01-15 October 2012



CA – Authorities to Cooperate on Cross-Border Digital Privacy

The German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states. [IDG News Service]

CA – Stoddart’s Annual Report Raises Surveillance, Disposal Concerns

A proposal set forth by the Royal Canadian Mounted Police and House of Commons to more than double the number of video cameras on Parliament Hill has raised concerns from federal Privacy Commissioner Jennifer Stoddart. “We were concerned about the scope of the project and its potential impact on the privacy rights of parliamentarians, parliamentary staff, guests and visitors to Parliament Hill,” Stoddart’s annual report states. “According to the preliminary (privacy impact assessment), a deliberate decision was made to not post signs notifying individuals of video surveillance on Parliament Hill.” Meanwhile, Stoddart’s report has also raised concerns about the way Veterans Affairs disposes of documents containing sensitive personal information. [The Canadian Press]

CA – OPC Receives Formal Complaint Over Gov’t Questionnaire

The Office of the Privacy Commissioner (OPC) has received a formal complaint about a controversial questionnaire distributed to current and prospective border officers. OPC Spokeswoman Anne-Marie Hayden said the agency is “looking at investigating” the subject. Aimed at determining an individual’s suitability for employment, the questionnaire asks about substance abuse and poses other potentially invasive queries, the report states. Customs and Immigration Union Vice President Jason McMichael said of the questionnaire, “Our lawyers believe that it’s outside of privacy legislation,” adding, “Certainly, in our mind, it compromises basic civil liberties.” [Canada.com]

CA – OPC Offering $50,000 for Privacy Research Projects

The Office of the Privacy Commissioner of Canada (OPC) has launched its 2013-2014 Contributions Program, which offers up to $50,000 in funding for initiatives aimed at advancing privacy knowledge in the private sector. Privacy research projects that fall under PIPEDA will be eligible for the funding. The four priority areas highlighted by the OPC are identity integrity and privacy; IT and privacy; genetic information and privacy; and public safety and privacy. Applicants have until November 30 to submit proposals. [IT Business Canada] See also: [OPC Canada – No Mistakes, No Forgetting: Privacy in the Age of Social Media]

CA – Supreme Court Allows Anonymous Proceedings

The Court overturned in part a decision by a provincial court of appeal that denied a 15-year-old girl the right to proceed anonymously in an action for defamation (someone had posted a fake profile on a social networking site using her picture, a slightly modified version of her name and other identifying particulars; the picture was accompanied by unflattering commentary about the girl’s appearance along with sexually explicit references). The Court considered privacy rights (recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law and results in the protection of young people’s privacy rights based on age, not the sensitivity of the particular child) and the protection of children from cyberbullying (common sense and the evidence show that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and the right to protection will disappear for most children without the further protection of anonymity). Once the girl’s identity is protected through her right to proceed anonymously, there is little justification for a publication ban on the non‑identifying content of the profile. [A.B. v Bragg Communications Inc. et al. – 2012 SCC 46 – the Supreme Court of Canada]


US – Study: Most Americans Don’t Want To Be Tracked

A study by the Berkeley Center for Law and Technology found that most Americans don’t find online ads useful and do not want information to be collected about their online behavior. The study asked 1,230 Internet users what they’d like a do-not-track mechanism to do, and 60% chose the option, “prevent websites from collecting information about them.” Nearly 90% of respondents had never heard of the FTC’s proposal for a do-not-track mechanism—which the authors of the study refer to as “a modest intervention.” [The New York Times] See also: [Omer Tene Opinion: Privacy Law in “Midlife Crisis”]


US – Campaigns Relying on Data Mining To Push Voter Turnout

This year’s presidential campaigns are using data mining to glean intimate details of voters’ lives and use them to prompt a vote for their respective candidate. The Democratic and Republican National Committees have spent a combined total of at least $13 million this year on data acquisition—including details such as what kind of beer voters drink, if they tend to enjoy frequent vacations or whether they watch college football—in order to contact voters with targeted calls. Experiments indicate such tactics tend to increase voter turnout, the report states. [The New York Times]

US – Gov’t Report Calls for Big Data Career Track

A new industry report calls on the government to create a formal career track for employees managing Big Data. The TechAmerica Foundation’s Big Data Commission is calling for “a new federal academy to train and certify employees to capture, store, share, manage and analyze vast volumes of data” and cites agencies currently using Big Data techniques, such as NASA and the Internal Revenue Service. “The biggest issue is making sure that you have and can get to the relevant information that you need to make better decisions, improve processes, reduce fraud, waste and abuse and have better predictive capabilities,” said one expert. [Federal Times]

Electronic Records

US – Research Hampered by Limited Access to Death Files

The Social Security Administration’s (SSA) limit on access to death records, imposed amid concerns about potential identity theft, is having consequences for research initiatives. The SSA decided last year that, under the law, state records on deaths are exempted from public disclosures. Researchers conducting studies on diseases such as cancer and cardiovascular treatments say they depended on access to that data, and their work has been slowed by the changes. A spokesman for the financial industry said such limited access makes it increasingly difficult to detect the theft of Social Security numbers from deceased individuals. [The New York Times]

US – A Major Glitch for Digitized Health-Care Records

A comprehensive evaluation of the scientific literature has confirmed what many researchers suspected: The savings claimed by government agencies and vendors of health IT are little more than hype. To conduct the study, faculty at McMaster University in Hamilton, Ontario, and its programs for assessment of technology in health — and other research centers, including in the U.S. — sifted through almost 36,000 studies of health IT. The studies included information about highly valued computerized alerts – when drugs are prescribed, for instance – to prevent drug interactions and dosage errors. From among those studies the researchers identified 31 that specifically examined the outcomes in light of the technology’s cost-savings claims. With a few isolated exceptions, the preponderance of evidence shows that the systems had not improved health or saved money. For instance, various studies found the percentage of alerts overridden by doctors — because they knew that the alerted drug interactions were in fact harmless — ranging from 50% to 97%. The authors of “The Economics of Health Information Technology in Medication Management: A Systematic Review of Economic Evaluations” found no evidence from four to five decades of studies that health IT reduces overall health costs. Three studies examined in that McMaster review incorporated the gold standard of evidence: large randomized, controlled trials. They provide the best measure of the effects of health IT systems on total medical costs. A study from Regenstrief, a leading health IT research center associated with the Indiana University School of Medicine, found that there were no savings, and another from the same center found a significant increase in costs of $2,200 per doctor per year. The third study measured a small and statistically questionable savings of $22 per patient each year. 
In short, the most rigorous studies to date contradict the widely broadcast claims that the national investment in health IT — some $1 trillion will be spent, by our estimate — will pay off in reducing medical costs. Those studies that do claim savings rarely include the full cost of installation, training and maintenance — a large chunk of that trillion dollars — for the nation’s nearly 6,000 hospitals and more than 600,000 physicians. [The Wall Street Journal]


