privacy?

An amateur photographer whose pictures of government officials ‘destroying’ parakeet nests sparked police action, is unlikely to have breached UK data protection rules, the privacy watchdog has told Amateur Photographer (AP). Hertfordshire Police has been forced to publicly apologise after officers warned bird enthusiast Simon Richardson that he faced being sued for breach of privacy if his pictures were published in the press. [Source] See also: [Online critics of former Aurora mayor can remain anonymous: judge] and [Google+ Identity Crisis: Google Revised Real Names Policy] and [Privacy not a guarantee for war criminals] and [US: Neighbour from hell jailed 18 years for cyber ‘campaign of terror’]

Intellectual Property 

US – ISPs Agree to Copyright Violator Penalty System

Major US ISPs have agreed to a system that could allow them to disrupt Internet service for habitual copyright violators. Among the providers participating are Comcast, Time Warner and Verizon. The ISPs will issue warnings at first, but after six violations, the plan calls on the providers to take steps such as reducing Internet speed or redirecting users to “educational” pages about copyright infringement. The plan does not directly call for cutting off access altogether, although the services may do that if they choose. The agreement has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Critics of the agreement have expressed concern that users’ Internet access could be cut off with no judicial review. [Source] [Source]

US – Judge Reduces Thomas-Rasset’s File Sharing Verdict to US $54,000

Calling the original amount “appalling,” US District Court Judge Michael Davis has reduced a US $1.5 million jury verdict against Jammie Thomas-Rasset to US $54,000. This is the third trial in a case brought by the Recording Industry Association of America (RIAA) against Thomas-Rasset for sharing 24 songs over KaZaA. Thomas-Rasset is the first person the RIAA took to court over illegal filesharing. Although the RIAA maintained that judges do not have the authority to lower jury verdicts in cases involving the Copyright Act, Judge Davis said that his decision was made in the interest of fairness; the verdict was “so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.” [Source] [Source] See also: [Sony insurer says it’s not liable for breach-related costs]

Internet / WWW 

EU – More Online Surveillance Needed, Officials in Europe Say

Days after the bombing and shootings in Oslo, politicians and police around Europe say they want increased Internet monitoring. Officials from Finland, Estonia and Germany have all called for expanded monitoring powers as a possible preventive measure. In the aftermath of the tragedy, a Twitter message, a YouTube video, and a 1,500-page manifesto written by the Norwegian who has confessed to the crimes have been found online. However, at least some law enforcement agencies seem to be aware of the delicate nature of striking a balance between surveillance and security. “Freedom of speech always comes first,” said Mikko Paatero, Finland’s national police commissioner, in an interview with YLE. “Writings on the Internet have to have a clear criminal intent if the police are to get involved and contact those people,” he added. [Source] See also: [Let’s Stop Deluding Ourselves About Online Privacy]

CA – Google Adds Pedal Power to Its Street View of Toronto

Google is poised to make the online view of Toronto more detailed by adding a trike to its Street View fleet. The trike, a pedal-powered three-wheeler carrying cameras and guided by GPS, will be used to reach places around the city that are not accessible by the Street View car. The trike is an addition to a Street View fleet that includes a car, a snowmobile, and a hand trolley used for building interiors like museums and galleries. [Source] See also: [Privacy, contact updates added to Google+ Social network is tweaked with new tools for contacts and an opt out for gender identification] and [Google dealing with privacy bugs in Google+] and [Former Google Employee Offers Insight into the company’s attitude on privacy and efforts toward creating a social network]

US – Groupon Changes Privacy Policy to Collect, Share More Information

Groupon has e-mailed its 83 million subscribers to announce changes to its privacy policy, including that it will begin collecting more information about its customers to share with its business partners. It will also begin using geolocation information for marketing purposes. The expanded categories of information Groupon will now collect include user habits and interests, which it will share with third parties. It now shares contact, relationship, transaction and mobile location information. The company has also released details on the ways it collects and uses such information. [Washington Post] [Groupon Privacy Issue: Does Groupon’s New Policy Compromise Users?]

WW – Cloud Storage Company Sued for Breach

A class-action lawsuit filed in a U.S. District Court in California claims that a cloud storage provider failed to secure data or notify users of a data breach. The suit claims breach of express and implied warranties, invasion of privacy and negligence, among other transgressions, alleging that a system glitch allowed logged-in Dropbox users to view others’ data. A company blog post said the breach affected fewer than 100 people, and the company will implement additional safeguards. The suit seeks an order requiring the company to better secure its site, as well as damages, costs, injunctive relief and attorney fees, states the report. [News and Insight]

Law Enforcement

EU – Anonymous Hacks Italy’s Cybercrime Police

Italy’s specialist police unit responsible for combating cybercrime suffered an embarrassing hack by members of the loosely knit Anonymous hacktivist galaxy. In a communique posted on Twitter, the hacker group claimed to have obtained more than 8 gigabytes of internal data from what it called the “Homeland Security Cyber Operation Unit in Europe” and said it would publish all the material it had obtained from its Italian branch. The group said it had “owned” the server of the National Center for Computer Crime and the Protection of Critical Infrastructure (CNAIPIC) of the Italian police and would be publishing the material via the LulzSec and Anonymous communities under its #AntiSec campaign. [Source] See also: [Attackers Were in German Police Computers for Months | Source #2 | Source #3]

CA – Ontario Police to Seal Non-Criminal Mental Health Records

Ontario police chiefs are moving to seal off sensitive mental-health information from being disclosed when their forces provide background checks for job seekers or would-be volunteers. The change is part of new guidelines unveiled by the Ontario Association of Chiefs of Police to address the patchwork of procedures used by forces across the province. Police verifications are common for people applying to be security guards, truck drivers, warehouse employees or casino workers. Schools, nursing homes and other organizations dealing with vulnerable people also use police checks to screen job seekers or volunteers. While the guidelines are not binding, members of more than 50 forces, including the Ontario Provincial Police, have started training to use them. Police forces in British Columbia and Manitoba are preparing similar initiatives, but Ontario is the first to draft consistent, province-wide guidelines. [Source] See also: [Toronto police strip searches increasing] [Austrian atheist wins the right to be shown on his driving-licence photo wearing a pasta strainer as “religious headgear”]

UK – Big Brother Watch: Over 900 Police Staff Caught Misusing Databases

More than 900 police personnel were disciplined for unlawful data protection practices in the past three years, privacy campaigners have said. Figures released by 36 police forces in England and Wales under freedom of information (FOI) requests by Big Brother Watch (BBW) stated that 904 police officers and civilian employees were disciplined for offences under the Data Protection Act in the three years up to 1 June 2011. The figures also showed that 98 police officers and civilian staff left the force after management discovered their unlawful activity. One police officer accessed information about their neighbour, while a police sergeant passed information about his ex-wife to his solicitor, the statement said. In Dorset a police officer resigned and was referred to crown prosecutors after disclosing information about the supply of class A drugs to a third party, the statement said. [Source] [UK: Police officers and staff breach data protection act]

UK – Lancashire Police Authority in Data Protection Breach

The CEO of Lancashire Police Authority has signed an undertaking with the Information Commissioner’s Office after the authority was found in breach of the Data Protection Act. The breach occurred when the authority accidentally published details of an individual’s complaint on its website. According to the ICO, the details were disclosed “after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online”. The authority failed to remove the information for four days after the complainant contacted the Police Authority about the breach in January. [Source]

Location

US – Senate Committee Told NSA Phone Location Data Tracking is “Complex Question”

The subject of the National Security Agency (NSA) tracking US citizens through mobile-device location data arose during a hearing of the Senate Select Committee on Intelligence, which was part of the process of determining whether NSA general counsel Matthew Olsen should become head of the National Counterterrorism Center. Olsen said there could be circumstances under which the NSA would have the authority to use mobile device location data to track US citizens within the US. Olsen said the powers to do so were granted under the Patriot Act. He noted that “it is a very complex question.” A memo clarifying the issue is expected to be prepared for committee members. [Source] [Source]

WW – Google Street View Cars Nabbed Locations of Wi-Fi Devices

Google Street View cars are at the center of a brand new privacy scandal after it was revealed that the search giant collected the street addresses and unique identifying information for millions of laptops, media players, and other wireless devices. And until recently, the data was available to anyone who put in the right Google search. The story emerged when the French data protection authority confirmed that its investigation had turned up the Street View cars’ questionable data collection practices. Back in March, CNIL fined Google 100,000 Euros, or $143,000, but at that time it was unclear if the issue extended to client devices. Google has been collecting this data despite an earlier public statement claiming that “we collect the publicly broadcast MAC addresses of Wi-Fi access points.” There’s no opt-out method. And as noted above, the data was available through the Google search engine until late June. [Source] See also: [Microsoft Releases Wi-Fi Data-Gathering Source Code | Source #2 ] See also: [In Re Google Street View Electronic Communications Litigation – 2011 U.S. Dist. LEXIS 71572 – United States District Court for the Northern District of California (subscription required)]

US – Proposed Alternative to Gas Tax Raises Privacy Concerns

Amid the growth of fuel efficiency and alternative fuel vehicles, governments are trying to find ways to recoup some of their gas-tax dollars by taxing mileage. Nevada residents were presented with the idea of using GPS systems to track mileage, and more than 80% opposed it, most often citing privacy concerns. Another method being tested is one in which a transponder mounted to the car tells the gas pump how many miles the car has travelled and tacks on the appropriate mileage tax to the gas price. The University of Nevada at Las Vegas is conducting the test with 25 drivers and says the transponders are not capable of tracking vehicles. [Las Vegas Sun]

Offshore

HK – Hong Kong Moves Closer to New Privacy Amendment

A bill that addresses transfers of personal data for direct marketing purposes has been introduced to Hong Kong’s Legislative Council for final approval. The Personal Data (Amendment) Bill 2011 addresses concerns about recent data transfers of customer information for direct marketing without users’ consent and acts on proposals from an April public discussion report. If the bill passes the Legislative Council, it would require Hong Kong companies making data transfers for direct marketing purposes to alert data subjects of the transfer’s purpose as well as the type of data to be transferred and to whom. It would also allow the privacy commissioner to assist data subjects seeking legal redress after breaches. [InsidePrivacy] [Office of the Privacy Commissioner for Personal Data, Hong Kong – Data User Return Scheme: Consultation Document | Press Release] See also: [Outsourcers look to data security transparency for competitive advantage] Privacy as a Selling Point: Forbes reports on the continued use of privacy as a competitive differentiator in the marketplace, pointing out how some companies are asserting their privacy strengths, sometimes by highlighting their competitors’ privacy weaknesses. [Forbes] [ZDNet] [Source] and [Privacy by Design: A Boon to Business] [Indian Market Embracing CPOs] [Start-Ups Considering Privacy in Business Plans]

Online Privacy

WW – Online-Privacy Tools Fail to Prevent Tracking, Study Warns

A new study by Stanford University researchers has found many online advertising companies continue to follow people’s Web activity even after users believe they have opted out of tracking. The preliminary research has sparked renewed calls from privacy groups and Congress for a do-not-track law to allow people to opt out of tracking, like the do-not-call list that limits telemarketers. “I think industry self-regulation is a joke,” shot back U.S. Rep. Jackie Speier, D-Calif, who has proposed legislation allowing the FTC to regulate online tracking. “It’s precisely why we need the FTC to regulate them. For those who say, ‘Privacy, get over it,’ I absolutely reject that.” Stanford’s research looked at 65 online advertising companies, including big companies such as Google, Yahoo, Microsoft and AOL and smaller, lesser-known companies such as x+1, eXelate and BlueKai. It found that half the companies continued tracking even after consumers opted out. In online tracking, advertisers follow a web user’s movements to glean personal details to develop profiles and deliver targeted advertising. The study has prompted a privacy group, Consumer Watchdog, to ask the FTC to investigate whether eight online advertising companies engaged in deceptive trade practices by saying they would delete “tracking cookies” but actually left them in place. Since the study’s release, several online advertising companies have abruptly revised their privacy policies to acknowledge that they may continue to collect data even after consumers opt out at an advertising industry website, or enable “Do Not Track” features in the newest versions of Mozilla’s Firefox browser or Microsoft’s Internet Explorer 9. A group representing online advertisers, the Network Advertising Initiative, said its opt-out site is intended to allow consumers to opt out of advertising, not the data-collection it says is needed. 
At the site, consumers can check an opt-out box, which produces a message that says: “You have opted out of this network.” For customers who opt out, NAI and companies like Yahoo and Microsoft say these cookies are only collecting data to make sure advertising on websites works properly – not to target ads. “Online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud,” Chuck Curran, executive director of NAI, wrote in a blog post last week. [Source] See also: [US: Under threat of regulation, tech industry takes on challenge of Internet privacy] and [US – Study Finds 12.5% of Companies Violating Own Do-Not-Track Policies] and also: [US: The special relationship between Facebook and law enforcement] and [US: Harvard Researchers Accused of Breaching Students’ Privacy] and [UK: Online advertising comes under MPs’ scrutiny over privacy concerns] and [FTC – Prepared Statement on Internet Privacy: The Views of the FTC, FCC and NTIA, before the House Subcommittee on Commerce, Manufacturing and Trade | Statement of Commissioner J. Thomas Rosch, Dissenting in Part]

WW – Yahoo Condemned Over Plans to Snoop on Emails on Behalf of Advertisers

Internet giant Yahoo has been condemned over plans to snoop on emails in a ‘blatant intrusion of privacy’. The US company provides an email service for thousands of Britons, including children, who will assume that the system is completely private. However, it has emerged that Yahoo has changed its small print terms and conditions to get permission to view and scan emails. At the same time, the firm will also be able to spy on incoming emails from individuals and businesses without permission or warning. Yahoo is pressing ahead with the change on the basis it will allow the company to identify which celebrities, subjects, sports, hobbies and products a particular customer is interested in. In future, it would use the information to target the customer with website advertising and product information that is relevant to these areas. The Yahoo customer visiting a range of websites would then see pop-up advertisements that are relevant to keywords in outgoing and incoming emails. Yahoo said customers will receive a pop-up asking them to agree to the new terms and conditions. It said: ‘Users who choose to accept the new terms will allow Yahoo’s computer systems to identify words, links, people and subjects from their email, so that we can deliver exciting new product features. ‘In time, we will also serve relevant ads.’ The company said customers can opt out of internet-based ads by going to http://info.yahoo.com/privacy/uk/yahoo/ [Source]

US – Company to Certify Ad Network Clients

Evidon, a company behind Digital Advertising Alliance (DAA) you-are-being-tracked icons, is rolling out a new program to certify some of its clients. The program, dubbed GreenLight, aims to demonstrate which networks comply with self-regulatory principles and to act as “an additional level of best practices beyond simple compliance with the DAA program.” Thus far, 10 of the more than 40 ad networks that work with Evidon are participating in GreenLight, which requires them to use Evidon exclusively or as a default and provides additional training about the privacy program. [MediaPost News] See also: [EU EASA Best Practice Recommendation on Online Behavioural Advertising]

WW – Facebook Glitch Reveals Private Videos

A Facebook spokesman said a problem which allowed videos uploaded to Facebook to be viewed by anyone on their friends’ list, regardless of whether they have been given access to the clip, has been fixed after being live for one week. Videos can be more sensitive than photos, so it is important that Facebook’s privacy controls, which allow members to restrict who has access to the videos, work as promised. The glitch over the past week allowed any “Friend” to view a listing of their friends’ Facebook videos, including a name, thumbnail, description, and anyone tagged in the picture. [Source] See also: [Nordic countries grill Facebook on privacy]

WW – Zynga Makes Privacy a Game with PrivacyVille

Zynga is ditching the usual fine print of a privacy policy for, what else, a game. That game, called PrivacyVille, is launching today. And it’s not really a game as much as a tutorial on the social gaming company’s privacy policies. The reward is that players who follow along and learn about the company’s practices for protecting users’ personal information get redeemable points. Zynga cautions that the PrivacyVille game is supposed to be educational, and is “not a substitute” for the company’s official privacy policy or Privacy Center, which details how Zynga deals with your personal information. Last week, Zynga announced its plans to go public. The company is expected to raise about $1 billion through its IPO. [Source] [Source]

WW – Fitness Site Exposes Calorie Burning Activities

An online fitness tracking company, which encourages users to share calorie-burning activities through the company’s website, has reset its new-user defaults to “private” after unknowingly exposing some users’ intimate activities. Fitbit has historically made user profiles public to promote competition, but a spokesperson said the company did not intend for “the sharing of intimate information.” About 200 users’ activities were searchable online. The company has contacted search engines to remove the data, hidden all activity records on its site and removed identifiable information from user profiles. “Out of a desire to have a successful ‘social strategy,’ too many companies are choosing to publicize their users’ information as much as possible,” the report states. [Forbes]

Other Jurisdictions

RU – Russia Amends Federal Data Protection Law

In early July the upper house of Russia’s federal legislature approved amendments to the country’s federal data protection law which were subsequently approved by President Medvedev on July 26. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute’s data subject consent provisions. The amendments, to be followed by interpretive regulations, will come into force when they are published in the official newsletter. Russia’s underlying federal data protection law finally came into effect on July 1, after five years of delays. The new rules allow personal data to be transferred outside of Russia to EU member states or to nations that are approved by a Russian federal agency authorized to designate countries that can guarantee adequate protection for personal data. In addition, personal data may be transferred with the prior written consent of data subjects, or if required by Russian federal legislation or international treaties. [Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise]

US – Privacy Law Reform Revived in Australia

According to Malcolm Crompton, former Federal Privacy Commissioner, the process of reviewing and reforming the Privacy Act 1988, the main law protecting privacy in Australia, was all but stalled in recent years but has now been revived by the Minister for Privacy, Brendan O’Connor. His July 21 call for a consultation on whether to introduce a statutory cause of action for serious invasions of privacy rapidly led to a renewal of interest in reforming other portions of the Act. The revival was also spurred by the late June release of a 292-page report on the exposure draft of the Australian Privacy Principles and privacy legislation by the Senate Finance and Public Administration Committee. [Senate Finance and Public Administration Legislation Committee – Exposure Drafts of Australian Privacy Amendment Legislation – Part 1: Australian Privacy Principles]

AU – Australia Pressured on Data Breach Laws

Data breach notifications have been flagged as one of the pressing issues to be tackled under a multinational joint action plan outlined by the attorneys general of the US, UK, Canada, New Zealand and Australia last week. Australia is falling far behind with its progress on holding organizations accountable for breaches, with every other country either having implemented or close to implementing mandatory notifications. Australia currently doesn’t have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission’s report on privacy, released in 2008. The attorneys general also said that they would look to have internet service providers develop codes of practice to stem malware similar to Australia’s iCode, which has already attracted US interest. [Source] See also: [Government to Consider Privacy Statute] [Source] [Source] [Source] [Cybercrime Legislation Amendment Bill 2011 – Parliament of the Commonwealth of Australia | Source #2 ]

MX – Privacy Regulations Issued for Public Comment

Mexico’s secretary of economy and the Federal Institute for Access to Information and Data Protection have released privacy regulations for public comment. The rules and guidelines established by the proposed regulations are for the implementation of the country’s Federal Law on the Protection of Personal Data in the Possession of Private Parties. According to the report, the regulations cover jurisdictional issues; notice and consent details; data controller and processor relationships; data transfers and security; self-regulation; data subjects’ rights; automated processing, and enforcement. [Hunton & Williams’ Privacy and Information Security Law Blog] See also: [Law on the Protection of Personal Data – Peru]

AU – AGs to Discuss Parental Access, Suppression Orders

Australia’s attorneys general are looking into whether laws should be created to give parents access to their children’s social networking accounts. In spite of privacy concerns, “We need to look at the policing that occurs, who can and should do it and how do you do it,” said South Australian Attorney General John Rau. But one privacy advocate says a knee-jerk reaction could “undermine an existing law and relationships between children and parents.” Meanwhile, a study in the U.S. indicates that 55% of parents there use social media to keep an eye on their children. [The Australian] [High-Wire Act: Cyber Safety and the Young – Parliament of the Commonwealth of Australia: Full Report ]

Privacy (US)

US – New Privacy Guidelines Would Give FBI Leeway to Abuse Privacy

25 years ago, Congress passed the Federal Privacy Act. In an effort to end the abuses committed by the FBI against anti-war and civil rights activists that director J. Edgar Hoover disliked, Section (e)(7) of that Act prohibited any agency of the federal government from “maintaining records describing how any individual exercises rights guaranteed by the First Amendment… unless pursuant to and within the scope of an authorized law enforcement activity.” The FBI and the federal courts have spent the last 25 years honoring that statute in the breach; and Congress seems perfectly satisfied to let them do so. And as reported in the New York Times on June 13, the FBI is again about to amend its Domestic Investigations and Operations Guide to further thumb its nose at the privacy act. The new guidelines, according to the Times, will allow some 14,000 FBI agents more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. [Source]

US – Netflix Video Provider to Halt Social Network Launch

Video rental provider Netflix announced this week that it will delay the launch of its Facebook integration in the U.S. due to legal issues. The Facebook feature would allow Netflix subscribers to share movie-viewing information with friends online, but the Video Privacy Protection Act (VPPA) is ambiguous as to “when and how a user can give permission for his or her video viewing data to be shared,” Netflix wrote in a letter to its shareholders. A proposed amendment to the VPPA intends to clarify consent requirements for sharing. Netflix faces several lawsuits for past alleged VPPA violations. [Hunton & Williams Privacy and Information Security Law Blog]

US – New Theory of Harm in Data Breach Cases

Plaintiffs in data breach claims have been unsuccessful in convincing courts that they have suffered harms as a result of a breach, but “a new theory that claims a property right in personal information has recently been tried,” writes Andrew Clearwater, CIPP, in an article for the current edition of the IAPP’s Privacy Advisor newsletter. Clearwater says that, under this theory, “a data breach causes a loss of personal information property and, therefore, a concrete or particularized harm has been realized.” The approach is being tested in a case against RockYou Inc. [Source]

US – Third Suit Filed After PIN Pad Breach

A class-action lawsuit claims that Michaels Stores took almost three months to warn customers that their debit cards’ PIN numbers may have been stolen in a breach spanning 20 states. The class action, filed in New Jersey’s Passaic County Court, claims that the company “failed to take any commercially reasonable steps to safeguard its customers’ nonpublic, sensitive, personal and financial account information…making its consumers an easy target for third-party skimmers,” and that customers were harmed because of the delay in notice they received following the breach. The suit is the third class-action filed since news of the breach broke. [Courthouse News Service]

US – Obama Nominates Ohlhausen to FTC

President Barack Obama has said he plans to nominate Internet policy expert Maureen Ohlhausen to replace Commissioner William Kovacic at the FTC. Ohlhausen is currently a partner in law firm Wilkinson Barker Knauer’s privacy, data protection and cybersecurity practice. From 2004 to 2008, she served as a director in the FTC’s Office of Policy Planning. Ohlhausen worked on an Internet task force during that time, exploring issues surrounding e-commerce and marketing. [The Washington Post]

Privacy Enhancing Technologies (PETs)

US – NIST Issues Privacy Controls for Federal Information Systems

The National Institute of Standards and Technology proposed adding privacy controls to its catalog of security controls for federal information systems, by releasing a draft 34-page Privacy Appendix for public comment through September 2, 2011. The 23 controls specified in the draft provide a structured way of assessing and ensuring that privacy requirements, deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance, as well as from international standards and best practices, are satisfied in federal information systems. Examples of the controls include transparency, data minimization, use limitation, data quality, and individual access and redress. The privacy additions to the guidance would:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements.
  • Establish a linkage and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in concept and in implementation.
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls.
  • Promote closer cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements.

Though the recommendations are aimed at federal agencies, NIST understands and encourages other organizations to adopt its privacy and security guidance. NIST is accepting public comment on the privacy addendum, known as SP 800-53 Appendix J, at sec-cert@nist.gov through Sept. 2. [Source]

US – Online Privacy Company Receives $5.2M for Growth

Two venture capitalist companies have invested $5.2 million in a Cambridge, MA, company that provides online privacy services to Internet users. “Privacy is the next consumer Internet frontier,” said one investor, while another touted the company, Abine, for creating a “one-stop shop for consumer online privacy.” Abine’s president, Bill Kerrigan, said, “Controlling our online privacy has become a universal issue: consumers want basic choice and control over how their personal information is tracked, collected and used.” [The Boston Globe]

US – Appeals Court: TSA Can Keep, But Must Rethink Airport Body Scans

The TSA violated federal law when installing controversial full-body scanners in U.S. airports without following proper procedures, a federal appeals court ruled. The D.C. Circuit Court of Appeals in Washington, D.C., rejected arguments from the Obama administration that the TSA was exempt from laws requiring federal agencies to first notify the public and seek comments. “It is clear that by producing an image of the unclothed passenger, (a full-body) scanner intrudes upon his or her personal privacy in a way a magnetometer does not,” wrote Judge Douglas Ginsburg for the three-judge panel. Ginsburg said he would not order TSA to immediately halt the full-body screening—which resulted in a near-revolt by air travelers last fall—but instead instructed “the agency promptly to proceed in a manner consistent with this opinion.” [Source] [Source] and also: [Source]

US – TSA Announces Privacy-Boosting Software for Full-Body Scanners at Airports

Air travelers at Raleigh-Durham International Airport will soon be able to board their planes without images of their unclothed bodies being viewed by security personnel. The federal Transportation Security Administration said Wednesday it will upgrade its full-body scanners with new software designed to protect travelers’ privacy. The so-called Automated Target Recognition software eliminates the image of an actual passenger on the screen, replacing it with a generic outline. Passengers will be able to see the same image viewed by security officers. The software is designed to recognize items in the image that could pose a security threat. A TSA spokeswoman said it will be several months before the new software is installed in the 40 airports that have the machines. [Source]

WW – New Strategy: Privacy by Redesign

Building privacy into an organization’s system from the start is a smart, effective solution that can yield strong results. But what about systems that already exist without privacy? A new concept called Privacy by Redesign, by Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, looks to bring privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, and create a consent management system. [Source]

WW – Cisco Issues Product Development Guidelines for Engineers & Product Managers

Summary: Application developers should use Privacy by Design as a means to ensure that privacy features and functions are essential components of any new software development (and not bolted on as an add-on). The guidelines cover three areas:

  • Data minimization: reduce the amount of data collected (avoid collecting sensitive data and only collect information that is absolutely necessary for the purpose); reduce the retention period (no longer than the time necessary to accomplish the intended business purpose or required by law); and reduce the sensitivity of the data, either by reducing its precision (e.g. if a customer phone number is to be used for statistical analysis, retain only a subset of the digits such as the area code) or by converting its form (e.g. when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town).
  • Installing software on a customer’s system: provide the customer with notice and get explicit consent prior to installation of any software, including automatic updates; digitally sign software with a certificate from a well-known, trusted certification authority; and provide customers with a mechanism to track automatic updates that have been installed and a means to stop subsequent updates.
  • Deploying servers: get explicit opt-in consent from an Application or System Administrator prior to transfer of data from the server over the Internet (disclose any known privacy implications for server features); provide or identify a mechanism that helps an Instance Administrator prevent disclosure of user data and that allows an Application or System Administrator to manage distribution of data outside of the organization or firewall (such as a group policy); and give the System Administrator the ability to override decisions made by Application Administrators.

[Source]
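The data minimization guidance in the Cisco item (keep only the area code of a phone number, map an IP address to a city and then discard the address, keep records no longer than the retention period) is mechanical enough to show in code. The following is an added Python example written for this digest; it is not Cisco’s code and does not reflect any Cisco implementation. The network-to-city table, the 90-day retention period and the sample events are constructed for illustration only; a real deployment would use a geolocation database and the retention period its business purpose or law requires.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed lookup table (assumption): IP network -> city. A production system
# would consult a geolocation database here; only the city ever leaves this function.
CITY_BY_NETWORK = {
    ipaddress.ip_network("198.51.100.0/24"): "Springfield",
    ipaddress.ip_network("203.0.113.0/24"): "Shelbyville",
}

# Assumed retention period for the statistics records (not from the guidelines).
RETENTION_DAYS = 90


def phone_area_code(phone: str) -> str:
    """Reduce precision: keep only the 3-digit area code of a North American number."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):  # strip country code
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("expected a 10-digit NANP number")
    return digits[:3]


def ip_to_city(ip: str) -> str:
    """Convert form: map the address to a coarse location and return only the city."""
    addr = ipaddress.ip_address(ip)
    for network, city in CITY_BY_NETWORK.items():
        if addr in network:
            return city
    return "unknown"


def minimize_event(event: dict) -> dict:
    """Build the record kept for statistical analysis.

    Only the reduced fields are copied; name, full phone number and IP address
    are never written to the output, so nothing downstream can retain them.
    """
    return {
        "area_code": phone_area_code(event["phone"]),
        "city": ip_to_city(event["client_ip"]),
        "timestamp": event["timestamp"],
    }


def purge_expired(records: list, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Enforce the retention period: drop records older than the cutoff."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["timestamp"] >= cutoff]


# Constructed sample input: raw events as an application might have logged them.
NOW = datetime(2011, 7, 31, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"name": "Alice Example", "phone": "+1 (212) 555-0123",
     "client_ip": "198.51.100.7", "timestamp": NOW - timedelta(days=2)},
    {"name": "Bob Example", "phone": "4165550199",
     "client_ip": "203.0.113.44", "timestamp": NOW - timedelta(days=120)},
    {"name": "Carol Example", "phone": "1-604-555-0188",
     "client_ip": "192.0.2.9", "timestamp": NOW - timedelta(days=10)},
]


def run_demo():
    """Minimize every raw event, then apply the retention cutoff."""
    minimized = [minimize_event(e) for e in RAW_EVENTS]
    kept = purge_expired(minimized, NOW)
    return minimized, kept


if __name__ == "__main__":
    minimized, kept = run_demo()
    for record in kept:
        print(record)
```

The point of structuring it this way is that minimization happens at the boundary: the analytics record is constructed from reduced values rather than by deleting fields from a copy of the raw event, so a later change that adds a field cannot accidentally reintroduce the raw identifier, and the retention check runs on the same records so expired data cannot linger in a second store.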

RFID 

CA – ePassports Won’t Come With Anti-Skimming Sleeves

Passport Canada says it won’t be issuing protective sleeves for its new electronic passports because the high-tech made-in-Canada booklets are safe from the so-called skimming problems seen in the U.S. Ottawa-based Canadian Bank Note Company said it was awarded the contract to design and manufacture ePassports, which will be issued to Canadians sometime in 2012. A radio-frequency identification (RFID) chip will store the name, gender, date of birth, passport number and digital photo of the traveller. [Source]

Security

WW – Is IT Remote Access Support Compromising Data?

Data breaches are more prevalent and more costly than ever. Smarter technologies seem to breed smarter hackers, making it difficult for IT to keep up. But sometimes IT unwittingly helps the bad guys by improperly using core tools, such as remote support mechanisms. According to a Verizon report which examined more than 700 data breaches from 2010, a whopping 71% of all attacks were conducted through remote access and desktop services pathways. [Source] See also: [Apple MacBook batteries found vulnerable to malware] SEE ALSO: [What the #!%*!?: The definitive guide to phone-hacking]

WW – Insiders: Primary Points of Compromise

Last week’s arrest of Gary Foster, the former Citi exec who’s been accused of embezzling more than $19 million through wire transfers, has left the industry a little dumbfounded. How could a mid-level executive in the bank’s treasury department manage to fraudulently push that much money through legitimate transfers? It all happened right under the bank’s nose, and it took almost a year to detect. “It’s such a classic case of insider fraud, how did he go so long without being caught?” When it comes to internal fraud and the damage it causes, banks and credit unions often fail in three critical areas:

  • Internal fraud is misclassified;
  • Institutions underestimate how reports of internal fraud breed mistrust among consumers; and
  • Not catching and stopping internal schemes quickly adversely affects consumers,
    who often fall victim to identity theft.

Banks and credit unions can address internal fraud with more transaction and behavioural monitoring, but most financial institutions aren’t willing to make the investment. [Source] See also: [‘Low-risk’ border crossers in Nexus program caught smuggling goods into Canada]
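As an added example of the transaction and behavioural monitoring the piece recommends (illustrative code, not the bank’s or any vendor’s logic), the following Python scores each new wire against the initiating employee’s own history and alerts only when several independent signals coincide. The employee IDs, vendors, amounts and approval fields are constructed.

```python
"""Behavioural monitoring for insider wire fraud: score each outgoing wire
against the initiating employee's own history and alert on a combination of
weak signals (amount far above baseline, unfamiliar beneficiary, self-approval,
off-hours entry) rather than on any one of them.  Added example with
constructed transactions; it is not the bank's or any vendor's detection
logic."""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev


def build_baselines(history: list[dict]) -> dict:
    """Per-employee mean and spread of wire amounts, plus beneficiaries paid before."""
    amounts, payees = defaultdict(list), defaultdict(set)
    for t in history:
        amounts[t["initiator"]].append(t["amount"])
        payees[t["initiator"]].add(t["beneficiary"])
    return {
        emp: {"mean": mean(a), "sd": pstdev(a) or 1.0, "payees": payees[emp]}
        for emp, a in amounts.items()
    }


def signals(txn: dict, baselines: dict, z_limit: float = 3.0) -> list[str]:
    """Return the independent reasons this wire looks unlike the initiator's past."""
    base = baselines.get(txn["initiator"])
    reasons = []
    if base is None:
        reasons.append("no history for initiator")
    else:
        z = (txn["amount"] - base["mean"]) / base["sd"]
        if z > z_limit:
            reasons.append(f"amount {z:.0f} sd above baseline")
        if txn["beneficiary"] not in base["payees"]:
            reasons.append("new beneficiary")
    if txn["approver"] == txn["initiator"]:
        reasons.append("self-approved")
    if not 8 <= txn["hour"] < 18:
        reasons.append("outside business hours")
    return reasons


def flag(transactions: list[dict], baselines: dict, min_signals: int = 2) -> dict:
    """Wires carrying at least min_signals reasons, keyed by transaction id."""
    alerts = {}
    for t in transactions:
        why = signals(t, baselines)
        if len(why) >= min_signals:
            alerts[t["id"]] = why
    return alerts


def demo() -> dict:
    # Constructed history: one treasury employee paying two regular vendors.
    history = [
        {"initiator": "emp42", "beneficiary": "vendor-A", "amount": 48_000},
        {"initiator": "emp42", "beneficiary": "vendor-A", "amount": 52_000},
        {"initiator": "emp42", "beneficiary": "vendor-B", "amount": 50_000},
        {"initiator": "emp42", "beneficiary": "vendor-B", "amount": 49_000},
        {"initiator": "emp42", "beneficiary": "vendor-A", "amount": 51_000},
    ]
    today = [  # constructed new wires to score
        {"id": "W-1001", "initiator": "emp42", "beneficiary": "vendor-A",
         "amount": 52_000, "approver": "mgr7", "hour": 10},
        {"id": "W-1002", "initiator": "emp42", "beneficiary": "vendor-C",
         "amount": 51_500, "approver": "mgr7", "hour": 14},
        {"id": "W-1003", "initiator": "emp42", "beneficiary": "acct-9931",
         "amount": 900_000, "approver": "emp42", "hour": 21},
    ]
    return flag(today, build_baselines(history))


if __name__ == "__main__":
    for tid, why in demo().items():
        print(tid, "->", "; ".join(why))
```

Requiring two or more signals is what keeps the alert volume workable: a new vendor on its own (W-1002) is routine business, but a new beneficiary combined with a self-approved amount hundreds of standard deviations above the employee’s norm is exactly the pattern a year of undetected transfers would have shown from the first wire.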

US – ‘Military Meltdown Monday’ — 90K Military Usernames, Hashes Released

Hackers operating under the Anonymous banner have broken into a server belonging to consultancy firm Booz Allen Hamilton and published a database containing some 90,000 military e-mail addresses and hashed passwords, in what they named Military Meltdown Monday. Unlike the passwords taken from government contractor IRC Federal, the passwords from the Booz Allen system were hashed with SHA-1. That makes reusing the released credentials against further systems harder than a plaintext dump would, but SHA-1 is a fast general-purpose digest rather than a password-hashing function, so weak passwords in the dump can be recovered by dictionary attack, and further damage could follow. Booz Allen has tweeted that it does not comment on security issues. [Source]
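To make the cracking point concrete, here is an added example (not the leaked data or any tooling from the story) of a dictionary attack against unsalted SHA-1 digests, beside the salted, deliberately slow PBKDF2 storage a server should use instead. It assumes the dump was unsalted, which the report does not state; the accounts, passwords, digests and wordlist are all constructed.

```python
"""A dictionary attack against unsalted SHA-1 password digests, beside the
salted, deliberately slow PBKDF2 scheme a server should store instead.  Added
example, not the leaked data: the accounts, digests and wordlist are
constructed, and the dump is assumed to be unsalted (the report says only
"SHA-1")."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted_sha1(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Recover every password in the wordlist; returns (account -> password, hash ops).

    Without a salt, one digest per candidate serves every account at once, so
    the cost is the wordlist size, not wordlist x accounts, and the table can
    be precomputed before the dump is even obtained.
    """
    table = {sha1_hex(w): w for w in wordlist}
    found = {acct: table[h] for acct, h in leaked.items() if h in table}
    return found, len(table)


def reused_passwords(leaked: dict[str, str]) -> list[list[str]]:
    """Unsalted digests expose password reuse across accounts before any cracking."""
    groups = defaultdict(list)
    for acct, h in leaked.items():
        groups[h].append(acct)
    return [accts for accts in groups.values() if len(accts) > 1]


# What the server should have stored: a salt per account and slow key derivation.
ITERATIONS = 50_000


def pbkdf2_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk, stored)


def crack_pbkdf2(leaked: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same wordlist against salted records: every candidate is re-derived per account."""
    found, ops = {}, 0
    for acct, (salt, dk) in leaked.items():
        for w in wordlist:
            ops += 1
            if pbkdf2_verify(w, salt, dk):
                found[acct] = w
                break
    return found, ops


def demo() -> dict:
    wordlist = ["password1", "summer2011", "letmein", "qwerty"]
    passwords = {  # constructed accounts; weak passwords on three of four
        "alice@example.mil": "summer2011",
        "bob@example.mil": "password1",
        "carol@example.mil": "c0rrect-h0rse-7-staple!",
        "dave@example.mil": "password1",
    }
    sha1_dump = {a: sha1_hex(p) for a, p in passwords.items()}
    pbkdf2_dump = {a: pbkdf2_record(p) for a, p in passwords.items()}
    sha1_found, sha1_ops = crack_unsalted_sha1(sha1_dump, wordlist)
    pbkdf2_found, pbkdf2_ops = crack_pbkdf2(pbkdf2_dump, wordlist)
    return {
        "reused": reused_passwords(sha1_dump),
        "sha1_found": sha1_found, "sha1_ops": sha1_ops,
        "pbkdf2_found": pbkdf2_found, "pbkdf2_ops": pbkdf2_ops,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the run makes visible: with unsalted digests, identical passwords are spotted (and the whole dump is attacked) with one hash per guess, whereas salted PBKDF2 forces a separate derivation per guess per account, each ITERATIONS times slower. The weak passwords still fall in both cases; what protects the fourth account is the password itself, which is why a breach of hashed credentials still warrants forced resets.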

US – Government Agency Breached, 24K Files Accessed

Deputy Defense Secretary William Lynn has announced that a foreign intelligence service accessed 24,000 Pentagon files by hacking into an unnamed government contractor in March. The disclosure came during the release of the Pentagon’s new strategy for military operations in cyberspace, which outlined a more proactive approach to cybersecurity. “Current countermeasures have not stopped this outflow of sensitive information,” Lynn said during a speech at the National Defense University. “We need to do more to guard our digital storehouses of design innovation.” [The New York Times] See also: [US – Report Details CPO, CISO Roles]

WW – Carefully Thought-Out Patching Strategy Pays Off

A recently issued report underscores problems inherent in the way most organizations handle security patches. According to “The Secunia Half Year Report 2011,” organizations that implement a well-thought-out patching strategy lower their vulnerability risk by as much as 80%. The number of plug-ins and other third-party programs on endpoints makes the problem even more intractable: a company that patches all of its Windows flaws will still have more than three-quarters of its flaws unpatched. Secunia found that patching the most popular programs reduced risk by 31%, while patching the most critical programs reduced risk by 71%. “The analysis reveals that timely patching of the software portfolio of any organization is like chasing a continually moving target.” [Source] [Source] [Free online patching tool]

Surveillance 

WW – The Biggest Privacy Risk? Your Spouse

A new Retrevo Gadgetology study shows that spying among spouses and dating partners has reached new highs. According to the study, 30% of men and 35% of women admit to having checked the e-mail or call history of someone they’re dating without that person knowing, and 32% of men and 41% of women admit to doing the same to their spouses. Seventeen percent discovered their spouse was cheating. [Source] [US: Judge rules use of GPS to track a cheating spouse is not an invasion of privacy]

Telecom / TV

UK – Britain’s Phone Hacking Inquiry Opened

An inquiry into Britain’s phone hacking scandal (a.k.a. “Voice Mail Bad Password Scandal”) has officially begun; Lord Justice Brian Leveson said that public hearings will commence in September. The inquiry was ordered by Prime Minister David Cameron. The inquiry will examine ethics and regulation not only of the British press, but of the BBC and social media as well. The breadth and depth required of such an inquiry lead some to doubt that a report will be ready in a year’s time. [Source] [Source] [Source] See also: [OIPC SK – Best Practices: Mobile Device Security]

US – Judge Grants Wiretapping Appeal

A federal judge has ruled that Google may appeal last month’s ruling that the company’s Street View information-gathering practices constituted illegal wiretapping. With more than a dozen consolidated lawsuits seeking damages from the company, U.S. District Judge James Ware said that his ruling is the first of its kind, according to the report, and that an appellate court is better equipped to decide the case. Ware said, “Thus, in light of the novelty of the issues presented, the court finds that its June 29 order involves a controlling question of law as to which there is a credible basis for a difference of opinion and also finds that certification of the June 29 order for appeal would materially advance the litigation.” [Wired] See also: [Garante Per La Protezione dei Dati Personali – Smartphones and Tablets: Current Scenarios and Operational Perspectives]

US Government Programs

US – Intelligence Agency Wrestles With Phone Location Data Tracking

The National Security Agency (NSA) is considering surveilling U.S. citizens by intercepting mobile device location data. The agency is now determining whether it has the legal right to do so, according to NSA general counsel Matthew Olsen. U.S. law prevents intelligence agencies from spying on U.S. citizens within U.S. borders. But at a Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law hearing this week, Olsen said he believes there are “certain circumstances where that authority may exist.” [InformationWeek Government]

US – Government Scolded for Data Breach Notification Delays

The Treasury Inspector General for Tax Administration has criticized the IRS for not notifying taxpayers quickly enough when their personal information had been compromised. Draft cybersecurity legislation introduced by the Obama Administration would require companies to notify consumers affected by data breaches within 60 days. But in a sample of 100 incidents between July 2010 and February 2011, breach notification letters were sent out to victims 86 days after the fact in 20 percent of the cases. In five percent of the cases, victims weren’t alerted because IRS employees failed to document those affected, and 21 percent weren’t alerted because the agency didn’t believe a threat existed. [nextgov]

US – GAO Audits Gov’t Agencies’ Social Media Policies

The Government Accountability Office (GAO) has audited the social media policies and procedures of 23 government agencies and issued a 90-page report disclosing the results. The GAO’s information security director writes, “Without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information and secure federal systems and information against threats.” The audit found that 12 of the 23 agencies have social media policies and procedures in place, 12 have updated privacy policies, and seven have identified security risks. [GovInfoSecurity] See also: [Vladeck Talks Social Networks, Do Not Track]

US – GAO Report: DOD Faces Challenges In Its Cyber Activities

Although the Department of Defense (DOD) may cultivate a reputation as the best equipped of the government agencies to defend against cyber security threats, a report from the US Government Accountability Office (GAO) notes that “keeping pace with the magnitude of cyber security threats DOD faces currently and will face in the future is a daunting prospect.” While the US may dominate in land, sea and air presence, the costs and technology required for adversaries to enter cyberspace are far lower. The report applauds the DOD’s creation of the US Cyber Command, but says that “it is too early to tell whether this will provide the necessary leadership and guidance DOD requires to address cyber security threats.” The GAO report pointed out areas in which the DOD needs to improve coordination, illustrating the problem with a 2008 cyber infection that prompted directives from a variety of military and civilian organizations, none of which were coordinated with any of the others. [Source] [Source] [Report] [Source]

US – Commission Issues Smart Grid Resolution

California’s state utility regulators have adopted a new resolution on smart grid principles, and the National Association of Regulatory Utility Commissioners (NARUC) has adopted a resolution of its own stating that state commissions should consider privacy when implementing the smart grid. The NARUC resolution supports implementation of smart grid technology but notes the importance of consumer education and engagement. NARUC will also release a best practice guide on consumer privacy, which it says is essential. State commissions should “review existing privacy policies and, if necessary, adopt or update their policies to ensure that they properly address the privacy concerns created by smart meter data collection,” the resolution says, adding that third parties should also be required to comply. [Smart Meter News]

US Legislation

US – House Judiciary Committee Passes Bill with ISP Data-Retention Mandates

The House Judiciary Committee has passed HR 1981 after defeating an amendment that would have limited the bill’s requirement that ISPs retain records of subscribers’ IP addresses for one year and make them available to law enforcement on an administrative subpoena. If approved, the Protecting Children from Internet Pornographers Act would eliminate the need for a court order to obtain such information, prompting arguments that the bill grants the Justice Department too much power and would create a rich database for hackers to target. The committee did adopt amendments requiring ISPs to comply with the bill’s privacy standards and encouraging breach notification. [Broadcasting & Cable] [US: Lawmakers push for children’s online privacy law] and: [Resistance to ISP Data Retention Proposal] and [OECD – The Protection of Children Online: Risks Faced by Children Online and Policies to Protect – OECD Digital Economy Papers, No. 179]

US – Two Cybersecurity Bills Introduced in Senate

Two bills focusing on data breach response have been introduced in the U.S. Senate. One bill, introduced by Sens. Thomas Carper (D-DE) and Roy Blunt (R-MO), would require financial institutions, retailers and federal agencies to protect personal information, investigate breaches and notify customers of a breach. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country,” said Carper. Meanwhile, Sen. Dianne Feinstein (D-CA) has introduced the Data Breach Notification Act of 2011, which would require organizations to notify customers when their personal information is breached. “It is past time,” Feinstein said, “for Congress to pass a national breach notification standard.” [TechJournal South] See also: [Don’t Foist Euro-Style Online Privacy On The U.S]

US – The SAFE Data Act: An Admirable Attempt That Needs Expansion

Some of the controversy over the SAFE Data Act, introduced by Rep. Mary Bono Mack, concerns the limited definition of “personal information” that would trigger breach disclosure and notification. The bill defines “personal information” as an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that individual:

  • Social Security number;
  • driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; or
  • financial account number, or credit or debit card number, together with any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

If enacted, the bill would pre-empt state laws. Consider the many recent hacks in which databases of user IDs or usernames plus passwords were acquired and posted on the Internet. A username and password do not meet the SAFE Data Act’s definition of “personal information,” even though that information can readily be used for unlawful conduct such as breaking into e-mail or online banking accounts where the user has reused the same credentials. The bill now goes to the full committee. [Source]

Workplace Privacy

US – No Summer Holiday for HR Data Breaches

Nine breaches of HR data were reported in July: Washington Post (user IDs and e-mail addresses of 1.3 million users of the newspaper’s online job section compromised by hacking); Nyack Hospital (NY) (1,400 current and former employees exposed to ID theft by the theft of a computer); Estée Lauder (an undisclosed number of employees and contractors impacted by the theft of a laptop); Swedish Medical Center (WA) (personal information, including SSNs, of 20,000 current and former employees made accessible on the Internet unintentionally); TSA (dozens of TSA employees at Sky Harbor International Airport suffering loss of banking information and deposits possibly via credit card skimming); Meridian Health System (an undisclosed number of employees jeopardized by the overnight theft of computer equipment from the home of an employee in Asbury, NJ); Lumberton Independent School District (TX) (theft of a laptop from a car impacting an undisclosed number of employees); JetBlue (an undisclosed number of employees impacted by the placement of malware on a corporate system); and Pfizer (a laptop stolen from an employee’s car potentially revealing personal information of an undisclosed number of employees). SEE ALSO: [US phisher who hit 38,500 gets long prison sentence] AND ALSO: [Nothing replaces face-to-face meetings, but Rypple’s use of social media can ease evaluations for both employee and manager] and [NYT: Social Media History Becomes a New Job Hurdle] and [Could you pass a Facebook Background Check?] and, finally, [Datainspektionen, Sweden – Checklist for Employers on CCTV in the Workplace]

+++
