01-31 August 2011


US – Scientists Warn Face Recognition Searches Pose ‘Ominous’ Privacy Risks

Computer-based facial recognition will pose a serious threat to people’s privacy in the near future, according to Alessandro Acquisti of Carnegie Mellon University, who undertook the work with partial funding from the U.S. Army after conducting experiments using nothing more than a webcam-enabled PC and access to Facebook. Presenting the results at the Black Hat computer security conference in Las Vegas, Acquisti said: ‘Facial visual searches may become as common as today’s text-based searches.’ Working with fellow researchers Ralph Gross and Fred Stutzman, the team set up a computer, webcam and facial recognition software at the university and asked willing participants to peer into the camera and have their faces scanned. Using a database of 5,000 publicly available student Facebook profile pictures, the recognition software correctly identified the face in 31% of cases – most in under 3 seconds. The team also created software for the iPhone that scanned sites such as Facebook to come up with a positive match and the corresponding vital statistics of the subject. According to Acquisti, widespread facial recognition poses ‘ominous risks for privacy’, as publicly available databases could allow anyone to bring up a person’s real name and other information using only a quick face shot. According to the website CNET, the university researchers also compared 277,978 Facebook profiles against 6,000 profiles from an on-line dating site. The team were able to match 1 in 10 of the site’s members with their real names. [Source] See also: [Will Privacy Concerns Spawn the Faceless Book?] [Bruce Schneier: Developments in Facial Recognition] and [Mug-Shot Industry Will Dig Up Your Past, Charge You to Bury It Again]

EU – Germany Asks Facebook to Disable Facial Recognition

The head of the German data protection authority has asked Facebook to disable its facial recognition feature over concerns that it violates European Union privacy laws. Johannes Caspar, head of the Hamburg Data Protection Authority, sent Facebook a letter, in which he argued that facial recognition amounts to unauthorised data collection on individuals. Caspar has given Facebook two weeks to respond. This is far from the first time Facebook’s facial recognition feature has been criticised – the feature was introduced in December, and it’s been constantly attacked since. Pushback against the feature increased in June after security firm Sophos warned Facebook’s users that the site had expanded its use of the facial recognition feature. This prompted Facebook to apologise for how it had handled the rollout. The European Union’s advisory board – the Article 29 Working Party – is also looking into Facebook’s facial recognition and whether it’s a violation of EU law. Investigations at the member-state level are underway in Ireland, the United Kingdom, and, now, Germany. [Source] and see also: [Manhunt is no way to deal with a social ill]

CA – Fotobounce Hypes Alternative Facial Recognition Option

In the wake of Facebook Inc.’s decision not to launch its new facial recognition technology in Canada, one Toronto-area firm is encouraging businesses and consumers to consider the risks associated with posting photos to a public Web site. Oakville, Ont.-based Applied Recognition Inc., which launched its Fotobounce Viewer app for Android last week, said users may be tiring of the typical model for online photo storage sites. The company is pushing its new mobile app and its integration with the existing Windows and Mac-based Fotobounce desktop software, which allows users to organize their photos and share them across an encrypted photo-sharing network. The company, which refers to the technology as “Skype for photos,” also gives users the option to upload their sorted photos to Facebook, Flickr or Twitter. One of Fotobounce’s flagship features, however, is its face detection engine. The first time a user uploads photos to Fotobounce, the system automatically clusters similar unidentified faces together in groups. Users are then asked to confirm the matches, individually or en masse, and assign a name to each cluster. Despite the similar functionality, Ganong envisions Fotobounce as a complementary service to Facebook and other photo sharing networks. “We give users face recognition, but it remains on the desktop,” he said. “What they choose to share online only contains name tags or key words for the people in the photos. It’s a secure way of implementing face recognition without the associated risks.” Fotobounce said it currently has 150,000 users, but hopes to reach its target of 1 million users within the next 12 months. [Source]

CA – Facebook Sleuths Still Trying to Finger Vancouver Rioters

The online rage and name-calling that flooded Facebook after the June 15 Stanley Cup riot has now subsided. Still, a handful of Facebookers continue to pore over dozens of hours of footage to try to identify the perpetrators of last month’s mayhem. They post their findings to the Facebook Vancouver Riot Pics group, which has more than 101,100 “Likes.” One of the core members estimates that close to 300 rioters have been identified on the group’s page. So far 37 people have turned themselves in to police and, while no one has been formally charged, up to 1,700 potential suspects have been flagged by police for more than 202 separate incidents. [Source]


CA – Air Passenger Observation Plan Post 9-11 Raises Red Flag for Privacy Watchdog

Canada’s privacy czar is concerned about the potential unfairness of a plan to scrutinize the flying public’s behaviour at the airport. The federal government announced last year it would develop a passenger-behaviour observation program to detect terrorists. Officers of the Canadian Air Transport Security Authority would be on the lookout for suspicious actions at air terminals, such as a traveller wearing a heavy coat on a hot day, or sweating profusely. Privacy Commissioner Jennifer Stoddart says she’s not convinced the techniques will actually help screening officers zero in on genuine threats. “There is a huge possibility for arbitrary judgments to come into play,” Stoddart said in an interview. “This kind of initiative that doesn’t have a clear scientific basis is extremely worrisome.” [Source] See also: [European Data Protection Supervisor – Opinion on the Proposal for a Council Decision on the Conclusion of an Agreement between the EU and Australia on the Processing and Transfer of Passenger Name Record (“PNR”) Data by Air Carriers to the Australian Customs and Border Protection Service]

CA – Federal Court Awards Minimal Damages Under PIPEDA

The Federal Court has recently released its second decision in which damages have been awarded for a breach under PIPEDA. Once again, the damages awarded are very low considering the costs associated with seeking redress before the Federal Court, but this very likely turns on the unique facts of the case. In Landry v. Royal Bank of Canada, 2011 FC 687 (CanLII), the applicant was embroiled in what appears to be a bitter divorce and was hiding certain bank accounts from her spouse. Her bank was served with a subpoena to produce records. It appears that the bank did not follow its prescribed procedures (which would have avoided the entire mess) and ultimately faxed the applicant’s bank records to counsel for her spouse. The applicant complained to the Office of the Privacy Commissioner of Canada, who found her complaint to be “well-founded and resolved”. The applicant then started an application in the Federal Court, seeking at least $75,000 in damages. Neither party looked good appearing in court: the bank had not followed its procedures and tried to cover it up, and the applicant was essentially caught trying to hide assets contrary to her legal obligations in connection with the divorce proceeding. In the result, the Court fixed the amount at $4,500, with interest and costs, to be paid to the applicant by the respondent. [Source]

CA – Electronic Search Powers Need Scrutiny, Experts Say

A group of experts in internet and privacy law want the government to study provisions they say could drastically affect Canadians’ privacy rights. The provisions were included in three lawful access technical surveillance bills from the last parliamentary session, but are expected to be rolled into the omnibus crime bill the Conservatives plan to table this fall. The Conservative election platform promised to reintroduce the electronic surveillance provisions, which critics call warrantless online spying, as part of the omnibus crime bill. The provisions would give law enforcement agencies more power to take information from ISPs and other private companies without a warrant, according to Open Media, a consumer watchdog group. Open Media is asking that the provisions be properly examined by MPs and senators in committee before the bill gets passed. The Conservatives have promised to pass the omnibus bill within 100 days of Parliament’s post-election return, which was June 2. Open Media worries that won’t be enough time when combined with all the other bills expected to be rolled together. “The overarching concern is it’s an erosion of civil liberties and online privacy with no real justification for it.” The legislation proposed in the last session would allow police to get some information without a warrant and other information with something like a court order, but with a lower standard of proof, Israel said. The group is also worried about a lack of oversight for the new powers. [Source] See also: [Letter to the Prime Minister re: Omnibus Crime Bill]

CA – Alberta Privacy Commissioner: Fines for Companies that Lose PII

With reports of privacy breaches mounting, Alberta’s privacy commissioner says it’s time the government considered slapping fines on companies that lose customer information. In the past 16 months, more than 90 breach reports have been received by the Office of the Information and Privacy Commissioner. In May 2010, under the Personal Information Protection Act, it became mandatory for companies to report privacy breaches. Currently, there are no penalties for non-compliance. Alberta’s Information and Privacy Commissioner, Frank Work, said the amendment gave his office a wake-up call. “It has proven to us how serious and how wide scale the problem is … It’s now hit home. I do think now the time has come for the government to seriously consider amending the legislation to provide for penalties.” He said monetary fines would be the most effective solution. [Source] [Privacy breaches overwhelm Alberta watchdog]

CA – Canada-U.S. Border Talks Raise Privacy Concern

Privacy and information sharing are a concern for Canadians who wrote to the government about border talks with the U.S., according to a report released by Foreign Affairs Minister John Baird. Canada and the U.S. are in negotiations over ways to integrate border security and ease trade access, though many of the details aren’t public yet. Two reports released this week summarize public consultations on the perimeter security talks. One is on implementing the agreement and the other on aligning regulations between the two countries. Business and trade groups were concerned about streamlining and speeding up approval for goods and wanted to align screening procedures for travellers between the two countries, the perimeter agreement report says. They also want expanded pre-clearance programs. Individual Canadians were more concerned about maintaining privacy rights. The report says they voiced concerns about information sharing with the U.S. government. [Source] [Harper and Obama to meet in early fall on border deal]

CA – DPA Releases PIPEDA Guidance for Lawyers

The Office of the Privacy Commissioner of Canada (OPC) has announced the release of a handbook to help lawyers become more familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Launched at the Canadian Bar Association Canadian Legal Conference and Expo 2011, PIPEDA and Your Practice—A Privacy Handbook for Lawyers provides best practices for personal information management, use, collection, disclosure and response. “While lawyers may be familiar with privacy laws in general,” says an OPC spokeswoman, “they may benefit from some concrete guidance on how to apply the laws to their own practice.” The handbook is available on the Privacy Commissioner’s website: http://PIPEDAhandbookforlawyers.priv.gc.ca [Source]

CA – Critics Decry Outsourcing of Visa Processing

The federal government is working to create a global network of visa processing offices, many of which are now privately run – a move that critics say raises concerns over information security, privacy and oversight. The government is set to almost double the number of countries in which it outsources the operation of visa application centres, from 20 to 35. Citizenship and Immigration Canada says it wants to continue to expand its use of these centres globally, although a spokesperson says no final decisions have been made yet. Some centres could also collect and transmit biometric information, such as fingerprints, in the future. [Source]

CA – Ontario Government’s First CIO Mark Vale Passes Away

Dr. Mark Vale, who died last Friday at St. Michael’s Hospital in Toronto, is best remembered for having led the development and implementation of standards for managing government information assets in the Ontario government. Not only did his work lead to improved access to government data, but he also helped secure sensitive information held within the Ontario Public Service. Toronto-born Vale, a 25-year veteran of the information technology industry, was named chief information and privacy officer for the Ontario government in July 2006. At the time he accepted the job, he was president of Toronto-based Information Management & Economics, Inc., an organization that helps government bodies and companies across Canada become more efficient by better managing information. [Source]


CA – OPC Releases Survey Findings on Consumer Views, Practices

A survey of 2,000 Canadians has revealed that many technology users fail to take basic steps to protect their personal information. The 2011 Canadians and Privacy Survey, which was commissioned by the Office of the Privacy Commissioner, revealed that the majority of respondents do not use password locks or device settings to protect their personal data. “Canadians are recognizing that their personal information is not safe in this new digital environment unless they take concrete measures to protect it,” said Privacy Commissioner Jennifer Stoddart. “Unfortunately…too few are taking even the most basic precautions, such as setting passwords on their mobile devices.” The survey also measured Canadians’ attitudes about privacy as it relates to social networking, national security and other areas. [Source]

CA – Canadian Youth Increasingly Aware of Online Privacy

Social media sites like Facebook have become a ubiquitous presence in the lives of young people and many parents may worry that their children are giving away too much information. “From the perspective of youth, the main concern is overexposure or embarrassment, which is to say that people are concerned that what they post online will be seen by unintended audiences,” said Matthew Johnson, director of education at the Media Awareness Network, a non-profit organization that promotes digital literacy among Canadians. Often, this unintended audience includes parents and authority figures, but the content can also be distributed to a wider audience for malicious reasons. Young people are generally aware of the risks of posting information online, Johnson said. [Source]


CA – Caseloads and Privacy Laws Impede Social Workers

While police continue their investigation into the murder of 14-month-old Elizabeth Velasquez, social workers in the province are speaking out about child protection caseloads. The little girl was abused and murdered last year, despite pleas from her grandparents for social services to step in. A spokesman for the social workers’ union says child protection workers are juggling too many cases at a time, and that privacy laws get in the way when workers are trying to share information. [Source] See also: [Cavoukian: Privacy laws are not to blame – they are designed to serve the public, not act as cover for inconvenience or incompetence] and [Feds mistakenly mail out private info]

US – VA Social Media Policy Adoption: Workers Must Ensure Data Privacy, Security

Department of Veterans Affairs employees must take steps to ensure the privacy and security of personal information that may appear in social media used by the department, according to a new VA social media policy made public Aug. 16. Under the new policy, dated June 28, all department social media must:

  • post a privacy policy on the introductory page;
  • not be used to monitor an individual’s exercise of his or her First Amendment rights;
  • “be restricted to those VA personnel who have a need to know”;
  • ensure the confidentiality, integrity, and availability of posted information;
  • not post data protected by HIPAA or the Privacy Act;
  • consider whether a Privacy Act system of records notice is required if social media captures personal information.

VA employees using social media to interact with the public must “draw a clear distinction between their personal views and their professional duties” and not imply that they are communicating the department’s official position unless they are authorized to do so. [Source]


US – Court: Non-Citizen E-Mails Protected Under ECPA

The Ninth Circuit Court has ruled that under the Electronic Communications Privacy Act (ECPA), Microsoft does not have to turn over an Indian citizen’s e-mails. Indian energy company Suzlon Energy, claiming the man defrauded it, had requested copies of all e-mails sent to and from his Web mail account and of written agreements he had with Microsoft. The court ordered Microsoft to hand over the contracts but ruled the e-mails are subject to protection under ECPA, sparking a debate over the intent of the law. Suzlon’s lawyer commented that if criminals could avoid discovery by “parking” e-mails in the U.S., “every felon in the world would do so.” But Judge Milan Smith remarked that if Congress wants to distinguish between a U.S. citizen and a noncitizen, “it knows how to do it.” [Courthouse News Service]

CA – Businesses Brace for Tough New Spam Law

Businesses are combing through their email lists as the date draws nearer for Canada’s tough new anti-spam legislation to come into effect, forever banishing Nigerian princes and Viagra peddlers from consumers’ inboxes. The law, passed last December and expected to come into force in late 2011 or early 2012, will restrict spam by requiring businesses to have explicit permission to send commercial electronic communication, including through email, text messages and social media. There is room in the law for implied consent, but recipients must have the option of opting out. Many email and mobile marketers support the law, saying it aligns with best practices already established by the industry’s legitimate businesses. But they’re not the only ones who will have to comply with the act. All businesses and individuals with an online presence will fall under its regulations. And the penalties for operating outside them are significant: up to $1 million for individuals and $10 million for businesses. [Source] [Source]

US – Google Sued in Massachusetts for Scanning Emails Sent to Gmail Account

A Massachusetts woman filed a class action suit in Mass. state court against Google, alleging that Google violated Massachusetts’ wiretap law by scanning messages she sent from her AOL account to recipients’ Gmail accounts. Massachusetts is one of several states that require all parties to give their consent to the interception or recording of communications (unlike federal law and the laws in a majority of states, which only require consent from one party to the communication). [Source]

US – Spam King Surrenders

Sanford Wallace, a.k.a. “the Spam King,” has surrendered to federal law enforcement agents in California. Wallace has been charged with sending millions of spam messages to Facebook users. He allegedly tricked users into submitting their account login details. An estimated 500,000 Facebook accounts were compromised. Once he had access to compromised accounts, he accessed their friends lists and posted junk messages on their walls. Facebook won a US $711 million judgment against Wallace in 2009. Wallace faces charges of electronic mail fraud, intentional damage to a protected computer and criminal contempt. He has been released after posting US $100,000 bail. [Source] [Source]

Electronic Records

UK – NHS to Axe £7bn Electronic Records? Ministers Ready To Pull The Plug on Fiasco

Ministers are set to announce that plans for an ambitious system that links all parts of the NHS are to be abandoned. Instead of a centralised set-up, local NHS trusts and hospitals will be able to buy computer systems to suit their needs. The decision to axe an important element of the £11 billion NHS IT project comes as MPs launch a scathing report into a system they describe as ‘unworkable’. The £7 billion electronic care records system – a key part of the botched NHS IT project – could be targeted under the new strategy. It follows years of controversy and criticism that the project has missed deadlines and run over budget. [Daily Mail] [The Register] [Report]

TW – Taiwan Readies to Launch Electronic Medical Records Plan

Patients in Taiwan will no longer have to undergo the same medical tests repeatedly once the nationwide electronic medical records plan kicks off this November, the Department of Health said. “The plan allows doctors from different hospitals to access a patient’s EMR with the patient’s consent,” said Hsu Min-huei, director of the DOH’s Department of Medical Informatics. He added that many hospitals in other countries such as Canada, the U.K. and U.S. are already using EMRs. According to Hsu, the plan works under an index mechanism. “Doctors will be able to look up the patient’s name, examination date and item,” he pointed out. “To ensure a patient’s privacy, the system will keep track of which doctors access which files.” Under the plan, doctors can access blood test results, CAT scans, MRIs, outpatient service records, a summary of a patient’s condition and medication prescribed during hospitalization. The plan will be launched at 126 hospitals in Taiwan. “There are 500 hospitals across Taiwan,” Hsu said. “We hope the plan can be implemented in every hospital by the end of 2012.” [Source] See also: [CA – Up-to-Date Health Information for Patients]
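The two privacy controls named above, consent-gated access and a record of which doctors reach which files, are easy to state and easy to get subtly wrong. The Python below is an added example written for this digest, not code from the Department of Health or any hospital system; the patient records, doctor ids and consent registry are constructed for the demonstration, and the `EmrIndex` class, its lookup keys (patient name, examination date, item, as the plan describes) and the audit record format are this example's own assumptions. It shows two points the paragraph only implies: consent has to be checked per patient rather than per name, since names are not unique, and a denied lookup is still written to the audit trail but is not reported back to the querying doctor, so the index cannot be used to confirm that a non-consenting patient's record exists.

```python
"""Consent-gated EMR index lookup with an access audit trail (illustrative model)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class IndexEntry:
    """One row of the cross-hospital index: where a record lives, not the record itself."""
    patient_id: str
    patient_name: str
    exam_date: date
    item: str          # e.g. "blood test", "CAT scan"
    hospital: str


@dataclass(frozen=True)
class AuditRecord:
    """Who tried to reach which patient's entry, and whether consent allowed it."""
    doctor_id: str
    patient_id: str
    item: str
    granted: bool


class EmrIndex:
    def __init__(self) -> None:
        self._entries: List[IndexEntry] = []
        self._consent: Dict[str, Set[str]] = {}   # patient_id -> consenting doctor ids
        self.audit: List[AuditRecord] = []        # append-only access trail

    def add_entry(self, entry: IndexEntry) -> None:
        self._entries.append(entry)

    def grant_consent(self, patient_id: str, doctor_id: str) -> None:
        self._consent.setdefault(patient_id, set()).add(doctor_id)

    def revoke_consent(self, patient_id: str, doctor_id: str) -> None:
        self._consent.get(patient_id, set()).discard(doctor_id)

    def lookup(self, doctor_id: str, patient_name: str,
               exam_date: date, item: str) -> List[IndexEntry]:
        """Return the matching entries this doctor may see; every attempt is audited.

        Consent is checked per patient_id, not per name. Entries of a patient who
        has not consented are silently omitted (never reported as 'denied'), so a
        query cannot be used to confirm that such a record exists.
        """
        visible: List[IndexEntry] = []
        for e in self._entries:
            if (e.patient_name, e.exam_date, e.item) != (patient_name, exam_date, item):
                continue
            granted = doctor_id in self._consent.get(e.patient_id, set())
            self.audit.append(AuditRecord(doctor_id, e.patient_id, e.item, granted))
            if granted:
                visible.append(e)
        return visible

    def accesses_to(self, patient_id: str) -> List[AuditRecord]:
        """Every access attempt on one patient's entries, granted or not."""
        return [r for r in self.audit if r.patient_id == patient_id]


def build_demo_index() -> EmrIndex:
    """Constructed sample data: two patients who share a name, one consenting to doctor D-42."""
    idx = EmrIndex()
    idx.add_entry(IndexEntry("P-001", "Lin Mei", date(2011, 8, 1), "blood test", "Hospital A"))
    idx.add_entry(IndexEntry("P-002", "Lin Mei", date(2011, 8, 1), "blood test", "Hospital B"))
    idx.add_entry(IndexEntry("P-001", "Lin Mei", date(2011, 7, 15), "CAT scan", "Hospital C"))
    idx.grant_consent("P-001", "D-42")   # P-002 has not consented to D-42
    return idx


def run_demo() -> dict:
    """Query before and after consent is revoked; returns the observable results."""
    idx = build_demo_index()
    first = idx.lookup("D-42", "Lin Mei", date(2011, 8, 1), "blood test")
    idx.revoke_consent("P-001", "D-42")
    second = idx.lookup("D-42", "Lin Mei", date(2011, 8, 1), "blood test")
    return {
        "first_hits": [e.patient_id for e in first],      # only the consenting patient
        "second_hits": [e.patient_id for e in second],    # nothing once consent is gone
        "p001_attempts": [r.granted for r in idx.accesses_to("P-001")],
        "p002_attempts": [r.granted for r in idx.accesses_to("P-002")],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit list is what lets a patient, or a privacy officer, later answer "which doctors looked at my files", including the attempts that were refused; in a real deployment that trail would live in tamper-evident storage rather than an in-memory list.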

EU – NHS Scotland Overhauls Security With New Sign-On System

In one of the most significant security roll-outs in recent NHS history, patient health records at Scotland’s 1,300 GP practices and 97 hospitals are to be secured using Imprivata’s desktop single sign-on (SSO) system, OneSign 4.5, NHS Scotland has announced. At the head of the security features is the ability to access all applications after one sign-on process, backed up by self-service password resets, which avoids the expensive hassle of calls to a helpdesk. OneSign 4.5 is a way for health workers to authenticate themselves using one of a variety of security technologies, such as biometrics or smartcards, in a way that fits in with the practicalities of the working environment. The deployment will also include ‘no-click access’, a way for workers to avoid the need to constantly log in during a work day using the keyboard. If workers move away from the screen, the desktop is locked and only unlocked at the moment they return, once they have re-authenticated. [Source]

WW – Health Industry Prepares to Mine Patient Data

With the increased use of remote monitoring systems and new digital imaging technology, “tremendous amounts of data” are being generated but not analyzed. A vice president of an analytics company says that “doctors have live data coming out of these devices and equipment, but to date it really hasn’t been analyzed.” According to the report, healthcare suppliers will begin selling equipment and software that can analyze the streaming data. “If there was a national healthcare database in the U.S.,” he says, “the value of that information in terms of mining it to identify trends across population segments is phenomenal.” [The Australian]

EU Developments

EU – French Parliament Publishes Legislation on Cookies and Data Breach Notification

The French Parliament published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC. “Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government.” The legislation “introduces a requirement for consent to be obtained before cookies are placed” and that browser settings or another application can be used to signify consent. “Unlike the UK, consent given through browser settings is valid even if the subscriber does not amend or set the controls.” The legislation also introduces a data breach notification requirement for electronic communication providers. [Source] [Source] See also: [Garante Per La Protezione dei Dati Personali, Italy – Authorisation No 6-2011 for the Processing of Sensitive Data by Private Investigators, June 24, 2011]

EU – Council of Europe Report on the Modernisation of Convention 108

The report’s main conclusions:

  • The Convention should remain technologically neutral, with general principles set out in specific texts when required; the two converging approaches with regard to data protection law are a desire for greater harmonisation of basic concepts and rules and greater clarity in determining the applicable law.
  • Definitions of the right to data protection and the right to respect for privacy should be clarified (e.g. private life and data protection are two different things, and personal data may or may not be private).
  • The concept of data controller is no longer as relevant due to the increasing use of data sharing systems and interconnection.
  • Sensitive data should be linked to their use, rather than simply extending the list; any extension of the list should be preceded by an impact study.
  • Opinions were divided on whether there should be a definition for “sub-contractor”; sub-contractors have to comply with so many obligations in respect of security and respect for privacy that their role becomes hard to identify, and the mere distinction between controller of the file and sub-contractor no longer reflects the complex relationship which exists between organisations processing personal data.
  • Consent should not be presented as a condition to be met for processing to be legal and fair (e.g. in many cases the person who gives consent does not realise what they are agreeing to); the quality of consent causes a great deal of apprehension (e.g. the problem of determining whether consent is genuinely free).
  • With regard to transborder data flows, there are limits to the extent to which these can or should be controlled in a networked world; adequacy could be assessed on the basis of broad data processing sectors or relate to the particular circumstances of the case and the particular controller.
  • Data protection laws require clarification in the context of cloud computing; where such technologies are concerned, there should be a right to know the physical location and the country where data are kept or where distribution servers are situated.
  • There should be an option not to be tracked (in relation to RFID tags); however, a right should not be based on a targeted technology, which would contradict the goal of preserving the Convention’s technologically neutral character.
  • There should be a provision for a right to be informed about security breaches, applicable across the board to all sectors.
  • Data protection authorities should be given the right to settle disputes; DPAs’ decisions should be mutually recognised by other States Parties. [Source]

EU – Crisis-Hit Greece to Loosen Privacy Laws

Greece plans to loosen strict privacy laws to allow surveillance camera footage as evidence in court, following a “dangerous” escalation in violence during anti-government protests amid the financial crisis. The proposed reforms follow warnings from top law enforcement officials that violent protesters are using potentially lethal means against police, including acid, crossbows and firebombs packed with firecrackers and metal shavings. Justice Minister Miltiadis Papaioannou outlined the changes at a parliamentary committee hearing and published them on his website. He warned of a “major escalation” in violence in recent months. He said the reforms also aim at permitting the identification of Internet bloggers who incite violence and make it more difficult for small groups of protesters to block road traffic. Police have long sought the use of camera footage — currently only used to manage traffic — as evidence, arguing that violence during protests has escalated in recent months. If the reforms are passed, police also plan to install cameras in squad cars and motorcycles. [Source]

EU – Google Court Case Results from “Transatlantic Clash”

Spain’s government has ordered Google to halt its indexing of data on certain individuals. Ninety individuals who filed complaints with the Spanish Data Protection Agency will benefit from the order, which is now being considered in court. Google has asserted that the requirement “would have a profound chilling effect on free expression without protecting people’s privacy.” Experts weigh in on the order, the origins of the concept of a “right to be forgotten” and the differing perspectives. “What you really have here is a transatlantic clash,” said a Swiss native and Georgetown University professor. [The New York Times] [No Right To Be Forgotten]

UK – Commission: Privacy Laws Insufficient

A report from the Equality and Human Rights Commission says that UK privacy laws do not do enough to protect citizens. Current privacy laws have failed to prevent breaches and keep pace with advances in technology and increases in the amount of data organizations collect about individuals, the report states. “This needs to change so that any need for personal information has to be clearly justified by the organization that wants it. The law and regulatory framework needs to be simplified and, in the meantime, public authorities need to check what data they have and that it complies with the existing laws,” said Commissioner Geraldine Van Bueren. [The Inquirer] [Charles Raab: Research report 69: Protecting information privacy]

EU – Parliament Resolution on Aviation Security, Focus on Security Scanners

The European Parliament supports the use of security scanners, provided appropriate safeguards are in place, over less demanding methods that do not guarantee a similar level of security – metal detectors are less effective, particularly with regard to non-metallic objects and liquids, and full hand-searches are more likely to cause greater irritation and face greater opposition (however, people should be given an option to refuse use of a security scanner, and submit themselves to alternative screening methods that guarantee the same level of effectiveness). To ensure data protection, only stick figures should be used (to protect passengers’ identities and ensure they cannot be identified through images of any part of their body), data generated by the scanning process must not be used for purposes other than detecting prohibited objects, may only be used for the amount of time necessary for the screening process, and may not be stored (data must be destroyed immediately after each person has passed through the security control). People undergoing checks should receive comprehensive information in advance about the operation of the scanner, conditions in place to protect their rights and the option to refuse to pass through the scanner; security staff should receive special training on using security scanners in a manner that respects passengers’ fundamental rights, personal dignity and data protection. [Source]

EU – Google Given Chance to Settle Belgian Case Over Street View

A federal prosecutor from Belgium has offered Google the opportunity to pay a €150,000 fine to settle claims of illegal data collection practices stemming from its Street View project. The company now has three months to accept the offer or the case could be brought before the country’s federal court, which could declare higher fines or imprisonment. A Google representative said, “We have received an offer of extrajudicial settlement from the Belgian federal prosecutor, and we have to study it carefully.” [Bloomberg]

UK – ICO Gives Google Good Grades, Not a “Rubber Stamp”

After auditing the company’s privacy structure, the Information Commissioner’s Office (ICO) says that Google “has taken reasonable steps to improve its privacy policies” but adds that the audit “is not a rubber stamp.” The company agreed last year to let the ICO conduct the audit in light of its controversial Street View project. The ICO said that “the audit verified that Google made improvements to their internal privacy structure,” but it “needs to ensure its work in this area continues to evolve alongside new products and technologies.” Meanwhile, in a Google blog post, the company announced that it will conduct a privacy impact assessment on any additional Street View activities in New Zealand. [The Guardian] [The Telegraph] [Report]

Facts & Stats

WW – Data Protection Laws Now in 76 National Jurisdictions

In a special report for Privacy Laws & Business, Australian Professor Graham Greenleaf has identified comprehensive data protection legislation in 76 national jurisdictions around the world as of July 30, 2011. His findings are summarized in a table listing the jurisdiction, the name of the law, its dates of enactment and latest amendment, the region, information about European findings of adequacy, status as a Council of Europe member and a ratifier of Convention 108 and its optional protocol, and other international commitments. Countries of some prominence that have flown under the radar of HR Privacy Solutions include Albania, Angola, Bosnia & Herzegovina, Croatia, Kyrgyz Republic, Mauritius, Montenegro, Senegal, and Serbia. India was notably included in the list, by virtue of its new rules under Section 43A of the Information Technology Act 2008. Accompanying the table was a detailed and insightful analysis of trends and timelines revealed by the data set. Professor Greenleaf indicated his intent to make a periodically updated version of the table available on his website.

WW – Google Plus Members Value Their Privacy

According to an analysis from data-mapper Matthew Hurst, new Google+ members may be seeing very little activity from the site’s 20 million users. His analysis shows approximately 48% of Google+ users haven’t posted publicly. Hurst, whose visualization was picked up by The Next Web, showed that there is a tight cluster of public power-users on the network, with the rest of the service’s 20 million or so users chiming in less often. But, as a commenter on Hacker News pointed out, Hurst’s data appears to only contain public data. An earlier report from All Things Digital revealed that approximately two-thirds of the content on Google+ is, in some way, private. [Source]


UK – UK Authorities Mull Internet Kill Switch

Amidst widespread calls from MPs, David Cameron has pledged to investigate the possibility of turning off social networks during times of crisis, lumping Britain in with some rather unsavory company. The U.K. has long criticized countries like China, Iran and Libya for censoring the web and clamping down on dissent, a stance that would look incredibly hypocritical to the rest of the world if the Prime Minister then proceeds to do the same thing on his own turf. Opinion pieces in international newspapers have already started popping up with headlines like “what goes around, comes around.” [Source]

UK – Government Will Not Order ISPs to Block Sites Hosting Pirated Content

The UK government has scrapped plans under the Digital Economy Act that would allow authorities to ask a court to block websites hosting pirated digital content. Internet service providers were unhappy with the provision, and the UK Office of Communications (Ofcom) reviewed the policy and found that the provisions “would not be effective.” The Motion Picture Association recently won an injunction requiring BT to block a certain site that hosted links to pirated content; the case did not invoke the Digital Economy Act. [Source] [Source] [Source]


WW – Privacy Concerns Accompany Rise of Paperless Receipts

Consumers may soon have the choice of forgoing a printed receipt at the check-out counter, as an increasing number of retailers cut ties with the tiny slips of paper that have been issued to customers for decades. The paperless receipt is gradually creeping into the Canadian marketplace, as a variety of retailers implement new types of systems that allow customers to retrieve their receipts from email or online websites. However, because shoppers must provide an email to receive a receipt, retailers can learn a lot about a customer’s preferences and buying habits. [Source] [CTV News] and see: [Hotel Guest Files Credit Card Receipt Suit alleging that a Virginia Beach hotel breached privacy law by printing sensitive data on his checkout receipt] and [US: Federal Court OKs Personal Information on Parking Tickets]

US – Judge Rules That Bank is Not Liable for Fraudulent Transactions

A US District Court judge has adopted a decision recommended by a magistrate holding that a commercial bank which protected customers’ accounts with minimal authentication was in compliance with federal online banking security requirements. Patco Construction had sued Ocean Bank following a series of fraudulent funds transfers totaling US $588,000. Part of Patco’s argument rested on Ocean Bank’s having allowed the transactions to go through without taking adequate steps to verify their legitimacy. In late May, the magistrate ruled in the bank’s favor, and on August 4, a judge made the ruling official. Patco has not decided whether it will appeal the decision. Similar suits are being tried in various federal district courts, but none qualifies as case law, which requires a ruling from an appellate court. For a decision to set a national precedent, a ruling would be required from the US Supreme Court. [Source] [Source]

EU – EDPS Opinion on Credit Agreements Relating to Residential Property

The European Data Protection Supervisor (EDPS) notes that the concept of responsible borrowing entails that consumers provide relevant, complete and accurate information about their financial situation. The limited number of activities with relevance under the EU data protection regime are mainly the consultation by creditors and credit intermediaries of the so-called “credit database” for the purpose of assessing the creditworthiness of consumers, and the release of information by consumers to creditors or credit intermediaries. The EDPS suggests modifications to the Proposal: access to the database should be permitted only if it is clarified whether access is limited to creditors or credit intermediaries who have concluded a contract with a consumer, or who have been asked by the consumer to take steps to conclude a contractual relationship with him or her, and only if consumers are notified in advance that a given creditor or credit intermediary intends to access their personal data in the database and of their right to exercise all relevant data protection rights. [Source] See also: [EDPS Opinion on the Proposal for a Regulation of the European Parliament and of the Council on Energy Market Integrity and Transparency]

US – Payment Card Industry Tokenization Guidelines Released

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for “developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts,” the report states. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements,” said PCI SSC General Manager Bob Russo. [SC Magazine]

EU – CNIL Authorizes PI for Money Laundering and Terrorist Financing

Financial institutions should meet their legal and regulatory obligations in anti-money laundering and counter-terrorist-financing due diligence by processing personal data according to a risk-based approach, i.e. determining the profile of the business relationship with the client and beneficial owner by considering products purchased, transactions and client characteristics (the nationality of the customer cannot be the only criterion for requiring enhanced due diligence). Additional aims of processing include: identifying persons subject to additional due diligence measures as politically exposed persons (comparing the customer affairs database against a reliable reference document used to identify PEPs); triggering alerts and reports of suspicious transactions (processing that identifies transactions deemed suspicious because they involve amounts likely to finance terrorism or to come from an offence punishable by one year’s imprisonment); and applying measures to freeze assets (operations based on lists of asset-freezing measures are subject to manual review to address any similarities in names).

The personal data collected must be necessary to assess the risk posed by the client, the requested operation or the signed contract, and proportionate to the risk classification of the financial institution (personal data that may be collected include, for example, copies of identification documents, occupation, nature and level of income, financial transaction information including the currency processed and the source and destination of funds, and the mandates and powers of any natural persons representing corporations). Additional data may be collected directly from the person in cases that are high risk, complex, involve an unusually large amount of money, or have no apparent economic justification or lawful purpose.

Within their respective powers for the purposes of fighting money laundering and terrorist financing, recipients of the data include data controllers (e.g. staff in customer relations or staff who decide whether to maintain a business relationship with a politically exposed person), authorities (e.g. the financial intelligence unit Tracfin or the Treasury Department) and other financial institutions (e.g. other institutions that intervene for the same client in the same transaction). [Single Authorisation No. AU-003: Decision No. 2011-180 of 16 June 2011, Authorizing Single Processing of Personal Data Related to the Fight Against Money Laundering and Terrorist Financing | Press Release and Backgrounder] and [Individual Rights in the Digital Revolution: Information Report No. 3560 to the French National Assembly – Law Committee and the Committee of Cultural Affairs]

WW – Credit Card Data Compromised

A credit card data breach has affected approximately 92,400 Japanese Citigroup customers. Compromised data includes names, addresses, credit card account numbers, phone numbers, dates of birth and dates accounts were opened. According to the report, an individual employed by a Citigroup subcontractor sold the data to a third party. This is the second breach that has affected the company this year. [InfoSecurity]


CA – Watchdogs Demand Probe After Mounties Drop Access-to-Information Case

Three watchdog groups are asking Parliament to find out why the RCMP dropped its probe of alleged political interference in the release of government information. Newspapers Canada, the Canadian Taxpayers Federation and the B.C. Freedom of Information and Privacy Association issued a joint letter asking a House of Commons committee to investigate the case of Sebastien Togneri. In 2009, Mr. Togneri, a political aide to then-public works minister Christian Paradis, ordered a document withheld from a Canadian Press reporter who had requested it under the Access to Information Act. The document, an annual report on the government’s giant real-estate portfolio, was then retrieved from the Public Works mailroom shortly before it was to be sent out. Mr. Togneri was later required to appear before the Commons committee on access to information, privacy and ethics, where he acknowledged his order to “unrelease” the document was a “mistake.” And a year-long investigation by the Information Commissioner concluded Mr. Togneri had inappropriately interfered when he had no legal authority to do so. Suzanne Legault recommended the government send the case to the RCMP to examine whether Mr. Togneri’s actions broke Section 67.1 of the Access to Information Act, which provides for jail terms and penalties for interfering with the release of government information. The RCMP was called in, but this month dropped their probe, saying any criminal investigation was “unwarranted.” “The RCMP decision to abandon this investigation is extremely troubling,” John Hinds, president of Newspapers Canada, said in a release. “It appears to leave people most likely to interfere with [Access to Information] requests above the law, and that just cannot stand.” [Source] See also: [Wikileaks crashes in possible cyberattack] and also [Old Mug Shots Fuel Art, and a Debate on Privacy] and [Freedom of what? Sure seems it’s not information]

BR – Brazil’s Long-Awaited Freedom of Information Law is Under Threat

Brazil’s long-awaited freedom of information law is once again under threat. Senator and disgraced ex-President Fernando Collor, who was impeached in 1992 by the very Senate he now serves, has proposed radical revisions to the freedom of information bill 41/2010. These changes constitute a clear affront to President Dilma Rousseff, who has supported passage of the measure, to the Chamber of Deputies, which approved the bill in 2010, and to the three Senate committees that have already endorsed the measure in 2011. As Chair of the Committee on Foreign Relations and National Defense, Mr. Collor holds a powerful position in the Senate. But the amendments proposed are so retrograde that Collor should hardly be taken seriously. A freedom of information law is viewed to be one of the principal pillars of transparency and social accountability needed to better combat endemic corruption in Brazil. [Source]

NZ – Value of Information Trumps Caution: Government CIO

The emphasis in opening government data is to “push the information out there and enable people to use it in whatever ways they see fit,” rather than being over-cautious in ensuring that the data is exactly right and conveniently packaged, says New Zealand government CIO Brendan Boyle. Boyle was speaking at a symposium on record-keeping organised by the Association of Local Government Information Management (Algim). He identified the factors holding back increased openness with government information and increased centralisation onto all-of-government ICT. [Source] See also: [Office of the Privacy Commissioner, New Zealand – Focusing on Solutions: Working with the Office of the Privacy Commissioner]


US – Court Allows Suit by Man Who Wants Genetic Profile Destroyed

A Massachusetts man who voluntarily provided DNA in 2002 to police investigating a murder may pursue a privacy invasion suit seeking return of his genetic profile, a state appeals court has ruled. Keith Amato claims in his class action suit that police promised the sample and data would not be retained if his DNA didn’t match crime scene evidence, according to the opinion. The state eventually returned the DNA sample, but not the genetic profile. Amato sued for breach of contract and under two state laws governing state retention of data and invasion of privacy. The Massachusetts Appeals Court allowed all three causes of action. [Source]

US – Collecting DNA From Arrestees is Unconstitutional, California Court Says

The First District Court of Appeal in San Francisco has overturned a voter-approved proposition that requires adults charged with a felony to provide a DNA sample. The court said Proposition 69 is unconstitutional because the law allows searches of individuals without a warrant, adding it authorizes “the warrantless and suspicionless search of individuals…for evidence of a crime unrelated to that for which they have been arrested.” The court also noted, “The question this case presents, which is increasingly presented to the courts of this state and nation, is the extent to which technology can be permitted to diminish the privacy guaranteed by the Fourth Amendment.” [Wired]

Health / Medical

US – OCR Data Breach List Hits 300, Reveals Top Audit Interests

The Office for Civil Rights (OCR) has logged almost one healthcare breach every other day since it began keeping its online list in February 2010. The OCR notification website lists breaches of health information protected under HIPAA affecting 500 or more individuals and was created as part of the breach notification interim final rule. According to the report, the tally has reached 300 breaches, and of the 420 complaints claiming violations of HIPAA since October 2009, 192 have been closed after “investigation and appropriate corrective action.” The OCR also announced the top areas of interest on its HIPAA privacy and security compliance radar. Its top issue is incident detection and response. It will also focus on reviews of log access; secure wireless networks; management of user access and passwords; and theft or loss of mobile devices, among other requirements. The OCR plans to look at 150 organizations by the end of the year. [HealthLeaders Media] [Source] and [OCR Undecided on BA Inclusion in HIPAA Audits] and [EHRs Raise Liability Fears]

US – Survey: 70% of Healthcare Providers Suffered Privacy Breach in Past 12 Months

Veriphyr, a provider of Identity and Access Intelligence, announced the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70% of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. Insiders were responsible for the majority of breaches, with 35% snooping into medical records of fellow employees and 27% accessing records of friends and relatives. The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches”, summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers. Key findings include:

  • Top breaches in the past 12 months by type: Snooping into medical records of fellow employees (35%); Snooping into records of friends and relatives (27%); Loss /theft of physical records (25%); Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in: 1-3 days (30%); 1 week (12%); 2-4 weeks (17%)
  • Once a breach was detected, it was resolved in: 1-3 days (16%); 1 week (18%); 2-4 weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI. 52% stated they did not have adequate tools for monitoring inappropriate access to PHI. [Source] See also: [Medical records strewn in abandoned Melbourne clinic] and [Ireland: ‘Unauthorized Access’ To Patient Data After Medical Transcription Lapses]
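The two leading breach types in the survey, staff opening co-workers’ charts and staff opening relatives’ charts, are exactly the accesses an audit-log review can surface when there is no treatment relationship to explain them. The following is an added example, not part of the survey or of any Veriphyr product: it runs three rules over a few constructed EHR audit-log lines, using an invented staff roster, patient index and care-team table. The log format, the field names and the surname heuristic for relatives are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference data (invented identifiers; nothing here is real).
# Staff roster: login -> surname and, where the employee is also a patient,
# the medical record number (MRN) of their own chart.
STAFF: Dict[str, Dict[str, Optional[str]]] = {
    "jdoe":   {"surname": "Doe",   "mrn": "100777"},
    "asmith": {"surname": "Smith", "mrn": "100888"},
    "rlee":   {"surname": "Lee",   "mrn": None},
}
# Patient index: MRN -> surname.
PATIENTS: Dict[str, str] = {
    "100234": "Garcia", "100777": "Doe", "100888": "Smith", "100555": "Lee",
}
# Treatment relationships: MRN -> logins with a legitimate reason to open it.
CARE_TEAM: Dict[str, Set[str]] = {
    "100234": {"jdoe", "rlee"},
    "100777": {"asmith"},
    "100888": {"rlee"},
    "100555": {"asmith"},
}
# Constructed EHR audit-log lines in an assumed key=value format.
ACCESS_LOG: List[str] = [
    "2011-08-03T10:15:22Z user=jdoe mrn=100234 action=view",
    "2011-08-03T10:17:03Z user=jdoe mrn=100888 action=view",
    "2011-08-03T11:02:45Z user=asmith mrn=100777 action=view",
    "2011-08-03T12:30:10Z user=rlee mrn=100555 action=view",
    "2011-08-03T13:05:59Z user=rlee mrn=100234 action=print",
    "2011-08-03T14:11:37Z user=asmith mrn=100234 action=view",
]

LINE_RE = re.compile(r"^(\S+) user=(\w+) mrn=(\d+) action=(\w+)$")
STAFF_MRNS = {v["mrn"] for v in STAFF.values() if v["mrn"]}


def parse_line(line: str) -> Optional[Tuple[str, ...]]:
    """Return (timestamp, user, mrn, action), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def classify(user: str, mrn: str) -> Optional[str]:
    """Return an alert reason, or None when a treatment relationship explains
    the access. Order matters: the most specific reason wins."""
    if user in CARE_TEAM.get(mrn, set()):
        return None
    if mrn in STAFF_MRNS:
        return "coworker_record"        # the 35% category in the survey
    if STAFF.get(user, {}).get("surname") == PATIENTS.get(mrn):
        return "possible_relative"      # crude surname heuristic for the 27%
    return "no_treatment_relationship"


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every log line through classify(); return (user, mrn, reason) alerts."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # malformed line; count these in production
        _ts, user, mrn, _action = parsed
        reason = classify(user, mrn)
        if reason:
            alerts.append((user, mrn, reason))
    return alerts


if __name__ == "__main__":
    for user, mrn, reason in detect(ACCESS_LOG):
        print(f"ALERT {reason}: {user} opened MRN {mrn}")
```

The care-team table is what turns raw log volume into a short review queue; without it every access looks the same, which is the position the 52% of respondents without adequate monitoring tools describe. Running such a rule daily rather than at audit time is what moves detection from the "2-4 weeks" bucket toward "1-3 days".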

US – Florida’s ‘Drug Tests for Welfare Recipients’ Law Likely Unconstitutional

Back in June, Florida Governor Rick Scott signed into law a bill that, among other things, requires all recipients of cash welfare from the state to undergo mandatory drug testing as a condition of receiving certain forms of state aid. The first round of testing was recently completed, but the legal controversy is just beginning. As one Tampa Bay television station has reported, in the past Federal Courts have generally held that drug testing requirements for public assistance are unconstitutional: In a 1997 ruling from Georgia by the U.S. Supreme Court, Justice Ruth Bader Ginsburg wrote, “The Fourth Amendment precludes suspicionless search… the drug test diminishes personal privacy.” In 2003, a U.S. Circuit Court of Appeals ruling from Michigan backed that up saying, “Michigan law authorizing suspicionless drug testing of welfare recipients was unconstitutional.” [Source] See also: [The social network of infertility: Study examines couples’ privacy preferences]

US – AMA Discusses Prescription Data Selling Practices

American Medical Association (AMA) President Peter Carmel is refuting a New England Journal of Medicine (NEJM) article that insinuates the AMA has financial incentives to support a Supreme Court decision allowing the sale of prescription drug information to pharmaceutical companies. The NEJM article also claims the AMA has not done enough to promote its program allowing doctors to opt out of data mining. But Carmel calls the assertions “unfounded speculation” and outlines ways the AMA has promoted the opt-out program. While the AMA believes physicians should have the right to opt out, the report states, it “prefers its own approach to state laws that might be overly restrictive.” [Information Week]

US – Sexual Health Database Protects Porn Actors’ Privates and Their Privacy

The Free Speech Coalition, a trade association for the adult entertainment industry, has launched an online database that lists pornography performers who are sexually-transmitted disease-free and available for work. The database, called Adult Production Health & Safety Services, is accessible only by producers, performers and their agents. It replaces a database operated by AIM Medical Associates, which was shut down in May after the site was hacked and performers’ private medical information was leaked online. “APHSS.org does not contain any medical records and very minimal information to identify users,” said Joanne Cachapero, membership director for the Free Speech Coalition. “In the unlikely event that the database was hacked or breached, there is not much personally identifying information contained in the database.” Proponents say the new database will safeguard performers’ sexual health as well as their privacy. But critics say it promotes unsafe sex. [Source]

US – Health Data Not Covered in Breach Legislation

The Center for Democracy and Technology’s Harley Geiger writes that the data breach notification bills currently in Congress would not protect health data processed by certain commercial services. The HIPAA Privacy Rule requires covered entities to notify individuals when their data is compromised, but with the influx of commercial health IT systems and applications, sensitive health data is increasingly being used by commercial products and services. As a result, neither current data breach draft legislation nor the Privacy Rule would require non-covered entities processing health data to notify individuals of a breach, which “makes it all the more important that the law evolves with technology to provide blanket privacy protection for health information in commercial contexts,” the report states. [Source]

US – AHA Wants HIPAA Access Provision Withdrawn

The American Hospital Association (AHA) says federal regulators need to “significantly alter” the access report provision in their proposed HIPAA disclosures rule. In a letter sent to the Department of Health and Human Services, the AHA says the access report provision – which would allow patients to request a history of who has accessed and disclosed their personal health records – is “misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals.” [HealthLeadersMedia]

Horror Stories

US – Health Data of 300K Californians Available on Unsecured Website

A researcher from a data loss protection company recently discovered that personal medical data for nearly 300,000 Californians were available online in an unsecured format and could be found through Internet searches. Aaron Titus – a researcher from Identity Finder – discovered the information and alerted Southern California Medical-Legal Consultants, the company that was using the data. [Source]

US – Hackers Breach Chocolate Recipe on Hershey Website

Hackers breached the security of a website operated by US confectionery giant Hershey Company and may have made off with customers’ names, birthdates, street and email addresses, and site passwords. In an email sent to customers last week, Hershey said an unauthorized individual accessed the site and changed a baking recipe for one of its products. The company said it found no evidence any other recipes on the website were affected, but it couldn’t rule out the possibility that hackers stole personal data taken when customers create accounts on the site. [Source] [Travelodge UK Admits Data Breach] [University of Wisconsin Malware May Have Exposed Student, Staff Data]

US – Fired Techie Created Virtual Chaos at Pharma Company

Logging in from a Smyrna, Georgia, McDonald’s restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company’s computer infrastructure earlier this year. Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty to computer intrusion charges in connection with the attack on Feb. 3, 2011. He wiped out 15 VMware host systems that were running e-mail, order tracking, financial and other services for the Florham Park, New Jersey, company. “The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,” the U.S. Department of Justice said in court filings. Total cost to Shionogi: US$800,000. [Source] [Purdue University Warns Former Students of Breach]

UK – USB Device Found in Pub Contained Unencrypted Housing Company Data

The UK Information Commissioner’s Office (ICO) has found two organizations in violation of the Data Protection Act after a USB containing unencrypted data was left at a pub. The data storage device contained information about residents of two housing companies and included 800 records with bank account information. The USB was lost by a contractor working for one of the companies, but data from both were on the device. More than 26,000 people were affected. The USB was turned in to police. Both housing companies have agreed to encrypt portable data devices and monitor contractors’ and staff members’ data handling. There were no fines. The ICO imposes financial penalties only when there has been demonstrable damage to those whose data are compromised. [Source] [Source]

US – Citigroup Suffers Another Data Breach

Attackers have reportedly stolen and sold details of more than 92,000 payment cards belonging to Citigroup’s Citi Cards Japan (CCJ) customers. The compromised data include names, dates of birth and account numbers, but not personal identification numbers (PINs) or CVV security codes. The data breach does not appear to have been the result of an online intrusion. Authorities have been notified and an investigation is underway. Customers have been notified as well and CCJ will re-issue cards as needed. Earlier this year, Citigroup suffered a breach that compromised card information of 360,000 accounts. [Source] [Source] [Source]

Identity Issues

CA – Most Canadians Can Be Uniquely Identified from Date of Birth and Postal Code

There are increasing pressures for health care providers to make individual-level data readily available for research and policy making. But Canadians are more likely to allow the sharing of their personal data if they believe that their privacy is protected. A new report by Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the University of Ottawa and the Children’s Hospital of Eastern Ontario Research Institute, suggests that Canadians can be uniquely identified from their date of birth, postal code, and gender. This means if this triad of data exists in any database, even if it has no names or other identifying information, it would be possible to determine the identity of those individuals. The report is now available in BMC Medical Informatics and Decision Making Journal. [Source]
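The claim above is about equivalence classes: if a row's date of birth, postal code and gender match nobody else's, the row is unique even though it carries no name. The following added example (not from the report or its authors) measures that on a constructed ten-record extract with invented values, then shows the standard mitigation of generalising the triad (year of birth, the three-character forward sortation area, gender) and re-measuring. The k-anonymity framing and the generalisation choice are mine, not the report's.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, str]
KeyFn = Callable[[Record], Tuple[str, ...]]

# Constructed sample: a "de-identified" health extract with names removed but
# the quasi-identifier triad (date of birth, postal code, gender) kept.
# All values are invented for illustration; none describes a real person.
RECORDS: List[Record] = [
    {"dob": "1974-03-09", "postal": "K1A 0B1", "gender": "F", "dx": "asthma"},
    {"dob": "1974-07-21", "postal": "K1A 0B7", "gender": "F", "dx": "migraine"},
    {"dob": "1981-11-22", "postal": "K1A 0B1", "gender": "M", "dx": "diabetes"},
    {"dob": "1981-02-05", "postal": "K1A 0B9", "gender": "M", "dx": "asthma"},
    {"dob": "1965-01-15", "postal": "K2P 1L4", "gender": "F", "dx": "hypertension"},
    {"dob": "1965-08-02", "postal": "K2P 1L4", "gender": "F", "dx": "asthma"},
    {"dob": "1978-12-12", "postal": "K2P 2N5", "gender": "M", "dx": "diabetes"},
    {"dob": "1978-12-12", "postal": "K2P 2N5", "gender": "M", "dx": "fracture"},
    {"dob": "1990-06-30", "postal": "K2P 1L4", "gender": "M", "dx": "asthma"},
    {"dob": "1990-06-30", "postal": "K2P 2N5", "gender": "M", "dx": "migraine"},
]


def exact_key(r: Record) -> Tuple[str, ...]:
    """The triad as released: full date of birth, full postal code, gender."""
    return (r["dob"], r["postal"], r["gender"])


def generalized_key(r: Record) -> Tuple[str, ...]:
    """A coarsened triad: year of birth, forward sortation area (the first
    three characters of a Canadian postal code), gender."""
    return (r["dob"][:4], r["postal"][:3], r["gender"])


def class_sizes(records: Iterable[Record], key_fn: KeyFn) -> Counter:
    """Size of each equivalence class, i.e. how many records share a key."""
    return Counter(key_fn(r) for r in records)


def uniqueness_rate(records: List[Record], key_fn: KeyFn = exact_key) -> float:
    """Fraction of records alone in their class. Anyone who knows a person's
    triad (a neighbour, an employer, a voter list) can pick that row out."""
    sizes = class_sizes(records, key_fn)
    unique = sum(1 for r in records if sizes[key_fn(r)] == 1)
    return unique / len(records)


def min_k(records: List[Record], key_fn: KeyFn = exact_key) -> int:
    """Smallest class size: the k for which the release is k-anonymous."""
    return min(class_sizes(records, key_fn).values())


def risk_report(records: List[Record]) -> Dict[str, float]:
    """Before/after view a data custodian would put in a release review."""
    return {
        "exact_unique_fraction": uniqueness_rate(records, exact_key),
        "exact_min_k": min_k(records, exact_key),
        "generalized_unique_fraction": uniqueness_rate(records, generalized_key),
        "generalized_min_k": min_k(records, generalized_key),
    }


if __name__ == "__main__":
    for name, value in risk_report(RECORDS).items():
        print(f"{name}: {value}")
```

On this toy extract 8 of 10 rows are unique on the exact triad, and generalising brings every class to size 2; on a real population the same measurement is what justifies (or refuses) a release, and the sensitive column is only as protected as the smallest class that carries it.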

WW – Google+ Introduces Identity-Verification Badges

Google is adding badges that certify the identity of users of its Google+ social networking site, starting with public figures and with people who have been added by many as contacts. Later on, the verification badges will be available to a bigger scope of users who aren’t famous or broadly popular on the site, Google official Wen-Ai Yu said in a Google+ post. For now the main goal is to inform users which is the official profile of a singer, actor, politician, public figure or popular Google+ account holder they may want to add to their Google+ Circles to follow their public posts. “When you visit the profile of a celebrity or public figure, you’ll see a verification badge next to their profile name. This will help you easily determine which profiles are owned by real, verified people,” she wrote. Verified Google+ accounts will feature a gray checkmark inside a lighter-gray circle next to the person’s profile name. It’s not clear from Yu’s post how many “followers” a Google+ user needs to have to qualify as someone whose account merits having a verification badge. Other social media sites feature verified accounts, including Twitter, which is used by many public figures to communicate with their fans. [Source] See also: [Judge warns about growing problem of ‘mistrial by Google’]

US – Posing as a Different Facebook User Can Constitute Identity Theft, US Court Rules

A California Court of Appeal ruled that a school pupil had committed identity theft under Californian laws when he obtained a schoolmate’s email password, used it to gain access to her Facebook account, and posted sexually suggestive messages whilst posing as the girl. Wilfully obtaining personal identifying information and using it “for an unlawful purpose” without the person’s consent is illegal under the provisions of California’s Penal Code. [Source]

UK – Council Sued for Unmasking Twitter User

The first Briton to have his Twitter identity forcibly revealed by a court is seeking to sue the council that blew his anonymity and force a judicial review of the case. A review could have implications for whistleblowing websites – and for a council that used public funds to unmask a perceived detractor. [Source] See also: [The War On Anonymity] and [The Re-Identification Risk of Canadians From Longitudinal Demographics – Khaled El Emam, BMC Medical Informatics & Decision Making 2011]

Intellectual Property

US – Future iDevices Could Work With Privacy Glasses

The U.S. Patent & Trademark Office recently published a new patent application from Apple that details the company’s designs for privacy glasses for future iDevices. It happens to a lot of us: we are sitting at the local coffee shop minding our own business, eyes fixed firmly on our iPhone, iPod touch or iPad, when suddenly we get the feeling that someone is watching. Turning around confirms it: someone is checking out the iDevice, and depending on what is on the screen, that stranger might just have seen something important. To help customers keep private information private, Apple is working on a privacy mode that might be included in future iDevices and MacBooks. The mode would pair the glasses with specific screen filters; in other words, without the glasses you could not see what was on the iDevice screen. [Source]

Internet / WWW

UK – U.K. Police Claim Rioters Using Blackberry Messenger

Ontario’s Research In Motion says it will work with London police after authorities said the company’s BlackBerry Messenger service is helping fuel rioting in the city. Scotland Yard has said it is tracking down any rioters inciting violence using Facebook, Twitter or BlackBerry Messenger (BBM) as the riots raged for a third night. But unlike the often public world of Twitter and Facebook, BBM is heavily encrypted and untraceable to authorities, unless they have access to RIM’s servers. It is a private network in which messages can only be accessed by those who hold the PIN of the person they are messaging. The service is quite popular with teens for that very reason in places with authoritarian governments, such as the United Arab Emirates or Saudi Arabia. RIM says it will “assist” authorities, prompting privacy concerns from some users, although the company has clashed with governments before on similar privacy issues. [Source] [Source]

IN – Indian Government Demanding Access to Monitor Communications

Blackberry parent company Research in Motion (RIM) is facing yet another deadline from India’s government regarding its failure to comply with requirements to make data sent over its network “intercept-friendly.” Some are guessing that RIM may be forced to set up a server in the country to give the government the ability to intercept communications. RIM’s earlier proposal to provide users’ enterprise server IP addresses and the PINs and IMEI numbers of each Blackberry device used by subscribers was deemed unacceptable by India’s government. The government also wants the department of telecommunications to “ensure effective monitoring of Twitter and Facebook.” [Source] [Source]

WW – Anonymous Says It Will Take Down Facebook On Nov. 5

Hacktivist group Anonymous said that it will target Facebook for a takedown on Nov. 5, aka Guy Fawkes Day. Those claiming to be members of the group uploaded a video to YouTube in mid-July announcing the operation, which was spotted by Rosie Gray of The Village Voice. Why is the group targeting Facebook? The video message is most critical of Facebook’s privacy policies, saying the site does not provide its users with enough choice or transparency. [Source] UPDATE: [Threat To Destroy Site May Be Hoax]

EU – European Companies Avoiding U.S. Cloud Providers

European companies are choosing not to use U.S.-based cloud service providers because of legal obligations the service providers have to the U.S. government under the USA Patriot Act. According to the U.S. legislation, data that is stored, processed or retained by a U.S.-based service provider must be made available for inspection by U.S. authorities without notification to users, which is a violation of the European Data Protection Directive. One European IT chief said, “We would never be able to use a U.S.-based provider of cloud services, even if the data is stored in a data center in the EU,” suggesting that European companies would instead use local service providers. [The Financial Times]

Law Enforcement

EU – Germany: Police Officers Riled By New ID Requirement

Berlin police must now wear personal identification on their uniforms, but many German officers say the requirement puts their lives at risk. Said one: “Even as police officers we live completely openly in our private lives … I’m afraid criminals could track me down. You deal with the same people for years and they start to hate you personally.” Although police officers in other western countries like the United States and Britain have been required to wear numbers or name tags for years, Berlin last month became the first German state to mandate their use among uniformed officers. [Source] [Source] See also: [MPs Urge Gov’t to Consult with ICO on ID-handling Plan]

US – Data From Sheriff Departments Stolen and Posted Online

A group of cyber attackers operating under the umbrella of the Anonymous collective have released a 10GB cache of data taken from US law enforcement agencies’ computer networks. The data exposure appears to be a retaliatory action for the arrests of people who were allegedly involved in earlier cyber attacks. The compromised information includes SSNs, email messages, information about stolen credit cards and informant data. The data appear to have been taken two weeks ago from servers at Brooks-Jeffrey, an Arkansas-based company that hosts sheriff association websites. [Source] [Source] [Source] [Source] See also: [60% of Toronto arrests lead to strip searches]


US – Court: GPS Technology Conflicts with Legislation

Courts around the U.S. are grappling with how to balance law enforcement’s use of GPS data with an individual’s right to privacy. A district judge in Maryland recently denied a warrant requested by federal authorities who were attempting to locate a suspect via his cellphone’s GPS data. The judge said that for some, “this use of location data…would appear chillingly invasive.” Meanwhile, courts in California and Oregon have upheld warrantless GPS searches by authorities, and the U.S. Supreme Court will review a GPS privacy case, The Baltimore Sun reports. “For investigators, the cellphone has become one of the greatest tools available,” says one expert. “But certainly we want to do this the right way and protect people’s right to privacy.” [Source]

CA – Toronto Real Estate Board, Regulators Clash Over Privacy Rights in VOW Policy

The Toronto Real Estate Board says the privacy rights of consumers are at stake in a lawsuit brought against the board by Canadian regulators regarding the operation of virtual office websites (VOWs). Canada’s Competition Bureau filed suit against TREB in May, claiming the board hasn’t allowed brokers to provide consumers with access to detailed multiple listing service (MLS) data through password-protected VOWs like those operated by ZipRealty and Redfin in the U.S. In June, TREB – North America’s largest real estate board at 31,000 members – published a proposed policy that would allow members to operate VOWs. Last month, in an amended complaint, the Competition Bureau said the proposed policy restricted the display of sold and pending listings and the compensation offered to the buyer’s broker through VOWs, and alleged the policy would “entrench and perpetuate the traditional ‘bricks and mortar’ business model for providing real estate brokerage services,” and “constitute a further anti-competitive act” under Canada’s Competition Act. TREB filed a formal response to the amended complaint Friday denying that “TREB’s policies with respect to the use of and access to the TREB MLS constitutes a practice of anti-competitive acts.” The response added that TREB’s policies “have been formulated to safeguard the privacy rights of TREB’s members and TREB’s members’ customers … in their individual listings and to ensure TREB and its members are compliant with their respective statutory obligations.” [Source]

US – Groupon Shares Mobile Location Plans With Congress

Groupon Inc disclosed some details of its plan to offer location-based offers through mobile phones when the largest daily deal company responded to Congressional questions about its privacy policies. Groupon general counsel David Schellhase said the company is developing technology that will track customers’ location, even if they don’t have a Groupon app open on their phones, according to an August 10 letter to the co-chairmen of the House Bi-Partisan Privacy Caucus: Joe Barton, a Texas Republican, and Edward Markey, a Massachusetts Democrat. [Source]

US – LinkedIn Backs Off Ad Scheme Over Privacy Gaffe

LinkedIn has announced that it will no longer pursue its new form of advertising called “social ads,” which shared users’ activities and included their pictures. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company’s changes may have breached Dutch privacy law. The company’s head of marketing solutions told users, however, that “The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network.” [The Wall Street Journal] See also: [Press Release: Dutch Data Protection Authority Maintains Decision to Impose a Penalty on Google]


IN – India Exempts Outsourcers from New Privacy Rules

Personal data sent to India by customers outsourcing work to companies in the country will not be covered under new rules governing the collection of such information, the government said, providing relief to India’s large outsourcing industry. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 introduced in April require companies or their intermediaries to take consent in writing from individuals about the use of the sensitive personal information they collect. The new rules would make it difficult for Indian outsourcers to operate if they were required to take written consent from individuals in other countries whose data they collect and process through call centers and business process outsourcing operations. [Source] [India exempts outsourcers from new privacy rules]

CN – Ministry Proposes New Rule for PI

China’s Ministry of Industry and Information Technology (MIIT) is seeking comment on a draft rule regulating the processing of personal information by “Internet Information Service Providers,” defining “Internet Information Services” as “service activities for the provision of information to Internet users over the Internet.” If enacted, the rule’s provisions include requiring Internet Information Service Providers to refrain from collecting personal information (PI) without users’ consent, only collect PI as necessary to provide services, inform Internet users of how and why their PI is collected, not disclose PI to third parties without consent and “immediately take remedial measures” in the event of any breach. [Hunton & Williams Privacy and Information Security Law Blog]

Online Privacy

WW – Facebook Unveils New Settings

Facebook has unveiled new options to help users manage the amount of information they share on the site and with whom. The changes will allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being “tagged” by others in posted photos, or choose to block a user entirely—disabling them from photo tags or other interactions on the site. The company wants to make the sharing options “unmistakably clear,” said a Facebook spokesman. [The Wall Street Journal]

WW – Facebook: “Anonymity on the Internet Has to Go Away”

Facebook’s marketing director Randi Zuckerberg, who also happens to be Facebook co-founder and CEO Mark Zuckerberg’s sister, wants to put an end to online anonymity. She believes that Internet users would act much more responsibly online if they were forced to use their real names at all times. During a Marie Claire round table discussion on cyberbullying and social media, Randi explained how using real names online could help curb bullying and harassment on the web, according to Huffington Post: “I think anonymity on the Internet has to go away… People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.” Zuckerberg was asked several times to name what new features Facebook will offer to better safeguard security on the social networking site. Unsurprisingly, she refused to give specific examples of forthcoming initiatives: “There’s so much more we can do. We’re actively trying to work with partners like Common Sense Media and our safety advisory committee.” Five months ago, Facebook announced new safety resources and tools for reporting issues, in conjunction with a White House summit for preventing bullying. Four months ago, the company rolled them out. [Source] see also: [Datatilsynet, Norway – Social Network Services and Privacy: A Case Study of Facebook | Source | Source]

EU – Schleswig-Holstein Commissioner Orders Site Owners to Deactivate FB Analytics

The Independent Centre for Privacy Protection (ULD), the privacy regulator for the German state of Schleswig-Holstein, has told website owners in that state to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’ button” from their sites. In a press release, the ULD said that “after a thorough legal and technical analysis,” it concluded that use of such features violates the German Telemedia Act, the Federal Data Protection Act and the Data Protection Act of Schleswig-Holstein. [Source] See also: [The Next Online Privacy Battle: Powerful Supercookies] and [SurfEasy: Browsing privacy for Grandma] and [New Site: Watch Ads, Give Data, Get Prizes]

US – Company Settles Behavioral Targeting Lawsuit

Defunct ad company NebuAd has agreed to a $2.4 million settlement in a class-action privacy lawsuit based on its behavioral targeting practices. The seven Web users who filed the suit will receive $1,000 to $5,000 each. The case stemmed from NebuAd’s partnership with six ISPs to gather data about Web users’ online activities, “including search queries and activity at non-commercial sites,” the report states. The plaintiffs claimed such practices violated federal and state privacy laws. NebuAd’s insurers will reportedly fund the settlement. Lawsuits are pending against the six ISPs NebuAd partnered with before it folded in 2008. [MediaPost News] See also: [Hoofnagle: Users “Outgunned” By Marketers | Paper on SuperCookies]

US – ISP Tracking Spurs Class-Action Suit

Researchers have discovered that some Internet service providers (ISPs) have been rerouting users’ online traffic to provide Web search results “that can generate money for firms selected by the ISP as well as the ISP itself.” The practice has resulted in a class-action lawsuit against companies Paxfire and RCN, and Sen. Richard Blumenthal (D-CT) has said he is considering investigating the practice. Referencing past ISP tracking incidents, the report suggests the key issue is “ISPs, in their quest for revenue, are once again interfering with users without their knowledge or consent.” [Source] See also: [Statutory Instrument No. 336 of 2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations – Ireland]

US – Foursquare To Sell Tracking Abilities to Merchants

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track–and therefore better target specials to–their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize “free” services, and Foursquare’s method may end up putting them in the center of the privacy debate. “The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade,” Sherman writes. “Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities.” [Source]

WW – Microsoft Stops Secretly Tracking Users’ Browsing Habits

Microsoft has removed code from its MSN web site that tracked its users’ browsing habits, even if those users intentionally deleted their cookies in order to preserve their privacy. Mike Hintze, associate general counsel, regulatory affairs, Microsoft, announced in a blog that the firm investigated the code once it was brought to its attention by a researcher. According to researchers, including Jonathan Mayer at Stanford University, “supercookies” are capable of re-creating users’ cookies or other identifiers after people deleted regular cookies. “We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites,” Hintze wrote. He added that the company removed the code, and reassured users that the information potentially gleaned from the “older code” had not been shared with external organisations. [Source] See also: [‘Related’ Browser Add-On: Handy, But at Cost to Privacy] see also: [Hackers in the bloodstream: Diabetics vulnerable to attack on insulin pumps, sugar monitors]

US – Case Dismissed Against Advertisers, Not Network

A federal judge has dismissed a potential class-action lawsuit against four advertisers that allegedly acted “in concert with the ad network Interclick to use controversial ‘history-sniffing’ techniques for online tracking.” However, the judge “did not entirely dismiss the lawsuit against the ad network,” the report states. Privacy advocates have spoken out against such practices, but a paidContent report suggests the court’s actions indicate they may not be illegal. Scott Kamber, the attorney who filed the case, points out, however, that it can now move forward, saying “the judge has recognized that there is a wrong here that can be remedied.” [MediaPost News]

US – NARC To Begin Self-Regulatory Program Enforcement

The Better Business Bureau’s National Advertising Review Council (NARC) is going to enforce privacy principles for online behavioral targeting. NARC will also reach out to companies that aren’t following the program to ask that they engage. The program requires ad networks using behavioral targeting techniques to notify users about the data collection through a standard icon and allow them to opt out of receiving such ads. NARC says it will name companies that fail to follow the principles. [MediaPost]

UK – Man Reveals Secret Recipe Behind Undeletable Cookies

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode. The “ETag” technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month. [Source] [CEO Defends ETag Intent]

WW – Company Advises Against UDID

Software developers who build programs for Apple’s operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users’ online behavior. A deadline for the change has not been specified, but the company’s website tells developers that the tracking tool “has been superseded and may become unsupported in the future.” The Center for Democracy & Technology’s Justin Brookman said, “I want to see how this all plays out, but at first glance, this is a really good result for consumers.” [The Wall Street Journal]

WW – Flickr’s New ‘Geofence’ Settings Protect Your Geoprivacy

The popular photo sharing website Flickr has introduced a new way to geotag your photos without revealing your location to the entire web. Flickr’s new “Geofence” settings give users more granular control over their geotagged photos. Perhaps the best part of the new Geofence features is how dead simple they are to use – simply draw a circle on a map, choose a geoprivacy setting for that area, and you’re done. Your new fence will apply to any future photo uploads, and Flickr will offer to update the privacy settings on any existing images that fall within your new fence. Previously, Flickr limited its geotagging options to a simple yes or no – either you shared location data with everyone or with no one. Now you can share location data with only those people you trust. For example, you might leave the geodata for your vacation photos visible to everyone, but limit the location data of photos around your house to only your friends and family. Where two geofences overlap, Flickr defaults to the more restrictive of the two. For example, if you draw a circle around your house and limit it to the most restrictive group, “Family,” and then draw a circle around your whole neighborhood and limit that to “Friends,” any areas where the two overlap will still be limited to only the Family group. [Source] SEE ALSO: [The Leaky Nature of Online Privacy]
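The overlap rule described above, as an added example that is not Flickr’s own code: circular fences around a point, with the most restrictive fence winning, generalised to any number of overlapping fences rather than just two. Fence names, coordinates, the sample photos and the full ordering of audience levels are constructed assumptions; only “Family” and “Friends” come from the article.

```python
"""Resolving a photo's geoprivacy level from overlapping circular geofences.

Added example modelled on the Flickr behaviour described in the text; not
Flickr's code.  Coordinates, fence names and the level ordering are constructed.
"""
from dataclasses import dataclass
import math

# Audience levels from least to most restrictive.  Only "friends" and "family"
# are named in the article; the complete ordering here is an assumption.
LEVELS = ("public", "friends", "family", "private")

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float        # centre latitude, degrees
    lon: float        # centre longitude, degrees
    radius_m: float   # circle radius in metres
    level: str        # one of LEVELS


@dataclass(frozen=True)
class Photo:
    photo_id: str
    lat: float
    lon: float
    level: str        # the photo's current geoprivacy setting


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def fence_contains(fence, lat, lon):
    """True when the point lies on or inside the fence's circle."""
    return haversine_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


def most_restrictive(levels):
    """Strictest of the given levels; LEVELS runs least -> most restrictive."""
    return max(levels, key=LEVELS.index)


def resolve_level(fences, lat, lon, default="public"):
    """Level a photo at (lat, lon) should get: the strictest level among all
    fences containing it, or `default` when no fence applies."""
    hits = [f.level for f in fences if fence_contains(f, lat, lon)]
    return most_restrictive(hits) if hits else default


def photos_needing_update(fences, photos):
    """Existing photos inside at least one fence whose current setting is looser
    than the fence-resolved level.  Never loosening an explicitly stricter photo
    setting is a choice made here, not something the article states."""
    out = []
    for p in photos:
        if not any(fence_contains(f, p.lat, p.lon) for f in fences):
            continue
        wanted = resolve_level(fences, p.lat, p.lon)
        if LEVELS.index(wanted) > LEVELS.index(p.level):
            out.append((p.photo_id, wanted))
    return out


# Constructed sample: a house fence nested inside a wider neighbourhood fence.
HOUSE = Geofence("house", 51.5000, -0.1200, 200.0, "family")
NEIGHBOURHOOD = Geofence("neighbourhood", 51.5000, -0.1200, 2000.0, "friends")
FENCES = (HOUSE, NEIGHBOURHOOD)

SAMPLE_PHOTOS = (
    Photo("p1", 51.5005, -0.1200, "public"),  # ~56 m from home: both fences -> family
    Photo("p2", 51.5100, -0.1200, "public"),  # ~1.1 km: neighbourhood only -> friends
    Photo("p3", 40.4000, -3.7000, "public"),  # far away: no fence -> stays public
)

if __name__ == "__main__":
    for pid, lvl in photos_needing_update(FENCES, SAMPLE_PHOTOS):
        print(f"{pid}: offer to change geoprivacy to {lvl}")
```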

UK – BBC Sets Out Social Network Picture Use Policy

The BBC will use pictures published on social network sites without rights holders’ consent “where there is a strong public interest” and if there are time constraints on a major story, the corporation has said. BBC social media editor Chris Hamilton outlined the policy after a BBC staff member expressed the wrong views on the use of copyrighted works in response to a viewer complaint. The complaint detailed concerns at the way the BBC credited pictures as being “from Twitter” and said the BBC should “give proper credit to photographers”. “In terms of permission and attribution, we make every effort to contact people who’ve taken photos we want to use in our coverage and ask for their permission before doing so,” Hamilton said in a BBC blog. “However, in exceptional situations, where there is a strong public interest and often time constraints, such as a major news story like the recent Norway attacks or rioting in England, we may use a photo before we’ve cleared it. We don’t make this decision lightly – a senior editor has to judge that there is indeed a strong public interest in making a photo available to a wide audience.” [Source] See also: [Ohio couple can sue company for spying on sex chat] see also: [The New York Times: On Its Own, Europe Backs Web Privacy Fights]

Other Jurisdictions

IN – Indian Gov’t Exempts Outsourcers from Consent Requirements

On August 25, in response to pressure from the $14 billion Indian BPO industry, the government clarified the new rules under Section 43A of the Information Technology Act to exempt outsourcers from the need to obtain the written consent of data subjects of information received from clients outside India. As predicted, this requirement applies only to “bodies corporate” operating within India. Both IT lobby NASSCOM and the Data Security Council of India (DSCI) welcomed the statement issued by the Ministry of Communications & Information Technology (MCIT).

PE – Details Emerge about New DP Law in Peru

An English translation of Peru’s Law for Personal Data Protection, signed into law in July, shows that a data protection authority, the National Authority for Personal Data Protection, will be established and given the ability to levy fines for violations of the law. In addition, a National Register of Personal Data Protection will be developed to record, for a fee, publicly or privately administered databases of personal information, as well as authorizations issued by the Authority pursuant to the law.

AU – Rethink Urged on Australian Cyber Bill

Privacy concerns must be balanced against any proposed increase in powers to crack online criminal networks, a parliamentary inquiry has recommended. A review of the federal government’s cybercrimes bill was tabled in the Senate on Thursday by the chairwoman of the joint select committee on cyber safety, Labor senator Catryna Bilyk. In June, Attorney-General Robert McClelland introduced legislation that amends a range of laws to enable Australia to accede to the Council of Europe Convention on Cybercrime. The Cybercrime Legislation Amendment Bill allows law-enforcement agencies to request the preservation of communications that could be sought under warrant as evidence. It also increases international cooperation between Australian and overseas cybercrime investigators and extends the scope of existing commonwealth computer offences. Senator Bilyk said the committee had tabled a unanimous report with 13 recommendations. [Source]

HU – Hungarian Ombudsman Rules Personal Data in Govt Survey Be Destroyed

Hungary’s data protection ombudsman, Andras Jori, has declared that the personal data collected from a government-issued survey has not been handled correctly, should be deleted from the records and should not be used or processed in the future. In June, Jori established that the questionnaires did not meet the country’s data protection law and ordered the data be erased, but Jori said that the agency in charge of destroying the data has not complied with his instructions, prompting him to ban the database containing the personal information. [Politics.hu] [Source]

SK – South Koreans Sue Apple Over iPhone Privacy

A group of nearly 27,000 South Koreans is suing Apple for $26 million for what they claim are privacy violations from the collection of iPhone user location information. Each person in the suit is seeking $932 in damages, said Kim Hyeong-seok, one of their attorneys. He said they are targeting Apple Inc. and its South Korean unit to “protect privacy” rights. South Korea’s communications regulator earlier this month ordered Apple’s local operation to pay a 3 million won fine for what it said were violations of the country’s location information laws. [Source]

SK – KCC Proposes Plan for Online Data Protection

In light of a recent breach affecting 35 million citizens, the Korea Communications Commission (KCC) has announced a plan that will require website operators to limit the amount of stored personal information of users and to encrypt data that is stored. Under the proposal, websites would be required to encode information such as telephone numbers and e-mail addresses and provide free security software to companies that cannot afford the required security systems upgrade but would not be able to request resident registration numbers from subscribers. The KCC will have a “detailed action plan” by December, the report states. [The Chosun Ilbo]

NZ – New Zealand Privacy Act Strengthened: Law Commission Report Highlights

The Law Commission’s proposals, released last week, to update and strengthen the Privacy Act 1993 contemplate both detailed technical changes and major departures from how data privacy is regulated. This Brief Counsel summarises the key recommendations in the final report of the Commission’s vast four-part review.

  • The Privacy Commissioner as enforcer: The most significant change recommended by the Law Commission is to grant the Privacy Commissioner enforcement powers. Currently the Privacy Commissioner has a facilitative role only in a complaints-driven process.
  • The Law Commission recommends the Privacy Commissioner be empowered to:

– determine access complaints

– issue compliance notices, and

– require agencies to undergo audits of their information privacy procedures in certain circumstances.

  • The Privacy Commissioner would have the power to require an agency to be audited where there is good reason to do so.
  • The Review recommends the Privacy Commissioner be charged with developing protocols for auditing requirements and situations.
  • The Review proposes a threshold for mandatory notification, to the individual concerned and to the Privacy Commissioner, where the breach is serious. Responsibility for determining whether a breach is “serious” would lie with the agency. Criteria for making this decision would include:

– whether or not the information disclosed is particularly sensitive

– who may have access to the information

– whether it is reasonably foreseeable that significant harm may result from the breach, and

– the scale of the breach.

The Review recommends a number of other changes, including:

  • removing the need for a threat to health and safety to be “imminent” in order to allow disclosure of personal information
  • creating a new exception to principle 11 to expressly permit an agency to report to a public sector law enforcement agency any reasonably held suspicion or belief that an offence has been or may be committed
  • requiring the Privacy Commissioner, the Ministry of Justice and the Ombudsman to work together to develop guidance or commentary on the maintenance of the law as a ground to refuse or withhold the provision of information, and
  • implementing a new information sharing framework for the sharing of personal information between government agencies.

To ensure that inaccurate information is not perpetuated, and to guard against the threat of misuse and a loss of trust in the government, the Law Commission has prepared a ministerial briefing (reproduced as Appendix 1 of the Review) outlining a suggested information sharing framework. With over 120 recommendations, the Commission has plenty more to say than the provisions highlighted above. Other key recommendations include:

– express provisions clarifying that agencies sending PI offshore remain fully responsible for that information and must take reasonable steps to ensure that the information will be subject to acceptable privacy standards where the information will not be held or processed on the agency’s behalf

– removing the exemption from the Act for information collected or held in connection with a person’s personal or domestic affairs, where the use or disclosure would be “highly offensive” (the “no posting compromising photos of your ex” prohibition), and

– asking appropriate industry bodies to consider implementing a legally enforceable Do Not Call register, through the mechanism of the Fair Trading Act or other market regulation (supplementing the commercial electronic message unsubscribe regimes provided for under the Unsolicited Electronic Messages Act). [Source] [The New Zealand Herald]

RU – Russia Amends Federal Data Protection Law

Amendments to Russia’s federal Law on Personal Data, effective July 27, 2011, directly affect Russian companies that record the contact information of people in computer databases (e.g. medical centers, mobile operators, banks, insurance companies, pension and investment funds, hotels and travel agencies), requiring them to ensure data processed is adequate, relevant, and not excessive in relation to the purposes for which they are processed and choose methods to ensure personal data security as approved by the Federal Security Service or Federal Technical and Export Control Service. The amendments give citizens the right to demand compensation for moral damage or damages in case of leakage of personal information. Strict limitations are imposed on the use of electronic means of communication for direct marketing, including requirements to obtain express consent before sending marketing communications by SMS or e-mail (a lack of prior consent is presumed) and cease sending of marketing communications at the notice of the individual, and prohibiting the use of autodial to send SMS and e-mail marketing. [Source] [Source]

Privacy (US)

US – FTC Fines Mobile App Developer Over Children’s Privacy

The FTC has announced a $50,000 settlement with a developer of mobile applications for children. The developer had been charged with violating the Children’s Online Privacy Protection Act by collecting information from children who used the apps without their parents’ permission. The case was the commission’s first to involve mobile applications, or apps. The charges included collecting and storing children’s e-mail addresses and allowing children to post personal information on public message boards. The company, W3 Innovations, which owns Broken Thumbs Apps, created mobile games and apps for children including Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion. According to the commission, the apps were downloaded more than 50,000 times by children under 13. In addition to the $50,000 penalty, the company will be required to delete the personal information it collected. [Source] [Source]

US – Privacy Lawsuit Targets ComScore

Online data tracking service comScore Inc siphons confidential information including passwords, credit card numbers and Social Security numbers from unsuspecting users, according to a lawsuit filed this week. The proposed class action, filed on behalf of two plaintiffs who downloaded comScore software, also alleges that comScore scans all files on users’ personal computers and modifies security settings, among other claims. The lawsuit against comScore, one of the leading companies that measure and analyze Internet traffic, seeks an injunction against several alleged practices, as well as damages under U.S. electronic communications privacy laws. ComScore collects data from people who receive free software and chances to enter sweepstakes in exchange for their participation. It sells that information to more than 1,800 businesses around the world, including Best Buy Co, Facebook, Microsoft Corp and Yahoo Inc, according to comScore’s website. [Source] [ComScore takes users’ credit card numbers: lawsuit]

US – Company Wants Class-Action Dismissed

Consumers who filed a class-action lawsuit against Amazon haven’t sufficiently alleged that they were harmed, the company says. Amazon is asking that the lawsuit—which alleges the company used cookies to track users via a privacy policy that misrepresented its practices—be dismissed. “Plaintiffs assert attenuated theories of liability and harm, recognized by no court or law, based on Amazon’s alleged practices in setting ‘cookies’ on users’ computers,” the company says in court papers, adding that the users suffered no tangible economic harm. [MediaPost News]

US – University Receives $3.2M for Research

The University of Illinois at Chicago (UIC) is receiving $3.2 million from the National Science Foundation to conduct an electronic privacy study. UIC will receive the funding over the next five years to form an Integrative Graduate Education and Research Traineeship program. Graduate students enrolled in the program will study electronic security and privacy issues in business, engineering, legal and social science. Discussing computer viruses, cyber-attacks and identity theft, the grant’s principal investigator said, “Technological expertise is a necessity to fight these threats, but technological solutions divorced from human, social, economic and legal considerations all-too-often fail.” [Newswise]

US – In New Jersey, Rules Are Changed on Witness IDs

The New Jersey Supreme Court, acknowledging a “troubling lack of reliability in eyewitness identifications,” issued sweeping new rules making it easier for defendants to challenge such evidence in criminal cases. The court said that whenever a defendant presents evidence that a witness’s identification of a suspect was influenced, by the police, for instance, a judge must hold a hearing to consider a broad range of issues. These could include police behavior, but also factors like lighting, the time that had elapsed since the crime or whether the victim felt stress at the time of the identification. When such disputed evidence is admitted, the court said, the judge must give detailed explanations to jurors, even in the middle of a trial, on influences that could heighten the risk of misidentification. In the past, judges held hearings on such matters, but they were far more limited. The decision applies only in New Jersey, but is likely to have considerable impact nationally. [Source]

Privacy Enhancing Technologies (PETs)

WW – Start Up Allows for Privacy On the Web

A social network launched in April of this year claims to give people “real-world style, disposable interaction on the web.” In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the “go-to place” for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from the users’ browsers as well as from the company’s servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. “A lot of this data analysis, complex or not, can occur in realtime,” he says. [PaidContent | Part 1: Disconnect | Part 2: Everloop] See also: [IPC ON – Privacy By Design in Law, Policy and Practice: a White Paper for Regulators, Decision-Makers and Policy-Makers]


US – Valley Doctor Devises Microchip to Manage Implant Patient Records

Dr. Berger, in association with the University of Pittsburgh and Doctor Marlin Mickle, has created a microchip that contains the medical history of the joint and even keeps records of the movement of the knee joint. “Once an implant is put into the patient there is always a need for paper records and if the patient needs it in a hurry, the Ortho-Tag will be able to provide the information,” said Berger. “The tag keeps the history of the artificial joint and records the range of movement that will help physical therapists treat the patient. And it will act as an early warning system for infection of the joint.” [Source]


EU – ENISA: A Security Analysis of Next Generation Web Standards

To accommodate innovations in web applications and their business models, a new generation of web standards is being developed, including an overhaul of HTML (HTML5), cross-origin communication standards (such as CORS and cross-origin XHR), and standards for access to local data such as geolocation, local storage and packaged stand-alone web applications. This report by the European Network and Information Security Agency (ENISA) identifies 51 security threats and issues in those specifications:

  • 25 concern security-relevant capabilities in individual specifications that are not well defined or are insecure (e.g. unprotected access to sensitive information, new ways to trigger form submission to adversaries, adversary-controlled cross-domain requests, and granularity problems in specifying and enforcing least-privilege policies);
  • 8 concern isolation properties (e.g. new ways to escape origin separation and click-jacking protection);
  • the remainder relate to inconsistencies and under-specification of permissions and user involvement.

The report’s recommendations cover controlling functionality (e.g. through enhanced access control policies such as the Content Security Policy specification); permission system design (e.g. a separate permissions specification referenced by all related specifications); more detailed user interface requirements (e.g. permission prompts should be required to show the document origin and whether the permission is for one-shot or ongoing monitoring access); end-user policing (e.g. specifications should require permission awareness indicators so the user knows when a site is using a granted permission, and users should be able to select predefined security profiles); and restricted contexts (e.g. private browsing should be covered by a specification that defines behaviours such as whether permissions are shared outside private browsing mode). [Source]
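The “adversary-controlled cross-domain requests” issue above is easiest to see on the server side of CORS, where the response to the browser’s Origin header decides which foreign pages may read authenticated responses. The following is an added example, not code from the ENISA report or from any of the specifications it reviews: two common weak ways of answering the Origin header (reflecting it unconditionally, and substring-matching it) beside an exact allowlist check. The origins in ALLOWED_ORIGINS, the probe values and the function names are assumptions made for this example.

```javascript
'use strict';

// Constructed allowlist for the example: the only origins permitted to
// make credentialed cross-origin requests to this hypothetical API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak pattern 1: reflect whatever Origin the browser sent and allow
// credentials. A page on any site the victim visits can then issue
// authenticated XHR requests to this API and read the responses.
function corsHeadersReflecting(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === '') return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Weak pattern 2: substring matching on the Origin string. The check
// passes for https://example.com.attacker.net, a host the attacker owns.
function corsHeadersSubstring(originHeader) {
  if (typeof originHeader === 'string' && originHeader.includes('example.com')) {
    return {
      'Access-Control-Allow-Origin': originHeader,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: parse the Origin header with the WHATWG URL parser, reduce it
// to its serialized origin (scheme://host[:port], lowercase host, default
// port dropped) and require an exact allowlist match over https only.
// Opaque origins ("null", sent for sandboxed frames and file: pages) and
// unparseable values are rejected. Vary: Origin stops a shared cache from
// serving a response tailored to one origin to a request from another.
function corsHeadersAllowlisted(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return {};
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch (e) {
    return {};
  }
  if (parsed.protocol !== 'https:') return {};
  const origin = parsed.origin;
  if (!allowlist.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Run directly to see the three policies side by side on a few
// constructed Origin values.
if (typeof require !== 'undefined' && require.main === module) {
  const probes = [
    'https://app.example.com',
    'https://example.com.attacker.net',
    'https://attacker.net',
    'null',
  ];
  for (const o of probes) {
    console.log(o, {
      reflecting: corsHeadersReflecting(o)['Access-Control-Allow-Origin'] || '(blocked)',
      substring: corsHeadersSubstring(o)['Access-Control-Allow-Origin'] || '(blocked)',
      allowlisted: corsHeadersAllowlisted(o)['Access-Control-Allow-Origin'] || '(blocked)',
    });
  }
}
```

Only the third function keeps a credentialed response inside the origins the operator actually chose; the first two hand that decision to whichever page the victim happens to be visiting, which is the class of least-privilege failure the report flags.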

CA – Cyber Attacks Force Businesses to Spend More on Security

One in five Canadian businesses lost at least $274,600 as a result of cyber attacks, according to a survey by Symantec. Nearly half of Canadian businesses are hiring more technology professionals and spending a greater part of their budgets on security to deal with an ever-growing number of IT threats, the survey found, and 45% of respondents believe that cyber security is more important today than it was just a year ago. Apart from malware and cyber attacks, IT teams are also under pressure from the proliferation of consumer-oriented mobile devices now appearing in the workplace. [Source] See also: [Google one of many victims in SSL certificate hack]

US – Lost USB Memory Sticks Affect Bottom Line: Ponemon Study

Lost memory sticks holding sensitive data can be detrimental to a company’s bottom line. That’s according to a recent Ponemon Institute study, which surveyed more than 400 organizations and found they stand to lose about $2.5 million because of missing memory sticks. Nearly half of organizations have lost sensitive or confidential information on USB drives in just the past two years. Many businesses don’t know, or aren’t tracking, all the places their data is stored: it could be the corporate server, desktop or portable PCs, smart phones and portable memory devices. The Ponemon Institute says more than 40% of organizations surveyed have more than 50,000 inexpensive consumer USB drives in use, with nearly 20% having more than 100,000 drives in circulation, typically with very little oversight or control, even after all the high-profile data losses. On average, the companies lost 12,000 records stored on the sticks, costing about $214 per record. More than 70% of survey respondents said they are either certain or feel it likely that data breaches were caused by missing memory sticks. A U.S. Department of Homeland Security experiment placed USB sticks in parking lots and found that 60% of those who picked them up accessed the data. [PCWorld] [Source]

CA – Canadians Lax About Cellphone Security

Less than half of Canadian cellphone and tablet users put password locks on their devices or adjust settings to limit the sharing of personal information stored on them, a poll commissioned by Canada’s privacy commissioner has found. Those aged 18–34 were more likely than older Canadians to use such features. The survey also found that:

  • 1/3 of Canadians use public Wi-Fi at places such as coffee shops and airports where online communications are not always protected by encryption.
  • 1 in 5 users of social networking sites do not adjust privacy settings to control who can see photos and information about them online.

When asked if there were technologies they were particularly concerned about with respect to privacy issues, 40% said the internet, 15% said social networking sites and 11% said cellphone or communications technology. For a similar survey two years earlier, just 26% were concerned about the internet, 2% about social networking sites and 3% about cellphone or communications technology.

  • 85% of public Wi-Fi users were concerned about the risk it posed to their privacy.
  • 45% of social networking site users also expressed concern about the risk to their privacy.
  • 61% felt their personal information is more weakly protected than 10 years ago.
  • Only 14% felt businesses are taking their obligations to protect privacy seriously and 22% thought governments are doing so.
  • 82% opposed giving police and intelligence agencies the power to access email records and other internet usage data without a warrant from the courts.
  • 85% of survey respondents said they were somewhat or very concerned about personal information provided to airport and border crossing agents being shared with foreign authorities.

Meanwhile, a vast majority believe Canada should toughen up laws protecting personal information:

  • 97% of respondents want companies who break privacy laws to be legally required to implement privacy protections. At the moment, the Privacy Commissioner can make recommendations, but must turn to the courts for enforcement if the company refuses to comply.
  • 95% think companies who break privacy laws should be named, 91% think they should be fined, and 84% think they should be taken to court.
  • 83% think internet companies should ask their customers for permission before tracking online behaviour and internet usage. [Source] [Most of us don’t use passwords on mobile devices: Study] and [US: Why Your App Must Comply With Child Privacy Regulations]

WW – Android Malware Further Invades Privacy

New malware discovered on the Android Market can record phone calls, as a growing volume of malware continues to present new problems for Google’s mobile operating system. The Android Trojan, called “Golddream.A,” gets onto phones when people unknowingly download trojanized applications, and then records users’ phone calls. The Trojan stores the recording on the phone’s SD memory card and uploads it to a remote server controlled by the attacker. The new malware, discovered by security researchers at Computer Associates, may be among the most intrusive yet seen on the Android Market, but it is certainly not the first. Reports of security issues with Android software began to pick up in March, when antivirus company Kaspersky identified 70 types of Android malware. The company ran the same test last September and found only two malware threats, suggesting malware will continue to grow on the platform. [Source]

WW – iTunes App Store, Android Market a ‘Gold Mine’ of Personal Info

A survey of 100 apps found that many store a high proportion of personal data unencrypted, making mobile devices a more attractive target for identity thieves and hackers. Across all the apps tested, 76% of account user names could be recovered from the devices, along with 31% of application data, such as location check-ins, and 10% of passwords. Overall, 39% of the apps were given a fail rating by the survey, called “appWatchdog” and conducted over an eight-month period by viaForensics, a digital forensics and security firm. The rating indicates that a variety of sensitive information, including passwords and personal identification numbers (PINs) used through the apps, is regularly stored on, and recoverable from, smartphones. [Source]

US – Why Your App Must Comply With Child Privacy Regulations

The FTC announced a settlement with mobile app developer W3 Innovations, LLC. (W3) and its president, Justin Maples, over alleged children’s privacy violations. The FTC action was intended to send a message to the mobile app market that it will be closely monitoring the industry for business practices that violate consumer protection law, including privacy restrictions. [Source]

CA – Smart Home Security Service Launched by Rogers

A security system that also lets homeowners control appliances and thermostats remotely using a smartphone is being offered by Rogers Communications. Ian Pattinson, vice-president and general manager of Rogers Smart Home Monitoring, a new service that launched in Ontario this week, said his family uses the system to arm security, turn off lights, automatically shut off devices such as a curling iron and adjust the thermostat in a single step when they leave home. Further adjustments can be made using his iPhone while he is out of the house. Privacy built in, Rogers says: Ann Cavoukian, information and privacy commissioner of Ontario, said this kind of emerging smart home technology can bring “significant benefits” to people’s day-to-day lives. Privacy concerns may only surface if the personal information is sent to a central monitoring station. Pattinson said building privacy into the system was important. He noted that the central monitoring station doesn’t have access to the cameras or to information about doors opening or closing, and doesn’t receive copies of the e-mails and text messages with pictures. Each user has a personal four-digit code that grants certain rights to use the system, and that must be entered in addition to a Rogers password in order to control appliances or the security system. He added that the sensors, which cost $49 each, communicate over encrypted links and that the company has employed “white-hat” hackers to test the system’s security. [Source]

US – Report Analyzes Advanced Persistent Threats

In its latest global threat report, Cisco has found that data breaches have been “seemingly nonstop” in 2011, with unique instances of malware more than doubling. The report discusses advanced persistent threats (APTs) and the difficulty of identifying them, saying that APTs “must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses.” A Cisco representative said, “If anyone attempts to sell your organization a hardware or software solution for APTs, they either don’t understand APTs, don’t really understand how computers work or are lying–or possibly all three.” [siliconrepublic]

US – Demand for Info Sec Pros Expected to Grow

According to a report from the recruitment firm Barclay Simpson, demand for information security professionals is up and will continue to grow through the end of the year. “The information security recruitment market recovered during the course of 2010,” the firm said, adding, “By the end of the year, all sectors outside of the public sector were experiencing demand similar to pre-recessionary levels.” According to the report, driving the demand is the need for risk-assessment and Payment Card Industry Data Security Standard skills. [InfoSecurity] [Source]

Smart Cards

US – Visa to Implement Chip and PIN in US

Visa has announced plans to add a layer of authentication to in-person purchases by moving from magnetic stripe to chip-and-PIN technology. The plan will require cardholders to enter a PIN when making purchases at terminals compatible with the new technology, which is already in wide use in Europe. Starting in October 2012, Visa will exempt US merchants from some PCI DSS compliance validation requirements if they conduct at least 75% of their Visa transactions through the new terminals. By April 2013, all US merchants and payment card processors will have to support chip-and-PIN technology. [Source] See also: [Organization Loses PCI Assessor Credentials] [Visa To Waive Some PCI DSS Compliance]


US – ACLU Seeking Information on Police Use of Mobile Device Data for Tracking

Affiliates of the American Civil Liberties Union (ACLU) in 31 states have filed 379 information requests, demanding that state and local law enforcement agencies tell how they use location information from mobile phones to track U.S. residents. Amid a growing debate over whether police or private companies should be able to track mobile-phone users, the public should know how law enforcement agencies are using mobile location data, the ACLU said. The information requests ask local and state law enforcement agencies whether they are obtaining court-approved warrants before tracking mobile-phone users, and how often they are obtaining mobile-phone location data. The ACLU groups also want to know how much money local and state police agencies are spending on mobile-phone tracking. [Source] [Source] [Source] [ACLU] See also: [U.S. plans to provide Iraq with wiretapping system]

US – US Court Order Denies Release of Historical Cell-Site Information

A federal court denied the government’s application to obtain from a cellphone provider (Verizon) records reflecting the historical location of a cell phone over a 113-day period (“cell-site information”). The court held that cellphone users maintain a reasonable expectation of privacy in long-term cell-site location records, because records covering that long a period capture enough location information to depict a detailed and intimate picture of the user’s movements, and that collection of such records effectively enables “mass” or “wholesale” electronic surveillance, raising greater Fourth Amendment concerns than a single electronically surveilled car trip. Although a cellphone user, by choosing to carry, turn on, and make and receive communications from a cell phone, voluntarily discloses information about his location to a third party (a disclosure that would ordinarily eliminate a reasonable expectation of privacy under the third-party disclosure doctrine), the court found that cumulative cell-site location records implicate sufficiently serious privacy concerns that an exception to the doctrine should apply to them to prevent undue governmental intrusion. [Source]

UK – CCTV Puts Eyes on London Rioters

As Britons woke to scenes of devastation from riot-hit cities across the country, they were also bombarded with digital security camera images of some of the looters who caused the havoc. Scotland Yard wasted no time in trawling through footage from a plethora of closed-circuit television (CCTV) security cameras to retrieve shots of the thugs and arsonists who caused the mayhem. The police are aided by the fact that Britain, perhaps more than any other country in Europe, is saturated with hundreds of thousands of cameras that monitor building lobbies, stores and streets for security, watch for traffic jams and bill motorists who drive into London’s city centre in an attempt to reduce traffic congestion. Scotland Yard released 15 photographs of riot suspects, posting the images on the Internet and asking citizens “to identify people that were engaged in criminality.” “We will be coming to arrest you over the coming days — if necessary, weeks and months,” promised Tim Godwin, the acting police commissioner. [Source]

CA – No Video Cameras for Seniors’ Homes

Video cameras are not the best way to protect frail seniors in nursing homes, Ontario Health Minister Deb Matthews says. “After very careful examination from many different angles, we determined that the best way to move forward was to continue to work with the long term care homes, with the families and with the people who live in long term care homes,” Matthews said. While no law prohibits families from placing video cameras in homes to monitor the care of seniors, staff will usually order them to remove the cameras, a GAP news release says. Matthews said the ministry has consulted with the provincial information and privacy commissioner, and video cameras raise privacy issues. [Source] See also: [Police, business and the city of Peterborough collude for more closed-circuit television cameras] and [More GPS surveillance is on the way] and [AU: Film rolls on public sex and bar fights at Reef Hotel Casino in Cairns] and also: [US: License-plate software stirs privacy debate]

Telecom / TV

US – FCC Asked to Disallow Wireless Shutdowns on Public Transit

An emergency filing sent Aug. 29 to the FCC asks the commission to rule swiftly that local governments do not have the authority to shut off wireless communications systems, a direct rebuke of an incident earlier this month on San Francisco’s public transit. The Electronic Frontier Foundation, the Center for Democracy & Technology and several other organizations asserted in the emergency petition that Bay Area Rapid Transit’s (BART) deliberate shutdown of passenger wireless service on Aug. 11 endangered public safety and infringed on citizens’ rights. Both the FCC and BART have already said they would investigate the circumstances and legality of the shutdown, and the advocacy groups commended the FCC for initiating an inquiry. BART turned off cell service at four underground stations on Aug. 11. BART officials said the temporary shutdown was prompted by information that mobile devices would be used to organize a rush-hour protest over the shooting deaths of two men by BART police. Turning cell service off created a firestorm of freedom-of-speech claims, including from the activist group “Anonymous.” The group fired back at BART on Aug. 14, hacking the Mybart.org website and leaking the personal and login information of that website’s users. Mybart.org remains temporarily shut down by BART. [Source]

UK – Hackers Threaten Blackberry for Co-Operating With London Police

A British MP, David Lammy, is asking that BlackBerry’s instant-messaging service (BBM) be suspended because of its suspected use by rioters in London and other British cities, following some of the worst riots England has seen in years. Police believe BBM was used by the rioters because the messages are private. “This is one of the reasons why unsophisticated criminals are outfoxing an otherwise sophisticated police force,” Lammy tweeted. “BBM is different as it is encrypted and police can’t access it.” RIM released a statement Monday saying: “As in all markets around the world where BlackBerry is available, we cooperate with local telecommunications operators, law enforcement and regulatory officials.” On the same day, BlackBerry U.K. tweeted that it would be cooperating with authorities but did not specify in what way. “We feel for those impacted by the riots in London,” the tweet read. “We have engaged with the authorities to assist in any way we can.” But BlackBerry’s response has sparked a wide array of criticism on Twitter, as well as a threat from a hacking group going by the name of Team Poison. The hackers posted a warning on the company’s blog threatening Research In Motion and BlackBerry. According to the Guardian, the statement reads: “You Will_NOT_assist the UK Police because if you do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason. “If you do assist the police by giving them chat logs, GPS locations, customer information and access to peoples BlackBerry Messengers you will regret it, we have access to your database which includes your employees information; e.g. – Addresses, Names, Phone Numbers etc. – now if u assist the police, we_WILL_make this information public and pass it onto rioters.” [Source] [British Government Considers Disrupting Social Networks in Attempt to Quell Riots] [Source]

US – Senator Vows to Block Surveillance Bill Over Privacy Concerns

Sen. Ron Wyden (D-Ore.) will seek to block passage of an intelligence bill that extends the government’s eavesdropping authorities because the intelligence community won’t say how many Americans are being monitored. At issue is the Foreign Intelligence Surveillance Act, which was passed in 1978 in response to revelations of political wiretapping. The law was updated in 2008 in a way that essentially legalized President George W. Bush’s “warrantless wiretapping” program aimed at stopping terrorism plots. The intelligence bill, approved by the Senate’s Select Committee on Intelligence, would extend the 2008 changes until 2015. Those changes greatly expanded the government’s surveillance authorities. “Congress passed the FISA Amendments Act in 2008 in an effort to give the government new authorities to conduct surveillance of foreigners outside the United States,” Wyden said in a statement. “The bill contained an expiration date of December 2012, and the purpose of this expiration date was to force members of Congress to come back in a few years and examine whether these new authorities had been interpreted and implemented as intended,” Wyden wrote. “I believe that Congress has not yet adequately examined this issue, and that there are important questions that need to be answered before the FISA Amendments Act is given a long-term extension.” [Source]

CA – Company Settles Over Robocalls

Canada’s minister of industry says he’s pleased with the settlement between the Canadian Radio-television and Telecommunications Commission (CRTC) and Goodlife Fitness Centres, Inc. The settlement is related to the company’s telemarketing methods using “robocalls” without members’ prior consent. Using automatic dialing-announcing devices without prior consent is forbidden under CRTC guidelines. The company has agreed to pay $300,000; publish corrective notices in newspapers and on its website; cease the robocalls, and organize a business education event with the CRTC to encourage telemarketing compliance, the report states. Minister of Industry Christian Paradis said the settlement is “good news for Canadian consumers.” [Source]

US – Company Creates DIY Privacy Policies for Apps

Privacy policies can be difficult to write and read–especially on mobile devices–prompting one company to create a tool to help mobile application developers make consumer-friendly policies. PrivacyChoice analyzed hundreds of privacy policies across the web, devising a tool that asks developers questions about their data handling practices and then formulates a policy based on the answers. “The mobile environment requires you to say things very succinctly, and it requires you to say things in layers,” says Jim Brock, founder of PrivacyChoice. One industry advocate says solving the “privacy problem” is crucial to developers, many of whom are small businesses dependent on income from selling consumer data. [The New York Times]

US Government Programs

US – Bush-Era Warrantless Wiretapping Program on Trial in Seattle

According to the court testimony of a former AT&T technician, there is a secret room, the “SG-3 Room,” in the company’s San Francisco offices that is occupied by the National Security Agency. All Internet traffic AT&T receives is filtered through high-powered NSA computers there, and the machines sort through the communications of “millions of ordinary Americans” searching for . . . something. The Electronic Frontier Foundation and the ACLU are fighting an ongoing legal battle with the government and AT&T in an attempt to establish some sort of accountability for the domestic spy program. Two key appeals cases will be heard in Seattle federal court this month. The first, Jewel v. NSA, was filed by the EFF in 2006, “on behalf of AT&T customers to stop the illegal, unconstitutional, and ongoing dragnet surveillance of their communications and communications records.” The case also targets former President George W. Bush, former Vice President Dick Cheney, Cheney’s former chief of staff David Addington, and former Attorney General and White House Counsel Alberto Gonzales, the officials who authorized the NSA wiretapping. The second case, Hepting v. AT&T, covers much the same ground. Also filed in 2006, it has the EFF again suing on behalf of AT&T customers, alleging that the telecommunications company violated privacy laws “by collaborating with the NSA in the massive, illegal program to wiretap and data-mine Americans’ communications.” Both cases have previously been dismissed by judges in lower courts. In the Jewel case, the Bush administration argued that the litigation would force the government to disclose “state secrets.” The Obama administration used the same argument again in 2009, and a District Court judge eventually dismissed the case on the grounds that, because millions of Americans had been spied upon, no single American had standing to sue.
A federal judge dismissed the Hepting case in June 2009, ruling that AT&T and other Internet service providers were not liable for cooperating with the NSA because of the FISA Amendments Act. This law, signed by Bush in 2008, provides for the dismissal of wiretapping lawsuits against telecom companies once the Attorney General certifies that the program did not occur, was legal, or was authorized by the president. (None of those certifications is required to be disclosed to the public.) The AT&T/NSA program received this certification in September 2008. Both cases rely on evidence gathered by Mark Klein, a former AT&T technician who documented the existence of the “SG-3” room in San Francisco, a setup he claims exists in at least 15 to 20 other AT&T sites around the country. Klein’s testimony was supported by a former Senior Advisor for Internet Technology at the FCC. [Source] See also: [US: Domestic surveillance a key legacy of 9/11] and also: [AT&T Sues Individuals for Mining Data]

US – Judge Calls Location-Tracking Orwellian, While Congress Moves to Legalize It

A judge ruled this week that law enforcement authorities need a warrant to access location data on a suspect’s cell phone. But the debate on the right to privacy when it comes to technology like smartphones and GPS systems is far from over, as a similar case heads to the Supreme Court and bills by Sen. Patrick Leahy (D-VT) and Sen. Ron Wyden (D-OR) are reviewed. “Regardless of what the courts decide,” said an attorney with the Electronic Frontier Foundation, “the right answer when it comes to the Fourth Amendment does not preclude Congress from deciding as a policy matter that it should protect location data more strongly.” [Wired]

US – New Federal CIO Named

FCC managing director and former Microsoft executive Steven VanRoekel will be the next federal chief information officer. VanRoekel will replace Vivek Kundra, who has held the position since 2009 and is leaving to take a position at Harvard. VanRoekel says he plans to further the work that Kundra began. “We’re trying to make sure that the pace of innovation in the private sector can be applied to the model that is government,” he said. For two years, VanRoekel has served as managing director of the Federal Communications Commission. Before that, he spent 15 years with Microsoft. [The New York Times]

US Legislation

US – House Panel Votes to Require ISPs to Keep Customer Records

A U.S. House of Representatives committee has voted to approve legislation that would require Internet service providers to retain customer IP data for 12 months in the name of combating child pornography. The Protecting Children From Internet Pornographers Act would require ISPs to retain all customer IP addresses so that law enforcement agents can use the information to investigate online child pornography. Law enforcement agents would gain access to the IP information with subpoenas they issue, not court-ordered warrants. The House Judiciary Committee voted 19-10 to approve the bill over the privacy concerns of several committee members. Most Republicans voted for the bill, and most Democrats voted against it. The bill is “an outrageous expansion of the power of the federal government,” said Representative Zoe Lofgren, a California Democrat. Several Democrats raised concerns that federal law enforcement agents would use the IP data for investigating a wide range of crimes, not just child pornography. Critics also suggested that the data rules would open up the customer data to subpoenas in civil lawsuits and would be a costly burden to small ISPs. [Source]

US – California Assembly Passes Cell-Phone Privacy Bill

The state Assembly unanimously approved a bill that would force law enforcement officers to secure a warrant before they can search the contents of a cell phone. The measure has changed slightly since it was approved by the state Senate last month, so the upper house must weigh in again before the bill heads to the desk of Gov. Jerry Brown. If he signs it into law, it would overturn a January state Supreme Court ruling that allowed officers to search the contents of a cell phone they take from anyone they arrest. [Source]

Workplace Privacy

US – Massachusetts Data Security Regs Require More than a WISP

In its first settlement over allegations of violations of the state’s rigorous data security regulations, the Massachusetts Attorney General’s Office found that the Belmont Savings Bank’s written information security plan (WISP), while necessary, was insufficient to demonstrate compliance with the regulations. Specifically, the Bank failed to encrypt personal information on laptops and mobile devices, failed to store and secure back-up tapes properly, and failed to train its employees in data security policies and procedures. The Bank agreed to pay a $7,500 fine and follow the provisions of its own WISP.

US – NLRB Issues Guidance on Social Media Policies in Workplace

After bringing a number of enforcement actions against employers for over-reaching social media policies, the National Labor Relations Board (NLRB) issued three advice memoranda that clarified its position on acceptable policies. According to the NLRB, an employer’s social media policy or practice only violates the National Labor Relations Act when the policy or practice is used to stop or specifically target concerted organizing activity. Employers do not have to tolerate disparaging remarks about their company, managers, employees or customers simply because an employee makes that remark on Facebook or another social media site. Separately, the U.S. Chamber of Commerce issued a comprehensive report entitled “Survey of Social Media Issues Before the NLRB” providing a wealth of information about NLRB decisions in this area. See also: [16 Ways to Stay Safe on Facebook]

US – Seven HR Data Breaches in August

Breaches of employment-related data slowed a little in August, with only seven organizations announcing losses: Fort Dodge Correctional Facility (names, SSNs and other personal information of an undisclosed number of the Iowa prison’s employees left in an unsecured location accessible to inmates); Allianceforbiz.com (20,000 government employees and contractors impacted by the hacking of an events management company); Bay Area Rapid Transit (personal information of over 2,400 BART employees deliberately posted on the Internet as retaliation by the hacker group #Anonymous, following protests over fatal shootings by BART police); Reznick Group (an undisclosed number of employees of the top 20 national CPA firm affected by a computer security breach experienced by AssureCare Risk Management, a former service provider for the firm’s employee benefits plan); City of Pittsburgh (at least 29 police officers, public safety employees and others victimized by ID theft, with the source of the breach not known); and Lexington VA Medical Center (1,900 veterans warned that their personal details were made vulnerable when an employee took patient files home in violation of the Kentucky hospital’s policy).

CA – B.C. To Screen Caregivers of Children

The B.C. government is reversing course on a policy that allows caregivers of vulnerable children to avoid background security checks. Adults in more than 1,300 B.C. homes will soon face screening such as criminal-record checks to determine if they should continue to care for a relative’s children. The turnaround comes at the order of Mary McNeil, the new Minister for Children and Families. Last year, the province rejected calls from its children and youth watchdog to review all the homes receiving financial aid from the Child in the Home of a Relative program. The program offers assistance to families who care for a niece, nephew or grandchild when the parents cannot do so. But an audit by the watchdog found thousands of fragile children are exposed to risk because of inadequate background checks. The program is now being phased out – replaced with a new program that includes full screening – and caregivers who enrolled after December 2007 have been screened. Still, there are 1,800 children and youth placed in a relative’s care where the adults have not gone through background checks. [Source] See also: [US – Former WKU employee Eckhardt files complaints through civil court, EEOC] and [SaskTel too nosy over sick leave says arbitrator] and [CA – Video of bus driver violated privacy, union says] and [Addiction information used against Alberta employee]

US – Lawyers Ask Montana High Court to Protect Privacy

Two Billings attorneys are asking the Montana Supreme Court to stop workers’ compensation investigators from practices that they say violate the privacy rights of workers’ comp claimants. The Billings Gazette reports that Gene Jarussi and Michael Eiselein, along with 10 other attorneys across the state, filed the petition on Aug. 2, contending that Montana State Fund fraud investigators routinely share surveillance videos and other confidential information with doctors of workers’ comp claimants. The attorneys say the investigators commonly don’t get a court order allowing them to release the info, nor do they tell the claimants that they’re sharing the information. They’re asking the high court to stop the investigators from sharing confidential criminal justice information until the State Fund shows it’s doing so lawfully. [Source]