EU – Certificate Authorities Major Point of Internet Vulnerability

The primary systemic vulnerability of the HTTPS process is the fact that any certificate authority (“CA”) can vouch for any domain name, making each of the hundreds of CAs in over 50 jurisdictions a single point of failure for potentially all HTTPS communications. The EU proposal to amend the existing regulation on electronic signatures contains some of the first regulatory explorations of HTTPS governance, but it is lacking in several respects: the proposal targets only European CAs (it fails to address the role of browsers, websites and end-users and how responsibilities should be allocated among them); there should be agreed constitutional values that provide baseline requirements for governance (a coherent security vision is needed that balances the availability, confidentiality and integrity of information); a yearly audit is mandatory only for qualified trust service providers (not for trust service providers generally, which is what most CAs are); trust service providers may submit a security audit report to confirm compliance with security requirements (but the value of these audits is questionable, given that DigiNotar passed the annual audits mandated by Dutch law); and the proposal’s new legislative basis for supervisory activities with regard to security practices and security breach notifications in the HTTPS ecosystem seems to be overbroad and too narrow at the same time (e.g. the flexibility regarding the exercise of executive power may be overbroad from the viewpoint of legitimacy, while the rigidity regarding the “tasks” of supervising may be too narrow to include future tasks of a supervisory body that may be necessary to ensure adequate enforcement). [Certificate Authority Collapse (Draft) – Axel M. Arnbak and A. N. M. van Eijk, University of Amsterdam, Institute for Information Law] AND [Phil Zimmermann’s “Silent Circle” crypto system]

EU Developments

UK – ICO to Commence Cookie Crackdown

The Information Commissioner’s Office (ICO) is beginning to crack down on companies not complying with cookie regulations. KPMG Partner Steve Bonner said, “There is still a wait-and-see element among companies. It is much like when you are speeding along the motorway with no police car in sight and everyone else also driving 100 miles an hour. It doesn’t feel risky. But when the police car suddenly pulls out of the lay-by, it will be interesting to see what happens.” Noncompliant organizations may be liable for fines of up to £500,000. [Source] See also: [Information Commissioner’s Office, United Kingdom – North Yorkshire Police Force – Data Protection Audit Report Executive Summary]

UK – ICO: Private Sector Ahead on Compliance

Audits by the Information Commissioner’s Office (ICO) indicate that the private sector is “leading the way” while data protection compliance “concerns remain” for the public sector. “The private-sector organizations we have audited so far should be commended for their positive approach to looking after people’s data,” said the ICO’s Louise Byers, adding, “However, this does not mean that businesses in the UK should rest on their laurels.” She also noted that, generally, the public-sector entities audited had appropriate information governance and training practices in place but need to do more in terms of data security, the report states. [COMPUTERWORLD]

EU – Regulators Say Google’s New Privacy Policy Does Not Pass Muster

Privacy regulators in the European Union (EU) say that Google’s revised privacy policy fails to comply with EU data protection laws. A group of privacy regulators from EU member states plan to send a letter to Google asking the company to revise the policy so that it will be in harmony with EU information privacy laws. The letter also asks Google to explain why and how it will share user data across services and says that Google must obtain “explicit consent” before aggregating users’ data from its various services. [BBC] [ZDNet] [CNet]

EU – German MEP Calls for Tighter Rules on Social Networks

A member of the European Parliament has called for tighter controls of online social networks under the EU’s proposed data protection framework. Germany’s Jan Philipp Albrecht, who is heading up the European Parliament’s work on the draft framework, says a recent incident involving Facebook users’ allegations that their personal messages appeared on their public profiles indicates the need for increased user control over data. “The informed and explicit agreement of all those affected by data processing must be a guiding principle,” said Albrecht. The CNIL met with Facebook last week over the incident and accepted Facebook’s explanation that the incident was a misunderstanding and not a breach. [Reuters] See also: [European Data Protection Supervisor – Opinion on the Commission Proposal for a Regulation of the European Parliament and of the Council on Trust and Confidence in Electronic Transactions in the Internal Market (Electronic Trust Services Regulation)] See also: [The Right to Be Untagged: As Facebook Disables Facial Recognition for EU Consumers, US Consumers Are Left Wondering What’s Next for Them – Anita Ramasastry, Justia.com] AND [Office of the Privacy Commissioner for Personal Data, Hong Kong – Outsourcing the Processing of Personal Data to Data Processors]

UK – ICO Fines Police 120,000 Pounds

Greater Manchester Police has paid a fine of 120,000 pounds after a breach involving the theft of a memory stick containing sensitive information, Publicservice.co.uk reports. The stick was not password-protected and was stolen from an officer’s home. It contained details on more than 1,000 individuals connected to crime investigations. The Information Commissioner’s Office (ICO) found that Greater Manchester Police regularly used unencrypted memory sticks to transport data, the report states. The police experienced a similar breach in 2010 and has since failed to implement the proper safeguards and data protection training, the ICO found. [PublicService.co.uk]

EU – MEPs Release Data Protection Recommendations

MEP Jan Philipp Albrecht, rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, has released “Working Document 2” on the General Data Protection Regulation draft. Albrecht recommends clarifying the definitions of “personal data” and “data subject” and says consent should “remain a cornerstone of the EU approach to data protection.” Meanwhile, Vice President of the European Parliament Alexander Alvaro has released “Lifecycle Data Protection Management,” in which he emphasizes the need to modernize data protection legislation in a way “that allows consumers to continue having trust in technological advances as well as in their own ability to determine how their personal data is processed.” [Source] [Federal Commissioner for Data Protection and Freedom of Information, Germany – Guide for the Privacy-Compliant Storage of Traffic Data] [Privacy Bill 2006 – National Parliament of Ireland] [European Commission – Unleashing the Potential of Cloud Computing in Europe – Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions]

