Privacy News Highlights: 01-20 August 2012

Biometrics

US – FBI to Provide Facial Recognition to Law Enforcement

An FBI initiative will provide law enforcement agencies with free facial recognition software. The software will help agencies match suspects against the FBI’s biometric database of 12 million mug shots. In his annual report to Congress, Office of the Director of National Intelligence Information Sharing Environment Program Manager Kshemendra Paul wrote, “Later this summer, the FBI will deploy the Universal Face Workstation software, a free-of-charge client application that will provide users with the tools for conducting and managing facial/photo searches with a minimal resource investment.” [NextGov] See also: [US – Senator Franken: Facial recognition may need regulating]

WW – Biometric Recognition Systems Becoming Ubiquitous

Naomi Wolf reports on the growing use of biometric identifying systems in the public space. Wolf writes that she witnessed the installation of facial recognition cameras in several Manhattan public venues, allegedly allowing “police to watch video that is tagged to individuals, in real time.” Last week, New York City officials unveiled a system that “links existing police databases with live video feeds, including cameras using vehicle license plate recognition software,” she writes, adding, “In the name of ‘national security,’ the capacity is being built to identify, track and document any citizen constantly and continuously.” [The Guardian]

WW – Consumer ID Cameras Introduced, Raise Concerns

A U.S.-based company is rolling out facial recognition services for businesses that want to offer more targeted deals to customers. Facedeal users opt in by uploading photos of their faces via Facebook, which lets the service track their shopping habits at businesses using the technology. The creation of a database of faces has raised red flags for Ontario Information and Privacy Commissioner Ann Cavoukian. In addition to data security concerns, she warned, “You don’t know where the information is going to end up, and I always say, beware of unintended consequences.” [The Ottawa Citizen] [Source]

Canada

CA – ‘Unprecedented’ Breach of Privacy at Elections Ontario

Ontario Information and Privacy Commissioner Dr. Ann Cavoukian’s recent investigation into the Elections Ontario breach, in which the information of over 2.4 million voters from the 2011 general election was lost, should be summer reading for every bureaucrat coast to coast. The 30-plus-page admonishment of election officials is unnerving, considering the missing information is a “goldmine” for identity thieves. Cavoukian called it an “unprecedented privacy breach” and lambasted Elections Ontario for failing to implement its privacy safeguards in any meaningful way. In other words, they ignored their own policies. [Source] [Investigation Report]

CA – Feds’ Collection, Transfer of Online Data Cause for Concern: Privacy Watchdog

Canada’s privacy watchdog is raising red flags over the way the government handles data from people who visit its websites. Newly released documents suggest Privacy Commissioner Jennifer Stoddart was caught off guard when she learned last year that departments and agencies were independently collecting and storing data from visitors to their sites and, in some cases, transferring that information across borders to third parties such as Google. Stoddart’s four-page letter, sent last year to Treasury Board President Tony Clement, meticulously lays out her concerns about the privacy risks of web analytics: the practice of collecting and analyzing data from the computers that visit a site in order to determine how users interact with it. Collecting and collating web traffic data in-house is time-consuming and laborious, which has prompted more than 40 government departments to rely on Google Analytics. Uncertainty about how the information is treated once it leaves the government’s hands prompted Stoddart to ask Clement for a moratorium on transferring Canadians’ data to third parties, “particularly those located outside of Canada, until the privacy implications of such practices are fully addressed.” One of Stoddart’s main concerns is that Treasury Board has neither assessed the privacy impacts of web analytics nor set government-wide guidelines; as a result, each federal department and agency is free to decide how it collects data, how the data are stored, and whether they are transferred. Although no moratorium was issued, the minister asked that the government develop minimum requirements to guide departments on the safest ways to set up web analytics, a spokesman for Clement wrote. [Source] See also: [Canadian spy agency disciplines employees over security policy breaches]

CA – BC First Responder Protection Law Clashes with Privacy Rights

The B.C. Information and Privacy Commissioner is slamming a law intended to give provincial first responders more peace of mind about their health and safety. Elizabeth Denham says the Emergency Intervention Disclosure Act has a “serious impact on the privacy rights of individuals.” Bill 39, which was passed in May, allows police officers, firefighters and paramedics to seek court orders for access to another person’s medical records if the first responder has come into contact with that person’s bodily fluids. Denham says the bill will be of little use, as there are “very few instances where emergency responders contract communicable diseases.” “Government should only contemplate a privacy intrusion of this nature where there is a significant demonstrated need,” she wrote in a letter to Margaret MacDiarmid, minister of labour, citizens’ services and open government. “Any initiative that limits (an individual’s right to control their bodily integrity) must strike a balance between the reasonableness of restricting an individual’s liberties with the commensurate need to infringe them. I do not see such a balance within Bill 39.” [Source]

CA – Conviction for a Privacy Breach: Councillor Skakun and Breaches of FOIPPA

The BC Supreme Court has affirmed the conviction of Prince George Councillor Brian Skakun in a prosecution for breaches of the Freedom of Information and Protection of Privacy Act (FOIPPA). The case has implications for public employees and officials with respect to the handling and disclosure of personal information. Councillor Skakun was convicted on May 24, 2011 for releasing a City investigation report into interpersonal workplace conflict involving civilian staff working in the City’s RCMP detachment. He appealed his Provincial Court conviction to the Supreme Court on a number of grounds, including bias by the trial Judge and that he was not afforded the due diligence or whistleblower defences. He also argued that the trial Judge was wrong to apply the FOIPPA prohibitions to him, since he was not an officer of the City as defined by FOIPPA. On appeal, the Judge restated a number of reasons why a Councillor is an official of the City, relying on the language of the Local Government Act, which describes Councillors as municipal public officers. The Court affirmed that a public body may release personal information in its possession or control only through the processes set out in FOIPPA, and confirmed that none of those processes was followed here. In particular, the head of the public body, in this case the City Manager, was never asked to review the report to determine what, if anything, could lawfully be disclosed. The Court concluded that nothing in FOIPPA authorizes the release of personal information by a Councillor acting alone as an officer of the municipality. [Source]

Consumer

US – E-Scores Help E-Commerce, Raise Concerns

The growing use of e-scores, digital valuations of a consumer’s purchasing potential, is becoming an important component of predictive consumer analytics, but it has federal regulators and consumer advocates worried that it could put certain consumers at a financial disadvantage. Some advocates believe the practice creates a two-tiered system that can deny low-value consumers various opportunities. Neustar CPO Becky Burr said the system helps companies locate and communicate with their markets. “They want to allocate their marketing money efficiently, and consumers want messages that are relevant,” she said, adding that the scores are predictions about consumer groups, not individuals. [The New York Times] See also: [NYT: Shopper Alert: Price May Drop for You Alone]

WW – Getting Customers to Share Personal Data

Customers are willing to share personal information with companies in exchange for perks such as free Internet and mobile services, and the more valuable the benefits, the more information they are willing to share, according to a recent PwC report, “Consumer Privacy: What Are Consumers Willing to Share?” Consumers want to be in control of the information they share, which means companies that want to build good relationships have to give them granular control over what they share and how. And the more transparent a company is, the more it is trusted, the survey finds. Targeting various age groups with different perks and making sure information sharing is explicit and done with permission can also help build relationships with customers. Strong security practices are a must for companies that want consumers to share data: 61% of respondents said they would stop using a company’s online services after a breach. [Source]

US – Mobile Data Privacy Laws Misunderstood by Users

Smartphone users’ understanding of privacy law may not be accurate, according to a recent survey by law researchers at the University of California, Berkeley. The survey drew on 1,200 users reached on either a landline or a mobile phone and sought insight into perceptions of privacy as it relates to data stored on mobile devices. Researchers found that over 80% of those surveyed believed their mobile phone was as private as their personal computer. Further, 70% would not want their carrier to use location data to target ads to them, nor would they want social networking apps to use their contact lists. [Source] See also: [Commission nationale de l’informatique et des libertés, France – Smartphones and Privacy: Towards a New Vision of Data Protection?]

E-Government

ON – Ontario Withholding ‘Sensitive’ Statistics on Abortion in the Province

The Ontario government says it recently restricted public access to records of abortion services because the data is “highly sensitive.” The change has prompted criticism from some anti-abortion groups, which say the public’s ability to request abortion data was important because the statistics currently released by government entities are “shoddy.” B.C. has had a similar clause in its freedom of information act since 2001, restricting the disclosure of information relating to abortion services. That change came after several clinics and hospitals in the province were targeted by anti-abortion groups, amid violence against North American abortion providers, and was intended to protect the providers. But in recent years, as provinces change the way they report abortion data, the quality of the statistics around the procedure has declined. The recent Ontario change came as part of Bill 122, aimed at greater financial accountability for the broader public sector, which exempts “records relating to the provision of abortion services” from the Freedom of Information and Protection of Privacy Act. This clause, which came into effect along with Bill 122 in January this year, prevents the public from requesting information from Ontario institutions related to the procedure. [Source]

US – GAO: Update Federal Privacy Law to Address Changing Technology Landscape

Technological developments such as federal agencies’ use of Web 2.0 and data-mining technologies have rendered some provisions of federal privacy legislation inadequate to protect all of the personally identifiable information (PII) collected, used and maintained by the federal government. The GAO identifies three major areas of concern. First, privacy protections are not applied consistently to all federal collection and use of personal information: the Privacy Act’s protections apply only to information that is part of a “system of records” as defined by the act, yet agencies routinely access such information in ways that may not fall under that definition. Second, use of PII is not reliably limited to a stated purpose: current law imposes only modest requirements for describing why personal information is collected and how it will be used, which can permit unnecessarily broad use. Third, there is no effective mechanism for informing the public about privacy protections: it is doubtful whether the mandatory publication of agency notices in the Federal Register actually reaches the public. GAO’s recommendations include setting specific limits on the use of information within agencies and requiring formal agreements with external government entities before PII is shared; revising the system-of-records definition to cover all PII the federal government collects, uses and maintains systematically; requiring that purpose, collection and use limitations be addressed in the content of privacy notices; and revising the Privacy Act to require that all notices be published on a standard website. [Source]

E-Mail

US – Gliph’s Cutting-Edge Cloaked Email™ Protects Email Privacy

Gliph, a mobile and web app, today announced the availability of Cloaked Email, a new method for protecting the privacy of users’ email addresses. Cloaked Email lets users send and receive email from their normal email client while keeping their real address secret. Mail sent to the cloaked address is forwarded to the user’s real address; when the user replies, the real address is automatically replaced with the cloaked one. The design suits situations such as Craigslist communications and transactions, where users often prefer to keep their real identity under wraps. Beyond general privacy protection, Cloaked Email gives Gliph users another layer of protection against data breaches: by registering for a website or newsletter with a cloaked address instead of a real one, users limit their exposure if that site is breached or attacked. Gliph is available for free on the App Store (https://gli.ph/iphone), the Android Marketplace (https://gli.ph/android) and as a mobile web app (https://gli.ph/m). For more information, visit http://blog.gli.ph. [Source] See also: [US: Surge in spam text messages puts privacy at risk] and also: [Canadian Update – Current Status of the New Anti-Spam Law]
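The announcement describes the mechanism but not how it is built, so the following Go program is an added illustration, not Gliph’s code. The inbound direction is just a lookup: the cloak address in the envelope selects the real mailbox to deliver to, and the headers are left alone so that a reply typed in the user’s normal client is addressed back to the cloak. The outbound direction is where the real address can leak, so the example concentrates there: every address-bearing header is rewritten, and the relay refuses to send if the real address still appears anywhere in the finished message (a signature line is enough to defeat the cloak). The one-to-one cloak-to-real table, the relay domain and the sample messages are all constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"sort"
	"strings"
)

// Headers that carry mailbox addresses and are rewritten on the way out.
// Anything not listed is left alone, which is why Outbound re-scans the result.
var addressHeaders = map[string]bool{"From": true, "Sender": true, "Reply-To": true, "To": true, "Cc": true}

// Relay is a minimal cloak<->real address table. Gliph's data model is not
// public; a one-to-one mapping is an assumption made for this example.
type Relay struct{ cloakToReal, realToCloak map[string]string }

func NewRelay() *Relay {
	return &Relay{cloakToReal: map[string]string{}, realToCloak: map[string]string{}}
}

func (r *Relay) Register(cloak, realAddr string) {
	cloak, realAddr = strings.ToLower(cloak), strings.ToLower(realAddr)
	r.cloakToReal[cloak] = realAddr
	r.realToCloak[realAddr] = cloak
}

// MentionsAddress reports whether addr occurs anywhere in raw, header or body.
func MentionsAddress(raw, addr string) bool {
	return strings.Contains(strings.ToLower(raw), strings.ToLower(addr))
}

// Outbound handles a reply the user sent from the real address. Inbound mail is
// just a lookup of the cloak in cloakToReal to pick the delivery mailbox, with
// headers left untouched so the reply is addressed back to the cloak; the
// outbound direction is where the real address can leak. Every address header
// is rewritten to the cloak, and the message is refused if the real address
// still appears anywhere, e.g. in a signature line or an unanticipated header.
func (r *Relay) Outbound(raw string) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return "", err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return "", err
	}
	realAddr := strings.ToLower(from.Address)
	cloak, ok := r.realToCloak[realAddr]
	if !ok {
		return "", fmt.Errorf("sender %s is not a subscriber", from.Address)
	}
	keys := make([]string, 0, len(msg.Header))
	for k := range msg.Header {
		keys = append(keys, k)
	}
	sort.Strings(keys) // net/mail drops header order; sort for a stable output
	var out strings.Builder
	for _, k := range keys {
		for _, v := range msg.Header[k] {
			if addressHeaders[k] {
				list, err := mail.ParseAddressList(v)
				if err != nil {
					return "", fmt.Errorf("%s: %w", k, err)
				}
				parts := make([]string, 0, len(list))
				for _, a := range list {
					if strings.EqualFold(a.Address, realAddr) {
						a.Address = cloak // keep the display name, swap the mailbox
					}
					parts = append(parts, a.String())
				}
				v = strings.Join(parts, ", ")
			}
			fmt.Fprintf(&out, "%s: %s\r\n", k, v)
		}
	}
	out.WriteString("\r\n")
	out.Write(body)
	if MentionsAddress(out.String(), realAddr) { // fail closed rather than leak
		return "", fmt.Errorf("refusing to send: real address would leak")
	}
	return out.String(), nil
}

func main() {
	r := NewRelay()
	r.Register("ab12cd@cloak.example", "alice.real@example.com") // constructed mapping
	reply := "From: Alice <alice.real@example.com>\r\nTo: Buyer <buyer@example.org>\r\n" +
		"Subject: Re: bicycle\r\n\r\nYes, still available.\r\n" // constructed sample
	fmt.Println(r.Outbound(reply))
}
```

The final re-scan is the part a real deployment must keep: rewriting From, Sender and Reply-To is necessary but not sufficient, because the user’s own signature, quoted text from an earlier message, or a header the relay did not anticipate will carry the real address straight through. Refusing the message (or, in a production relay, redacting and warning the user) is what keeps the cloak meaningful.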

Electronic Records

US – Researchers Developing Patient-Controlled Exchange System

A prototype health information exchange technology allows patients and providers to exchange digital information across unaffiliated healthcare organizations. Developed by Wake Forest School of Medicine’s Department of Biomedical Engineering, the pilot system provides patients with an access key that can be shared with providers at the patient’s discretion. Privacy advocate Deborah Peel applauded the pilot system, saying, “The majority of current (health IT) systems and data exchanges violate medical ethics and patients’ long-standing right to control PHI…Bravo to the Wake Forest research team for finally building effective electronic patient consent tools.” [Modern Healthcare] SEE ALSO: [Cornell: New technique to share personal data while protecting privacy]

Encryption

US – NIST to Release Draft of New Government Encryption Standard Guidelines

The US National Institute of Standards and Technology (NIST) plans to release a draft of a new government encryption standard. Currently, NIST’s standard requires that government agencies support Transport Layer Security (TLS) 1.0; the update will require support for TLS 1.1 and 1.2. This means that “some agencies … will need to … acquire new web server products to support” the newer versions of TLS. The lag between release for public review and finalization of a standard is usually about six months. NIST’s draft document for public comment is expected to be released next month. [Source]
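What the new minimum means in practice is easiest to see by running it, so here is an added Go example (not NIST’s text and not any agency’s configuration): the same server is configured first with the old baseline, accepting TLS 1.0, and then with the updated one, requiring TLS 1.2, and each is probed by a client pinned to a single protocol version. It uses a throwaway self-signed certificate and an in-memory pipe so that it runs offline with nothing but the Go standard library. The server is capped at TLS 1.2 only because the synchronous pipe cannot carry the TLS 1.3 session-ticket flight; that cap is an artifact of the demo, not a recommendation, and the setting the standard is about is the minimum.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTestCert issues a throwaway self-signed ECDSA certificate for "localhost"
// and a pool that trusts it, so the client can verify the server offline.
func newTestCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one handshake over an in-memory pipe between a server that
// accepts nothing older than serverMin and a client confined to
// [clientMin, clientMax], returning the negotiated version or the error.
// The server is capped at TLS 1.2 only because the synchronous net.Pipe cannot
// carry the TLS 1.3 session-ticket flight; the policy knob is MinVersion.
func negotiate(serverMin, clientMin, clientMax uint16, cert tls.Certificate, pool *x509.CertPool) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second) // turn any stall into an error
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin, // the setting the NIST update raises
		MaxVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: clientMin,
		MaxVersion: clientMax,
	}
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, serverCfg).Handshake() }()
	client := tls.Client(cliConn, clientCfg)
	err := client.Handshake()
	if serr := <-srvErr; err == nil && serr != nil {
		err = serr
	}
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := newTestCert()
	if err != nil {
		panic(err)
	}
	// The old baseline (TLS 1.0 still accepted) and the updated one (TLS 1.2
	// required), each probed by a client that only speaks TLS 1.0.
	for _, srvMin := range []uint16{tls.VersionTLS10, tls.VersionTLS12} {
		v, err := negotiate(srvMin, tls.VersionTLS10, tls.VersionTLS10, cert, pool)
		fmt.Printf("server MinVersion %#04x, TLS 1.0-only client: negotiated %#04x, err=%v\n", srvMin, v, err)
	}
}
```

With MinVersion at TLS 1.0 the legacy client connects; with MinVersion at TLS 1.2 the same client is turned away with a protocol-version alert, which is the behaviour the agencies quoted above would have to accept from their web servers. For a Go service the field to audit is exactly this MinVersion; for other servers the equivalent is the protocol list in the TLS configuration, such as Apache’s SSLProtocol or nginx’s ssl_protocols.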

WW – RIM Denies India’s Claims That it Has Encryption Keys for Enterprise Customers

BlackBerry parent company Research in Motion (RIM) is refuting India’s claims that the company has provided the Indian government with encryption keys that allow it to access communications between BlackBerry enterprise customers. RIM has reiterated that it “cannot access information encrypted through BlackBerry Enterprise Server as [it] is not ever in possession of the encryption keys.” History supports RIM’s assertions: the company has in the past refused to hand over customer data and has refused law enforcement requests to build back doors into its products. What is likely is that India now hosts a BlackBerry Enterprise Server (BES) for consumers who do not connect to a corporate BES. [v3.uk] [The Register]

CN – Chinese Gov’t Proposes Healthcare Privacy Draft Regulation

China’s Ministry of Health has proposed a draft regulation requiring health departments to protect and secure patient privacy. The regulation would amend the Tuberculosis (TB) Prevention and Control Regulation and is now open for public comment. The draft says, “Health departments can obtain information from units or people and inspect related venues out of the need for TB prevention and treatment” but should also maintain patient privacy. Entities that leak private information will be disciplined or prosecuted, the report states. [Xinhua]

EU Developments

EU – German DPA Reopens Investigation into Facebook Facial Recognition

Hamburg Data Protection Officer Johannes Caspar has reopened an investigation into Facebook’s facial recognition practices, saying the company is illegally amassing a photo database without users’ consent. Caspar said, “We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data.” Caspar’s office wants Facebook to destroy its database of faces collected in Germany and alter its website to obtain express consent, the report states. Facebook said, “We believe that the photo tag suggest feature…is fully compliant with EU data protection laws.” [The New York Times]

UK – ICO Issues Guidance for SMBs

The Information Commissioner’s Office (ICO) has issued guidance on the top five areas of improvement recommended for small- and medium-size businesses. Among the suggestions, staff training and communication with customers are the most important. The office suggests organizations tell people how their data is being used; ensure proper staff training; use strong passwords; encrypt portable devices, and only retain data for as long as necessary. The ICO recommends charities and third parties conduct data protection checkups given that they often handle sensitive information. The office also offers advisory visits to organizations seeking advice on data protection improvements. [SC Magazine] [Always-on encryption justified, say analysts] See also: [ICO, UK – A Guide to ICO Advisory Visits]

UK – ICO “Not Ready” for Cookie Investigations

The Information Commissioner’s Office (ICO) has said it is “not ready” to investigate any cookie consent rule complaints because staff is not yet in place for such a task. Since the ICO unveiled its online submission tool, 320 websites have been reported. “At present the information has not yet been analyzed as the team which will have responsibility for this is not in place yet,” the ICO said. Meanwhile, according to a new study, fines issued by the ICO have totaled £1.8 million in the last year, up from £431,000 in the previous 12 months. [PCPro] See also: [DLA Piper: How the EU has Implemented the New Law on Cookies – July 2012]

UK – ICO Fines Health Trust £175,000

The Information Commissioner’s Office (ICO) has fined a health trust £175,000 for inadvertently publishing the sensitive personal information of approximately 1,000 staff members on its website in April 2011. Torbay Care Trust released a spreadsheet that contained staff members’ sexual orientations and religious beliefs in addition to names, birth dates, salaries and National Insurance numbers. Describing the incident as “serious” and “extremely troubling,” the ICO found in its investigation that the organization had poor privacy guidance for staff. The ICO said the trust is “taking action to keep its employees’ details secure.” [The Independent] [ICO] See also: [UK ICO investigating Tesco Website Security] [Source]

EU – Member States Concerned About Proposed EU Regulation

A leaked file from the Council of Ministers contains concerns by the UK government about proposed EU data protection reforms. “We are of the view,” the file states, “that the proposed general regulation should be a directive in order to provide greater member state flexibility to implement the measures—a regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice.” The leaked document was published by civil liberties organization Statewatch and contains the opinions of 20 European states on the proposed reform. [Out-Law.com]

EU – Committee: Too Many Exceptions and Restrictions in EC Proposals

The European Economic and Social Committee has said search engines, social networks and some cloud computing services should be brought within the scope of forthcoming European data protection reforms. The committee said the European Commission’s proposals need to be “more in line with the needs and expectations of the public” and it is concerned about the number of exceptions and restrictions within the commission’s proposals. “The proposal could have gone further in increasing the protection offered by certain rights,” the committee said in a report, adding that the rules should be “applied more systematically to certain fields of economic and social activity.” [Out-Law.com]

Facts & Stats

WW – IXMaps: Mapping Canadian Privacy Risks in the Internet Cloud

Most Canadians don’t realize how much of our ‘domestic’ Internet traffic goes outside the country before getting to its destination, as a new website shows in dramatic and graphic fashion. IXMaps is a Canadian developed website and interactive tool that lets you know where your data goes. It tracks the packets that make up our e-mails, website requests and other data transmissions. “What IXmaps does is show what’s inside the Internet,” explained Professor Andrew Clement of the Faculty of Information at the University of Toronto; he’s also project manager at IXMaps. “I was surprised to see so much ‘boomerang’ traffic,” Clement said, referring to transmissions that start and end in Canada, but end up travelling to the U.S., where they can be subject to laws and regulations that are not Canadian in origin or application. The Office of the Privacy Commissioner of Canada is funding IXMaps. The team will receive support for its ‘Mapping Canadian Privacy Risks in the Internet Cloud’ project, and to conduct an information session about Internet routing and cloud computing, and its privacy implications for all Canadians. [Source]

Filtering

WW – Google Changes Search Results to Favor Legal Downloading Sites Over Pirates

Google is altering the way it displays search results to ensure that sites offering legitimate downloads of digital content appear before sites offering pirated content. Google’s revised algorithm will consider the volume of “valid copyright removal notices” a site has received. Google says it has received copyright removal notices for more than 4.3 million URLs in the last 30 days. [BBC] [Money.com] [Washington Post]

SK – South Korea Censoring the Net

“A government critic who called the president a curse word on his Twitter account found it blocked. An activist whose Twitter posting likened officials to pirates for approving a controversial naval base was accused by the navy of criminal defamation. And a judge who wrote that the president (“His Highness”) was out to “screw” Internet users who challenged his authority was fired in what was widely seen as retaliation.” [New York Times]

Finance

IR – Top Banks to Be Audited: Privacy Commissioner

The Office of the Data Protection Commissioner (DPC) will audit Ireland’s top banks in the coming months. The announcement comes after the DPC found that AIB had “supplied inaccurate personal data” to the Irish Credit Bureau (ICB) in breach of data protection law, which resulted in the denial of credit to individuals. AIB has confirmed that it incorrectly reported missed loan repayments to the ICB over a six-year period. One MEP said the DPC “has performed excellently in this case; however, we need to strengthen and reinforce the office to ensure that it can effectively monitor companies, investigate breaches and protect individuals.” [Irish Times]

WW – Mobile Payment Systems on the Rise: Report

Starbucks has partnered with technology startup Square to let customers pay with a smartphone. But “any company offering mobile payments faces a big challenge: convincing people that paying with a phone is safer and more convenient than using cash or a credit card,” the report states. Some have said the convenience “may present a compromise on user privacy.” [The New York Times] See also: [Remote Payments Plan May Compromise Privacy]

Health / Medical

AU – E-Health Reforms Expand Commissioner’s Powers

Australia is rolling out new privacy safeguards in the Personally Controlled Electronic Health Records program. Under the reforms, which expand upon existing obligations under Australia’s Privacy Act 1988, Australian Privacy Commissioner Timothy Pilgrim may seek civil penalties and enforce undertakings by organizations that fail to protect patient records. Healthcare providers are now obligated to refrain from collecting more patient information than is necessary and to ensure staff are appropriately trained in data protection. The reforms expand Pilgrim’s powers and allow consumers to make decisions about who sees their records and what information is shared with third parties. [FutureGov] See also: [Australian Privacy Foundation slams privacy amendments saying ‘Once-in-a-generation’ opportunity to improve credit reporting and data off-shoring protections lost]

US – Study: Consumers Concerned About EHRs

A new survey has found that patients have strong concerns about privacy and security when it comes to switching from paper to digital medical records. The Harris Interactive study on behalf of Xerox indicates 40% of those surveyed believe electronic health records (EHRs) will help doctors deliver better care, but only 26% said they want their records to be digital, and 9% said the idea “frightens them.” Privacy is a “common concern” about EHRs, said Xerox’s chief innovation officer for healthcare. “There is definitely a need for better information systems and interfaces.” [InformationWeek] See also: [Nunavut government passes half-way point in digitizing health records] See also: [County Jail Nurses Unhappy With Electronic Health Record System]

WW – Comparing Each Nation’s Privacy Enforcement Strategies

A new report compares the healthcare breach enforcement strategies of the UK and the U.S. The UK’s emphasis is on “publicizing frequent financial penalties,” while the U.S. focus has centered on announcing less frequent “resolution agreements.” This year, the UK has handed out 11 fines totaling £1.4 million (approximately $2.2 million), and the U.S. has issued three resolution agreements totaling $3.3 million. “The jury is out on which nation’s approach will be more successful in reducing the number of breaches over the long haul,” the report states. [GovInfoSecurity] See also: [SASK: Health privacy law needs teeth] See also: [CA – All Privacy Breaches should be Made Public: NDP]

US – Study: Patient-Controlled Sharing Best for Privacy

A new study published in the Journal of the American Medical Informatics Association “validates the workability of a digital medical-imaging sharing system controlled by patients, not providers.” While images are now shared with patients on hand-carried CDs, digital sharing networks challenge patient privacy, the report states. The Patient Controlled Access-key Registry (PCARE) instead lets patients control the access keys. The same PCARE framework can be used for electronic health records, the study states, adding that it protects patient privacy with “minimal burden on patients, providers and infrastructure.” [FierceHealthIT]

Horror Stories

US – Data Breaches Up 19%; Public-Sector Breach Numbers Rise: GAO

Hospitals in Connecticut and Ohio have reported breaches of protected health information, while a Tennessee school district is notifying 9,200 students and employees that their personal data was compromised in a breach involving nine of the system’s databases. Meanwhile, Federal Times reports that the Government Accountability Office’s information security director told a Senate subcommittee this week that the number of federal data breaches rose 19% between 2010 and 2011.[Source]

US – Hackers Encrypt Medical Records and Demand Ransom

A medical facility in northern Illinois has acknowledged that hackers broke into its computer network and encrypted its data, demanding a ransom in exchange for the password needed to decrypt it. The Surgeons of Lake County instead turned off the compromised server and contacted authorities. This is not the first time health data have been held for ransom: prescription drug benefits manager Express Scripts was targeted by criminals who stole data and demanded payment in exchange for not making it public. [Source] [Bloomberg: http://www.bloomberg.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom.html]

US – Breaches Hit Health Orgs, EPA; Costly for LinkedIn

In three separate incidents, the Palm Beach County Health Department (PBCHD), Stanford’s medical school and the Environmental Protection Agency (EPA) have announced personal data breaches. A PBCHD employee was fired for illegally accessing patient records, allegedly to compile a list for identity theft. Stanford School of Medicine officials have warned 2,500 patients that their personal health data may have been exposed after the theft of a computer, and the EPA confirmed that approximately 8,000 individuals’ Social Security numbers and bank routing numbers may have been exposed. Meanwhile, LinkedIn said that a breach earlier this year has already cost the company at least $1 million. [SC Magazine] See also: [CBC News: Woman Sues Western Health for Breach], [Apria Healthcare is offering 11,000 patients free credit monitoring], [CNET News: Gamers Urged to Change Passwords After Breach], [The Boston Globe: Retailer, Healthcare Company Offer Credit Monitoring Following Breaches], [UK: Confidential children’s data leaked on the net], [ONT: Police Officer guilty of misusing police data] and [NATO Employee Charged With Stealing Secret Data]

US – Yahoo Sued After Stolen User Names, Passwords Disclosed

A New Hampshire man has sued Yahoo for negligence after hackers accessed and published as many as 450,000 users’ names and passwords. Allan v. Yahoo, filed in federal court in San Jose, CA, seeks an order requiring the company to compensate affected users for account fraud and faults it for failing to have adequate security measures in place at the time of the breach, the report states. The hacker group responsible said it did not carry out the attack for malicious reasons but to give businesses a wake-up call to better secure personal data. [Source]

US – VA Improves Security, Other Breaches Persist

Improvements in data protection at the Veterans Affairs Department are due to the use of encryption. The department now encrypts all of its information operations laptops following a 2006 data breach involving the theft of a laptop containing data on millions of veterans. Additionally, the department’s chief information officer now oversees its IT operations, and privacy and security policies and procedures as well as employee training have been put in place. Meanwhile, COMPUTERWORLD reports that in the last three years, about 21 million patients’ medical records have been exposed in data security breaches large enough to require reporting to the federal government. GovernmentHealthIT

WW – Dropbox Customer eMail Breach Explained

Dropbox has confirmed a security breach that exposed customer data. Last month, Dropbox users in Europe reported receiving spam email advertising online casinos. The customer data were contained in a document that was stolen from the Dropbox account of one of the company’s employees. The intruder managed to gain access to the account because of a different attack on another website; the account holder used the same password for both accounts. Dropbox says it plans to introduce two-factor authentication in the coming weeks, but did not offer any specific information. [Heise Online] [SC Magazine]
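The Dropbox incident above turns on two things: a password reused across sites, and the absence of a second factor. The following is an added example (not Dropbox’s code, and not code from the original page) of the mitigation the item mentions, a time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) checked alongside a PBKDF2 password hash, using only the Python standard library. The account record, the salt and the reused password are constructed for the demo, and the TOTP secret is the published RFC test-vector key rather than a real credential.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key.
# It is a published test value, not a real credential.
DEMO_TOTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current time step or one step either side
    (clock drift), comparing in constant time."""
    if not (isinstance(code, str) and len(code) == DIGITS and code.isdigit()):
        return False
    counter = unix_time // STEP_SECONDS
    ok = False
    for drift in range(-window, window + 1):
        # Check every candidate so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            ok = True
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a demo value, tune it for production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: the account reuses a password that has also been
# used on another site, i.e. the scenario described in the news item.
_SALT = b"constructed-static-salt"      # per-user random salt in real systems
ACCOUNT = {
    "user": "employee@example.com",      # hypothetical account
    "pw_hash": hash_password("Reused-Pa55word", _SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def login(user: str, password: str, otp: Optional[str], unix_time: int) -> bool:
    """The password alone never suffices; the second factor is mandatory."""
    if user != ACCOUNT["user"]:
        return False
    if not hmac.compare_digest(hash_password(password, _SALT), ACCOUNT["pw_hash"]):
        return False
    if otp is None:
        return False
    return verify_totp(ACCOUNT["totp_secret"], otp, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    # A password leaked from another site is rejected on its own ...
    print("password only:", login(ACCOUNT["user"], "Reused-Pa55word", None, now))
    # ... and accepted only together with the current code from the user's device.
    print("password + TOTP:", login(ACCOUNT["user"], "Reused-Pa55word",
                                    totp(DEMO_TOTP_SECRET, now), now))
```

The one-step verification window tolerates small clock drift between server and device; widening it makes each guess more likely to succeed, so pair it with rate limiting on the OTP endpoint. The `hotp` values for counters 0 and 1 match the RFC 4226 test vectors (755224 and 287082), which is a quick way to check a TOTP implementation before trusting it with real secrets.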

Identity Issues

SE – Government Gets Go-Ahead for Blacklist Database

The Swedish Data Inspection Board will allow the government to start a registry of blacklisted sports supporters. The board says there are a number of issues that need to be addressed before the registry moves forward, including exactly what information would be kept on blacklisted individuals and the way innocent individuals would be affected by proposed measures such as increased surveillance. The board also says an in-depth analysis of what information would be available to sports associations and event organizers is necessary. “There’s always a risk that information kept in these types of sensitive registers will fall into the wrong hands,” said the board’s director general. [The Local]

US – Amazon, Apple Address Security Loopholes

Following the identity hacking of a Wired reporter, Amazon and Apple have altered security authentication protocols. The assailants allegedly accessed the reporter’s Amazon account by calling the company and using his name, e-mail address and mailing address and then used the last four digits of the user’s credit card to access his Apple account. In response, the companies are not allowing customers to call in and change account settings. An Apple representative said, “When we resume over-the-phone password resets, customers will be required to provide even stronger identity verification to reset their password.” [Wired]

EU – ENISA Calls for End User, Service Provider Collaboration

The European Network and Information Security Agency has called for collaboration between service providers and end users to protect online identities. The agency said this week that in the first half of 2012, millions of citizens’ personal data was exposed due to data breaches, often affecting multiple sites at once. The agency published guidelines for online service providers on passwords, authentication systems and data breach notifications—which it believes will contribute to better data protection in the long term. ComputerWeekly

Internet / WWW

WW – Google to Include Gmail Content in Web Searches

Google has announced plans to roll out a new feature to a million Gmail users who sign up for it, and after accepting feedback, hopes to give all accountholders the ability to opt in to the feature that would allow contents of users’ Gmail correspondences to be included in their Google searches. The feature is a response to a more people-centered Internet driven by the prevalence of information sharing on social networks, the report states, and may bring with it privacy concerns. To alleviate these concerns, Google will show Gmail communications in a collapsed format that users have to open in order to see details. [Associated Press]

Law Enforcement

US – Federal Appeals Court Says Utilities Must Provide Customer Data to Authorities

The 9th US Circuit Court of Appeals has unanimously ruled that utility companies must provide authorities with customer records upon request if drug agents believe the information is relevant to an investigation. The Comprehensive Drug Abuse Prevention and Control Act of 1970 allows law enforcement authorities to demand data with an administrative subpoena, which does not require judicial oversight. The case in question involves demands from the Drug Enforcement Agency for account information about three customers of Fairbanks, Alaska’s Golden Valley Electric Association. [WIRED]

US – Federal Court Says Case Challenging Warrantless Wiretapping May Not Continue

The 9th US Circuit Court of Appeals has ruled that the plaintiff in a case brought against the government challenging the warrantless wiretapping program may not proceed. The court ruled unanimously that the organization, a Muslim charity, could not bring a lawsuit against the government, but could, if it wished, bring a lawsuit against individual government officials. A lower court had ruled that two attorneys working with the al-Haramain Islamic Foundation were spied on without warrants and awarded them more than US $20,000 each and US $2.5 million in legal fees. [WIRED] [ArsTechnica]

Location

UK – Cellphones Are Now Able to Predict Location; Invasion of Privacy?

Soon, companies and law enforcement agencies will be able to predict your location in 24 hours. A group of scientists from the University of Birmingham have developed an algorithm that predicts where mobile phone users will be in 24 hours. Using mobile tracking data for your phone and the mobile devices of the people in your address book, the algorithm is able to predict your future location and is accurate up to 65 feet. The program has helped the group of scientists win this year’s Nokia Mobile Data Challenge. Although tech-savvy criminals can turn off the GPS and tracking data, the algorithm uses data from cell phone towers, which “no one can hide from.” “Predictive Tracking” also extends to advertisers and companies. Although the authors hope that law enforcement will be able to use this to prevent crimes, one author feels it would make more sense for advertisers to use. [Source]

AU – Privacy Commissioner Wants Payload Data Deleted

The Australian Privacy Commissioner has called on Google to destroy data collected from open WiFi networks. The commissioner sent a letter to Google’s Australian head of public policy and government affairs ordering its immediate destruction, the report states. “I do not require Google to retain the additional payload data, and unless there is lawful purpose for its retention, Google should immediately destroy the data,” Pilgrim wrote. “Further, I also request that Google undertakes an audit to ensure that no other disks containing this data exist and to advise me once this audit is completed.” Commissioners from the UK, France and other jurisdictions have made similar requests. [iTnews] See also: [Datatilsynet, Norway – Notice of Decision on Violation Charge – Google Street View WIFI Data, Payload]

US – EPIC: Voters Should Be Wary of 2012 Election Apps

A mobile app created by the Obama campaign shows a map with lists of the first and last names of nearby voters. The app is meant to help campaign volunteers canvass for potential voters and send the data back to the campaign. EPIC has released a report, “Smartphones and the 2012 Election,” focusing on the potential risks to voters who download election-related apps to their smartphones and tablets. The report contends that these apps promote greater citizen participation in e-democracy, but also may contain malware, disseminate false information – or, as was recently reported of an Obama campaign app, compromise voter privacy by making voters’ personal and locational information widely available. A recent study by the University of Pennsylvania’s Annenberg School for Communication revealed that voters are ambivalent about “personalized” political advertising, a practice likely to increase with the number of election and political apps available for download. EPIC’s report also examines the role of federal and state regulation in protecting voters and providing guidance to campaigns, and recommends actions that voters, election administrators, and campaigns can take to better protect voter privacy. The Washington Post See also: [Election Day impersonation, an impetus for voter ID laws, a rarity, data show] [EPIC: Paper on ‘Smartphones and the 2012 Election’] [U. Penn. Annenberg School: Study on “Tailored” Voter Ads]

Offshore

WW – The Cloud and Its Privacy Risks

Privacy in the cloud “may be an illusion,” and businesses relying on the cloud should be aware of its privacy risks. Laws in the U.S., EU and elsewhere allow government agencies access to cloud data, and Mutual Legal Assistance Treaties facilitate cooperation across borders, allowing law enforcement to request data in any country that is a part of such a treaty. The report points to a recent whitepaper that concludes “it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities.” [TECHNEWSWORLD] See also: on May 23, 2012, international law firm Hogan Lovells published a white paper entitled A Global Reality: Government Access to Data in the Cloud: “On the fundamental question of governmental access to data in the Cloud, we conclude … that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities. Government’s ability to access data in the Cloud extends across borders. And it is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies.” See also: [ECPA Reform Would Require Warrant for Cloud Data]

WW – Apple and Amazon Amend Security Practices After Journalist Suffers Hack

Apple and Amazon have changed their security policies after a hacker was able to exploit weaknesses in the systems to gain access to a journalist’s accounts and wipe several of his devices. Apple said earlier this week that users will temporarily be unable to reset AppleID passwords over the phone, and will instead have to use the iForgot online system. Amazon said that the exploited weakness was closed, but declined to offer details about what that weakness was and what was done to correct it. [Money.com] [ArsTechnica] [Mat Honan details the Amazon and Apple security flaws that let hackers wipe his MacBook from the Cloud]

Online Privacy

US – Judge Rejects Facebook Settlement

A judge has rejected Facebook’s settlement offer in a lawsuit over the company’s “Sponsored Stories” features and its lack of an opt-out provision. Judge Richard G. Seeborg of U.S. District Court in San Francisco, who earlier this month voiced concerns about the proposed settlement and its plan to pay $10 million to charity but nothing to class members, rejected the settlement, saying there are “sufficient questions regarding the proposed settlement” and asking for clarification on remediation for those affected and the size of the legal fee payment. [The New York Times]

US – FTC and Facebook Reach Settlement Over Privacy Practices

The US Federal Trade Commission (FTC) and Facebook have agreed to the terms of a settlement regarding the social networking site’s privacy practices. The settlement requires Facebook to obtain users’ “express consent” prior to sharing their information beyond the limitations in users’ privacy settings. Facebook must also provide users with “clear and prominent notice” whenever their data are shared. Failure to comply will cost Facebook US $16,000 in civil penalties for each violation. The FTC alleged that Facebook told users they could make their data private, but then allowed the information to be shared and made public. In the settlement, Facebook denies the allegations and admits no guilt. Morrison & Foerster LLP Partner D. Reed Freeman said that the FTC “has been accepting settlements with express denials of liability for decades without any adverse consequences. This policy has helped encourage companies to enter into settlements because any follow-on litigation would still bear the burden of proving liability on their theories. Requiring an admission of guilt will lower the settlement rate, increase the litigation rate and draw precious commission resources from investigating and bringing new cases to proving up old ones in court.” [The New York Times] [CNET] [ComputerWorld]

US – Court: Police Did Not Violate Law in Viewing Facebook Profile

FourthAmendment.com reports on a case involving a search warrant for all of a defendant’s Facebook content. In United States v. Meregildo, the defendant argued the government’s method of collecting evidence to obtain the warrant violated the Fourth Amendment. An online friend of the defendant’s reported him to the police on suspicion of gang activity and gave them access to the defendant’s Facebook profile. The court ruled the defendant had no reasonable expectation of privacy in his Facebook postings that others could see. The “friends” he shared his information with were free to do with that information what they wanted, the court said. [FourthAmendment.com]

WW – The Rising Market of Personal Data Control

The emerging personal data control market is “the asset class of the twenty-first century,” and consumers should view their personal information like “money in a bank,” the report states. According to Forrester Research, the business of personal data management is already worth billions and could grow within the next two years. More than $2 billion is spent annually in the U.S. harvesting consumer data from third parties. One expert says “cyber vaults”—cloud-based “hubs” that act as personal data safes and managers—could store financial, health and other personal information and ensure correct elements of a user’s data are provided to websites, potentially replacing traditional computers. [CNN]

UK – Advocate: Gambling Industry “Ignores” Privacy Laws

The founder of Privacy International, Simon Davies, said the online gaming industry is failing to adequately protect its customers’ personal data and violates the UK’s Data Protection Act (DPA). After analyzing the industry for two years, Davies says many online sites collect vast amounts of personal information, including passport and credit card scans, driver’s licenses and utility bills. “All the available evidence indicates that this information is stored permanently,” Davies has said, adding that this constitutes a violation of the third and fifth principles of the DPA, the report states. computing.co.uk

WW – Creepy Exploitation of Unknowingly Public Photos on Photobucket

Inspired by the “hackers” who were able to access Wired writer Mat Honan’s online accounts and fully wipe his MacBook, BuzzFeed’s Katie Notopoulos took a look at “fusking,” the not-actually-hacking technique of finding private – and often nude – pictures on Photobucket by exploiting its privacy settings. [Gawker] [www.reddit.com/r/photobucketplunder]

Other Jurisdictions

JA – Info Regulator, Data Protection Law on the Way

Jamaica’s forthcoming Data Protection Act “will regulate the use of personal information filed on Jamaicans.” Ministry of Science, Technology, Energy and Mining Minister of State Hon. Julian Robinson told the government recently that there is “a need for a more uniformed, robust and clear mandate to protect privacy and personal information.” The law will regulate data collection, processing, storage, use and disclosure of information about Jamaicans. Robinson added that a position will be established for a single information and communication technology regulator within the next couple of years. [Jamaica Observer]

HU – Hungarian DPA Issues First Fine

The Hungarian Data Protection Authority has imposed a fine of €35,700 on an online real estate marketplace for unauthorized data processing. The fine is significant in that it is the first maximum fine imposed under Hungary’s new Privacy Act, which took effect January 1. The company controlled websites that offered users free trial periods but later invoiced them high fees and transferred customer data to third parties without consent or notification. In this exclusive for The Privacy Advisor, Bird & Bird’s Bálint Halász discusses the details and implications of the case.

HK – New Ordinance Will Change Privacy Landscape

Following Hong Kong’s Personal Data (Privacy) (Amendment) Ordinance (PDPAO) publication in the Government Gazette this month, DLA Piper analyzes the key amendments that will be implemented in several phases, starting October 1. Key amendments of the PDPAO include the regulation of the use of personal data for direct marketing; regulation of third-party processors; new powers for the data protection authority to assist in civil actions and to verify data user returns’ accuracy, and new rules against unauthorized personal data disclosure and repeated violations of an enforcement notice. Provisions related to direct marketing and new regulatory powers are slated to go into effect in 2013. [Source]

BR – Brazil to Vote on Internet Bill of Rights

Brazil’s Marco Civil da Internet—a proposed “bill of rights” for Internet users—is expected to come to a vote before Congress on August 8. The bill “establishes a clear set of rights and responsibilities for users, sets strong net neutrality principles and shields Internet intermediaries from liability for illegal content posted by users,” the report states. The Bureau of Legislative Affairs of the Brazilian Ministry of Justice began collaborating with Rio de Janeiro Law School on the creation of the Marco Civil da Internet in 2009. Global Voices

Privacy (US)

US – Google Agrees to $22.5 Million Settlement; FTC Settles with HireRight

Google has agreed to pay a US $22.5 million fine for misrepresenting its activity when it monitored the activity of web surfers who were using the Safari browser and had selected the “do not track” privacy setting. The fine was imposed as part of a settlement with the US Federal Trade Commission (FTC). The settlement requires that Google disable all cookies it has placed on the computers of Safari users who had selected the do not track preference. The FTC has also settled with an employment background screening company for $2.6 million on charges it violated the Fair Credit Reporting Act. The FTC says HireRight Solutions failed “to use reasonable procedures to assure the maximum possible accuracy of information it provided,” failed to give consumers copies of their reports and failed to resolve consumer disputes. The FTC also alleges HireRight failed to ensure the information reflected updates to criminal records and “in numerous cases, even included the records of the wrong person,” leading to consumers being denied job opportunities. [FTC Press Release] [Record-Setting Settlement Stirs Debate] [Source]

US – TSA Petition Closes 2,500 Signatures Short, Other Efforts Move Forward

The White House has pulled a petition on Transportation Security Administration (TSA) airport screening procedures from its “We the People” website. The Cato Institute’s Jim Harper, who initiated the petition, said it expired on schedule and was short “by about 2,500 signatures, or 10% of the 25,000 needed.” Harper added that other “parts of the effort to require the TSA to follow the law are moving forward. The DC Circuit Court of Appeals recently instructed the TSA to answer legal filings calling for it to go forward with the process for public review of its rules.” [EPIC]

US – The Political Struggles of the PCLOB

About the Privacy and Civil Liberties Oversight Board (PCLOB), “it’s probably fair to say that few governmental bodies have had a more troubled childhood than this one.” Chief among the concerns, the report states, is that, “because of the objection of unnamed senators,” the Senate has yet to confirm David Medine as PCLOB chairman. Alan Charles Raul, a Washington lawyer who previously served as vice chairman of PCLOB during the Bush administration, said that he is “not aware of any reason why the committee would not have confirmed” Medine. Raul believes that Medine “would make an excellent choice for chairman” and, in a letter to Congress last April, wrote “in strong support” of Medine’s nomination. With new cybersecurity initiatives being considered by the White House and Congress, Raul said “it is imperative that (PCLOB) become operational once again.” [The New York Times] [Senate Confirms Four to Oversight Board]

US – Court Reinstates Driver’s Privacy Class-Action Suit

A federal appeals court has decided to reinstate a class-action suit involving private data on parking tickets. The 7th U.S. Circuit Court of Appeals has decided against Chicago’s Palatine Village Police Department, ruling that putting too much personal information on parking citations violates U.S. law. The information on the department’s parking citations includes the vehicle owner’s name, address, driver’s license number, date of birth, sex, height and weight, the report states, and is usually left under a windshield wiper blade. One motorist filed suit in 2012, but a federal judge then denied the claim, citing a law enforcement exception in the Driver’s Privacy Protection Act. [Wired] [Illinois: Appeals Court Upholds Parking Ticket Privacy] See also: [AU: Privacy commissioner’s letter to Myki: please explain security flaw]

US – Court: ZIP Code Ruling Applies Retroactively

A U.S. District Court has upheld that the California Supreme Court’s ruling in Pineda v. Williams Sonoma that ZIP codes are personal information applies retroactively. Retail stores in California frequently ask for ZIP codes during purchase transactions, but Jessica Pineda filed suit after a 2008 visit to a Williams Sonoma store in California where a cashier asked for her ZIP code without telling her how the information would be used. The U.S. District Court has ruled that the decision applies retrospectively to a class-action lawsuit filed against OfficeMax. [The Privacy Advisor]

US – DOC Reports on First NTIA Stakeholder Meeting

The Department of Commerce National Telecommunications and Information Administration (NTIA) Director of Privacy Initiatives John Verdi reports on progress toward implementing the Obama administration’s Consumer Privacy Bill of Rights. The first stakeholder meeting drew hundreds of participants and raised “constructive suggestions regarding what elements might be included in the code,” Verdi writes, adding that the NTIA’s role will not be to weigh in on issues but to guide a transparent and consensus-based process. The NTIA will hold the next two stakeholder meetings August 22 and August 29 and has posted discussion lists from the last meeting. In the meantime, stakeholders have created a public mailing list to discuss the process. [Source]

US – Court Orders TSA to Open Body Scanner Comment Period

A federal court has ordered the Transportation Security Administration (TSA) to explain why it has not offered a public comment period for the installation of body scanners in U.S. airports. The U.S. Circuit Court of Appeals for the District of Columbia gave the order after the third request by the Electronic Privacy Information Center (EPIC). The three-judge appellate court originally ruled the agency violated the Administrative Procedure Act by not initiating a 90-day public comment period. EPIC Executive Director Marc Rotenberg said the “order indicated that we have meritorious arguments.” The agency has until August 30 to respond. [Wired]

US – COPPA Modifications Play Catch-Up with Technology

The FTC has proposed modifications to the Children’s Online Privacy Protection Act Rule, which would “dictate that both the operator of a website that is directed at children and any third-party advertising network or application” would be responsible for complying. An FTC spokeswoman said the change would “close an apparent or possible loophole in the rule,” which was enacted four years before Facebook and the third-party apps it hosts. The proposal would also apply to a website that attracts both children and adults, requiring it to ask a user’s age and then apply privacy protections to those under the age of 13. [The New York Times]

US – DHS CPO Departs to Initiate Privacy Practice

U.S. Department of Homeland Security (DHS) Chief Privacy Officer (CPO) Mary Ellen Callahan has left the DHS to start a new privacy and information governance practice at the Jenner & Block LLP law firm. The DHS privacy office more than doubled and conducted upwards of 200 privacy impact assessments while Callahan served as CPO. Her last day in office was August 1, and Deputy Chief Privacy Officer Jonathan Cantor will fill the role until a new CPO is appointed, a DHS spokeswoman said. The Wall Street Journal

US – State’s Supreme Court Upholds Opt-Out Fee Program

Maine’s Supreme Court has upheld the state’s public utilities commission (PUC) decision to allow Central Maine Power (CMP) to charge a fee to customers wishing to opt out of the company’s smart meter program. CMP was one of the first utilities in the U.S. to face legal opposition to smart meter implementation after customers challenged the program in early 2011, alleging CMP’s smart meter installations violated their Fourth Amendment privacy rights. The PUC ruled the fee would be permitted, and, despite the customers’ challenge to the decision, Maine’s Supreme Court upheld the decision on July 12, stating the utility’s opt-out provision negated any privacy concerns. Info Law Group

US – Court: License Plate Decal Doesn’t Violate Privacy

New Jersey’s Supreme Court has found that requiring young drivers to affix a red decal to their license plates is not an invasion of privacy. The court ruled 6-0 that the law mandating the decal does not violate the Driver’s Privacy Protection Act, which forbids the disclosure of information about a driver except that they are under 21 and hold a learner’s permit, examination permit or probationary license, the report states. Young drivers “have no reasonable expectation of privacy in their age group, because a driver’s age group can generally be determined by his or her physical appearance, which is routinely exposed to public view,” the court said. The Star Ledger

Privacy Enhancing Technologies (PETs)

WW – IE10 Users Can Change DNT Default on First Run

Microsoft Windows 8 users will be able to change the default setting for the do not track (DNT) feature in Internet Explorer 10 (IE10) when the operating system is first run. Early this year, Microsoft said that the DNT feature would be turned on by default in IE10. When Windows 8 is first run, users will have the option of allowing the Express Settings, which accepts all default Microsoft settings, or they can choose Customize, which will give them the opportunity to turn off the DNT setting if they wish. Windows 8 users who select the Express Settings will also see a notice telling them that DNT will be on by default in IE10. [ComputerWorld] [Ars Technica]

US – Scholars Present Technology-Centered Privacy Approach

Two legal scholars have released an article that proposes “a technology-centered approach to measuring and protecting Fourth Amendment interests in quantitative privacy.” Scholars David C. Gray and Danielle Keats Citron note that “technology can permit government to know us in unprecedented and totalizing ways at great cost to personal development and democratic institutions,” adding, “these concerns about panoptic surveillance lie at the heart of the Fourth Amendment as well.” Instead of “case-by-case assessments of information mosaics,” they argue that government access to “broad programs of continuous and indiscriminate monitoring should be subject to the same Fourth Amendment limitations applied to physical searches.” [Source]

WW – Burner Delivers Instant Privacy to the Phone

Have you ever given someone your phone number and wish you hadn’t? Now there’s an app for that: Burner, created by Ad Hoc Labs and launching publicly today on the iOS platform, issues disposable phone numbers at the touch of a button. Burner is available in the iTunes App Store for $1.99. Burner is ideal for dating, buying and selling online, posting via social media, and many more use cases. Simply give the number to anyone you like, keep it active for as long as you like, then burn it when you’re through. [Source]

Security

WW – Survey: Data Security Tops Firms’ Concerns

A new report has found that, “for the first time, data security was earmarked by the largest percentage of responding directors—48%—and general counsel—55%—as an issue of concern.” The Corporate Board Member (CBM) and FTI Consulting report surveyed 11,000 public company directors and nearly 2,000 general counsels in U.S.-based firms. One-third of the lawyers said their companies were “not effective at managing cyber risk,” while almost half of the directors said their companies had no formal response plan in place. CBM’s president said the discrepancy between the two is a “cause for concern.” [Source]

WW – PwC Whitepaper Discusses Importance, Pitfalls of Internal Audits

A PricewaterhouseCoopers whitepaper discusses internal audits’ ability to bolster security and prevent network breaches. The whitepaper outlines how internal audits “have become a key pillar of security strategies in the age of data breaches” and how companies can make audits more effective. Believing adequate security measures already exist, for example, can sometimes undermine an audit’s purpose, the report states. “Internal audit departments need strong governance, which leads to respect, credibility and visibility,” said PricewaterhouseCoopers’ Carolyn Holcomb, who says senior management need to become more aware of the risks and concerns associated with security and privacy, and board-level support for audits is very important. [eWeek] See also: [WikiLeaks endures a lengthy DDoS attack]

Surveillance

WW – Police Chiefs Sign Drone Codes of Conduct

The International Association of Chiefs of Police (IACP) has adopted codes of conduct for the use of unmanned aerial vehicles (UAVs). The recommended guidelines provide that captured images will be open for public viewing and will not be stored if there is no evidence of a crime or ongoing investigation. The codes recommend obtaining a warrant in cases where flights may intrude on an individual’s reasonable expectation of privacy, the report states. The IACP said, “Privacy concerns are an issue that must be dealt with effectively if a law enforcement agency expects the public to support the use of UAV by their police.” [The Washington Times] See also: Lawmaker Releases Draft Drone Privacy Bill

CA – Privacy and Drones: IPC Issues Report on Unmanned Aerial Vehicles

By: Ann Cavoukian, Ph.D., Information & Privacy Commissioner: Unmanned Aerial Vehicles (UAV) present unique challenges due to their ability to use a variety of sensors to gather information from unique vantage points, often for long periods and on a continuous basis. The prospect of having our every move monitored, and possibly recorded, raises profound civil liberty and privacy concerns. At the same time, there are many desirable benefits associated with these technologies. The aim of this paper is to provide a background for general privacy readers, as well as for potential users or regulators of UAV activities, as they relate to the collection, use, and disclosure of personal information. Full report Source

Telecom / TV

AU – Australia Delays Internet Surveillance Plan

The Australian government has put on hold an initiative that would have stored the web history of Australians for up to two years. Attorney-General Nicola Roxon has referred a discussion paper on the expanded governmental surveillance powers to a parliamentary committee, which will stall the plans until after the next election. Roxon recently said she is not yet convinced the data retention proposals have merit. Supporters of the reforms are concerned by the delay, with one security official saying the reforms “are urgently needed to deal with a rapidly evolving security environment.” [The Sydney Morning Herald] See also: [AU: Privacy threat worries charities]

US – Rise in License-Plate Scanners Prompts Debate

Growing use of automated license plate readers (ALPRs) by law enforcement is raising concerns about privacy, security and whether license plates constitute personally identifiable information. ALPRs integrate cameras and optical character recognition software with a license plate database. The American Civil Liberties Union has released a report on the privacy and security implications of ALPRs. An ACLU representative said, “It’s not an exaggeration to say that in 10 years there will be ALPRs just about everywhere, making detailed records of every driver’s every movement and storing it for who knows how long.” [InformationWeek] See also: [Ontario Privacy Commissioner questions Waterloo license-plate recognition parking plan] and [BC: Police policy on license-plate cameras lacks detail, critics say]

US Government Programs

US – GPS Tracking: No Expectation of Privacy, Court Rules

A federal appeals court has ruled that authorities do not need a probable-cause warrant to track a suspect’s every move via GPS signals from a suspect’s mobile phone. The 6th U.S. Circuit Court of Appeals upheld a 20-year term for a drug courier that the authorities tracked via his mobile phone pinging cell towers. In the majority opinion, U.S. Court of Appeals for the Sixth Circuit Judge John M. Rogers wrote, “There is no Fourth Amendment violation because (the defendant) did not have a reasonable expectation of privacy” in the data emitted from his phone. The decision, a big boost for the government’s surveillance powers, comes as prosecutors are shifting their focus to warrantless cell-tower location tracking of suspects in the wake of a Supreme Court ruling in January sharply limiting the use of GPS vehicle trackers. The Supreme Court found law enforcement should acquire probable-cause warrants from judges to affix GPS devices to vehicles and monitor their every move. The court of appeals ruling comes a month after a congressional inquiry found that law enforcement made 1.3 million requests for cellphone data last year alone while seeking out subscriber information like text messages, location data and calling records. [The Wall Street Journal] [Source] [WIRED] [CNET] [US: Appeals Court OKs Warrantless, Real-Time Mobile Phone Tracking] See also: [Manitoba: Police use of infrared cameras prompts privacy concerns]

US – ACLU Sues DOJ for FBI Memos on GPS Tracking Guidelines

The American Civil Liberties Union (ACLU) is suing the US Justice Department (DOJ); the documents filed in US District Court in New York seek the release of memos regarding the FBI’s use of GPS technology. The information is being sought in the wake of a Supreme Court decision that said placing a GPS tracking device on a suspect’s vehicle is equivalent to a search under the Fourth Amendment. The memos being sought are the FBI’s guidelines to agents regarding the use of GPS devices to track suspects. [NextGov] [ACLU Complaint] [WIRED] [ArsTechnica]

US – Privacy Assessment Discloses TSA Gathering Data on Airline Passengers

DHS has unveiled the details of 15 separate “privacy impact assessments” of some of the department’s management systems and databases which its privacy office issued between March and May of 2012, including one that reveals that TSA’s Secure Flight program has begun gathering passengers’ frequent flyer status codes from the airlines that run the frequent flyer programs. Such frequent flyer data is collected from aircraft operators “in conjunction with risk-based security rules,” explains a notice published in the Federal Register on August 2. In other summaries of its recently approved privacy impact assessments (PIAs), DHS disclosed that:

  • The U.S. Secret Service’s criminal investigation division has established a new “Field Investigative Reporting System” that contains PII gathered during investigations involving counterfeiting, electronic crimes and other matters.
  • The DHS Directorate for Management has created an “Email Secure Gateway” (EMSG) which is used by all of the department’s email users. “EMSG handles email traffic in, out, and between DHS, its components, and the Internet, and provides a directory of users’ official contact information,” much of which is considered PII.
  • ICE has created a new database, known as the “Enforcement Integrated Database,” which maintains personal information about individuals involved in investigations, arrests, bookings, detentions and removals from the U.S. conducted by ICE. This database takes advantage of “technology which helps ICE prioritize aliens for immigration enforcement action based on criminal history” and enables ICE to “conduct risk classification assessments of aliens arrested under immigration laws.” [Source]

US Legislation

US – Rep. Markey Releases Cellphone Privacy Proposal

Rep. Ed Markey (D-MA) has released a discussion draft of legislation that would limit the number of requests by law enforcement for private cellphone data. The Wireless Surveillance Act of 2012 would require law enforcement officials to provide regular disclosures of their requests and to acquire warrants prior to using geolocation tracking, and would set data retention limits on personal information held by carriers. The proposal comes after Markey’s inquiry of nine wireless providers earlier this year. “With searches and seizures now happening in cyberspace,” Markey said, “this legislation will update the Fourth Amendment for the 21st century.” [The Hill] See also: [Lone Senator Ron Wyden (D-OR) Is Fighting Widespread And Illegal Government Surveillance of US Citizens], [California Community Mulls Driving Tax Amid Privacy Concerns] and [Invasion of Privacy: Arizona State Wants to Track Student Eating Habits Using ID Cards to Prevent College Drop Outs]

US – NY Gov. Signs Laws to Protect New Yorkers’ SSNs

New York Gov. Andrew Cuomo has signed a series of bills aimed at protecting New Yorkers’ privacy and personal information. The new laws, effective later this year, prevent inmates from having access to individuals’ Social Security numbers and limit instances where entities may request the numbers. The governor said, “New Yorkers deserve the strongest protections possible,” and the bills “will ensure that New Yorkers’ personal information is kept private.” [WKBW]

US – Magistrate Says Video Privacy Law Applies to Digital Content

A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users’ viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores, not video streaming services. Beeler wrote that, despite Hulu’s assertion that the VPPA does not specifically cover digital distribution, “Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects that argument.” University of Minnesota law professor William McGeveran said, “Congress was really clear about wanting the interpretation to be technology neutral.” [WIRED] [MediaPost]

IN – Court Issues Guidelines on Children in the Media

The Delhi High Court has issued new guidelines on the broadcast of news about children after a complaint was lodged when an injured child was shown on TV. The guidelines state that the media “shall ensure that a child’s identity is not revealed in any manner, including but not limited to disclosure of personal information, photograph, school or locality and information of the family including their residential or official address.” The rules aim to protect children’s privacy “so that he or she may not be exposed to anxiety, distress, trauma or social stigma in the future,” the report states. [Deutsche Welle]

US – NJ Gov. Signs Emergency Responders Privacy Bill

New Jersey Gov. Chris Christie has signed into law a bill that aims to protect the privacy of accident victims by prohibiting emergency responders from photographing victims for non-official purposes or from disclosing such photographs. Assemblyman Craig Coughlin said S199/A789 is “not an injunction on our first responders…but the callous few who violate the privacy of the people they are charged with protecting.” Coughlin added, “In an era where photos and videos can live in perpetuity online, no family should ever have to worry about distressing images of their loved ones being displayed without their consent.” [NJTODAY]

US – Illinois Law Prohibits Employers from Asking for Social Media Passwords

Illinois became the third state to pass a law prohibiting employers from requiring employees or job applicants to provide access to their social media accounts when Illinois Gov. Pat Quinn signed the bill this month. Maryland and Delaware have passed similar laws. In addition, California is considering a similar bill, and Michigan and New Jersey have their own versions in the works. In total, at least 15 states have introduced social media legislation in some form, according to the attorney who advised the Illinois bill’s sponsor. [The Wall Street Journal] See also: [Illinois: Judges Get Privacy Protections Under the Michael Lefkow and Donna Humphrey Judicial Privacy Improvement Act of 2012]

US – Cybersecurity Bill Dies in Senate

The cybersecurity bill introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) has died in the Senate. The legislation failed to garner enough support in a cloture vote. The legislation, according to the report, “reflects a confluence of concerns over civil liberties and national security.” The one measure that survived would allow private businesses and government agencies to share data about cybersecurity threats. [The New York Times] See also: [White House Considering Executive Order on Cybersecurity in the wake of the failure of cybersecurity legislation in the US Senate | Source | Source | Source]

US – House Democrats Propose ECPA Reforms to Require Warrants

Members of the House Judiciary Committee yesterday introduced legislation aimed at updating and clarifying the Electronic Communications Privacy Act (ECPA). Submitted by Reps. John Conyers (D-MI) and Jerrold Nadler (D-NY), the bill would require law enforcement to obtain warrants for electronic communications and would set clear standards and notice obligations for when government authorities can access such data. Business Software Alliance President and CEO Robert Holleyman supports reform of ECPA, saying, “Any country that wants to succeed in the cloud needs clear and consistent rules to protect users’ privacy while enabling the free flow of data and commerce.” [NationalJournal]

Workplace Privacy

US – Federal Worker Monitoring Raises Privacy Concerns

Many federal agencies monitor workers’ activities online. The WikiLeaks scandal and other unauthorized disclosures have prompted the government to collect larger, more timely and more detailed profiles of federal employees. The increased use of monitoring worries some privacy advocates, the report states, because of the potential for abuse, particularly in relation to whistle-blowing and the monitoring of personal e-mails. A 2010 incident involving Food and Drug Administration scientists has been cited as one such example. A Defense Department representative said, “Nobody’s reading e-mails here…There has to be probable cause.” [The Washington Post]

AU – Privacy Foundation Provides Policy Statement on Substance Abuse Testing

Substance abuse testing must not be imposed unless the following pre-conditions have been fulfilled:

  • a privacy impact assessment (“PIA”) has been undertaken, in advance of any commitment being made to impose testing, and has included consultation with representatives of and advocates for the categories of affected people;
  • the justification has been exposed in advance and subjected to examination;
  • the privacy intrusions are proportionate to the need; and
  • all privacy intrusions that are found to be justified are the subject of mitigating measures to reduce their negative impacts.

Where substance abuse testing is imposed, explicit and clear information must be given to employees in relation to the following matters:

  • the specific purposes for which it is being imposed;
  • the circumstances under which it will be imposed;
  • the procedures involved in extracting the sample and the data from the sample;
  • the employer’s responsibilities;
  • the employee’s rights;
  • the uses to which the resultant samples and data may be put; and
  • any disclosures that the resultant samples and data may be subject to. [Source]

+++