01-30 September 2011


US – Sen. Rockefeller Requests FTC Report on Facial Recognition Technology

Senator John D. Rockefeller IV (D-WV) has sent a letter to the FTC, requesting that the Commission submit a report summarizing the use of facial recognition technology and recommend potential legislative solutions to protect privacy. Rockefeller’s letter specifically cited mobile applications such as SceneTap, which “tracks the male/female ratio and age mix of the crowd [in bars]” and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC’s complaint regarding Facebook’s use of facial recognition technology is still pending before the FTC. [Sen. J. Rockefeller Letter to FTC (Oct. 12, 2011)] See also: [EPIC Complaint Re: Facebook Facial Recognition (June 10, 2011)] and [EPIC: In re Facebook] and [EPIC: Facial Recognition] as well as [Forbes: Kraft To Use Facial Recognition Technology To Give You Macaroni Recipes]

US – FTC to Hold Workshop on Facial Recognition Security, Privacy Issues

The FTC said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security. The agency said the workshop will look at many topics including:

  • What are the current and future uses of facial recognition technology?
  • How can consumers benefit from the technology?
  • What are the privacy and security concerns surrounding the adoption of the technology; for example, have consumers consented to the collection and use of their images?
  • Are there special considerations for the use of this technology on or by children and teens?
  • What legal protections currently exist for consumers regarding the use of the technology, both in the United States and internationally?
  • What consumer protections should be provided?

The workshop will take place in Washington, DC on Dec. 8, 2011 and is free and open to the public. [Source]

EU – Facial Recognition Cameras to be Installed on Rotterdam Trams

Rotterdam’s public transport company RET is planning to use facial recognition technology to make sure people who have been banned from using the city’s trams don’t sneak on anyway. RET is planning to install cameras in every compartment on the tram 2 route to test the system. In theory, the cameras will scan the faces of everyone entering the tram. If someone who has been banned gets on, the driver will be given a signal. RET denies there are privacy concerns because no names will be attached to the recorded images. [Source] See also: [Scanning 2.4 Billion Eyes, India Tries to Connect Poor to Growth]

US – Palm Scans: School Cafeterias Go High Tech

A new palm reader for Pinellas County middle and high schoolers cannot predict the future. But this high-tech scanning system will make the lunch line move faster. Pinellas County Schools are the first in the nation to use a palm scanning system, which is manufactured by Fujitsu. The new palm-scanning program, piloted at Boca Ciega High School, cost the district $105,000. It replaces a finger scan system used in county middle and high schools since 2005. The palm scan system connects with the district’s lunchroom software. Gone is the need for a lunch card or ID number to pay for meals. The scanner photographs and stores each person’s unique palm vein. [Source] See also: [AU: Finger scanners to keep tabs on librarians]



CA – Industry Canada Proposes Amendments to PIPEDA

A bill that would amend PIPEDA has been reintroduced, focusing on empowering consumers by furthering protection for children online (requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information online), and allowing organizations to release personal information in certain circumstances (protect victims of financial abuse, locate missing persons and identify injured, ill or deceased individuals), and requiring notification of security breaches (to the Privacy Commissioner of Canada, as well as affected individuals where there is a real risk of significant harm). Rules for business would also be streamlined by providing exceptions to the consent requirements for the collection, use and disclosure of information needed to manage employment relationships, produced for work purposes, used for due diligence in business transactions, or disclosed for private sector investigations or fraud prevention. To aid law enforcement, organizations may collaborate with security agencies in the absence of a warrant, subpoena or order, and may be prohibited from notifying the individual about the disclosure of his or her personal information. [Press Release and Backgrounder] See also: [Federal Court slaps law firm for publishing a Privacy Commissioner finding that identified the complainant]

CA – Mandatory Data Breach Reporting Proposed

Proposed changes to Canadian privacy laws would force companies to report breaches of personal information to the privacy commissioner and affected individuals. The change was among proposed amendments to PIPEDA introduced late this month by Industry Minister Christian Paradis in the House of Commons. Organizations would be required to report breaches of personal information to Privacy Commissioner Jennifer Stoddart where there is a risk of “significant harm” such as identity theft, fraud or risk to a person’s reputation. In that way, the government said, those affected could take steps to mitigate the damage that might arise from the breach. Other proposed changes to the law introduce exceptions to rules for handling personal information:

  • They would clarify that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order. They would also prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.
  • They would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.
  • Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.
  • Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.

In addition, the rules concerning consent to disclosure of personal information would require organizations to consider the ability of their target audience, such as children, to understand the consequences of sharing their information. [Source] See also: [AU – Data breach laws to follow privacy paper] and: [Video contest lets youth express ideas about privacy]

CA – Alberta Court Declares Portions of Provincial Privacy Law Unconstitutional

The Alberta Courts have once again issued a stunning decision regarding privacy laws in that province. In this case, United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), 2011 ABQB 415 (CanLII), the Alberta Court of Queen’s Bench has determined that portions of the Personal Information Protection Act (Alberta) (“PIPA”) are unconstitutional. This particular case is a judicial review of a decision of the Office of the Information and Privacy Commissioner that held a trade union violated PIPA by videotaping at a picket line. PIPA allows the collection, use and disclosure of personal information that is “publicly available”, which is very narrowly defined in the Act and its regulations. In addition, it does not apply to information that is collected for journalistic purposes “and for no other purpose”. On a bare reading of the Act, information from a public protest or picket line does not fit within the definition of “publicly available”. In addition, the information collected by the union was collected for journalistic purposes, among others, which meant that exception was not available. The Court found that PIPA violates freedom of expression under Section 2(b) of the Charter and these provisions cannot be justified by Section 1 of the Charter. [Source]

US – U.S. Border Deal Could Compromise Canadian Privacy: Report

The anticipated trade and security agreement with the U.S. carries no guarantee of a reduction of red tape at the border for Canadian business and is more likely to violate national privacy laws, suggests a new report from the Rideau Institute, which offers a scathing rebuke of a new cross-border agreement with the U.S., expected to be announced within weeks, that the federal government says will increase perimeter security and ease trade with our neighbours to the south. Canada is being asked to compromise the civil rights of millions of Canadians without any guarantee the Americans will hold up their side of the bargain, says the report, written by Gar Pardy, a former senior diplomat to Washington. Pardy recommends Canada create a “single authority” to oversee the various security agencies that share information with the U.S. and ensure privacy laws aren’t violated. Pardy also recommends the privacy commissioner review and monitor all information sharing agreements with the United States and report annually to Parliament. Pardy also calls on the federal government to update the 28-year-old Privacy Act. The report also disputes that information sharing between security agencies on both sides of the border has made either country safer. Pardy argues that the lack of terrorist attacks since Sept. 11, 2001, is “less an indication of the effectiveness of security measures than it is of the ineffectiveness of terrorist organizations to reach beyond their traditional areas of operations.” [Source] See also: [Canadians with mental illnesses denied U.S. entry]

CA – Commissioner Urges Teenagers to Protect Privacy

Privacy Commissioner Jennifer Stoddart is encouraging teenagers to consider the consequences before posting personal data online so that they can “take advantage of all of the benefits that the online world has to offer–without having any regrets later.” Stoddart has released “Protecting Your Online Rep” to help educate high school students about how to protect their privacy and is planning to release similar packages for younger students later this year. “Think twice about every piece of information before you post it on the Internet,” Stoddart said, “because once it’s up there it can be impossible to take down.” [Toronto Star]

CA – Federal Privacy Commissioner Releases Lawyer Guidance

The Office of the Privacy Commissioner (OPC) has created a handbook for lawyers explaining how the Personal Information Protection and Electronic Documents Act applies to law practice in the private sector. “While lawyers may be familiar with privacy laws in general, they may benefit from some concrete guidance on how to apply the laws to their own practice,” said the OPC’s general counsel, adding, “Canadian lawyers have a leadership opportunity to serve as exemplars of ethical and respectful conduct on behalf of their profession and the clients they serve.” [Source] See also: [CA – No Online Monitoring in Crime Bill] See also: [9/11 brought lasting changes to Ottawa security] and [Did the terrorists take U.S. Freedom?]

CA – Ontario Privacy Commissioner Releases Whitepaper

Ontario’s Information and Privacy Commissioner has released a whitepaper for regulators, decision-makers and policy-makers. “Privacy by Design in Law, Policy and Practice” aims to “help support the wide implementation of the principles of Privacy by Design,” the paper states. It encourages companies to “go beyond mere legal compliance with notice, choice, access, security and enforcement requirements” and, instead, design their own approaches to risk management within regulatory frameworks. [Source]

CA – Manitoba Pawn Shop Handed 16 Tickets

A West End pawn shop is facing $80,000 in fines after it refused to comply with a city order to shut down. Last week, the city ordered A & C Pawn to close for 30 days after it repeatedly failed to comply with a city bylaw that requires them to take photographs of all pawned items and the people who sell them. The Sargent Avenue shop owner appealed the order and his lawyer argued the bylaw is a breach of privacy rights. City officials dismissed the appeal and suspended the pawn shop’s business licence. It’s the first time Winnipeg has suspended a business’s licence to operate. This week, however, pawn shop staff said A & C has no immediate plans to shut down. The store was open Monday to Thursday. [Source]



US – Poll: OK to Trade Some Freedoms to Fight Terrorism

The same Americans who are increasingly splashing their personal lives across Facebook and Twitter trace a meandering path when asked where the government should draw the line between protecting civil liberties and pursuing terrorism. Ten years after the 9/11 attacks led to amped-up government surveillance efforts, two-thirds of Americans say it’s fitting to sacrifice some privacy and freedoms in the fight against terrorism, according to a poll by The Associated Press-NORC Center for Public Affairs Research. A slim majority — 54% — say that if they had to choose between preserving their rights and freedoms and protecting people from terrorists, they’d come down on the side of civil liberties. The public is particularly protective of the privacy of U.S. citizens, voicing sharp opposition to government surveillance of Americans’ emails and phone calls. Two-thirds of those surveyed believe the resulting policies are a mish-mash created in reaction to events as they occur rather than clearly planned. The poll found that about half of those surveyed felt that they have indeed lost some of their own personal freedoms to fight terrorism. Was it worth it? Close to half of those who thought they’d lost freedoms doubted it was necessary. While 47% of Americans support allowing the government to read emails sent between people outside the United States without a warrant, just 30% supported similar monitoring of emails sent between people inside the country. And while nearly half supported government eavesdropping on phone calls between people outside the country without a warrant, only a quarter favored such surveillance of calls inside the U.S. More results:

  • 71% favor surveillance cameras in public places to watch for suspicious activity.
  • 58% favor random searches involving full-body scans or pat-downs of airplane passengers.
  • 55% favor government analysis of financial transactions processed by U.S. banks without a warrant.
  • 47% favor requiring all people in the U.S. to carry a national ID card and provide it to authorities upon demand.
  • 35% favor racial or ethnic profiling to decide who should get tougher screening at airports. [Source]

NZ – Confusion Over Reality TV Privacy Issues: Report

Reality television viewers and the people who unwittingly appear in local reality shows are confused about privacy issues, new research has found. The Real Deal report, commissioned by the Broadcasting Standards Authority (BSA), focused on three local reality shows where people had been “caught up” in filming rather than agreeing upfront to take part. Both viewers and participants were found to be confused over privacy issues such as the right to film in public places, whether or not consent was needed before footage was broadcast, the conditions under which people’s faces should be pixellated, and the use of hidden cameras. BSA chief executive Dominic Sheehan said the report’s key recommendation was that the public would be well served by clear, accessible information about rights to privacy, filming and broadcast. [Source] See also: [Here’s Looking at You Kid – Proximity Marketing and Customer Tracking Embedded in Advertising] See also: [CA – Poster shaming for public peeing]



CA – Complaint Lodged Against PEI Liberal Party

A woman has lodged a complaint with the Prince Edward Island (PEI) privacy commissioner after e-mails she sent to a cabinet minister were released to the media by the Liberal Party. The woman claims she thought the two e-mails–in which she alleges corruption in the immigration nominee program–would be kept confidential, but the Liberal Party denies any reasonable expectation of privacy. PEI Privacy Commissioner Maria MacDonald said, after initial examination, she doesn’t see any relevant exemptions in the law allowing for the release of the e-mails, but the Liberal Party is not a public agency and therefore not covered by the privacy law. MacDonald will not confirm whether her office is investigating the complaint. [Source] See also: [B.C. Government Employee Resigns After Email Security Breach] and [Tory candidate Ted Morton investigated by Alberta privacy commissioner]

SK – South Korea: Help Wanted: Busybodies With Cameras

With his debts mounting and his wages barely enough to cover the interest, Im Hyun-seok decided he needed a new job. The mild-mannered former English tutor joined South Korea’s growing ranks of camera-toting bounty hunters. Known here sarcastically as paparazzi, people like Mr. Im stalk their prey and capture them on film. But it is not celebrities, politicians or even hardened criminals they pursue. Rather, they roam cities secretly videotaping fellow citizens breaking the law, deliver the evidence to government officials and collect the rewards. The opportunities are everywhere: a factory releasing industrial waste into a river, a building owner keeping an emergency exit locked, doctors and lawyers not providing receipts for payment so that they can underreport their taxable income. Mr. Im’s pet target is people who burn garbage at construction sites, a violation of environmental laws. “I’m making three times what I made as an English tutor,” said Mr. Im, who began his new line of work around seven years ago and says he makes about $85,000 a year. The outsourcing of law enforcement has also been something of a boon for local governments. They say that they can save money on hiring officers, and that the fines imposed on offenders generally outstrip the rewards paid to informers. [The New York Times] See also: [Atlanta Police Including Private Surveillance Cameras in Monitoring Center] and also: [AU – Audit for hidden CCTV cameras after backpacker’s pole dance goes viral]

UK – Twitter and Facebook is a Two-Way Street, Says Information Commissioner

Public sector organisations that use Twitter and Facebook cannot complain when citizens use the same social media to ask for information. That was the message from Information Commissioner Christopher Graham in a speech marking ‘International Right to Know Day 2011’ and posted, social media style, on, of course, YouTube. Graham recently made it clear that public sector organisations must be prepared to receive and respond to requests under the Freedom of Information Act (FoI). [Source] See also: [UK – Britain Juggles Right to Know With Privacy Concerns] and [Ex-P.E.I. gov’t worker files complaint over leaked emails]

UK – Intelligence Community Gets Social

Digital media is mostly about entertainment for some, while for others, the value lies in being able to spread messages to a large audience. But, as many news organizations are discovering, Web 2.0 technologies are as good for listening as they are for broadcasting. The notion of social media as a trend-monitoring tool is spreading — and now U.S. spy agencies are jumping on board. Intelligence Advanced Research Projects Activity (IARPA), the intelligence community’s research arm, says it hopes to use data gathered from social media to predict political unrest and natural disasters. While the proposal may rankle privacy critics, it’s just the latest example of the way intelligence officials are turning to the social Web to collect policy-relevant information. [Source]

CA – Council Pushes for Online Voting in B.C.

Nanaimo council members will push for online voting when representatives from B.C. communities meet later this month to discuss provincial policy issues. Three communities have aggressively lobbied for online voting. Coquitlam, North Vancouver City and Fort St. John have all urged the Union of B.C. Municipalities to take the issue to the provincial government. Minister of Communities Ida Chong said the B.C. Elections Act has to change to allow Internet voting. Privacy concerns remain the largest fear against the new format, whether it be at the local, provincial or federal level. Some communities in other provinces have successfully adopted online voting, but larger scale elections are much more difficult, according to industry experts. Three major municipalities have used these systems, according to Elections Canada. Ontario’s Markham and Peterborough as well as Nova Scotia’s Halifax have used Internet voting in several elections. The majority of Canadian voters would use Internet voting, according to a survey conducted by Elections Canada after the 2008 federal election. About 54% said they would likely vote online, while 69% of youth voters (between 18 and 25) said they would vote online. [Source]

CA – Ontario CIO Wants to Team With Feds on Joint Data Centres

Speaking at this year’s gathering of Ontario IT workers, David Nicholl expressed a desire for vendors to build Canadian-based data centres. The IT leader also expressed an interest in working with Ottawa a lot more closely. For Ontario’s IT chief, the lack of Canadian-built data centres is the only thing standing in the way of increased provincial adoption of cloud services. [Source]



US – Spammer Banned From Sending Unsolicited Texts

The FTC has settled with an operator who allegedly sent millions of illegal text messages to consumers. Operator Phil Flora is banned from sending any unsolicited text messages or “making false or misleading claims about any good or service” after he sent a “mind-boggling” number of spam text messages to consumers for mortgage services and claimed he was affiliated with a government agency, according to the FTC complaint filed in February. Flora’s actions violated the FTC Act and the CAN-SPAM Act, the FTC charged, ordering Flora to pay $58,946. [FTC Press Release] [Complaint] [Settlement Order] See also: [Open this malware or I’ll sue you] and also: [US: Lobbyists exposed by email slip up]


Electronic Records

CA – Health Canada Research Project Taps CANARIE for Network

The Canadian Network for the Advancement of Research, Industry and Education will be the foundation for a new venture into patient-orientated research in Canada. While Ottawa, Ont.-based CANARIE may not be the only FiOS infrastructure out there for high data yield research, there are a few reasons why it’s being used by 89 universities and 60 hospitals in Canada. It comes down to the nature of the work being done and the fact that it’s a closed network. Health Canada unveiled a new plan recently to promote and fund more patient-based research. This strategy will allow for more medical research to be conducted on health issues most important to Canadians while also developing strategies and solutions that better address the way we live. [Source]

US – National Doctor Database Goes Dark Over Privacy Concerns

There was no national tracking of malpractice or disciplinary actions by hospitals, licensing boards or professional societies. That changed after Congress established the National Practitioner Data Bank in 1986: a clearinghouse for hospitals, professional societies and state regulators to check doctors’ credentials. It went online in 1990. The data bank was set up to be confidential. But a “public-use” file, scrubbed clean of identifying information, has been released each quarter by the federal Health Resources & Services Administration. That database was removed Sept. 1 so that the government could make sure people can’t use it to find specific information about individual doctors. Recently, reporters with newspapers in Kansas City and Duluth, Minn. did. [Source] See also: [Florida: Picking up a prescription could cost you some privacy]



WW – DigiNotar Certificates Blocked Following Breach

The number of certificates issued as a result of a security breach at Dutch certificate authority DigiNotar is growing; the latest official estimate has the figure at 531. The breach had prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser. The most recent version of Google’s Chrome browser also places DigiNotar certificates on a permanent block list. There is evidence that the stolen certificates were being used to spy on people in Iran. The sites for which fraudulent certificates were issued include MI6, the CIA, Microsoft, Facebook and Twitter. Microsoft said that the forged certificate cannot be used to force malware through Windows Update. [Internet Storm Center | Source | Source | Source | Source | Source | Source] [DigiNotar Barred From Issuing Qualified Certificates; Existing Signatures Invalidated | Source | Source] [Microsoft Updates Patch That Blocks DigiNotar Certificates | Source | Source | Source] and [GlobalSign to Resume Issuing New SSL Certificates | Source | Source | Source] and [Certificate Hacker Claims He Can Issue Fake Microsoft Updates] and [Apple Updates OS X Trusted Root List to Exclude DigiNotar | Source | Source] and [Mozilla Demands Certificate Authorities Ensure Security | Source | Source] and [Microsoft Joins Mozilla and Google in Blocking DigiNotar Certificates | Source | Source | Source] and [Belgian Certificate Authority Investigating Attack Claims | Source] and, finally: [DNS Attack Affects Prominent Websites] and [Google contacts Iranian users to secure Gmail accounts: A rogue SSL certificate could have compromised about 300,000 users in Iran] and [Dutch government says it cannot guarantee safety of its websites after hacker attack] and finally, [The Economist: Internet security: Duly notarised]

WW – Researchers Demonstrate Flaw in Browser Security Protocol

A pair of researchers has cracked a ubiquitous browser encryption protocol. Thai Duong and Juliano Rizzo have found a vulnerability in versions 1.0 and earlier of transport layer security (TLS), the successor to secure sockets layer (SSL). The vulnerability also exists in SSL version 3. The flaw can be exploited to decrypt information flowing between a web server and a user’s browser. The researchers plan to demonstrate their findings with a tool they call BEAST (Browser Exploit Against SSL/TLS) at a conference in Argentina. Opera has already released a patch for the flaw, and Google has added a fix to its most recent developer version of Chrome. [Source] [Source] [Source] [Source]

SA – South Africa Joins the Call for BlackBerry Messaging Keys

South Africa has joined the call for access to the BlackBerry Messaging service, quoting the usual security concerns and pointing out that the UK plans much the same thing. “There is evidence that criminals are now using BBM to plan and execute crime,” the deputy comms minister told his audience at a London conference on African telecommunications: “We want to review BBM like in the UK and Saudi Arabia.” It seems that RIM has already shared that key with India, Saudi Arabia probably has a copy too and one can be certain that the UK and US governments wouldn’t be without a copy. [Source]

PK – Pakistani Directive Requires ISPs to Block Encrypted Communications

According to a memo from the Pakistan Telecommunication Authority, Internet service providers (ISPs) in that country are required to block encrypted communications that are sent over virtual private networks (VPNs). The memo, leaked by a Pakistani ISP, served as a reminder of the policy and notice that the “directive has not been followed in true letter and spirit.” The policy’s stated intent is to prevent militants from communicating over channels that cannot be monitored. Entities can apply for special exemptions. [Source | Source | Source]


EU Developments

EU – Privacy Directive Reform Publication Likely Delayed

The European Commission’s publication of the EU Data Protection Directive (95/46/EC) reform will likely be delayed beyond the expected November deadline. Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, said that “this is a comprehensive reform” and the timing for publication will be “within 20 weeks.” [IAPP Europe Data Protection Digest] [Source]

EU – EU Council Reaches Agreement with Australia on PNR Data

The EU has endorsed a deal allowing Australian authorities to keep the personal information of passengers flying between Europe and Australia for five-and-a-half years. Australian officials will be able to store data such as names, credit card numbers, phone numbers and addresses as part of efforts to fight crime and terrorism under the deal backed by EU interior ministers. The agreement is expected to be signed by the end of September, the 27-nation EU said in a statement. It must then be approved by the European Parliament. Euro MPs, concerned about the privacy of EU citizens, demanded new negotiations on the use of passenger information with the United States, Canada and Australia. While the Australian deal is finalised, talks with the Americans and Canadians are ongoing. Negotiations with the United States are more controversial, with EU MPs already voicing criticism in May over a preliminary agreement that would allow US authorities to store personal data for 15 years. [Source] [Source]

EU – Facebook Rebuked by EU Privacy Platform; Patriot Act a ‘Distraction’?

The European Parliament’s Privacy Platform met to discuss a wide range of transatlantic data protection matters, which have yet to be resolved. Representatives from Facebook, along with Microsoft’s former privacy chief, privacy groups and advocates from across Europe, met to discuss the ongoing negotiations between Europe and the United States on data transfer rules. Facebook spokesperson Richard Allan said Facebook operates under Safe Harbor rules, and that “all European users are with Facebook Ireland and protected under data protection laws”. However, Facebook Ireland, where Europeans’ data is stored, has a relationship with Facebook Inc. based in the United States, to allow “data processing in the United States”. The discussion was interrupted by former Microsoft privacy chief Caspar Bowden, who claimed that Facebook was not as open as it said it was. Bowden described how a subject access request – a Europe-wide information gathering tool, designed to be used by end-users and ordinary citizens to see what data a company, public or private, has on them – was flat-out denied by Facebook. Sophie in ‘t Veld, Dutch MEP and vice-chair of the European Parliament’s civil liberties and justice committee, had asked the European Commission, Europe’s upper house, for clarification in questions regarding data jurisdiction put forward last week. Bowden pointed out that “the Patriot Act has become a distraction” against the “real threat to European data”. [Source] See also: [European companies ‘need confidence’ over Patriot Act concerns] and [EDPS – Opinion on the Proposal for a Regulation of the European Parliament and of the Council on European Statistics on Safety from Crime]

EU – Pro-Hacker Party Wins Parliament Seats in Berlin Elections

Issues of Internet freedom and political transparency are coming to the fore as a political party with philosophical ties to hacker collectives like Anonymous wins seats in the German capital’s recent elections. The Pirate Party of Germany, or Piratenpartei Deutschland, recently took 8.9% of the vote in Berlin’s elections on Sunday. All 15 candidates won seats in the city-state’s parliament in their first election, surpassing expectations for what many supposed was a fringe, one-issue party. Some German political commentators downplay the success of the Pirate Party as a “protest vote” for underrepresented blocs of voters in Berlin, and many noted the markedly different style of the party members, remarking on the pirates’ casual dress of t-shirts and jeans at official ceremonies and their post-victory celebrations infused with alcohol, marijuana and nightclubbing. But the Pirate Party’s emergence marks the rise of issues related to technology, politics and freedom in the European political agenda, highlighting their growing relevance in a changing electorate. “They are absolutely not a joke party,” said Christoph Bieber, professor of political science at the University of Duisburg-Essen. “In the Internet, they had really found an underexploited theme that the other political parties are not dealing with.” [Source] See also: [Former North Vancouver Mountie sues RCMP over pot raids]

EU – CNIL Elects New Chair

The board of France’s data protection authority–CNIL–has elected Isabelle Falque-Pierrotin as its new chair, Hunton & Williams’ Privacy and Information Security Law Blog reports. The move comes after the resignation of Alex Türk, which became official on September 21. Prior to becoming a member of CNIL in 2004 and Deputy Chair in February 2009, Falque-Pierrotin worked for the Organisation for Economic Cooperation and Development and was chair of the French Internet Rights Forum. [Source] [CNIL Press Release]



UK – UK Police May Get Authority to Shut Down Domains Without Court Order

Law enforcement authorities in the UK may gain the power to suspend Internet domain names without a court order if they suspect the domains are being used for illegal purposes. A proposed rule would allow police the expanded authority when “the urgent suspension of the domain name is necessary to prevent serious and immediate consumer harm.” Prior to the takedown, police would have to file a declaration with Nominet, which manages the .uk registry, that the action is “proportionate, necessary and urgent,” but would not need to get court approval. [Source]



WW – Firms Scrambling Ahead of PCI DSS Audits

Firms are struggling to maintain compliance with PCI DSS standards. That’s based on the “2011 Verizon Payment Card Industry Compliance Report,” which looked at more than 100 PCI DSS assessments conducted by Verizon’s PCI Qualified Security Assessors in 2010, based on compliance with 12 PCI DSS standards. The report found 21% of organizations were fully compliant, and when compliance is achieved, it’s not maintained through the next assessment period. Organizations are meeting about 80% of requirements, a Verizon spokesman said, adding, “We’re seeing lots of scrambling to get things in order for the assessor, and that’s not the intent of PCI DSS at all.” [SearchSecurity.com] [Source]

CA – RBC on the Hook for Damages After Employee Breaches Client’s Privacy

The Royal Bank of Canada (RBC) must pay monetary damages to a client for the disclosure by one of its employees of the client’s account information, the Federal Court of Canada has ruled. The client, Nicole Landry, was going through divorce proceedings. As part of the proceedings, Landry’s husband’s lawyer sent a subpoena to RBC ordering a bank employee to attend court with information on Landry’s accounts. The employee also faxed account statements to the husband’s lawyer without Landry’s consent. This was a violation of RBC’s own policies, which required the consent of an account holder before releasing information. The faxing of the documents directly to the husband’s lawyer was also a violation of PIPEDA, as it was outside the scope of the subpoena, which requested the documents for court records. The disclosure of Landry’s account information exposed the fact that she had been concealing the existence of a personal bank account, contrary to her legal obligation to reveal all her assets in the divorce proceedings. Landry sued RBC, claiming its disclosure of information contrary to its policies and PIPEDA had caused her personal harm and humiliation. The court found most of the humiliation and personal harm Landry suffered came from the release of the divorce settlement and her own secretive conduct. However, in recognition of the bank’s breach of her privacy, it awarded Landry a token amount of $4,500 in damages. She had asked for $100,000 in her claim. [Source] See also: [UK: Cashier spied on sex attack victim’s bank records]



[Economist: WikiLeaks: Swept up and away – The release of all the leaked embassy cables marks both the end of WikiLeaks and the beginning of an era] and also: [CBC execs to fight info commissioner: The CBC’s average time for responding to access-to-information requests last year was five months]



NZ – Newborn Blood Sample “Guthrie” Cards to Be Kept Indefinitely

Cards containing the blood spots from heel prick tests on newborn babies will be kept indefinitely, with greater protections on access to the cards. The Ministry of Health is moving to enhance and protect privacy relating to the cards. The blood spot cards are collected from every newborn as part of an important screening programme that identifies and then treats babies born with serious metabolic disorders. They have been collected since the late 1960s. Parents can choose whether the card is retained in indefinite storage. The protections around use of the cards for research include:

  • Individual written consent required for research on samples collected before June 2011
  • For cards collected after June 2011, parents are informed about what the cards may be used for before they agree to long term storage
  • Any proposal for research using the cards must have ethics committee approval. [Source] See also: [Connecticut DNA Sampling Law Goes Into Effect Oct. 1]


Health / Medical

UK – Privacy Watchdog Rebukes Health Trust Over Lost Data

An NHS trust has been reprimanded by the Information Commissioner after the personal details of 1.6m patients were lost when a filing cabinet was accidentally sent to landfill. The cabinet contained a CD holding the addresses, dates of birth, NHS numbers and GP practice details of patients. A spokesman for the ICO said: “This case highlights that clear policies and procedures should be put in place to support staff when handling personal information as part of an office move.” The Information Commissioner opted against serving a formal enforcement notice against the PCT as he noted it had taken substantial measures to improve its data protection procedures and had made attempts – in the event, futile – to retrieve the cabinet once it was discovered missing. [Source]

US – Federal IT Strategic Plan Needs More, Some Say

GovInfoSecurity reports that some experts say the Federal Health IT Strategic Plan “doesn’t go far enough in spelling out specific action steps and priorities.” Following a public comment period, the Department of Health and Human Services’ Office of the National Coordinator for Health IT issued the final version of the plan earlier this month. One expert says the plan “incorporates all the right areas of focus with respect to privacy and security but misses the chance to address some important issues that will be critical to healthcare’s future success in addressing data security,” including giving Health Insurance Portability and Accountability Act enforcement sharper teeth. [Source] See also: [Pharmacy kiosks launched: Markham company bringing technology to region]

AU – E-Health Violations to Result in Fines

Australia’s government will fine health practitioners $66,000 for breaches of electronic health records. Draft legislation includes penalties of $13,200 for each instance of a record being either breached or accessed without authorization. It also states that healthcare practitioners can only upload patient data if consent is obtained and that Australians will have access to their own data. Exceptions to patient records access rules include “to prevent a serious threat to an individual’s life, health or safety” or to public health and safety. Health Minister Nicola Roxon said the Personally Controlled Electronic Health Record system will be more secure and private than paper-based records. [iTNews] [Draft legislation]

US – Survey: Industry Lacks Data Security

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers’ Health Research Institute, nearly 74% are planning to expand the use of electronic health records, but only 47% are addressing related privacy and security implications. One of the report’s contributors, Jim Koenig, CIPP, said, “health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step…That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it’s only natural that advancements in privacy and security should come along.” [Source] See also: [Nurse fired after breach of privacy at hospital]

US – Health Breaches Rise, AGs Slow to Act

Only two state attorneys general have used the powers given to them by Congress to enforce the Health Insurance Portability and Accountability Act (HIPAA). Since the government bestowed enforcement powers on attorneys general in 2009 through the economic stimulus package, former Connecticut AG Richard Blumenthal and Vermont AG William Sorrell are the only ones to have taken action. Some experts say that high rates of HIPAA compliance, limited budget resources and AGs choosing to prosecute under state rather than federal laws may be contributing to the lack of action. Meanwhile, Health and Human Services reports that patient data breaches more than doubled from 2009 to 2010. [Source] See also [Senator Introduces Data Protection Legislation | Source]

US – HHS Unveils Personal Health Record Privacy Notice

The Department of Health and Human Services (HHS) has unveiled an easy-to-read, standardized template to help consumers to learn more about the privacy and security policies and data practices of personal health record (PHR) products. With the goal of helping PHR companies build greater trust among consumers, the PHR model privacy notice is similar to nutrition labels on foods, in that it simplifies complex information to improve transparency and consumer understanding, HHS officials said. The PHR model privacy notice was launched at the first-ever HHS Consumer Health IT Summit, held Sept. 12 at the Department of Health and Human Services in Washington, D.C. The summit brought consumers, providers, and the public and private sectors together to discuss how best to empower consumers to be partners in their health and care through health IT. The FTC worked closely with HHS on the development of the template and will enforce it for entities under their jurisdiction. PHR vendors Microsoft, Dossia, and NoMoreClipboard have all agreed to use the notice on their websites. [Source] See also: [IPC recognizes “Right to Know Week 2011” with educational outreach at Ontario hospitals] and [Commissioner Urges Hospitals to be Proactive with the Release of Public Information]


Horror Stories

US – Data Breach Affects 4.9M Active, Retired Military Personnel

Sensitive data including SSNs, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently. The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families. The breach affects all those who received care at the military’s San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities. As is typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low “since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.” [Source] See also [NS: Commissioner is investigating release of 1,500 confidential patient files] and [Investigation launched after medical records found on Calgary street] and [Colorado Nurse Faces 51 Counts for Records Theft] and [Auction Win: Storage Space and Medical Records] and [50,000 Patient Records Lost in System Crash] and [Vending Machine Company Point-of-Sale Breach Affects 40,000 | Source | Source] and [Security Breach Exposes Stanford University Hospital ER Patient Data | US: Medical data breach probed]

US – Former Employee Ordered to Pay $1.2 Million in Restitution for Data Breach

A former employee of Countrywide Home Loan was sentenced to prison and ordered to pay restitution in connection with a large-scale data breach at Countrywide, now Bank of America. The judge also imposed restrictions with regard to Rebollo’s future access to consumer information. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena where he had access to computer databases, many of which contained sensitive consumer information maintained in private Countrywide databases. Rebollo admitted that he saved the reports to personally owned flash drives and distributed financial information and contact information pertaining to approximately 2.5 million individuals. Rebollo further admitted that, in at least 50,000 instances, the individuals’ Social Security numbers were disclosed. [Source]

AU – Privacy of Patients Breached by Professional Services Review

Patient privacy has been compromised in the federal government’s bid to control health spending, with a key agency found to have illegally merged data from Medicare and the Pharmaceutical Benefits Scheme. In a case likely to fuel privacy concerns over planned electronic health records, the embattled Professional Services Review has been ordered to add computer system and practice changes to a growing list of reforms. The PSR investigates alleged doctor rorts, but a wave of legal challenges has this year forced 39 potential cases to be abandoned and left about 50 completed cases at risk of collapse. The government, which is preparing an appeal to the High Court, has ordered an independent review and a parliamentary committee is also examining the PSR. Privacy Commissioner Timothy Pilgrim said that after a 14-month investigation the PSR was found to have breached the Privacy Act with regard to its handling of patient information. “I found that PBS and MBS (Medicare Benefits Schedule) claims information were being stored in the same database and this was in contravention of PSR’s obligations under the privacy guidelines for Medicare benefits and Pharmaceutical benefits programs,” Mr Pilgrim said. [Source]


Identity Issues

US – Twitter Study Tracks When We Are

However grumpy when they wake up, and whether they stumble to their feet in Mumbai, Mexico City or Minnetonka, Minn., people tend to brighten by breakfast time and feel their mood taper gradually to a low in the late afternoon, before rallying again near bedtime, a large-scale study of posts on the social media site Twitter found. Drawing on messages posted by more than two million people in 84 countries, researchers discovered that the emotional tone of people’s messages follows a similar pattern not only through the day but also through the week and the changing seasons. The new analysis suggests that our moods are driven in part by a shared underlying biological rhythm that transcends culture and environment. The report, by sociologists at Cornell University and appearing in the journal Science, is the first cross-cultural study of daily mood rhythms within the average person, using such text analysis. Previous studies have also mined the mountains of data pouring into social media sites, chat rooms, blogs and elsewhere on the Internet, but looked at collective moods over time, in different time zones or during holidays. [The New York Times] See also: [Mobile Authentication] and [Defamatory Blog Postings: Anonymity and the Law] and also: [NYT: Senator Rick Santorum: Dealing With an Identity Hijacked on the Online Highway]


Intellectual Property

CA – UBC Tries to Protect Student Privacy on Plagiarism Checking Website

Students in the social sciences should be familiar with the plagiarism-checking website Turnitin. But few may be aware that UBC required a review of Turnitin’s privacy policy earlier this year. UBC has maintained a contract with Turnitin, a California-based online tool, since 2001. It’s meant to aid instructors in detecting copied phrases or misquoted texts that could constitute a breach in academic integrity. Students can also use it to pick out and correct originality errors in their papers before submitting them to their instructors. But returning students may have observed that the convenient link to Turnitin through WebCT Vista has been disconnected. It was discovered around mid-March this year that Turnitin had been saving student information on American servers, going against BC’s Freedom of Information and Protection of Privacy Act (FIPPA), which states that personal information in university control must only be stored in Canada. The Vista connection was disabled and UBC entered negotiations with Turnitin. Marianne Schroeder, senior manager of Teaching and Learning Technologies at UBC, explained that in 2006, Turnitin agreed to move their servers to Canada in order to renew their contract with UBC. The recent discovery in March of this year was a complete surprise. Schroeder said UBC took immediate action. UBC first requested that Turnitin stop backing up data to the US, in order to comply with FIPPA. However, the request was rejected. The second option was to design a connection between UBC’s Vista and Turnitin’s website, so that information identifying a student would be removed before a paper was submitted to Turnitin. Again, Turnitin was unwilling to invest in the option. While Turnitin is still being used by the university, the Vista connection remains disabled. New accounts and passwords must be created by visiting Turnitin’s website, as opposed to the simpler access through Vista. As an extra precaution, students are instructed to register under a pseudonym and remove any personal information from their papers. The added complications are inevitable in order for UBC to be compliant with FIPPA and protect students’ privacy. [Source] See also: [U of M prof to testify for arbitrator] and also: [Fasken: FIPPA and Ontario Hospitals: Delegation of Authority]

US – Appeals Court Reinstates Hefty Filesharing Verdict Against Joel Tenenbaum

The 1st US Circuit Court of Appeals has reinstated a US $675,000 illegal filesharing verdict against Joel Tenenbaum. A jury in the original case awarded the large verdict, but the judge in the case found the amount “unconstitutionally excessive” and reduced it to US $67,500. The verdict was for making 30 songs available over a peer-to-peer filesharing network. The Appeals Court said that US District Judge Nancy Gertner should have reduced the verdict under “remittitur.” The plaintiffs could accept the remittitur or receive a new trial. The Appeals Court noted that its decision was procedurally appropriate, but added that, “This case raises concerns about application of the Copyright Act which Congress may wish to examine.” [WIRED] [ArsTechnica]

CA – Internet Customer Names Sought for Hurt Locker Suits

Three Canadian internet service providers have until the end of Monday, Sept. 12, to hand over the names of customers suspected to have illegally shared The Hurt Locker movie online. The court order was requested by Voltage Pictures LLC, which owns the copyright for The Hurt Locker. “What makes this a particularly noteworthy case is it’s the first big peer-to-peer copyright litigation in Canada in a number of years,” said Michael Geist, a law professor at the University of Ottawa who holds a Canada Research Chair in internet and e-commerce law. Geist said under existing Canadian copyright law, defendants could be liable for up to $20,000 in damages. [Source]

CA – Government to Reintroduce Bill C-32 “In Exactly the Same Form”

Canadian Heritage Minister James Moore has told the Canadian Press that the government plans to reintroduce Bill C-32 in “exactly the same form” as the legislation that died on the order paper with the election call earlier this year. Moore suggested that the government plans to pick up where it left off with the same bill and a legislative committee that will not call groups that appeared during the last round of hearings. That suggests the bill will be on the fast track as the committee heard from dozens of groups on Bill C-32 over several months in late 2010 and early 2011. Moore was also asked about the Wikileaks cables and the revelations of Canada caving to U.S. pressure on digital lock rules. He argued that elements of the bill run contrary to what the U.S. prefers. While that is true with respect to ISP liability, that issue is seen as secondary by the U.S., which is far more focused on digital locks. On digital locks, Bill C-32 was precisely what the U.S. was looking for and contrary to what the government heard during its national copyright consultation. [Source]


Internet / WWW

EU – EU to Legislate on Cloud Security

The European Union will introduce new data protection laws on cloud computing in November. The Binding Safe Processor Rules will ask EU cloud providers to agree to be legally liable for any data breaches or losses, the report states, acting as a cloud provider accreditation service. Eduardo Ustaran of Field Fisher Waterhouse said service providers can use the accreditation as a selling point for their security models, while those who don’t have it may be seen as unsafe. Field Fisher Waterhouse’s Stewart Room described the rules as a “bridge” for cloud adoption in light of concerns about liabilities. [Source]

EU – Civil Liberties Groups Slam EU Data Retention as Unnecessary

More than 30 civil liberties organizations have signed and submitted a letter to the European Commission voicing opposition to the blanket retention of telecommunications data required under the EU Data Retention Directive. In the letter to Home Affairs Commissioner Cecilia Malmström, the groups argue that the retention of data is disproportionate and “therefore illegal” under the Charter of Fundamental Rights and the European Convention on Human Rights, the report states. The groups also query whether the practice has a “demonstrable, statistically significant impact on the prevalence or the investigation of serious crime in a given member state…” [PCWorld] See also: [German Crime Stats Deal Blow to EU’s Data Retention Laws]

US – FCC “Open Internet” Rule Published

The Federal Communications Commission (FCC) has published its “open Internet” order in The Federal Register. The order aims to balance consumer and content provider interests with those of Web access providers, and one access provider has pledged to take the FCC to court over it. The rules, adopted last December, go into effect on November 20 and stop ISPs from blocking legal content such as applications that require a lot of bandwidth. An FCC spokesman said the rules will increase certainty and predictability, but some public interest groups are saying the FCC succumbed to industry pressure and the rules don’t go far enough. [Reuters] See also: [FCC’s Net Neutrality Rules Will Face Legal Challenges | Source] See also: [Hewlett-Packard shows hazard of sharing LinkedIn profiles]


Law Enforcement

US – Supreme Court Hears Oral Argument in Strip Search Case

The US Supreme Court heard oral arguments October 12 in Florence v. Board of Chosen Freeholders of the County of Burlington. At issue is whether the Fourth Amendment permits a jail to conduct a suspicionless strip-search of every suspect, even those arrested for minor traffic offenses. The Petitioner, Albert Florence, was arrested based on an inaccurate police record of his previously resolved traffic fine. Florence was held for six days and subject to multiple strip searches before he was eventually brought before a judge and released. EPIC successfully argued before the Third Circuit in a related case, Doe v. Luzerne, that an individual has a reasonable expectation of privacy in remaining free from the government’s recording of nude images. EPIC also filed a “Friend of the Court” brief in Herring v. US, a related case involving a Fourth Amendment challenge to an arrest and search based on incorrect information in a government database. [SCOTUSblog: Florence v. Board of Chosen Freeholders] and also: [EPIC: Doe v. Luzerne County] [EPIC: Herring v. U.S.]

AU – Social Media Could Render Covert Policing ‘Impossible’

Facebook has proven to be one of the biggest dangers in keeping undercover police officers safe due to applications such as facial recognition and photo tagging, according to Australian researchers. Mick Keelty, a former Australian Federal Police (AFP) commissioner, told the audience at Security 2011 in Sydney that because of the convergence of a number of technologies including biometrics, undercover policing may be “impossible” in the future. He explained that there were safety risks associated with undercover policing if people could be identified online. Keelty is currently undertaking research into the policy implications of social networking for covert operations by police and security agencies. The results found that 90% of female officers were using social media compared with 81% of males. The most popular site was Facebook, followed by Twitter. Of those surveyed, 47% used social networking sites daily while another 24% used them weekly. All respondents aged 26 years or younger had uploaded photos of themselves onto the internet. Of the people surveyed, 85% had their photos uploaded on to the internet by another person. Keelty said that until recently this has been a real problem because Facebook refused to remove photographs, but because of competition from Google+ it had started to remove photos at people’s request. Alarmingly, 42% of respondents said it would be possible to identify their relationship with other people, including family and friends. The results of the survey would be used to inform future policy guidelines within both state and federal police agencies. [Source]

CA – Marijuana Grow-Op Sites Listed by RCMP

The RCMP is now publishing online the addresses of homes where marijuana grow-ops and other drug production operations were found. The new page on the RCMP’s website is part of a stepped up effort by the Mounties to target marijuana grow-ops and the organized crime gangs behind them. The Marijuana Grow Initiative was launched this week and the RCMP says it complements its National Anti-Drug Strategy. Split up by province, the website lists the addresses where search warrants were executed and lists how many marijuana plants were discovered and when. The database also covers clandestine drug labs that were found in homes. The page also includes links to the websites of local police services in Ottawa, London and Winnipeg. They also list addresses in their cities where search warrants were executed. RCMP Commissioner William Elliott said publishing the addresses is part of the deterrence and awareness elements of the new strategy. [Source]

NZ – NZ Police Storing Info of 500,000 Innocent Motorists

Figures released to 3 News show police are storing almost half a million photos of innocent motorists’ number plates and cars. The database is being kept as part of a trial of new surveillance technology. But privacy advocates are alarmed and say there is no need to keep such records of the innocent. Cameras fitted to vans have been snapping away in Auckland and Wellington since April last year, feeding images of cars and number plates into a police database. The technology, called automated number plate recognition, can take up to 3000 photos an hour. The database holds the details of 419,631 motorists, including the date, time and location of the picture. But only 4,492 vehicles are classified as “vehicles of interest”. A spokesperson for the Privacy Commissioner says such technology has to be used carefully and even police need to remember it is never 100% accurate. [Source] See also: [CA – Automated Technology helps OPP check every license plate] and [POLICE BEAT: Vehicle owners should guard those plates]

US – Privacy Laws May Prevent Seattle Police from Wearing Body Cameras

Seattle City Councilmember Bruce Harrell is spearheading a pilot program that could put small cameras on officers by the end of 2012. However, Bob Scales, who works at the Seattle City Attorney’s Office, said a few issues under current Washington State privacy laws may stand in the way. During a city council meeting on September 8, Scales said, “Under the Washington state Privacy Act, it is unlawful to make an audio recording of a private conversation except as authorized by the Act.” In 2000, the state legislature made allowances for video, but not audio, to be recorded on dash cams of some patrol cars. The body camera would record both video and audio, so some argue that provisions have not been made for that under the current law. Scales added, “Because there are no exemptions for the body-worn camera, the officers would have to do a two-part analysis every time they would decide to make a recording. They would need to do an assessment over whether the conversations they were recording were private or not.” “Right now, our legal counsel tells us that there needs to be a similar legislative fix.” [Source] See also: [Ontario – Secret school cameras angers staff] and [Ottawa woman plans webcam childbirth] and [US: ‘Granny cams’ are catching on as a tool to deter elder abuse] and [Calgary City eyes cameras to nab dumpers] and [‘Up-skirt’ photos snapped at CNE air show: police]



WW – Google Will Allow Users to Opt-Out of Wi-Fi Access Point Registry

Google says it plans to allow Wi-Fi access point owners to opt-out of the company’s data collection program. Google uses the Wi-Fi hotspots to pinpoint mobile phone users’ locations. The same vehicles that drive around neighborhoods gathering images for Google Street View have been collecting wireless access point information as well. The decision to allow users to opt out of participation was prompted by requests from European data protection authorities. [CNET] [ZDNet] [The Register]

US – Microsoft Facing Lawsuit Over Windows Phone 7 Location Data Collection

A complaint filed in district court in Seattle alleges that Microsoft’s Windows Phone 7 tracks users’ locations without permission. The complaint alleges that Microsoft is attempting to map the locations of cell towers, wireless routers, mobile phones and computers to support its location-based advertising service, and that the company is using the Windows Phone camera application to gather the information. The first time users open the camera application, they are asked for permission to log their location. Users’ responses are ignored when the application is opened subsequently. [Source]

SE – Sweden: Teachers Use GPS to Track Children

Daycare centres in Sweden have started using GPS systems and other electronic tracking devices to keep tabs on children during excursions – a practice that has raised ethical and practical questions. Some parents are worried daycare centres will use the technology to replace staff. Others wonder whether getting children used to being under surveillance could affect their idea of privacy when they grow older. Monica Blank-Hedqvist, the principal of a daycare centre in the city of Borlange, said yesterday her staff had been using such devices during supervised walks in the forest. A spokesman for Sweden’s Data Inspection Board said the authority may investigate the matter. “It could be quite harmless, or it could affect aspects of privacy,” Erik Janzon said. “It depends on what kind of information you feed into the system and the purpose of the use.” [Source] See also: [US: GPS Surveillance Does Not Invade Spouse’s Privacy, Court Finds] and [Jealous on your boyfriend? Spy him on his mobile]



US – Bank of America Sued Over Privacy Violations Due to Overseas Outsourcing

A new lawsuit was filed in the District of Columbia against Bank of America Corporation, the nation’s largest bank holding company. The suit alleges that B of A has been outsourcing certain functions to overseas companies and that, as a result, it has given foreign nationals access to the personal financial records of American citizens. If the allegation is correct, it would appear that B of A has violated the Right to Financial Privacy Act – a federal law – and could have exposed millions of account holders in such a way that they can easily become victims of financial crimes. Just as importantly, those same account holders may also be targeted for government snooping, no search warrant required. The suit is known as STEIN et al v. BANK OF AMERICA CORPORATION et al. [Source]

PH – Philippines Senate Introduces Data Protection Legislation

New legislation has been introduced in the Senate that would enact a data protection bill. The Data Privacy Act was sponsored by Sen. Edgardo J. Angara and supported by information technology and business process outsourcing industry representatives. The present version of the bill follows the information privacy principles laid out in the Asia-Pacific Economic Cooperation Privacy Framework, including harm prevention, notice and data collection limits. Angara said, “Our Data Privacy Act will act as another layer of legal protection…This is a clear signal to potential investors that the Philippines is seriously committed to safeguarding information.” [Source] See also: [Applications of China’s New Personal Information Protection Standards – Henry L.T. Chen, MWE China Law Offices and Rohan Massey and Heather Egan Sussman, McDermott Will & Emery]


Online Privacy

WW – Facebook Introduces Timeline

At the annual f8 conference, Facebook showed off new features that it plans to roll out within the next few weeks to select users. One of the new features that Facebook introduced was Timeline. Timeline is a completely redesigned profile that resembles a WordPress blog, with a header that spans the page and carries a photo of your choosing. Under the header is your information along with statuses, locations you have visited, photos, and other activities. Facebook likened the new profile to a scrapbook, somewhere you will be able to keep the memories of your past and look back on them whenever you choose. The new Timeline profile will be rolled out periodically to Facebook’s users over the next couple of weeks as small tweaks and bugs are worked out. [Source] See also: [The Economist: Facebook: Sharing it all on Open Graph] and [German Federal Ministry of the Interior – Press Release: Federal Interior Minister and Facebook To Communicate Better Protection For Users] and [Datatilsynet, Norway – Facebook’s Response to Questions from the Data Inspectorate of Norway] and [How to disappear without a trace online: Internet Suicide Machine]

WW – Facebook to ‘Automate’ Data Requests

The Austrian-based organisation Europe v Facebook said that Facebook was working on an automated system in response to a campaign, in which the group had urged people to request the personal data it holds on them. Europe v Facebook says the current system, in which users can wait up to 30 days to get the data, contravenes European privacy law. It is possible for users to download most of their own data from the site, but that only covers the information that they themselves have uploaded. It does not include information that other people have put up, which Facebook has linked to the user in question. “A Facebook representative has now told the group that, after receiving a massive amount of access requests following the campaign of Europe v Facebook in German-speaking countries, Facebook is now working on a system to automatically process access requests,” the campaigners said in a statement. [Source] See also: [Logging out of Facebook is not enough] and [Privacy Journal: Two-Faced Digital Execs Are Saying Privacy is Essential for Me, but Not for You]

EU – DPC Opens Investigation; Data Use Concerns Persist

Following an advocacy group’s logging of more than 20 complaints, Ireland’s Data Protection Commission “will examine all of Facebook’s activities outside the U.S. and Canada” with a goal of publishing its findings by the end of the year. Privacy advocates are concerned that the social network is not adequately informing users of the potential for information “it will collect from new entertainment and media applications” to be used in advertising. One advocate said, “If the ad were to publish facts about you without your knowledge…it would cross into extremely creepy territory,” while Facebook stressed its features “only work if people explicitly opt in to them.” [siliconrepublic]

US – Groups Ask FTC to Investigate Facebook

The Electronic Privacy Information Center and 10 other privacy and civil rights advocacy groups have asked the FTC to investigate Facebook’s use of cookies and recent changes to its site. The request follows an Australian technologist’s discovery earlier this week that the site tracked users even after they’d logged out. Facebook has since reportedly made changes addressing the concerns. The groups have also raised concerns about Facebook’s new “Timeline” feature, writing in a letter to the FTC that it is a “treasure trove of personal information” that could “provide a tempting target for stalkers, government agents or employers.” [The Washington Post] UPDATE: [Technologist Says Site Fixed Cookie Problem: Facebook fixes cookie behavior after logging out]

WW – Spotify Introduces New Privacy Features

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world’s largest social network. The music service had “quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail” and “defaulted to sharing all a user’s listening habits,” the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to “hundreds of complaints,” Spotify’s CEO has announced a new “private listening” mode, noting, “we value feedback and will make changes based on it.” [Financial Times]

WW – Amazon’s Silk Browser Raises Privacy, Security Eyebrows

Amazon rolled out its new line of Kindle tablets, adding the seven-inch $199 color Android Fire, the $99 keyboard-free 4GB Touch model and a $79 2GB non-touchscreen version to its ranks. Yet the Amazon product causing the most stir was not an e-reader or tablet, but Amazon Silk, the company’s new mobile web platform powered by Amazon’s incredibly extensive web services platform. Unlike traditional browsers, Silk’s subsystems are split between the user’s device and the Amazon computing cloud. Instead of the device issuing multiple requests to remote servers, Silk benefits from a drastically simplified asset retrieval process: webpage requests are routed to Amazon’s servers in the cloud and loaded there, taking advantage of Amazon’s high-speed connection, then streamed back to the device as a completed page. The user wait time that accumulates from the back-and-forth dialogue between the mobile device and the servers from which it requests content would be reduced from 100 milliseconds per exchange to 5 milliseconds. Yet with the introduction of a native cloud-based browser come questions of privacy. Browsing will be done in the cloud, but so will shopping, bill-paying and banking. Because target websites will only see Amazon’s IP address and not the user’s, surfing will essentially be anonymous from the customer’s point of view. This is unlikely to assuage the concerns of customers who are as concerned about Amazon’s access to their data as they are about that of third-party sites. [Source] [Source] See also: [Mozilla issues The Do Not Track Field Guide]

US – 4.9 Million Health Records Lost

Three healthcare providers have suffered recent data breaches. A Pentagon contractor’s website warns of a data breach affecting as many as 4.9 million patients. Science Applications International says the lost information—stored on backup computer tapes from electronic health records—included SSNs, addresses, phone numbers and other private health information of patients who received care from San Antonio military facilities since 1992. The Veterans Affairs Illiana Health Care System in Illinois has notified patients of a potential data breach involving 518 veterans. Meanwhile, two Minnesota healthcare facilities report that a stolen laptop contained personal information, including Social Security numbers, on more than 14,000 patients. [Source] See also: [IPC Paper: Safeguarding Personal Health Information When Using Mobile Devices for Research Purposes]


Other Jurisdictions

AU – Australian Privacy Commissioner: Sony Did Not Breach Privacy Act

Privacy Commissioner Timothy Pilgrim has cleared Sony Computer Entertainment Australia of wrongdoing in the hacks earlier this year that exposed the personal information of 77 million customers. Pilgrim today published his investigation report, which found no breach of the Privacy Act because there was no evidence that Sony “intentionally disclosed” data and the company “took reasonable steps to protect its customers’ personal information.” However, Pilgrim said he “would have liked to have seen Sony act more swiftly to let its customers know about this incident.” Last week, U.S. officials arrested a man in connection with the Sony hackings. [The Sydney Morning Herald] See also: [Man Arrested in Sony Hacking] and [Former U.S. official to head cybersecurity at Sony] and [Sony’s New TOS Agreement Limits Users to Binding Arbitration | Source | Source | Updated TOS]

AU – Minister: Breach Notification Laws Possible

A discussion paper for Australia’s proposed federal privacy reforms, announced last week, could introduce a statutory cause of action for victims of privacy invasions. A spokesperson for Home Affairs Minister Brendan O’Connor says that “proposals for mandatory breach notification rules (would be) considered by the government once foundational reforms to the Privacy Act have been progressed.” O’Connor’s department has said that it would consider breach notification laws if there is sufficient evidence that the loss of personal information within business is increasing and information security is lacking. The Australian Law Reform Commission recommended breach notification laws in 2008, and they have remained under consideration since. [SC Magazine]

SG – Singapore Launches Consultations on New Consumer Privacy Law

Singapore will have a new consumer privacy law starting from next year that will protect the data of consumers in an age of information explosion. The new legal framework may allow consumers to “do something” about unwelcome calls and text messages. Singapore currently has no overarching consumer privacy law but only specific regulations requiring the protection of consumer information in banking, telecommunications and healthcare. Under the proposed framework going into public consultations, all telemarketers will have to check against names in a “Do Not Call” registry that allows consumers to opt out of all unsolicited calls or text messages. If an individual puts his name on the registry and still receives an unsolicited call, he can make a complaint to a new Data Protection Commission. The commission will be given the power to investigate such complaints and fine offending parties. The maximum fine will be a hefty 1 million Singapore dollars (813,008 U.S. dollars). It is not clear, however, if a service provider like a bank can still call its customers for telemarketing purposes if they put their names on the registry. The Ministry of Information, Communications and the Arts said such issues will be addressed in a second round of consultations. [Source] [Ministry of Information, Communications and the Arts: Public Consultation: Proposed Consumer Data Protection Regime for Singapore] See also: [Thailand: Too many caveats kill privacy in bill on personal data] and [Personal Data Protection Authority of Ukraine – Law of Ukraine on Protection of Personal Data] and [Angola Passes Personal Data Protection Law – Hunton & Williams LLP]


Privacy (US)

US – Real-Life ‘Minority Report’? EPIC Obtains Gov’t Documents

EPIC has obtained, via a Freedom of Information Act request, documents from the Department of Homeland Security about a secretive “pre-crime” detection program. Under the “Future Attribute Screening Technology” (FAST) program, the DHS will collect and retain a set of “physiological and behavioral signals” from individuals at large-scale venues. According to a 2008 Privacy Impact Assessment prepared by the agency, the DHS intends to monitor and collect data including “video images, audio recordings, cardiovascular signals, pheromones, electrodermal activity, and respiratory measurements,” in order to attempt to determine perceived “mal-intent.” EPIC filed the FOIA request after news sources reported that Homeland Security tested the FAST Project in a public location in early 2011. DHS acknowledged the test but has refused to disclose the test results. Similarly, the agency has refused to provide the test’s location or duration, stating only that testing occurred in the “northeast” and in a “large venue that is a suitable substitute for an operational setting,” although not an airport. According to the documents obtained by EPIC, Homeland Security is considering the use of the device at conventions and sporting events. The documents corroborate that a field test was conducted on the public, as well as on DHS employee volunteers. DHS, however, failed to comply with federal law when the agency neglected to do a privacy impact assessment regarding the public testing. [EPIC: FAST Project] [EPIC: FOIA’d Documents FAST Privacy Threshold Analysis] [Declan McCullagh, CNet: Article on FAST Technology (Oct. 7, 2011)] and [Department of Homeland Security: FAST Project]

US – Appeals Court: ECPA Protects Noncitizens

The Ninth Circuit Federal Appeals Court has ruled that foreign citizens are protected by the Electronic Communications Privacy Act, or ECPA. The court’s decision in Suzlon Energy v. Microsoft Corp. reaffirms that ECPA protects consumer data without regard to nationality, by forbidding companies in most circumstances from disclosing communications data to third parties. Suzlon involves a civil suit in which Microsoft refused to disclose data from the Hotmail email account of Rajagopalan Sridhar, an Indian citizen. Indian company Suzlon Energy claimed that Sridhar, an employee, had committed fraud. [Ninth Circuit Court: Suzlon Energy v. Microsoft Corp. (Oct. 3, 2011)] [EPIC: Wiretapping and Electronic Surveillance]

US – California Law Forbidding Warrantless Cell Phone Searches in Effect

A California law took effect this week that requires law enforcement officers to obtain a search warrant before seizing and searching a suspect’s cell phone. The law unanimously passed the California Assembly, overturning a California Supreme Court decision last January that allowed police to search the cell phones of assailants. The law applies not only to cell phones but also to all “portable electronic devices…capable of creating, receiving, accessing or storing electronic data or communications.” Attorney Hanni Fakhoury of the Electronic Frontier Foundation said the law sends a strong message to other courts and U.S. legislatures–as well as the U.S. Supreme Court. [Source]

US – Court Upholds Order for DOJ to Hand Over Warrantless Cell Phone Tracking Info

The American Civil Liberties Union (ACLU) has called a recent ruling from the US Court of Appeals for the DC Circuit “a significant victory in the fight against warrantless tracking of Americans by their government.” The court ordered the US Justice Department to surrender names and case docket numbers of cases in which it “accessed cell phone location data without a warrant.” The court’s order upholds a lower court ruling. [Source] [Source] [Source] See also: [Israel: Police Arrest 22 in Phone Tapping Case]

US – Judge Approves Bookseller Deal

A New York bankruptcy judge has approved a deal that will make way for Barnes & Noble to purchase a defunct bookseller’s customer list. Judge Martin Glenn approved the deal on Monday. It will give Barnes & Noble access to details on 48 million former Borders’ customers. The deal was halted late last week due to privacy concerns related to Borders’ privacy policy. Under new data protection provisions in the deal, customers will be notified that Barnes & Noble will take possession of their personal information, and they will have 15 days to opt out of the transfer. [paidContent]

US – FTC Proposes New Children’s Online Privacy Rule

The FTC announced it is seeking comment on revisions to the Children’s Online Privacy Protection Act that would extend it to cover evolving technologies such as web and mobile platforms for children under the age of 13. The proposed changes would require operators to post notice and obtain parental consent before collecting information from children, offer a larger variety of ways to obtain that consent, and provide proof that they are capable of adequately protecting children’s personal information. It would also extend the definition of personal information to include geolocation information and information gathered from technologies such as cookies that track young users online for advertising purposes. Written comments on the proposal must be submitted to the FTC by Nov. 28. [Source] See also: [UK Information Commissioner’s Office: Data privacy ‘should be taught in schools’ | The Guide to Privacy and Electronic Communications] and [UK ICO: Call for jail option for data privacy breaches] and [European Commission – Communication From The Commission To The European Parliament, The Council, The European Economic and Social Committee and the Committee of the Regions – Protecting Children in the Digital World]

US – Facebook Continues D.C. Hiring Spree With White House, Privacy Expert Hires

Facebook announced new hires for its Washington policy and lobbying office, drawing high-profile figures from the White House and a privacy expert as the social networking site continues to grow — and come under scrutiny for its security and privacy practices. The hirings have created a politically connected team in Washington, with inroads in both parties and years of experience on the Hill and in the White House. Louisa Terrell, special assistant to President Obama for legislative affairs, will join the Silicon Valley-based firm in October as director of public policy. She helped the White House craft legislative strategy in the Senate. She is coming back to the tech world, having worked for Yahoo’s public policy office before joining the administration. Privacy expert Erin Egan, partner and co-chair of Covington & Burling’s global privacy and data security practice, will join Facebook in mid-October. She will be senior policy adviser and director of privacy. As Facebook comes under the microscope in Europe, where countries largely abide by their own privacy rules, the company has hired Erika Mann to lead its Brussels office and serve as the lead spokeswoman for E.U. institutions. Mann most recently represented trade group Computer and Communications Industry Association (CCIA) in Europe as well as serving on the board of ICANN. She was a member of the European Parliament from 1994 to 2009, representing the state of Lower Saxony in Germany. The hires add to a slew of politically connected policy veterans joining the company. Facebook’s chief operating officer, Sheryl Sandberg, has worked at the Treasury Department and was a mentee of former Treasury Secretary and Obama Economic Adviser Lawrence Summers. Last week, Facebook named Erskine Bowles, former chief of staff to President Bill Clinton, to its board. In June, it hired former Clinton White House spokesman Joe Lockhart to head its communications team. In May, Facebook nabbed Republican Joel Kaplan, a former aide to President George W. Bush, to head its Washington office. In June 2010, Obama White House staffer Marne Levine was hired to work on policy issues based in Washington. And in September 2008, Ted Ullyot, a former counsel to President George W. Bush, was named vice president and general counsel. [Source]

US – DHS Off the Hook for Airport Screening Snafu

A man who was allegedly arrested after he stripped down in airport security to reveal the Fourth Amendment written on his chest cannot sue the government for violating his constitutional rights, a federal judge ruled. On Dec. 30, 2010, Aaron Tobey entered the security checkpoint area at Richmond International Airport before boarding a flight to Wisconsin for his grandfather’s funeral. A transportation security officer directed Tobey to take a body scan. Before entering the scanning unit, however, Tobey allegedly stripped down to his running shorts to reveal the text of the Fourth Amendment written in black marker on his chest. The officer, referred to in court documents by the pseudonym Rebecca Smith, had explained that clothing removal was unnecessary. She radioed for help when Tobey got undressed. In a federal lawsuit, Tobey said he was handcuffed and questioned at the on-site police station for 1 1/2 hours. The officers also allegedly discarded Tobey’s belongings and gave him a summons for disorderly conduct, but did not prosecute the charge. Tobey said one officer advised him “that the police would make sure” he had “a permanent criminal record as a result of his actions.” Tobey boarded his flight after going back through the security checkpoint. U.S. District Judge Henry Hudson dismissed the claims in a 35-page decision. [Source] See also: [US: ‘Don’t ask, don’t tell’ ends in quiet, personal ways]


Privacy Enhancing Technologies (PETs)

UK – Product Designer Gives Patients Privacy in Hospital

The inventor of the “KwickScreen” retractable room divider has pipped six other industrial designers to become the UK winner of the James Dyson award. Londoner Michael Korn, 30, has taken the “lean manufacturing” theory he learnt at Cambridge University’s Institute of Manufacturing and applied it to two of the most common causes of patient frustration in NHS hospitals: unnecessary spread of infection and lack of privacy. Mr Korn said his screens worked well for hospitals because of the “severe shortage of slide screen, isolation facilities, and for dignity screens” and because most infections were not airborne and the screens, manufactured in Corby, are easy to clean. [Source] See also: [Wall Street Journal: Rise of the CPO and PIAs] and [New Technologies and Tips for Protecting Data]



EU – Product Tagging Increasing

It’s not only a computer that can be connected to the Web now, it’s your smartphone, your car, your home and even your jeans. Retailers are increasingly tracking products with radio frequency identification tags (RFID), interconnectivity that could allow for monitoring of virtually anything at any time. Privacy advocates have raised concerns that RFID tags could read more data than intended, such as a consumer’s RFID-tagged passport or driver’s license, and could lead to cases of identity theft. European Data Protection Supervisor Peter Hustinx has warned that with any tracking devices, “there’s privacy relevance” and uses must be compliant with the new European Commission Framework, signed by the commission this year. [BBC News]



US – NIST Seeks Feedback on Risk Assessment Guide

The National Institute of Standards and Technology (NIST) is seeking comments on its “Guide for Conducting Risk Assessments.” The guidance aims to help agencies assess risk within their IT systems and strengthen federal cybersecurity. NIST describes assessment as one of four steps in agencies’ general security risk management strategy, the report states, noting that risk assessment helps thwart incidents before they can occur. A federal IT official testified to Congress this week that risk mitigation is a key feature of the government’s future security measures, especially when it comes to cloud computing. [Source]

US – US Agencies Must Now Submit Cyber Security Reports Monthly

Starting in October, US government agencies will be required to move from annual to monthly cyber security reports to maintain compliance with new Federal Information Security Management Act (FISMA) rules. The new mandates for FISMA compliance include sending monthly feeds to the CyberScope compliance tool, which aims to reduce the expense associated with FISMA compliance and provide more current and pertinent information. [Source]

AU – Shopping Center “Find My Car” Tool

A shopping center in Sydney, Australia has removed a “Find My Car” feature from its iPhone app after learning that the information was accessible in unencrypted form over the Internet. Cameras at the Westfield Shopping Centre photographed cars’ license plates and indexed the vehicles’ locations. The feature was designed to help people who had forgotten where they parked their cars. A blogger found that the information logged by the shopping center systems was available on the Internet and that people could use the application as a tool to track others’ whereabouts. The feature is not functional at the moment, and will remain unavailable until the privacy issue is addressed. [The Australian] [The Register] See also: [ENISA Issues Report – Appstore Security: 5 Lines of Defence Against Malware] and [US: Court Approves Lawsuit Against Toyota Over Cyberstalking Ad Stunt]

UK – Heathrow Airport to Trial New ‘Privacy-Friendly’ Body Scanners

Body scanners, which show a ‘naked’ image of passengers to security staff, have long been a controversial addition to airport departures. That may be why Heathrow is trialling ‘privacy-friendly’ body scanners that replace invasive images of the human torso with a cartoon-like figure. Instead of using X-ray beams, the new technology uses millimetre-wave scanners, which bounce electromagnetic waves off a passenger’s body. Anyone who sets off a metal detector in Terminal 4 will be taken to a passenger-screening area and shown the scanner’s image on screen. Suspicious packages or items will be depicted as a yellow box on the computer-generated outline of the passenger’s body. The new body scanners are already in use in some American airports. [Source]

UK – Data Protection Fears Undermine IT Recycling

Data protection concerns are preventing many UK companies from disposing of their working computers by sending them for reuse, a new survey from charity Computer Aid International has revealed. In a survey of 100 senior IT decision makers in UK companies with more than 1,000 employees, researchers found that just 14% of companies send all their working computers for reuse. The remainder sent their equipment to be dismantled and recycled or to landfill. Legislation around e-waste recommends reuse as the preferred disposal method. Of the companies that did not opt for reuse, 63% cited data protection concerns, 53% blamed cost, while 24% said that contractual obligations to a leasing company prevented them from choosing reuse. However, 83% of these respondents said that they wanted to reuse working equipment if data protection and cost issues were addressed. Of those recycling IT equipment, 28% of companies recycled all of their IT, and 41% recycled more than half. The survey found that companies dispose of an average of 542 computers a year, with companies replacing their base units (one third of respondents) and monitors (20%) every three years. [Source]


Smart Cards

AU – Australian Passports Now Offer 3 Gender Options

Australian passports will now have three gender options – male, female and indeterminate – under new guidelines to remove discrimination against transgender and intersex people, the government said. Intersex people, who are biologically not entirely male or female, will be able to list their gender on passports as “X.” Transgender people, whose perception of their own sex is at odds with their biology, will be able to pick whether they are male or female if their choice is supported by a doctor’s statement. Transgender people cannot pick “X.” Previously, gender was a choice of only male or female, and people were not allowed to change their gender on their passport without having had a sex-change operation. The U.S. dropped the surgery prerequisite for transgender people’s passports last year. Any country that complies with the International Civil Aviation Organization’s specifications for machine-readable passports can choose to introduce a gender “X.” [Source] See also: [The future of passports]



US – OnStar Reverses Privacy Changes After Public Outcry About Privacy

GM’s subsidiary OnStar has reneged on highly controversial privacy changes it announced last week after enormous resistance and threats of a congressional investigation. On September 21, OnStar announced several changes to its terms of service. The company stated it would now track the position, speed, diagnostic error codes, seatbelt usage data, and crash information of all vehicles, even if drivers didn’t have an active subscription. The company also reserved the right to sell the GPS data it gathered, though it claimed no personal information would be attached. A GM spokesperson justified the change by claiming it made it easier for customers to re-enroll in the service and gave GM a way to contact people in the event of a recall or consumer hazard. Phone numbers, mailing addresses, and email information evidently weren’t good enough. GM customers could opt out of the tracking, but had to specifically choose to do so. The announcement sparked a wave of protests, multiple letters to the company from Congressmen, and calls for an investigation into whether or not the service’s new terms were a violation of one’s right to privacy. GM has since backed down. [Source] [Source] [OnStar Tracks Your Car Even When You Cancel Service] [GM OnStar cars will upload all data unless owners opt out] [Charles Schumer] See also: [Senators Coons, Franken to OnStar: Tracking, Sharing Customers’ Location Without Consent is a Serious Violation of Privacy – Press Release]

US – DOJ Document Reveals Cell Phone Data Retention Periods

Wired is reporting on the retention periods of major cellular service providers after the American Civil Liberties Union of North Carolina obtained a Department of Justice document intended for law enforcement through a Freedom of Information Act request. The document reveals carriers’ retention terms for text messages and cell-site data. “This brings cellular retention practices out of the shadows so we can have a rational discussion about how the law needs to be changed when it comes to the privacy of our records,” said Kevin Bankston of the Electronic Frontier Foundation. [Source]

US – Lawsuit Challenging Warrantless Wiretapping May Proceed

The 2nd US Circuit Court of Appeals has ruled that a lawsuit challenging the constitutionality of a federal law that allows warrantless wiretapping may proceed. The plaintiffs, a coalition of groups and attorneys concerned with civil liberties, are challenging the 2008 Foreign Intelligence Surveillance Act (FISA). The government maintains that the plaintiffs lack the necessary legal standing to bring the suit. [WIRED] [US Courts] See also: [AB: RCMP warn of fake wireless network]

US – Report: Location-Based Tracking Should Require Warrants

A report from the Constitution Project’s Liberty and Security Committee says that law enforcement agents should have to obtain warrants based on probable cause before using location-based tracking. The report also urges legislators to amend the Electronic Communications and Privacy Act (ECPA) to require probable cause warrants before cell phone location data can be accessed. [Source]

EU – Researchers: TV Habits Determinable with Smart Meters

A Münster University of Applied Sciences study found that, by analyzing patterns in the electricity consumption data transmitted by a household smart meter, researchers could determine which program was playing on a television. Previously, smart meter data was thought to be usable only to distinguish between appliances, but because the meter transmits a reading every two seconds, this finer analysis is possible, the report states. According to the research team, the discovery means tighter regulations on this data are needed. [The H Security]
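To make the granularity point concrete, here is an added Python illustration that is not from the Münster study or the H Security article. It constructs two synthetic TV "program signatures" that have identical 15-minute average draw but different second-to-second shape, adds one of them to a constant household base load with small jitter, and shows that a correlation match succeeds on 2-second readings yet has nothing to work with once the same trace is aggregated to 15-minute averages. The 15-minute interval, the wattages and the signature shapes are assumptions chosen for the demonstration.

```python
"""Toy illustration of why a smart meter's reporting interval matters for privacy.

Constructed example: two synthetic "program signatures" (the extra draw a TV adds
while showing program A or program B) share the same average over every 15-minute
window but differ from reading to reading.  At 2-second resolution the household
trace can be matched to the right program by correlation; at 15-minute averages the
two candidates become identical and the match carries no information.
"""
import random

SAMPLE_S = 2                    # seconds between readings (interval from the article)
BIN_S = 15 * 60                 # coarse reporting interval, assumed for the example
BIN_LEN = BIN_S // SAMPLE_S     # 450 fine readings per coarse window
SCENE_LEVELS = [100, 300, 200, 400, 150, 250]   # constructed per-window TV draw (W)
BASE_LOAD_W = 800               # constant draw of everything else in the house


def make_signature(levels, bright_first):
    """Per-reading TV draw.  Each window is half bright (+100 W) and half dark (-100 W);
    program_A is bright-then-dark, program_B dark-then-bright, so both average to
    exactly `level` over the window."""
    sig = []
    half = BIN_LEN // 2
    for level in levels:
        bright = [level + 100] * half
        dark = [level - 100] * (BIN_LEN - half)
        sig.extend(bright + dark if bright_first else dark + bright)
    return sig


def pearson(x, y):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def downsample(series, factor):
    """Replace each block of `factor` readings with its mean (what a coarse meter reports)."""
    return [sum(series[i:i + factor]) / factor for i in range(0, len(series), factor)]


def identify(trace, candidates):
    """Score every candidate signature against the trace and pick the best."""
    scores = {name: pearson(trace, sig) for name, sig in candidates.items()}
    return {"best": max(scores, key=scores.get), "scores": scores}


def resolution_comparison(seed=42):
    """Run the match at 2-second and at 15-minute resolution on a constructed trace."""
    candidates = {
        "program_A": make_signature(SCENE_LEVELS, bright_first=True),
        "program_B": make_signature(SCENE_LEVELS, bright_first=False),
    }
    rng = random.Random(seed)
    # Constructed household trace: the TV is showing program A, plus small jitter.
    trace = [BASE_LOAD_W + w + rng.uniform(-15, 15) for w in candidates["program_A"]]
    fine = identify(trace, candidates)
    coarse = identify(downsample(trace, BIN_LEN),
                      {n: downsample(s, BIN_LEN) for n, s in candidates.items()})
    return fine, coarse


if __name__ == "__main__":
    fine, coarse = resolution_comparison()
    print("2-second readings :", fine)
    print("15-minute averages:", coarse)
```

The point for a defender is that the exposure comes from the reporting interval rather than from metering as such: aggregating or rate-limiting readings before they leave the premises removes the fine structure that the matching depends on, which is the kind of data-minimization rule the researchers are asking regulators for.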


Telecom / TV

US – Federal Judge Dismisses Privacy Complaints Against Apple

A California judge has dismissed an app-related privacy lawsuit against Apple, arguing that the plaintiffs failed to prove that Apple and its products caused them any harm. The individuals suing Apple have the right to appeal, the judge said, but they need to seriously bulk up their suit if they want to prevail. Back in December, California resident Jonathan Lalo accused Apple of producing devices that allow ad networks to track a user’s app activity. His suit also named Pandora, Paper Toss app maker Backflip Studios, The Weather Channel, and Dictionary.com. A second lawsuit was filed by Dustin Freeman several weeks later, and the cases were eventually combined. The suits cited a Wall Street Journal study published last year that examined 101 apps and found that iPhone apps distributed more personal data without the users’ permission than Android apps. [Source] [Source] [Why the Apple UDID had to Die] See also: [Japan: Smartphone app draws heat for invading user’s privacy]

WW – Researcher: Smartphone IDs Not Secure

The Wall Street Journal reports on the use of smartphones’ unique ID numbers as a way for criminals to access users’ social networks. While the IDs do not contain user information in and of themselves, the report notes that “app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social networking data,” effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. “Mobile security is not limited to a singular app or games overall – it’s an issue that the entire mobile ecosystem needs to address,” Cortesi said. [Source]


US Government Programs

US – Lawmakers Want “Supercookie” Investigation

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have called for an investigation into the use of “supercookies” by websites. In a letter to the FTC, the co-chairmen of the House Bipartisan Privacy Caucus said the technology could violate the FTC’s “unfair or deceptive acts or practices” rule, adding, “We believe this new business practice raises serious privacy concerns and is unacceptable…the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for misuse of personal information and provides another way for consumers to be tracked online.” [The Washington Post]

US – Congressional Watchdog: DHS Data Mining Programs Pose Risk to Privacy

The Government Accountability Office (GAO) has performed a detailed evaluation of data mining practices at the Department of Homeland Security. According to the GAO’s report, privacy protections and transparency are vital to data mining operations; however, the report states that Homeland Security’s practices did not “adequately ensure the protection of privacy-related information.” In 2009, EPIC called for an investigation of the DHS Privacy Office and maintained that the agency’s Chief Privacy Officer was not complying with the statutory requirements necessary to protect privacy. [GAO: Report on DHS Data Mining Practices (Sept. 2011)] and [EPIC Letter to Congress Re: DHS Chief Privacy Officer (Oct. 23, 2009)] and [DHS Privacy Office] and [EPIC: DHS Chief Privacy Officer and Privacy]

US – DHS Privacy Office Outlines Progress

During the past year, the Department of Homeland Security (DHS) Privacy Office expanded the breadth of its privacy and FOIA-related initiatives throughout the department, the federal community and with international partners, according to an annual report issued by DHS’s Chief Privacy and Freedom of Information Act Officer, Mary Ellen Callahan. According to the report, The DHS Privacy Office 2011 Annual Report, the office made significant progress on a number of fronts. Last year it approved and published 68 Privacy Impact Assessments (PIAs) and 20 System of Records Notices (SORNs) on Department programs, systems, and initiatives. The report noted the development of a DHS “Privacy Policy and Compliance” management directive that reinforces department privacy policy based on the Fair Information Practice Principles (FIPPs) and details the privacy-related responsibilities of all DHS employees, and the issuance of a new privacy policy guidance memorandum, Roles & Responsibilities for Shared IT Services, signed by the Chief Privacy Officer, the Chief Information Officer, the Assistant Secretary for Policy and the Director of Records. Another achievement of the Privacy Office, the report said, was the “launching [of] a new intranet site featuring the office’s privacy and FOIA training resources, distribution of a two-page factsheet detailing best practices for safeguarding Sensitive Personally Identifiable Information (PII), developing a new online Culture of Privacy Awareness annual mandatory training course, and providing guidance to components developing component-specific privacy training.” During the past year, the report said, DHS investigated, mitigated and closed 88% of reported privacy incidents, reviewed all new DHS information sharing agreements involving PII shared outside of DHS, and ensured application of the FIPPs to protect PII and comply with DHS policy. [Source] See also: [US: Flight passenger ‘humiliated’ by hairdo security check for weapons]

US – IG Deems DHS Financial, Operational Data at Risk

The inability of DHS to implement appropriate IT and application controls has placed the confidentiality, integrity and availability of DHS’s financial and operational data at risk, according to an audit conducted for the department’s inspector general. Auditors from KPMG delivered their findings to the DHS IG in April, but the inspector general did not release a public, redacted version until this past week. According to the report, the most significant weaknesses included:

  • Excessive unauthorized access to key DHS financial applications.
  • Configuration management controls that are not fully defined, followed or effective.
  • Security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures.
  • Contingency planning that lacked current, tested contingency plans developed to protect DHS resources and financial applications.
  • Lack of proper segregation of duties for roles and responsibilities within financial systems.

Nearly two-thirds of the 161 weaknesses discovered in the fiscal year 2010 audit had been identified in the FY 2009 audit but not remediated. “Disagreements with management’s self-assessment occurred almost entirely at the Federal Emergency Management Agency,” the IG audit said. “Collectively,” the IG report said, “the IT control deficiencies limited DHS’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’s financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants and GAO.” [Source]
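For the segregation-of-duties finding above, this added Python example (not from the KPMG audit or any DHS system) shows the shape of the check an auditor runs against a financial application’s access list: a role-to-permission catalogue, a set of “toxic” permission pairs that no single person should hold, and a review that flags users holding such a pair or holding roles missing from the approved catalogue. All roles, permissions, rules and users are constructed for illustration.

```python
"""Minimal segregation-of-duties (SoD) review over a financial system's access list.

Everything below (roles, permissions, conflict rules, users) is constructed for
illustration; it is not data from the DHS audit.
"""

# Constructed role catalogue: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "AP_Clerk":       {"enter_invoice", "edit_vendor"},
    "AP_Approver":    {"approve_invoice"},
    "Treasury":       {"release_payment"},
    "Vendor_Master":  {"create_vendor", "edit_vendor"},
    "Security_Admin": {"grant_role", "revoke_role"},
    "Read_Only":      {"view_ledger"},
}

# Constructed conflict rules: one person holding both permissions could both
# commit and conceal a fraudulent transaction, so the pair must be split.
TOXIC_PAIRS = {
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"approve_invoice", "release_payment"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"grant_role", "approve_invoice"}),
    frozenset({"grant_role", "release_payment"}),
}


def effective_permissions(roles, catalogue=ROLE_PERMISSIONS):
    """Union of permissions over all roles held; roles absent from the catalogue
    are returned separately because they cannot be evaluated (and are a finding)."""
    perms, unknown = set(), []
    for role in roles:
        if role in catalogue:
            perms |= catalogue[role]
        else:
            unknown.append(role)
    return perms, unknown


def sod_violations(perms, toxic=TOXIC_PAIRS):
    """Toxic pairs fully contained in one person's effective permissions, sorted."""
    return sorted(tuple(sorted(pair)) for pair in toxic if pair <= perms)


def review_access(assignments, catalogue=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Evaluate every user.  Returns {user: {"violations": [...], "unknown_roles": [...]}}
    containing only users with at least one finding."""
    findings = {}
    for user, roles in assignments.items():
        perms, unknown = effective_permissions(roles, catalogue)
        violations = sod_violations(perms, toxic)
        if violations or unknown:
            findings[user] = {"violations": violations, "unknown_roles": unknown}
    return findings


# Constructed access list (user -> roles held).
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_Clerk", "Read_Only"],
    "bob":   ["AP_Clerk", "AP_Approver"],        # enters and approves the same invoices
    "carol": ["Vendor_Master", "Treasury"],      # creates vendors and releases payments
    "dave":  ["Security_Admin", "Read_Only"],
    "erin":  ["Treasury", "Legacy_Superuser"],   # role missing from the catalogue
}

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ASSIGNMENTS).items():
        print(user, finding)
```

In practice the access list comes from the application’s own export and the conflict rules from the organisation’s control matrix; the check is the same, and re-running it on each audit cycle is what turns a one-time finding into something that stays remediated.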


US Legislation

US – Data Breach Bills Move in House, Senate Panel

The Senate Judiciary Committee has narrowly approved three bills that would require organizations to secure personal data and notify customers if their data is compromised. When addressing Sen. Dianne Feinstein’s (D-CA) bill, Sen. Chuck Grassley (R-IA) said, “we may end up with more burdensome regulations…and consumers still going unprotected because the over-notifications will be ignored.” Sen. Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2011 would make data breach notification a national standard and data breach concealment a crime. Meanwhile, Rep. Mary Bono Mack’s (R-CA) SAFE Data Act was approved by a House subcommittee and will move to the full committee for approval. Bono Mack said, “Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes.” [Bloomberg] [NextGov] [Source] See also: [Pennsylvania State Senate Passes Breach Notification Legislation]


Workplace Privacy

US – Fired NY State Employee Sues for GPS Tracking Without Consent

Managing employees in the field has always been a challenge. How do you know if employees are where they say they are? What if a customer calls to complain that a driver never showed up, but he swears he did? What is a manager to do? This is where GPS tracking can offer huge benefits. But is it OK to monitor an employee with a GPS tracking device without their knowledge or consent? How far can the state government go in monitoring a mobile employee? This question will be addressed by a mid-level appeals court in New York in about six weeks. The lawsuit was filed by the New York Civil Liberties Union (NYCLU) against the state Labor Department on behalf of a fired state worker, Mr. Cunningham, whose personal vehicle was monitored with a GPS tracking device without his knowledge or consent. The NYCLU believes the surveillance, which was done without a court warrant, violated state constitutional protections against unreasonable search and seizure and violated Mr. Cunningham’s privacy rights. The NYCLU says the GPS tracking went beyond what would normally be termed Cunningham’s work hours, since the device was on 24 hours a day, seven days a week; it even tracked him on a multi-day family vacation. Mr. Cunningham became aware of the surveillance only a year after it was conducted, when the state charged him with misconduct, citing evidence from the GPS tracking to show that he had claimed pay for hours he had not worked. He was fired from his management job last year. [Source] See also: [US: Prison Sentence for Insider Crimes] See also: [Employee mobiles a vector for stealing data]

US – Unemployed May Face Drug Test

The governor of South Carolina wants to drug test people who are unemployed before she gives them any unemployment benefits. Governor Nikki Haley says, “I love the idea of drug testing because I think it brings accountability to the process.” Victoria Middleton with the ACLU-SC said, “the organization believes that this kind of sweeping, suspicionless mandatory drug testing is discriminatory, an invasion of privacy and a waste of our limited state funds.” [Source] See also: [US: Mandatory drug tests invade student privacy]