US – U.S. Officials Head to Europe to Talk Privacy

Officials from the U.S. Department of Commerce (DoC), Federal Trade Commission (FTC) and Chamber of Commerce recently traveled to Europe to discuss privacy issues. DoC General Counsel Cameron Kerry met with Irish Data Protection Commissioner Billy Hawkes and Department of Justice officials this week to discuss cross-border data flows. The FTC’s Director of the Bureau of Consumer Protection David Vladeck was in Brussels supporting efforts by the Internet Corporation for Assigned Names and Numbers to store more data on website operators and retain it for two years. Adam Schlosser of the U.S. Chamber of Commerce, also in Brussels, lobbied for changes to the proposed EU Data Protection Directive, while Department of Justice officials voiced their concerns. [TechWeekEurope]

Facts & Stats

US – Facebook: COPPA Changes Violate Constitutional Rights

Facebook says proposed COPPA changes violate free speech rights. In a filing with the Federal Trade Commission (FTC), Facebook said the proposed provision preventing children under the age of 13 from “liking” or recommending websites violates the First Amendment. “The Supreme Court has recognized on numerous occasions that teens are entitled to First Amendment protection,” the company said. The changes would also prevent websites from installing cookies to track children’s web movements. Facebook has asked the FTC for clarification that “websites will still be allowed to advertise directly to children,” the report states. [The Hill] See also: [FTC – In the Matter of DesignerWare, LLC et al. – Complaint and Agreement Containing Consent Order]

WW – OECD 2012 Internet Economy Outlook Report Released

“Today the OECD has released its 2012 Internet Economy Outlook, a comprehensive look at the Internet’s ongoing role in transforming the global economy. The report opens with a landmark chapter on measuring the Internet economy. This is a significant addition to the research literature on this subject in part because, as the OECD notes, “there is still no widely accepted methodology for assigning an economic value to the Internet.” They find that up to 13% of business sector value added in the United States in 2010 could be attributed to Internet-related activities, as much as transportation, construction and utilities combined.” [Source]


US – Facebook Launches New Help Center, Faces Criticism for Targeted Ads

Facebook has redesigned its help center and dashboard to help users understand privacy settings. Launched Tuesday, the center aims to help users manage their privacy settings and read about changes to the site, the report states. Meanwhile, the French data protection authority has said Facebook users’ privacy was not breached last week following concerns that private messages were being posted on public profiles. The site continues to face criticism for allowing marketers to target ads to consumers based on their web browsing activities or the phone and e-mail addresses they’ve listed on their profiles. [The Washington Post]


US – Finance Concerned New Laws Conflict with FINRA Regs

New laws passed in some states and proposed in others prohibiting employers from requiring social media passwords from employees and applicants have the financial industry questioning whether they conflict with the communications monitoring required by the Financial Industry Regulatory Authority (FINRA). Many employees use one account for both personal and business uses, and under FINRA regulations, personal accounts used for business are to be treated as business accounts. One expert says such concerns about the California law may be an overreaction, however, as the law allows access to employees’ social media accounts for investigations of misconduct and violations of laws and regulations. [Compliance Week] [FTC v. Wyndham Worldwide Corporation et al. – FTC Response to Wyndham Hotels and Resorts’ Motion to Dismiss – United States District Court for the District of Arizona]


CA – Gov’t to Establish Online Access-to-Information Portal

The government plans to launch a pilot project early next year that will allow citizens to request internal documents under the Access to Information Act via the Internet. At the start, the initiative would involve three departments but would later expand to include most federal agencies. Mexico has a similar portal, and the U.S. recently established its own. [The Globe and Mail]

CA – New Brunswick Gets “F” for Disclosures

A Newspapers Canada audit gives the New Brunswick government a grade of “F” for its response to freedom of information requests. The province received a “C” for the speed of its responses. Information and Privacy Commissioner Anne Bertrand expressed disappointment with the findings, which were released this week in the 2012 Freedom of Information Audit report. “It’s quite surprising in 2012 that some governments would approach this way of governing in secrecy or behind closed doors.” [CBC News] See also: [FOI Group Appeals Denial of BC Health Contracts] AND SEE [IPC ON – Reconsideration Order PO-3107-R – Appeals PA07-409 and PA08-127 – Ministry of Finance]


US – Bioethics Committee Releases Report on Genome Sequencing

The Presidential Commission for the Study of Bioethical Issues has released a report on the privacy concerns of whole genome sequencing, a process in which it’s possible to determine a person’s complete DNA makeup using DNA samples taken from everyday items like cigarette butts, dental floss, gum or used tissues. Reuters reports the commission’s chairwoman noted the “enormous promise” of sequencing for human health and medicine but added there is a “potential for misuse of this very personal data.” Genome sequencing is set to become part of mainstream medical care, the report states. The report recommends privacy protections including that no sequencing should be performed without a person’s consent. [Source]


EU – Regulators Call for Changes to Google’s Privacy Policy

The New York Times reports on a press conference hosted by the French data protection authority, the CNIL, where regulators called upon Google to clarify its 10-month-old privacy policy or face potential sanctions. In a letter to Google, the regulators noted the revised privacy policy “did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum,” the report states. CNIL Chairwoman Isabelle Falque-Pierrotin said the agency will give Google three or four months to respond to the concerns. In a statement Google Global Privacy Counsel Peter Fleischer said, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.” Dutch DPA Chairman Jacob Kohnstamm told The New York Times that privacy regulators from the 27 EU member states, Canada and some countries in Asia participated in the CNIL inquiry and “endorsed the request to Google, which outlines areas for changes to improve protection of personal data.” [New York Times] [CNIL To Report on Google’s Privacy Policy]

CA – Lawsuit Alleges Gmail Scanning Violates Privacy

A lawsuit filed in BC Supreme Court alleges Google gathered information sent to and from Gmail accounts. The lawsuit seeks class-action status and could potentially include “anyone in the province who has ever sent an e-mail to a Gmail account,” the report states. The suit alleges Google intercepts and collects personal information from e-mails sent to Gmail users in order to sell targeted advertising opportunities to third parties. Google says it has no comment on the allegations at this time. [The Vancouver Sun]

EU – Regulators to Examine Google Policy, EPIC Challenges FTC

EU data protection commissioners will look at whether Google’s changes to its privacy policy earlier this year comply with EU privacy laws. The revision created a single policy for all Google services and resulted in the consolidation of data into a single location, the report states, drawing questions from regulators including the French data protection authority. Meanwhile, the Electronic Privacy Information Center has released a statement alleging the U.S. FTC has “withheld from public disclosure” information about its recent audit of Google’s privacy program. [The Guardian]

