21-31 August 2012

Electronic Records

AU – OAIC Seeks Public Comment on PCEHR Enforcement

The Office of the Australian Information Commissioner (OAIC) is seeking public comment on how it should enforce personally controlled electronic health record (PCEHR) privacy regulations. Together with a set of enforcement guidelines, the OAIC has released a consultation paper. The guidelines detail the OAIC’s enforcement and investigative powers under the PCEHR and Privacy Acts and outline the penalties, enforceable undertakings and injunctions that can be applied in breach cases, the report states. The OAIC is asking if the draft guidelines are acceptable and provide enough clarity. The deadline for public comment is September 18. [ZDNet]

US – Hackers Claim File Containing iOS Device IDs is Evidence of FBI Tracking Project

Hackers have posted a document to Pastebin that they claim contains unique identification codes for one million iOS devices that were obtained when the laptop of an FBI agent was compromised earlier this year. The attackers claim to have obtained a file that contains Unique Device Identifiers (UDIDs), usernames, and push notification tokens for 12 million devices. They also claim that the file contains some names and associated mobile phone numbers. The attackers are suggesting that the presence of such a document indicates that the FBI may be tracking iOS devices. [ZDNet] [The Register]

Encryption

WW – Report Calculates Cost Savings from Use of Full Disk Encryption

“Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from 4 to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device. ‘After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.’” [Source] [Source]

EU Developments

UK – ICO Defends Cookie Compliance Initiatives

The Information Commissioner’s Office (ICO) has defended its record against claims it has not investigated cookie compliance failures. An earlier report stated the ICO received 320 violation claims without investigating one. The ICO said the report was “dramatically wide of the mark,” adding, “So far, 45 (websites) have been analyzed, of which 27 have clearly taken action to increase the visibility of the information about cookies.” The ICO also said, “A progress update, including a list of all the websites contacted, will be published on our website in November…” [SC Magazine]

UK – Retailers Could Be Forced to Release Customer Data

UK ministers have announced they may require supermarkets and online retailers “to release sensitive personal data they hold about customers.” Companies could be required by law “to provide electronic copies of ‘historic transaction data’ when individuals request it,” the report states, which would mean shoppers receive “records of their purchases and spending habits.” While consumers currently have the right to request such information under the Data Protection Act, “the details are rarely in electronic form, and the process is awkward and slow,” the report states, noting, “The new rules would make access far quicker and easier.” [London Evening Standard]

Google

US – Advocacy Group Challenges FTC Settlements

Nonprofit advocacy group Consumer Watchdog “is dialing up its criticism of the proposed privacy settlement between the FTC and Google,” filing a motion in U.S. District Court seeking friend-of-the-court status and a hearing. Consumer Watchdog questioned the proposed $22.5 million settlement when it was first announced because it allows Google to deny “any violation of the FTC order, any and all liability for the claims set forth in the complaint and all material allegations of the complaint save for those regarding jurisdiction and venue,” the report states. [IDG]

US – Consumer Group, Resort Challenge FTC Settlement

The U.S. District Court of Northern California has granted Consumer Watchdog the right to challenge the legal logic behind the proposed FTC settlement with Google. The advocacy group has questioned how the FTC can charge a company with a violation while also allowing no admission of guilt. A Google representative noted, “We are confident there is no basis for this challenge,” while a Consumer Watchdog spokesman said, “The settlement is particularly the start of a very slippery slope,” adding, “It’s very important the FTC get called on this.” Meanwhile, Wyndham Hotel & Resorts LLC is challenging the FTC’s allegations that it failed to adequately secure consumer data. [POLITICO]

WW – Google to Set up Privacy Red Team

In what appears to be a response to recent high-profile privacy issues involving Google and some of its services, the company is in the process of setting up a Privacy Red Team. In a job post for the role of Data Privacy Engineer, Google says the purpose of the team will be to “independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today”. Google has come under fire in a number of jurisdictions for how it has infringed on the privacy of its users. Recently Google was ordered by the US Federal Trade Commission to pay a $22.5 million fine for having misrepresented to users of Apple’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads. In Europe, Google has come under fire from various data protection agencies for not deleting Wi-Fi data it gathered from unsecured wireless networks as part of its StreetView program. A ThreatPost report states the move by Google “to look critically at engineering and other decisions in the company’s products and services that could involve user privacy risks is perhaps a unique one.” [ZDNet] [The Register] [Net-Security] [PCMag] [InformationWeek] see also: [Why the FTC May Investigate Google and What to Do If It Happens] see also: [Paying Lip Service to Privacy: Attorney Details Steps for Organizations to Fill Privacy Gaps]

Health / Medical

US – Network Exposure and Healthcare Privacy Breaches

Under Federal law requiring disclosure, the HHS reports on data breaches of over 500 records. Since 2009 HHS has documented 435 PHI breaches impacting 20,066,249 individual records. Why are healthcare systems vulnerable to patient privacy breaches? A key vulnerability is system complexity. EHR systems store patient electronic health records and transport data inside healthcare organizations, between healthcare business units, and in and out of HIEs. These systems are big and complex. In addition, the HIE and EHR IT vendors are highly fragmented, competing in typical American free market economy fashion with no vendor-neutral standards for patient privacy enforcement. Lack of vendor-neutral standards leads to the implementation of proprietary interfaces between systems for electronic healthcare data transfer and exchange. Every interface developed by a healthcare systems integrator is a potential attacker entry point. Risks are compounded by:

  • High porousness of the healthcare enterprise network: A porous healthcare provider network invites attackers in and trusted insiders to take good stuff out using pen drives, tablets, DropBox and Gmail.
  • Low level of ethics of top executives: Executives should be taking leadership positions in security and HIPAA compliance as an example to the rest of the employees and as proof that they believe that good security is key to protecting customers. When a top executive doesn’t let internal risk management guidelines get in the way of his personal goals, it sets the stage for additional fraud at lower echelons and fosters an environment where it’s OK to take company documents, just as long as you don’t get caught.
  • Minimal network monitoring: Organizations with minimal network monitoring are living a life of ignorance that is bliss. If the network is porous and security and compliance leadership is lacking, then even a fraud event or a violation of company policy regarding fraud, online gambling or sexual harassment in the workplace will not be detected. Security and fraud violations that are not detected cannot be used for corrective action and future deterrence. [Source]

US – ONC to Revise Model Privacy Notice for PHRs

The Office of the National Coordinator for Health IT is calling for comments and recommendations to inform its revision of the model privacy notice for personal health records. The current model privacy notice is applicable through September 30, the report states. [FierceEMR]

US – HIMSS Issues Recommendations for “Medical Banking”

The Health Information and Management Systems Society has issued a set of recommendations to guide financial institutions managing revenue for healthcare organizations. Released as a whitepaper, the guidelines aim to help financial institutions involved in “medical banking” to comply with HITECH’s added security and privacy requirements. Recommendations include selecting a privacy officer, updating workforce training and considering data privacy and security accreditation or certification by an independent third party. The paper states, “As customers of financial institutions, healthcare providers and payers need assurances that financial institutions can safeguard protected health information with appropriate technology systems, infrastructure and procedures for risk management and incident management.” [Source]

US – EHR Stage 2 Final Rules Call for Encryption

This week saw the release of the two final rules for Stage 2 of the HITECH Act’s electronic health record (EHR) incentive program. The Department of Health and Human Services rules, which address meaningful use and software certification, are scheduled to be published in the Federal Register on September 4. The meaningful use rule includes requirements for risk assessment analysis addressing encryption of data stored in certified EHR technology, while the software certification rule requires EHR software “be designed to encrypt, by default, electronic health information stored locally on end-user devices,” the report states. A recent whitepaper, meanwhile, cautions against securing personal health information on portable devices. [GovInfoSecurity] [Meaningful Use Rule] [Software Certification Rule]

US – Experts “Mostly Pleased” with HITECH Stage 2 Provisions

Privacy and security experts are “mostly pleased” with the provisions included in Stage 2 of the HITECH electronic health record (EHR) incentive program. One provision requires EHR software be designed to encrypt medical records stored on devices by default, which Rebecca Herold says “will ultimately improve protection of patient information.” Two other provisions—receiving mixed reviews from the experts—include a risk assessment rule mandating security updates, but not specifically encryption, and a patient access rule requiring that five percent of discharged patients access their EHRs within a specified time period—down from 10% in the proposed rule. [Source]

Horror Stories

UK – Data Breaches in UK up More than Tenfold in Five Years

The UK Information Commissioner’s Office (ICO) says that over the past five years, data security breaches in the UK have increased more than 1,000 percent. The figure is slightly higher for local government breaches, and slightly lower for National Health Service (NHS) breaches. The dramatic increase may be attributable in part to organizations reporting more breaches than they have in the past because of increased awareness and legal requirements to keep personal data safe. Telecommunications is the only sector that showed a decline in the number of breaches reported over the given period of time. [BBC] [v3.co.uk]

AU – Cyber Thieves Steal Half a Million Australian Credit Card Numbers

A cyberattack has resulted in the theft of 500,000 credit card numbers in Australia. The incident occurred at an unnamed business in Australia and appears to be the work of hackers located in Eastern Europe. They allegedly placed keystroke loggers on point-of-sale (POS) terminals and remotely downloaded the information. The unnamed company was using default passwords on the POS terminals and stored transaction data unsecured. The thieves appear to have used an unsecured Microsoft Remote Desktop Protocol (RDP) to harvest the data. The people behind the attack are believed to be the same ones that conducted a similar attack in the US on Subway sandwich restaurants. Police are investigating the incident. [WIRED] See also: [Class-Action Filed Against Eastern Health] and [When Cybercrime Isn’t Treated as a Crime: Why Not Report Credit-Card Account Theft to Local Cops?]

US – Thumb Drive Prompts Notifications, Feds Arrest Former ER Worker

A cancer center in Texas is notifying 2,200 patients that a missing thumb drive contained their personal details. CMIO reports that it’s the third breach this year for the University of Texas MD Anderson Cancer Center in Houston. Meanwhile, federal officials have arrested a Florida man for selling the medical records of patients of Florida hospitals. Dale Munroe, who worked in the emergency room at Florida Hospital Celebration before he was fired last year, is accused of accessing and selling the records of more than 700,000 patients, according to the report. [Source]

US – Hackers Publish Stolen Data; Breaches Hit Two Orgs

A hacker collective calling itself Team GhostShell has allegedly accessed and published one million records taken from banks, government agencies and other firms and is warning of further leaks. A security expert said it is “a pretty significant breach.” In a separate incident, a Cancer Care Group laptop containing personal information of approximately 55,000 individuals was stolen from an employee in July. Meanwhile, the University of Rhode Island has disabled a server after it was discovered that the personal information of more than 1,000 faculty and staff was publicly available. [CNET News]

UK – UK Information Commissioner Investigating Tesco Website Security

The UK Information Commissioner’s Office (ICO) is investigating Tesco for alleged inadequate security practices. The retail company allegedly stores its website login and password data unhashed and unsalted. Some of the site’s pages do not use HTTPS, and the company emails users’ passwords in plaintext. Some have noted that it is unusual for the ICO to become involved when a breach has not occurred. [SCMagazine] [BBC] [ComputerWeekly]
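As an added illustration (not code from the page or from Tesco's systems), the two storage practices named above side by side: a store that keeps the password as typed, which is what makes e-mailing it back possible, and a store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 hash, which can only offer a reset. User names and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets

# --- Weak form: plaintext, unsalted, unhashed -------------------------------
# Anyone who reads this table (a leaked database dump, a compromised mail
# server holding "password reminder" messages) learns every password as-is.
WEAK_STORE: dict[str, str] = {}


def weak_register(username: str, password: str) -> None:
    WEAK_STORE[username] = password


def weak_login(username: str, password: str) -> bool:
    return WEAK_STORE.get(username) == password


def weak_password_reminder_email(username: str) -> str:
    # Plaintext storage is exactly what lets a site put the secret itself
    # into an outgoing e-mail, as described in the item above.
    return f"Your password is: {WEAK_STORE[username]}"


# --- Hardened form: per-user salt + slow key derivation ---------------------
# Only the salt, the iteration count and the derived key are stored. The
# iteration count is a constructed choice for this example; raise it as
# hardware allows.
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32
HARDENED_STORE: dict[str, dict] = {}


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def hardened_register(username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    HARDENED_STORE[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def hardened_login(username: str, password: str) -> bool:
    rec = HARDENED_STORE.get(username)
    if rec is None:
        # Spend comparable CPU time so an unknown user is not distinguishable
        # from a wrong password by response time.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, rec["salt"], rec["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, rec["hash"])


def hardened_password_reminder_email(username: str) -> str:
    # There is nothing to send back: the record holds only a salt and a hash.
    # The only workable flow is a reset with a short-lived random token
    # (token issuance and expiry tracking are omitted here).
    token = secrets.token_urlsafe(32)
    return f"Reset your password using this one-time token: {token}"


def same_password_different_hashes(password: str) -> bool:
    """Why the salt matters: two users with the same password get different
    stored hashes, so a leaked table does not reveal shared passwords and a
    single precomputed table cannot be applied to every row at once."""
    hardened_register("alice", password)
    hardened_register("bob", password)
    return HARDENED_STORE["alice"]["hash"] != HARDENED_STORE["bob"]["hash"]
```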

Identity Issues

WW – Dropbox Implements Two-Factor Authentication

Dropbox has implemented two-factor authentication for Windows, Mac, and Linux users. Earlier this summer, the company said it would take steps to better protect customers’ data after hackers managed to hijack an employee’s account, access some customer email addresses, and send them spam advertising gambling sites. Dropbox attributed the attack to an employee who used the same password for his work account as for another account elsewhere, which had been compromised earlier. Dropbox will now provide users with one-time security codes, either sent to their phones in a text message, or generated with a mobile authenticator app. Users say the plan still has some problems that need to be worked out. [Krebs] [InformationWeek] [The Register] See also: [Do authentication questions really protect you?]

Law Enforcement

US – License Plates Scanned at Border, Data Shared With Car Insurance Group

As public scrutiny continues to mount against the use of license plate readers (LPRs) across the country, the Electronic Privacy Information Center (EPIC) has now released government documents showing that such data, which includes precise GPS location, date, and timestamps, in addition to the plate in question, are shared with an auto insurance umbrella organization. The documents, published this week as the result of a Freedom of Information Act (FOIA) request, include a six-page memorandum of understanding (MOU) from 2005 between the National Insurance Crime Bureau (NICB) and the United States Customs and Border Protection (CBP) agency. The NICB is a nonprofit organization funded by hundreds of American auto insurance corporations around the country, which “partners with insurers and law enforcement agencies to facilitate the identification, detection, and prosecution of insurance criminals.” The revelation has certainly raised some eyebrows, but the NICB now says that while insurance companies are members of the organization, they do not automatically gain access to the LPR data. Roger Morris, the NICB’s chief communications officer, clarified by e-mail that only authorized “Special Investigations Units” personnel from NICB member companies have access to such data “for theft prevention activities.” Every 24 hours, the NICB receives an electronic data transfer from all border stations, providing LPR details on all cars that have crossed in and out of the country. Mainly, the NICB says it’s looking for cars that have been (possibly fraudulently) reported stolen, but were spotted at a border. Morris added that the CBP’s LPR data—”roughly 15 million reads a month”—is kept for 12 months. That means the CBP makes approximately 500,000 LPR reads at the borders every single day, and passes that data along to the NICB.
The MOU also allows the NICB to sub-contract management of this data to a “data processing service,” and requires that any misuse of the LPR data be reported to the NICB, and then reported on to the CBP. “In short, US Customs is granting a private company access to what it admits is ‘highly sensitive commercial, financial, and proprietary information,’ and then further allowing the private company to outsource the management of that ‘highly sensitive’ data to yet another private company,” wrote the ACLU Massachusetts. “The only auditing and accountability mechanisms required are self-policing and self-reporting. These documents reveal a growing problem that extends far beyond the management of license plate data. The government is increasingly collecting vast quantities of information about ordinary people accused of no crime, and increasingly it is relying on private contractors to manage, sort, and analyze this data looking for crime or even ‘pre-crime’ trends. The sharing of our license plate data with private companies should be viewed as but one troubling example of this much larger problem.” [Source]

US – Dealer uses MPLS License Plate Data in Car Repo

A South St. Paul car dealer used data stored by Minneapolis police license plate scanners to repossess a car, likely the first time the records have been used by a business in Minnesota. The data’s value for a repo man illustrates just one of the potential applications of Minneapolis’ massive database chronicling patterns of vehicles on its streets. Some privacy advocates fear that data could eventually be used for more sinister purposes. Minneapolis deploys 10 license plate readers, eight of them mounted on police cars and traffic enforcement vehicles, that scan thousands of license plates each day and store their locations – 4.9 million so far in 2012. Their primary use is to help police on patrol identify wanted vehicles in real time. [Source]

US – 6 Years of Spying on NY Muslims Didn’t Generate a Single Terror Lead: NYPD

In more than six years of spying on Muslim neighbourhoods, eavesdropping on conversations and cataloguing mosques, a secret unit of the NYPD never generated a lead or triggered a terrorism investigation, the department acknowledged in court testimony. The demographics unit is at the heart of a police spying program, built with help from the CIA, which assembled databases on where Muslims lived, shopped, worked and prayed. Police infiltrated Muslim student groups, put informants in mosques, monitored sermons and catalogued every Muslim in New York who adopted new, Americanized surnames. Police hoped the unit would serve as an early warning system for terrorism. And if police ever got a tip about, say, an Afghan terrorist in the city, they would know where he was likely to rent a room, buy groceries and watch sports. But in a June 28 deposition as part of a long-standing federal civil rights case, Assistant Chief Thomas Galati said none of the conversations the officers overheard ever led to a case. [The National Post]

Location

US – Location Privacy Act Passed in California

California state legislators have passed a new bill requiring law enforcement agencies to obtain a warrant before collecting any GPS or location data from cell phones or smart phones. The Location Privacy Bill 2012, which was sponsored by the EFF and the ACLU, has now been passed on to California Governor Jerry Brown for signing into law. In a statement the EFF said it “urge[s] Governor Brown to have California take the lead on this issue and sign SB 1434,” and that it “strikes a sensible balance between keeping the public safe and preserving our privacy.” Brown vetoed a similar initiative in 2011, however. Earlier this week, California passed a bill protecting students from having to provide access to their social media accounts. [ZDNet] [ArsTechnica]

US – Missouri Tracking Law Challenged in Court

A new cellphone tracking law recently passed in Missouri is being challenged in court on assertions that it conflicts with federal law. Missouri’s law makes it easier for police to track users’ cellphone locations in cases of emergency. According to a lawsuit filed Monday, the law should be overturned under the supremacy clause of the U.S. Constitution. The suit seeks a restraining order or injunction and class-action status, the report states. The attorney who filed the suit said, “If I take my cellphone to California, I have more rights. If I use my cellphone in Missouri, I have less rights. So really it comes down to a privacy issue.” [Associated Press]

Offshore

IN – India Pushes Sites to Remove ‘Inflammatory’ Content

India pressed social media websites including Facebook and Twitter to remove “inflammatory” content it said helped spread rumors that caused an exodus of migrants from some cities. The government said in a statement it had already blocked access to 245 web pages it said contained doctored videos and images, and the telecommunications secretary, R Chandrashekhar, threatened legal action against the websites if they did not fully comply with the requests to take down the offending pages. [Reuters]

Online Privacy

US – Advocates Ask FTC to Investigate; FTC Extends COPPA Deadline

A group of advocacy organizations has asked the Federal Trade Commission (FTC) to investigate several viral campaigns aimed at children. The Center for Democracy & Technology—along with 16 advocacy groups—has sent a letter to the FTC with five complaints about the campaigns alleging they violate COPPA. “Such tell-a-friend campaigns, a powerful form of word-of-mouth marketing traditionally directed at teens and adults, are inherently unfair and deceptive when aimed at children,” the complaint states, noting, “The practices also violate existing privacy laws for children.” Meanwhile, the FTC announced it is extending the deadline for public comment on proposed modifications to COPPA. [ZDNet]

US – Child Advocates Ask FTC to Investigate Viral Marketing Aimed at Kids

A coalition of nearly 20 children’s advocacy, health and public interest groups focused on children’s health and privacy has asked the US Federal Trade Commission (FTC) to investigate online viral advertising programs that exploit commercial appeal to children. The groups say that the “tell-a-friend” features used by McDonald’s, General Mills, Turner Broadcasting and other companies violate the Children’s Online Privacy Protection Act (COPPA), which became law in 2000, because the actions are taken without adequate parental notification and without parental consent. Georgetown law professor and legal counsel for the Center for Digital Democracy said that the FTC should put an end to the “commercial exploitation of children.” [WIRED] [CNET] [MSNBC] [New York Times]

US – Judge Rejects Facebook Sponsored Stories Proposed Lawsuit Settlement

A US District Court judge in California has rejected the proposed settlement of a lawsuit brought against Facebook over its Sponsored Stories feature. The lawsuit was filed by five Facebook users and is seeking class action status on behalf of as many as 100 million users; it alleges that Facebook violated users’ rights by using their images in Sponsored Stories. The settlement would allow adults to limit how their images are used in Sponsored Stories; minors would be able to opt out altogether. The settlement would have Facebook change its Statement of Rights and Responsibilities and provide users with more information about how their names and pictures are used with Sponsored Stories. The settlement would also give users more control over their data. The proposed settlement would have Facebook pay US $10 million to Internet privacy organizations and to pay attorney’s fees of up to US $10 million. Judge Richard Seeborg said he had “serious concerns” about the settlement, asking why Facebook should not be asked to pay US $100 million, because it seemed as though the legal team was making money on the case, but the users they were representing were not receiving much in return. [WIRED] [ComputerWorld] See also: [Facebook cleanses pages of fraudulent “Likes”]

EU – Consumer Group Tells Facebook to Fix App Centre

The Federation of German Consumer Organizations “believes Facebook is violating privacy laws with its new app center and has set a deadline for the social network…to fix it or potentially face legal action.” The group contends the app center gives third-party applications users’ information without their knowledge. “It will consider legal action against Facebook if the site fails to fix the problem by September 4,” the report states, noting the deadline follows plans by Hamburg’s data protection commissioner to “reopen his investigation into Facebook’s policies on tagging photos, retaining and deleting data and the level of control users have over their information.” [Reuters]

US – Twitter Appeals Court Decision

Twitter has filed an appeal with the New York State Supreme Court to overrule a lower court order for the company to disclose an Occupy Wall Street protester’s tweets. The American Civil Liberties Union has filed a brief in support of the company, saying, “We are hopeful that Twitter’s appeal will overturn the criminal court’s dangerous decision and reaffirm that we retain our constitutional rights to speech and privacy online as well as offline.” [The Hill] [Twitter and your privacy] [Expert: Case Shows “Privacy Is Big Business”]

WW – Your Old Tweets Resurface with Twitter’s Data Reseller Partners

Twitter has announced its Certified Partners Program. There are currently 12 partners in the program, and they specialize in one of three categories: engagement, analytics, and data resellers. Twitter says that the certifications will “make it easier for businesses to find the right tools.” Three of the 12 partner companies–Topsy, DataSift, and Gnip–are data resellers, which means they provide access to all publicly available tweet content over several years (what Twitter calls the “Firehose”). Before data resellers like these existed, your old tweets–even public ones–would become buried as you continued to pile new ones on top of them. They’d be inaccessible after 30 days. Now, companies like DataSift have unlocked this previously inaccessible archive of every Tweet ever made in the past several years. The company collects about 250 million tweets every day, analyzing the things people talk about, the words they use, their geographic location, and even whether their tone seems negative or positive. Aside from leaving Twitter altogether, there are two ways to protect yourself from Twitter’s data resellers.

  1. Go back and delete old tweets: Unlike when you’re looking for someone else’s Tweets, you can always see your own without any expiration date. DataSift is required to regularly update its files to remove Tweets that have since been deleted.
  2. Set your tweets to private by protecting them: Protected tweets aren’t part of Twitter’s public stream and data resellers can’t collect them. You’ll know that a user’s Tweets are protected when you see a little lock icon next to their avatar.

[Source] [Comment from PogoWasRight] See also: [DIGITAL WILL: How to share your data after death]

US – Social Media Privacy for College Athletes? California Senate Says Yes

California’s Senate has unanimously approved legislation to bar colleges and universities from requiring students to provide administrators with access to their social media usernames and passwords. Governor Jerry Brown now must sign or veto the bill by Sept. 30. California is not the first state to pass legislation protecting social media privacy for students. In March, Maryland’s Senate passed a bill to prevent public colleges and universities in the state from requiring students including athletes to provide access to their social accounts. [Source]

Other Jurisdictions

PH – Data Privacy Law Signed

President Benigno Aquino has signed the Data Privacy Act 2012. The bill is also known as “An Act Protecting Individual Information in Information and Communication Systems in the Government and the Private Sector.” The bill is based on the European Directive and requires data security standards by business process outsourcers. The president did not veto any of the bill’s provisions, the report states. Some lawmakers have said the law will spur investment in the Philippines. [ABS-CBN News] [GovInfoSecurity] [Philippines: BPO companies more bullish after signing of data privacy law] see also: [Rwanda: Proposed Communications Intercept Law – Is Our Privacy Adequately Protected?]

CN – Cabinet OKs Draft Data Protection Bill Changes

China’s Executive Yuan has approved draft legislation that seeks to make improvements on a 2010 amendment to the Personal Data Protection Act. The proposed changes would require data collectors to inform consumers prior to processing such data. The bill will go before the Legislative Yuan for final approval, the report states. [The China Post]

AU – ACC Report Issued, Commissioner Urges Culture Change

An independent report on New Zealand’s Accident Compensation Corporation (ACC) has revealed that a data breach was due to “human error” but also “systemic weaknesses within ACC’s culture, systems and processes.” Commissioned by New Zealand Privacy Commissioner Marie Shroff, the Independent Review of ACC’s Privacy and Security Information was undertaken by KPMG and former Australian Privacy Commissioner Malcolm Crompton. Shroff said the ACC “has elements of privacy protection and security” in place, but they “are not up to the standard expected” of such an organization, adding, a “culture change” will be necessary, starting “right at the top.” Meanwhile, State Services Commissioner Iain Rennie urged vigilance by public servants processing personal data. [Press Release] [Report]

Privacy (US)

US – Magistrate Says Video Privacy Law Applies to Digital Content

A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users’ viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores, not video streaming services. Beeler wrote that, despite Hulu’s assertion that the VPPA does not specifically cover digital distribution, “Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects that argument.” [WIRED]

US – Administrative Subpoenas Raise Questions

Administrative subpoenas, which carry the signature of a federal official but not that of a judge, require telecommunications companies, Internet service providers, banks, bookstores, hospitals, and utility companies in the US to “turn over” customer records if the US Drug Enforcement Administration (DEA) or agents from other government departments believe the information is relevant to an investigation. The DEA obtained the power through a piece of 1970 legislation; that agency is believed to be one of the major users of administrative subpoenas. A DEA spokesperson said that the agency does not keep a database of the administrative subpoenas it issues. There are reportedly more than 300 US statutes that allow federal officials to bypass Fourth Amendment protections by issuing these subpoenas; government agencies are not obligated to disclose the frequency with which they use administrative subpoenas. Administrative subpoenas can be issued not only for drug investigations, but also for hazardous waste disposal, atomic energy, child exploitation, medical insurance fraud, student loans, and other investigations. [WIRED]

US – 2012 Republican Convention: GOP adopts Internet freedom plank

Part of the platform the Republican party adopted included language to protect Internet freedom, something that lawmakers and interest groups on both sides of the aisle have been calling for in recent months. The Republican plank is focused on removing regulation around technology businesses, as well as language that would protect personal data online from the government. The platform language also says that the party will “resist any effort” to move Internet governance away from its current multi-stakeholder model in favor of international or “intergovernmental” organizations. There has been some discussion of handing more control of the Web to the United Nations, as reported in May. The proposal is being championed by China, Russia and some Arab states but has gathered vocal critics from technology companies such as Google, Microsoft, Verizon and Cisco, who say such a plan would create financial risks to their businesses. The GOP platform also specifically criticized the Federal Communications Commission, saying that the agency’s net neutrality rule and other regulations show the Obama administration is “frozen in the past.” The platform proposes that the federal government inventory its spectrum to discover how much of it could be auctioned to the public. [Source]

US – Privacy Worries Surround UN Internet Regs

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.” [Privacy worries surround UN Internet regulations]

US – Sens. Call on Obama to Issue Cybersecurity Order

At least two senators have called on the Obama administration to issue an Executive Order on cybersecurity after Congress failed to pass legislation on the issue. In an open letter to the White House, Sen. Dianne Feinstein (D-CA) wrote, “our critical infrastructure, our financial hubs and our ability to defend the nation are at risk; we must take action to address these vulnerabilities as soon as possible.” Feinstein did note that the administration does not have power to offer legal certainty or protection to firms that share cybersecurity data with the government, the report states. Meanwhile, some experts say impending cybersecurity initiatives further prompt the need for the Privacy and Civil Liberties Oversight Board. [Hogan Lovells’ Chronicle of Data Protection]

US – SEC Cyber-Disclosure Guidance Becoming Standard

The Securities and Exchange Commission (SEC) cyber-disclosure guidance has “become de facto rules for at least six companies” including Google and Amazon. According to letters sent by the SEC, the companies were asked to, in future filings, disclose to investors if systems had undergone a cyberattack. Companies have expressed concerns that such admissions can hurt reputations, provide competitors with important information or give rise to consumer litigation, the report states. In its deliberations on cybersecurity legislation, Congress has assessed ways to encourage firms to disclose data breaches, including a voluntary reporting system. [Bloomberg]

US – CA PUC Approves Gas Meter Privacy Protections

The California Public Utilities Commission has unanimously agreed to new rules governing the protection and use of consumers’ data captured from gas meters. Two commissioners described the protections as being balanced, enabling both consumer protections and the “responsible use of consumer information,” according to the report. The rules allow covered entities certain rights around the collection, use and disclosure of the data. [Solid State Technology] [US – As Smart Grid Grows, Privacy Concerns Proliferate]

Privacy Enhancing Technologies (PETs)

WW – Researchers Hack Brainwaves to Reveal PIN Numbers, Other Personal Data

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets. “The correct answer was found by the first guess in 20% of the cases for the experiment with the PIN, the debit cards, people, and the ATM machine,” write the researchers. “The location was exactly guessed for 30% of users, month of birth for almost 60% and the bank based on the ATM machines for almost 30%.” To detect the first digit of the PIN, researchers presented the subjects with numbers from 0 to 9, flashing on the screen in random order, one by one. Each number was repeated 16 times, over a total duration of 90 seconds. The subjects’ brainwaves were monitored for telltale peaks that would rat them out. The EEG headsets, made by companies such as Emotiv Systems and NeuroSky, have become increasingly popular for gaming and other applications. [Source]

RFID

TX – Rebellion Erupts Over School’s Student-Chipping Plan

A rebellion is developing in Texas against a plan by a school district in San Antonio that would monitor the exact location and activities of all students at all times through RFID chips they are being ordered to wear. School district officials did not respond to a request for comment, but the developing furor comes only days after a coalition of civil rights and privacy organizations publicly stated their opposition to “spychipping” the students. A “position paper” from groups including the American Civil Liberties Union, Electronic Frontier Foundation, Big Brother Watch, Citizens’ Council for Health Freedom, Constitutional Alliance, Freedom Force International, Friends of Privacy USA, the Identity Project and Privacy Activism said no students should be subjected to the “chipping” program “unless there is sufficient evidence of its safety and effectiveness.” “Children should never be used as test subjects for technology, no matter what their socio-economic status. If schools choose to move forward without complete information and are willing to accept the associated liability, they should have provisions in place to adhere to the principles of fair information practices and respect individuals’ rights to opt out based on their conscientious and religious objections,” the statement said. The paper said RFID tracking is dehumanizing, since it can “monitor how long a student or teacher spends in a bathroom stall.” The plans also violate free speech and association, since the presence of a tracking device “could dissuade individuals from exercising their rights to freedom of thought, speech and association. For example, students might avoid seeking counsel when they know their RFID tags will document their presence at locations like counselor and School Resource Officer offices.” It argued that the technology also violates religious freedom and could be subject to unauthorized use. 
“While RFID systems may be developed for use in a school, the RFID tags may be read covertly anywhere by anyone with the right reading device. Since RFID reading devices work by silent, invisible radio waves and the reading devices can be hidden, unauthorized or covert uses can be nearly impossible to detect,” the report said. “A student’s location could be monitored from a distance by a jealous girlfriend or boyfriend, stalker, or pedophile.” [Source]

Security

US – Data Security Now a Main Concern for US Boardrooms: Survey

An annual survey of 11,000 public company directors and 2,000 general counsels shows that for the first time data security is now a prime concern for US boards. The survey, conducted by advisory firms Corporate Board Member and FTI Consulting, shows that over half (55%) of general counsels surveyed rate data security as a major concern, while 48% of the directors surveyed felt the same. A similar survey in 2008 found that only 25% of directors and 23% of general counsels noted data security as a high area of concern, which reflects a doubling of this concern in four years. TK Kerstetter, President of Corporate Board Member, said of the results: “While a number of companies are taking steps to become more educated on IT risks, the fact is that not enough are taking the appropriate actions to fully prepare their organization.” He went on to say, “I think it is going to take several well-publicized security breaches before a majority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.” [ComputerWorldUK] [Yahoo!]

Surveillance

WW – Researchers Find Spyware Being Used by Police in Countries Around the World

Researchers have found evidence suggesting that governments in several countries around the world are using spyware sold by UK company Gamma International. The spyware, known as FinSpy, can monitor calls and report back about calls and GPS location; record Skype sessions on PCs; log keystrokes; and take control of cameras and microphones. The researchers found the spyware while investigating email attachments sent to Bahraini activists. FinSpy can infect PCs and “a broad range of smartphones.” Research conducted elsewhere found FinSpy command-and-control servers in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, UAE, as well as one in the US running on Amazon cloud systems. Shortly after the research was published, several of those servers were shut down. [The Register] [Source] [Software Meant to Fight Crime Is Used to Spy on Dissidents]

UK – Surveillance Device Uses Wi-Fi to See Through Walls

Researchers in England have created a prototype surveillance device that can be used to spy on people inside buildings and behind walls by tracking the frequency changes as Wi-Fi signals generated by wireless routers and access points bounce off people as they move around. The device, which is about the size of a suitcase and has two antennae and a signal processing unit, works as a “passive radar system” that can “see” through walls, according to PopSci.com. It was able to successfully determine the location, speed, and direction of a person behind a one-foot-thick brick wall, but cannot detect people standing or sitting still, the article said. The U.K. Ministry of Defence is looking into whether the device — designed by Karl Woodbridge and Kevin Chetty of University College London — can be used in “urban warfare” for scanning buildings, PopSci reported. The paper on the research, “Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances,” appeared in the April issue of IEEE Transactions on Geoscience and Remote Sensing. [Source]

Telecom / TV

AU – Telstra Charges Crime Victims for Privacy

Consumer advocates have called for Australia’s largest telecommunications provider to stop charging victims of crime to keep their addresses out of the public phone directory. Both Choice and the Australian Communications Consumer Action Network have criticised Telstra for charging a monthly fee for silent home phone numbers, even though the Australian Law Review Commission recommended the law be changed to stop carriers charging for the service. Despite the recommendation, the law has not been changed and Telstra charges users $2.93 monthly to keep numbers out of the White Pages. ACCAN spokeswoman Elise Davidson said the ongoing fee was an “unfair practice” that affected the country’s most at-risk telephone users. [Source]

AU – Tax Office Wants Access to Real-Time Data

The Australian Tax Office (ATO) is asking for changes to the nation’s phone-tapping laws so investigators can intercept data in real time. The office has access to stored communications such as voice mail, e-mail and SMS messages under the Telecommunications (Interception and Access) Act 1979, the report states. “Access to real-time telecommunications data would enable our investigators to quickly identify those involved in suspected fraud, establish an association between two or more people, prove that two or more people have communicated at a particular time and by what means or show that a person was at a location at a particular time,” said the ATO. [iTnews]

US Government Programs

US – White House Considering Establishing Cyberthreat Information Sharing Program

A draft document circulating in the White House suggests that the President may be considering a new program that would protect government and private industry computer networks that are part of the country’s critical infrastructure from cyberattacks. The program would call for the government to establish a continuous threat collection and information dissemination system. The program is being considered in lieu of legislation, as lawmakers have been unable to come to any agreement on a cybersecurity bill. The draft “is not close to being done,” according to a White House spokesperson. The document indicates that the program would aim for “a near-real-time common operating picture” for critical infrastructure threats and establish “strong cooperation” between government and private sector entities. [Business Week]

US – Interior Dept. Seeking Cloud Tool Capable of Wiping Mobile Devices Remotely

The US Department of the Interior has issued a request for information (RFI) seeking a tool that would allow the agency to remotely update, monitor, shut down, or wipe employees’ mobile devices, even when they are overseas. The product sought would have to work on Apple, Android, BlackBerry and Windows mobile devices; the agency prefers cloud-based tools. Just one compromised device could infect other portions of the department’s computer systems. A 2011 study from the Government Accountability Office (GAO) noted that the Interior Department had not put in place “effective controls to prevent, limit, and detect unauthorized access to its systems” nor had it “manage[d] the configuration of network devices to prevent unauthorized access and ensure system integrity.” The RFI wants tools that can determine when a mobile device is being compromised. The Interior Department is seeking to have proposals submitted by September 7, 2012. [FCW] [NextGov] [FBO]

US Legislation

US – Bills to Watch

In California, Assembly Member Fuentes’ bill (A 2055) continues its progress through the California Senate and is now on the consent calendar. The bill contemplates allowing a search warrant to be issued when the information to be received from the use of a tracking device constitutes evidence that tends to show: that a felony has been committed or is being committed; that a particular person has committed a felony or is committing a felony; or that the information will assist in locating an individual who has committed or is committing a felony. As proposed, the bill requires that a search warrant identify the person or property to be tracked and limits the time that the device may be used to a specified number of days. The bill also requires execution of the warrant within 10 days.

Likewise, Senator Leland Yee’s Social Media Privacy Act (S 1349) has progressed to the Assembly’s consent calendar. The bill would prohibit a postsecondary educational institution from requiring, or from formally requesting in writing, that a student or prospective student disclose the user name and account password for a personal social media account, or provide the institution with access to any content of that account.

In Michigan, Sen. Richard Jones introduced a bill (S 1228) that would create a Do Not Call list for political calls. “Robo calls are disruptive, and they always seem to come at dinnertime or in the middle of a ball game,” said Jones. “If a candidate or volunteer wants to contact a voter directly, this measure will not prevent them from doing so. This legislation simply gives citizens a choice whether or not they want to receive automated phone calls.”

In New York, two bills previously reported as awaiting signature have now been enacted. A 8992 prohibits non-governmental entities from requiring individuals to provide their social security number, unless for one of several designated purposes. And A 10569 prohibits telemarketers – regardless of where they are located – from delivering pre-recorded messages by telephone without the consent of the recipient. In addition, this measure will require outbound, pre-recorded sales calls to provide the recipient with a key-press or interactive voice response to be placed on the “do not call” list, as well as immediately disconnect the call. In the event of a voicemail, outbound sales calls will also have to deliver a message with a toll free number for recipients to call to have their names removed from the call list.

In the United States Senate, Senator Johanns of Nebraska introduced a bill (S 3467), which would enact a moratorium on aerial surveillance conducted by the Administrator of the Environmental Protection Agency. The EPA currently uses these flights to determine compliance with the Clean Water Act.

Workplace Privacy

CH – Former Swiss Bank Employee Arrested in Connection with Customer Data Leak

An employee at a private Swiss bank has been arrested for allegedly stealing data from the institution. An internal investigation turned up evidence of data abuse and an alleged perpetrator was identified. The suspect is a Zurich-based employee of the Julius Baer bank; he has been fired and was subsequently arrested. The bank has contacted customers in Germany who may have been affected by the incident. The stolen data were found on a CD that is now in the possession of German tax investigators. A German magazine recently reported that tax investigators raided the homes of several Julius Baer clients in Germany in connection with allegations of untaxed funds being held in Swiss bank accounts. [Bloomberg] [Swissinfo]

CH – Data Disclosure Angers Swiss Bank Employees

Employees at several Swiss-based banks have expressed disapproval over the disclosure of their personal information to U.S. authorities investigating American tax evaders, The Wall Street Journal reports. In some cases, employees were not told of the handover or were told but not allowed to review the data. The Swiss government, in order to avoid an indictment of its banks, allowed banks to share data of thousands of employees with the U.S. Department of Justice. A Zurich University professor said, “The Swiss should offer whatever help is required for the U.S. to track down tax dodgers, but they should make clear that they will do so within the country’s legal framework.” [Wall Street Journal]

+++