US – Google Asks for Dismissal of Suit

In its motion to dismiss a class-action lawsuit, Google has said the class is contorting state law “in ways the California legislature never intended.” The suit alleges Gmail scans e-mails for content and intercepts messages between Gmail and non-Gmail users. It accuses Google of violating the California Invasion of Privacy Act. Asking U.S. District Judge Lucy Koh to dismiss the case, Google says its “fully automated processes involve no human review of any kind” and added that the plaintiffs fail to articulate harm and instead “rely on conclusory allegations that their privacy rights were infringed in the abstract.” [Courthouse News Service]

Health / Medical

US – Calls for Prescription Drug Info Raise Concerns

In the wake of a “prescription drug epidemic that led to 113 overdose deaths,” administrators with Florida’s Sarasota County Sheriff’s Office have been seeking additional information from doctors through “a form patients could sign that would waive their privacy rights and allow detectives to examine…records without getting permission from a judge.” Citing HIPAA concerns, among other factors, the report notes the move has “drawn sharp criticism” from some in the medical community. One lawyer suggests the forms violate patients’ privacy rights under HIPAA. [The Herald-Tribune]

US – Court: Stored Communications Act “Ill-fitted” to Modern Issues

The South Carolina Supreme Court ruled that accessing e-mails in a cheating husband’s inbox did not violate the Stored Communications Act, but the judges all agreed that the act, now 26 years old, “is ill-fitted to address many modern day issues.” The e-mails were accessed by the wife’s daughter-in-law who was able to guess the man’s security question. The e-mails were then printed and shared with the wife’s divorce attorney and a private investigator. “The Stored Communication Act makes a hazy distinction between obtaining e-mails that have not been read or messages that have been read and stored elsewhere versus e-mails that have been read and remain in an inbox,” the report states. [The Augusta Chronicle]

US – ONC Seeking Comment on Online Verification

The Office of the National Coordinator for Health IT (ONC) is seeking public opinion on how individuals’ identities should be verified when accessing online health records. The ONC will share the comments with the federal advisory Health IT Policy and Standards Committees October 29 during an online hearing on credentialing patients so they may use online tools. “We want to make sure we facilitate electronic data access and e-mail in a way that protects the privacy, confidentiality and security of that information,” said Deven McGraw, chair of the ONC Privacy and Security Tiger Team. [Government Health IT]

WW – Teenage Patients Need Social Privacy Online: Study

Teenage patients who use a social network are less concerned with “informational privacy” (i.e., the collection of personal information by government and companies) than with “social privacy” (i.e., control over their interactions with others). A desire to present themselves as “regular”, and not sick, means that they engage in privacy-protective behaviours, controlling both the audience of their messages (through restrictive privacy settings, selective befriending and audience segregation) and their content (no status updates regarding their diagnosis or treatment). To keep up this self-definition as a regular teenager, patients do not seek out others with similar diagnoses or use social networks geared towards patients or particular illnesses. Health care organizations need to create policies governing interactions between health care providers and patients using social media: social media has replaced e-mail, including for communicating with health care staff about medication, and, due to the length of time spent in treatment, patients have befriended hospital staff on social networks. [Not all my Friends Need to Know: a Qualitative Study of Teenage Patients, Privacy and Social Media – Maja van der Velden and Khaled El Emam, Journal of the American Medical Informatics Association (2012)]

Horror Stories

US – Social Security Numbers of Military Heroes Posted Online

A breach has exposed the Social Security numbers (SSNs) of war veterans from Iraq and Afghanistan. A civilian contractor posted 31 decorated veterans’ SSNs among a list of 500 names and profiles onto a website. A spokesman said the army launched an investigation and ordered the contractor to take the site down. “We take this matter seriously,” the spokesman said. Meanwhile, the University of Chicago is offering to pay for one year of credit monitoring to those affected by a breach involving 9,100 employees’ SSNs. A recent survey found that 26% of Americans have been told their personal information has been breached. [The Washington Times]

US – Hospital Fires Employees for Accessing Patient’s Files

A “small number” of hospital employees have been fired from Ohio’s Akron General Medical Center for violating hospital and federal privacy rules. John H. Wise is accused of shooting and killing his wife at the hospital where she was a patient in the intensive-care unit. A hospital spokesman says the employees were terminated for inappropriately accessing the woman’s patient records. “It doesn’t happen a lot, fortunately, because employees know, but you can’t let the curiosity get the better of you,” the spokesman said. “That’s human nature and we understand that, but it still doesn’t justify the fact that the policies were violated.” [Source]

US – Data Losses Prompt Investigations, Reassurances

An investigation is underway at Northwest Florida State College involving more than 200,000 students and 3,000 employees. Fifty employees, including the school’s president, have reported issues with identity theft. MPBN reports Maine’s Attorney General is looking into an incident involving misplaced consumer data at TD Bank after a box of back-up computer data went missing in March. Meanwhile, strategy game developer Wargaming.net says a recent security breach at digital goods reseller PlaySpan “affects only a select group” of Wargaming’s “World of Tanks” players, and no financial data was compromised. [CNN]

WW – Hackers Post Personal Details from 53 Universities Worldwide

A breach is affecting thousands of personal records from 53 universities around the world. Hackers published records from schools including Harvard, Stanford, Cornell, Princeton, Johns Hopkins and the University of Zurich. Details included 36,000 e-mail addresses as well as names, usernames, passwords, addresses and phone numbers of students, faculty and staff, the report states. The hackers claiming responsibility call themselves Team GhostShell and cited “changing education laws in Europe and spikes in tuition fees in the United States” as their motives. [The New York Times]

Identity Issues

EU – EDPS: Common Standards Should Govern E-ID Schemes

In a new opinion, the European Data Protection Supervisor (EDPS) has recommended that “trust service providers” and other electronic identification issuers should be required to meet a common set of data security standards under the proposed Electronic Trust Services Regulation. The EDPS said “the proposed regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services.” [Out-Law.com]

UK – UK Launching “Virtual ID Card” System; Critics Fear It’s an Instant Target

The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services. People wishing to apply for services ranging from tax credits to fishing licences and passports will be asked to choose from a list of familiar online log-ins, including those they already use on social media sites, banks, and large retailers such as supermarkets, to prove their identity. Once they have logged in correctly by computer or mobile phone, the site will send a message to the government agency authenticating that user’s identity. The Cabinet Office is understood to have held discussions with the Post Office, high street banks, mobile phone companies and technology giants ranging from Facebook and Microsoft to Google, PayPal and BT. Ministers are anxious that the identity programme is not denounced as a “Big Brother” national ID card by the back door, which is why data will not be kept centrally by any government department. Indeed, it is hoped the Identity Assurance Programme, which is being led by the Cabinet Office, will mean the end to any prospect of a physical national ID card being introduced in the UK. The identification systems used by the private companies have been subjected to security testing before being awarded their “Identity Provider” (IDP) kitemark, meaning that they have made the list of between five and 20 approved organisations that will be announced on 22 October. The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk, which will be accessible by mobile. [Independent]

Intellectual Property

US – ISPs Monitoring Program Will Aim to Discourage Copyright Infringement

By the end of 2012, major Internet service providers (ISPs) in the US will have in place monitoring systems that will help implement a six-strikes plan to discourage illegal filesharing. Called the “Copyright Alert System,” the plan results in increasingly severe responses for each successive strike, although “each strike is dozens or scores or hundreds of infringements,” according to Gigi Sohn, president of Public Knowledge, a digital rights group. The first several strikes will result in warnings; subsequent strikes could result in users being redirected to a certain page until they contact the ISP to discuss the matter or having their Internet speeds throttled. The plan involves monitoring peer-to-peer filesharing services. Much of the response is aimed at being educational rather than punitive. [WIRED]

Internet / WWW

EU – Article 29 Working Party: ICANN Updates May Be Unlawful

As the Internet Corporation for Assigned Names and Numbers (ICANN) updates its Registrar Accreditation Agreement, the European Commission’s Article 29 Working Party has said some of the changes may be illegal. The Working Party has written to ICANN to address its annual re-verification of contact details, which it calls “excessive and therefore unlawful” and a new data retention proposal that would keep personal information on registrants including phone numbers, e-mail addresses and credit card data, “for two years after the registration ceases,” the report states. The Working Party says such retention “does not stem from any legal requirement in Europe” and there is no “legitimate purpose” for the data collection. [Infosecurity Magazine] [Article 29 Data Protection Working Party – Letter to Internet Corporation for Assigned Names and Numbers (ICANN)]

EU – Commission Publishes Cloud Computing Guide

In the private sector, 64% of firms in Europe are using cloud services, but spending is limited and these services are still on trial, being used for non-business-critical services (smaller firms are seeking to reassure themselves that the cloud is “safe” before investing, e.g. by waiting for governments to lead by example in cloud adoption). Adoption of the cloud by the public sector follows similar patterns to the private sector, raising concerns around the suitability of business processes for the cloud, how to manage the transition from legacy systems to cloud systems, and which contract models are best (so far cloud usage is complementary to existing systems and is not yielding the high cost savings that governments seek). The four actions most important to cloud adoption are: greater accountability and liability for security by cloud service providers (most providers work on a “best efforts” basis, and it is unclear whether cloud services fall within the e-Commerce Directive’s liability exemption for intermediary services that are mere conduits or provide caching or hosting services); ensuring portability between cloud services (important if the organization uses cloud services in more than one area); improving broadband connections (the lack of reliable and inexpensive broadband connections is a constraint for users); and security certification for cloud service vendors (users are not in a position to evaluate providers’ claims as to their implementation of standards and security). [Source] See also: [Information Commissioner’s Office, United Kingdom – Guidance on the Use of Cloud Computing]

CA – Appeals Court Rules on Internet Case

The Ontario Court of Appeal on Tuesday upheld the conviction of a man who claimed his privacy was violated when his Internet service provider released his name and address to police. The man was later convicted of child pornography offences, the report states. The court said, “The appellant’s name and address was not the kind of information that would reveal intimate personal details or lifestyle choices.” According to the report, “The ruling is significant because it’s the first time the province’s top court has weighed in on whether a computer user has a reasonable expectation of privacy when accessing the Internet.” [The Ottawa Citizen]

US – Privacy Groups Ask FTC to Investigate Facebook’s Involvement with Datalogix

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy want the US Federal Trade Commission (FTC) to investigate whether Facebook is violating the terms of a privacy settlement reached with the agency. Facebook has entered into an agreement with data-mining company Datalogix to measure the effectiveness of ads on the social networking site. Facebook has issued a statement saying that it is “confident that we are [in] compliance with our legal obligations.” The two groups seeking the FTC investigation say that “Facebook did not attempt to notify users of its decision to disclose user information to Datalogix” and that Facebook’s arrangement for users to opt out of the arrangement is “confusing and ineffective.” [NextGov]

Law Enforcement

CA – Ontario Court Affirms Law Enforcement Access to ISP Data

The court dismissed an appeal by an individual whose criminal conviction resulted from a police search of his residence and computer based upon information voluntarily provided to the police by his internet service provider (“ISP”). The police request complied with PIPEDA as it was specific and narrow (e.g. seeking only the subscriber’s name and address, information that would reveal nothing personal about the appellant or his internet usage, and narrowly identifying three specific instances of internet activity) and referred specifically to the nature of the offences being investigated (which were serious and which the ISP was entitled to know when deciding whether to disclose the information), and the ISP’s service was an integral and essential component of the offences being investigated (a connection that makes it more reasonable to expect that the ISP would cooperate with the police request). The search warrant was adequate; the justice of the peace could infer that prohibited content had likely been accessed and stored on the appellant’s computer, and technical and affidavit evidence indicated that the prohibited material likely remained on the computer long after it was downloaded and could likely be recovered by police even if deleted. [R. v. Ward – 2012 ONCA 660 – Court of Appeal for Ontario]

CA – Ontario Court Affirms Law Enforcement Access to ISP Data II

The Court relied on its decision in R. v. Ward to find that the police did not infringe an individual’s Charter rights by obtaining his name and address from his ISP using only a Law Enforcement Request, rather than a warrant or production order. [R v. Cuttell – 2012 ONCA 661 – Court of Appeal for Ontario]

US – GAO Pushes for Work on Location Data Privacy

A report by the Government Accountability Office (GAO) calls attention to the vague treatment of location data in many corporate privacy policies. “Companies were collecting consumers’ location data, but did not clearly state how the companies were using these data or what third parties they may share them with,” the GAO report states. National Journal reports that while the GAO pushes for federal action, it makes just two specific recommendations: that the FTC outline its views on mobile location-data privacy, and that the Commerce Department set concrete goals for its work with consumer advocates and industry to develop voluntary standards. Some politicians are using the report as evidence for legislation in this area. [Source]

US – GAO Report: Agencies Need to be Clearer About Mobile Device Location Data Use

According to a report from the US Government Accountability Office (GAO), federal agencies need to take steps to protect mobile phone users’ location data. The report says that mobile carriers’ descriptions of their collection and use of customer location data are often vague. While having the location information can be helpful for navigation and timely emergency response, it can also be used to profile users, commit identity fraud and conduct surveillance. The GAO recommends the development of “specific goals, time frames, and performance measures for the multi-stakeholder process to create industry codes of conduct.” [The Hill] [ComputerWorld] [GAO.gov]

SG – Exploring the State of the PDPA

Singapore recently had its first reading of its Personal Data Protection Act in Parliament, prompting Hariati Azizan of The Star Online to query when Malaysia’s Personal Data Protection Act (PDPA) will be enforced. Malaysia’s Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced in February that the PDPA would be enforced by the middle of 2012. According to the report, enforcement details will be supplied by the ministry “as early as next month.” Meanwhile, a Malaysian government representative said, “Even though the PDPA has not been enforced yet, there are other relevant laws that can be used to take action against the offenders…” [Source] See also: [Taiwan’s New Personal Data Protection Act Becomes Effective October 1, 2012 – Baker & McKenzie] and [Office of the Privacy Commissioner for Personal Data, Hong Kong – An Overview of the Major Provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012]

PH – Court Suspends Cybersecurity Law

The Supreme Court of the Philippines has suspended the Cybercrime Prevention Act of 2012. The government will respond to 15 petitions filed in opposition to the law, which critics have said could lead to imprisonment for sharing social media posts, the report states. The law “establishes penalties for various computer-related crimes, including child pornography, identity theft, online fraud and illegally accessing computer networks.” One senator called the law’s temporary suspension “the first victory in our battle to defend our freedom and right of expression.” [The New York Times]

SG – Parliament Passes Personal Data Protection Bill

The Singapore Parliament has passed a personal data protection bill aimed at protecting information in the private sector. The bill includes a Do-Not-Call registry and the creation of a new enforcement agency—the Personal Data Protection Commission (PDPC)—to regulate private-sector use of personal data. Slated to become official in January, the act will require individuals be informed of and provide consent to the processing of their data by private organizations, and individuals may seek compensation through private rights of action, the report states. The PDPC may fine noncompliant organizations up to S$1 million. [ZDNet]

HK – PCPD Reports Violations in Loyalty-Card Programs

Privacy Commissioner for Personal Data Allan Chiang has released investigation reports saying three companies violated customers’ privacy by collecting their Hong Kong Identity Card or passport numbers for a loyalty program. The numbers were collected in order to create default passwords for the programs’ online services and, according to Chiang’s report, the practice amounts to unnecessary and excessive collection. Citing increased public awareness due to the “Octopus incident,” Chiang said, “I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations.” [The Standard]

Online Privacy

US – Facebook Testing Promoted (Paid) Posts In the U.S.

“On Wednesday, the company introduced a feature that allows U.S. users with fewer than 5,000 friends to promote their updates – for a fee. The users’ posts would gain prime placement on their friends’ news feeds.” [Washington Post] See also: [Not All My Friends Need to Know: A Qualitative Study of Teenage Patients, Privacy and Social Media – Maja van der Velden and Khaled El Emam, Journal of the American Medical Informatics Association (2012)]

US – Exploring the Privacy of Private Messages

A recent online video allegedly shows that Facebook scans links sent via private messages and registers them as though the user “likes” the page sent. “It’s just one example of how online messages that seem private are often actually examined by computers for data,” the report states, adding, “it is not clear from Facebook’s data use policy that regular users would expect links in their messages to be scanned this way.” Facebook has responded that “absolutely no private information has been exposed” and users’ privacy settings were not affected. [The Wall Street Journal]

US – Officials, DAA and Microsoft Battle Over DNT

The Digital Advertising Alliance (DAA) has responded to Microsoft’s new default-on do-not-track (DNT) browser, saying it is not an appropriate standard for customers, reports The Next Web. But Sens. Joe Barton (R-TX) and Edward Markey (D-MA) say the DAA is putting “profits over privacy.” Microsoft is holding its ground, citing a study of its customers that showed 75% want the company to turn on DNT for them. Meanwhile, EU Digital Agenda Commissioner Neelie Kroes is voicing her concern about the delay and the “turn taken” in the discussions at the World Wide Web Consortium, which missed a June deadline to come up with a better system for DNT. [Source]

WW – In Amsterdam, A Lack of Consensus on Do Not Track

The World Wide Web Consortium (W3C) held meetings in Amsterdam, and there was a lack of consensus among stakeholders on how to bring a Do-Not-Track option to websites. The report states that “the stakes for Internet users are high and boil down to who determines the limits and protections of online privacy on the Internet…” The meeting continues today. While the W3C’s Thomas Roessler says he has “some measure of confidence we will come up with a workable solution,” the head of the European Commission’s Article 29 Working Party, Jacob Kohnstamm, an observer at the meeting, said, “It seems the process has been hijacked by commercial interests.” U.S. FTC Chairman Jon Leibowitz said, “There is enormous and bipartisan momentum for Do-Not-Track options for consumers if there is no agreement by the end of this year.” [The New York Times]

WW – Do-Not-Track Standards Discussion Heats Up

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has told FTC Chairman Jon Leibowitz that “self regulation for the purposes of consumer privacy protection has failed,” but he encouraged the FTC to work with the World Wide Web Consortium to develop Do-Not-Track (DNT) standards. Rockefeller has also introduced DNT legislation. Leibowitz has said the industry “appears to be backing off from its commitments” to DNT. Meanwhile, the Center for Democracy & Technology wrote, “in recent days, we have suddenly seen an all-out blitz of attacks on Do Not Track, both in Washington and Silicon Valley.” Industry representatives have sent a letter to Microsoft’s top executives calling the company’s default DNT setting “unacceptable.” [Broadcasting & Cable]

US – DMA Launches “Data-Driven Marketing” PR Campaign

The Direct Marketing Association (DMA) has launched a $1 million public relations campaign aimed at improving the industry’s image and curbing government “regulation of the consumer data-mining industry.” Titled the “Data-Driven Marketing Institute,” the campaign intends to prevent “needless regulation or enforcement that could severely hamper consumer marketing and stifle innovation” while “tamping down unfavorable media attention.” Acting DMA Chief Executive Linda A. Woolley said, “We want to set the record straight on what we think has been a lot of mischaracterization of what we do and to explain the benefits of data-driven marketing to consumers.” [New York Times]

US – Advertisers Campaign Against Do Not Track

Nine U.S. lawmakers recently wrote to the Federal Trade Commission (FTC) voicing concern over restricting the flow of data “at the heart of the Internet’s success.” The Association of National Advertisers and the Interactive Advertising Bureau have both voiced opposition to Microsoft’s default Do-Not-Track mechanism. The Digital Advertising Alliance has said self-regulation is working and should be given a chance to succeed. FTC Chairman Jon Leibowitz said the disagreement on standards could lead to a privacy arms race with browsers rushing to give consumers the most privacy protections, which may not be a bad thing, he added. [The New York Times]

US – Think-Tank Website Will Not Honor Do Not Track Requests

The website of Washington, DC-based think tank Information Technology and Innovation Foundation (ITIF) will not honor users’ do-not-track (DNT) requests. A new feature on the website detects visitors’ DNT settings and informs those who have the preference selected that the request is denied. In a blog post, ITIF senior analyst Daniel Castro wrote, “Do Not Track is a detrimental policy that undermines the economic foundation of the Internet. Advertising revenue supports most of the free content, services, and apps available on the Internet.” [ComputerWorld] [ITIF]

US – New “Sponsored Stories” Settlement Filed

Facebook has filed another settlement in a lawsuit over its “Sponsored Stories” feature after a judge dismissed the company’s first attempt in August. The settlement includes a one-time $10 payment to affected users and an “easily accessible mechanism” for users to see how their Facebook content is being used in Sponsored Stories. It also allows parents of users under the age of 18 to opt them out of the feature, or, if the parents are not Facebook users, the company will not use minors’ data until they turn 18, the report states. [CNET News]

Other Jurisdictions

BR – Brazil to Track All Vehicles Electronically

“As of January, Brazil intends to put into action a new system that will track vehicles of all kinds via radio frequency chips. It will take a few years to accomplish, but authorities will eventually require all vehicles to have an electronic chip installed, which will match every car to its rightful owner. The chip will send the car’s identification to antennas on highways and streets, soon to be spread all over the country. Eventually, it will be illegal to own a car without one. Besides real time monitoring of traffic conditions, authorities will be able to integrate all kinds of services, such as traffic tickets, licensing and annual taxes, automatic toll charge, and much more. Benefits also include more security, since the system will make it harder for thieves to run far away with stolen vehicles, much less leave the country with one.” [Slashdot]

NZ – Breaches at Bank, Ministry Put Consumer Data at Risk

New Zealand Assistant Privacy Commissioner Katrine Evans said in a statement that her office is “very concerned” about a gap in security at the Ministry of Social Development’s Work and Income data kiosks that allowed unauthorized access to personal and confidential data. Blogger Keith Ng revealed the lapse after receiving a tip, the source of which claims to have alerted the ministry to it in the week prior, seeking financial reward. Cabinet Minister for Social Development and Employment Paula Bennett called the breach “completely and utterly unacceptable” and apologized. [Source] See also: [Draft Regulation of Law No. 29733 Personal Data Protection Law – Official Gazette of Peru]

Privacy (US)

US – California AG and Insurer Reach Lawsuit Settlement

California Attorney General Kamala Harris and Anthem Blue Cross have reached a $150,000 settlement in Los Angeles Superior Court over a data breach incident involving Social Security numbers. Between April 2011 and March 2012, letters were mailed to Medicare Supplement and Medicare Part D subscribers that included the recipients’ Social Security numbers, a violation of California state law. An Anthem spokeswoman said there has been no indication that recipients’ data was abused and the organization has created a new alert system for sensitive subscriber information, the report states. [Associated Press] See also: [United States of America (for the FTC) v. Artist Arena LLC – Complaint and Consent Decree and Order – United States District Court Southern District of New York] and also: [Sean Lane et al. v. Facebook, Inc. et al. – 2012 U.S. App. LEXIS 19767 – United States Court Of Appeals For The Ninth Circuit] and [Coffman v. Central Bank & Trust Co. – 2012 U.S. Dist. LEXIS 136757 – United States District Court for the Eastern District of Kentucky] and [FTC – In the Matter of DesignerWare, LLC et al. – Complaint and Agreement Containing Consent Order]

US – Rockefeller Seeks Answers from Data Brokers

The chairman of the Senate Commerce Committee has asked for detailed information from online data brokers on how they compile and sell consumer information, Broadcasting & Cable reports. Sen. Jay Rockefeller (D-WV) sent letters to data brokers including Reed-Elsevier, Spokeo and Experian seeking answers on data collection—including its granularity, who has access to it and for what purposes. “Collecting, storing and selling information about Americans raises all types of questions that require careful scrutiny,” Rockefeller said, adding that consumers “deserve to know what’s being collected about them and how companies profit from their information.” [Source] See also: [House Bill – An Act Regarding the Protection of Geolocation Information – U.S. House of Representatives] and [Assembly Bill 439 – An Act relating to Health Care Information – California General Assembly]

US – Senate Report: Post 9/11 “Fusion Centers” Offended Civil Liberties

A newly released Senate subcommittee report has found that centers established after September 11, 2001, to share counterterrorism data with local and federal law enforcement put Americans’ civil liberties at risk. Since 2003, more than 70 “fusion centers” were established, costing an estimated $289 million to $1.4 billion. But the centers “forwarded ‘intelligence’ of uneven quality—oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protection,” the subcommittee report states. The report recommends the Department of Homeland Security “revisit the statutory basis for DHS support of fusion centers,” conduct assessments on information-sharing and strengthen protections of civil liberties. [NPR]

US – Federal Trade Commission Cracks Down on Phony Tech Support Schemes

The US Federal Trade Commission has filed charges against 14 companies that are allegedly involved in fraudulent tech support schemes. The scams run operations in which computer users are cold-called by someone pretending to be from a tech support center that has detected that their computer is infected with viruses. In other instances, users are lured in through ads warning them that their computers are infected. They are then instructed to allow the caller remote access to their machines and are charged for the whole process. A US District Court judge has frozen the assets of the companies allegedly involved in the schemes. The FTC has filed complaints against 14 corporate defendants and 17 individual defendants allegedly involved in six schemes. [eWeek] [InformationWeek] [ComputerWorld] [ArsTechnica]

US – 2012 IAPP Privacy Award Winners Announced

At the IAPP Privacy Academy’s Privacy Dinner, some of the best of the best among privacy innovators and experts were honored for their work in the field. In addition to a keynote speech by John Perry Barlow, the 2012 Privacy Dinner featured the announcement of this year’s HP-IAPP Innovator Awards and the Privacy Vanguard Award. Sandra R. Hughes, CIPP/US, is the winner of the 2012 IAPP Privacy Vanguard Award, and for the 2012 HP-IAPP Innovation Award, this year’s winners in the large and small organization and technology categories are the Vodafone Privacy Programme, Alberta Pensions Services, CSR and Oculis Labs. In announcing Hughes’ selection as this year’s Privacy Vanguard at the Privacy Dinner in San Jose, CA, McAfee CPO Michelle Dennedy, CIPP/US, described Hughes’ contributions to the privacy field. Accepting the Vanguard Award, Hughes spoke of her desire to continue to “do the right thing” by giving back to the privacy profession. [Source]

US – Artist Arena Agrees to $1 Million Settlement with FTC for COPPA Violations

Fan site operator Artist Arena has agreed to a $1 million settlement with the FTC for allegedly violating COPPA. The proposed settlement still awaits approval from a judge. An FTC investigation found that the company—which operates fan sites for Justin Bieber and other musicians—collected the names, e-mail addresses, birth dates and gender of children under the age of 13. FTC Chairman Jon Leibowitz said, “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children.” [The Washington Post]

US – Auditor: Ohio Law Hampering School Tracking Efforts

According to auditor Dave Yost, an Ohio law that makes students’ personal information off-limits to state agencies means keeping track of the 1.9 students in the state is difficult and costly. Yost told the state’s Board of Education the Statewide Student Identifier policy “doesn’t help anybody,” adding that moving the system in-house and lifting restrictions on student IDs could save the state an estimated $430,000 each year. “What we’re really worried about here is kids’ information not being out on the street, not being easily accessible…But we can do that by simply controlling the access and what the rules are for dissemination of that information,” Yost said. [Associated Press]

US – AG Tweets to United Airlines: Where’s Your Privacy Policy?

California Attorney General Kamala Harris used social media to commend United Airlines for its “fabulous” mobile app, but then asked via Twitter, “where is your app’s #privacy policy?” Los Angeles Times reports that Harris also linked to the California Online Privacy Protection Act, which requires commercial websites that collect Californians’ personally identifiable information to post a privacy policy. “We have to both cheer the incredible advances in technology and at the same time protect consumer privacy,” said a spokesman for Harris. United Airlines responded saying it would review the app to “ensure that our privacy policy is also easily accessible to United app users.” [Source] See also: [FTC – Examining the Uses of Consumer Credit Data – Testimony before the Subcommittee on Financial Institutions and Consumer Credit] and [Dean Andersen v. State Collection Service, Inc. – 2012 Wisc. App. LEXIS 746 – Court of Appeals of Wisconsin, District Two]

US – Judge Dismisses Pandora Privacy Lawsuit

A federal judge has dismissed a multibillion-dollar lawsuit claiming that Internet radio company Pandora violated its users’ privacy. The suit argued that a pre-Internet era Michigan law was violated when Pandora integrated with Facebook in 2010. Saying that no “actual injury” was demonstrated, U.S. District Judge Saundra Armstrong noted the 1988 state privacy law prohibits a class-action lawsuit “by a person who has not suffered actual loss,” adding, “Pandora argues that it merely streamed music to plaintiff’s computer and, therefore, could not have violated (state law) because it never rented, lent or sold recordings to him.” [CNET News]

US – Groups Warn the FCC on Data Collection, Sharing Practices

Broadcasting & Cable reports that a coalition of groups has cautioned the Federal Communications Commission (FCC) to be careful of how it collects and shares consumer information online in its effort to learn about Americans’ access to broadband services. The Competitive Enterprise Institute, Communications Liberty and Innovation Project, TechFreedom, Center for Media and Democracy and six other groups say they are concerned about consumers sharing information with the commission that could be shared with law enforcement and allow their Internet activity to be reviewed “without due process or judicial scrutiny,” the report states. [Source]

US – Companies Settle with FTC for List Sharing

One of the largest U.S. consumer reporting agencies has agreed to settle with the FTC over charges it “improperly sold lists of consumers who were late on their mortgage payments,” in violation of the FTC Act and the Fair Credit Reporting Act. Equifax Information Services, LLC, will pay $393,000 over allegations that its “inadequate procedures” led to the sale of more than 17,000 lists to firms that “should not have received them.” Direct Lending Source, which bought the lists and resold some of them to third parties, will pay $1.2 million. [FTC Press Release]

Privacy Enhancing Technologies (PETs)

US – Rights Group Lauds Privacy Changes in Apple’s iOS 6

The Center for Democracy and Technology (CDT) says it approves of the privacy features Apple recently incorporated to its iOS 6 operating system. In a recent blog post, the CDT said it “applauds Apple’s decision to incorporate these substantial pro-privacy elements into iOS 6, allowing users to finely control how their data gets shared with specific apps and to more easily express a desire not to be tracked by marketers,” adding, “We hope that this effort encourages mobile OS vendors to continue to iterate and compete on built-in privacy controls.” Meanwhile, in PCWorld, Tony Bradley says the enhancement of data protection controls in Microsoft’s Exchange Server will help IT admins keep data safe. [Computerworld]

WW – New Privacy Tools Emerge

The Association for Competitive Technology has introduced App Privacy Icons as part of its campaign to “provide developers with the resources to demonstrate easy-to-understand transparency about the privacy settings and features of their apps.” The icons inform web users whether an app contains advertising, collects data or shares information with social networks, the report states. Meanwhile, a group of privacy activists have launched “Terms of Service; Didn’t Read” to help users make better choices online. “We are trying to fight the unfair situation in which big websites make us sign terms-of-service agreements that are too long to read and understand,” the project description states. [eWeek]


US – Student RFID Tags Transmit Constant Signal

While some companies fight revisions to the Children’s Online Privacy Protection Act and others continue to violate it, the tracking of students through RFID badges and surveillance cameras is increasing. As of October 1, a Texas school system outfitted students at two of its campuses with badges containing RFID chips that transmit a constant signal so students can be tracked throughout the day—unlike more commonly used RFID badges that only transmit data when scanned. Privacy and civil rights activists say the badges contravene the students’ right to free speech as they can monitor which kids spend time together. [AlterNet]


CA – Stoddart Questions Increased Cameras on Parliament Hill

Privacy Commissioner Jennifer Stoddart is questioning a plan to install 134 surveillance cameras on Parliament Hill, adding to the 50 that are currently there. The RCMP and House of Commons proposal would install the cameras as part of a government security overhaul. Stoddart’s report notes that a “deliberate decision” was made not to notify the public of the surveillance with signs. In an interview, Stoddart said, “Any of these massive surveillance programs are a real infringement on citizens’ rights and have not necessarily proven their worth.” [The Globe and Mail]

CA – Edmonton Police to Test Body-Worn Video

Edmonton police have begun a yearlong pilot program to test audio and video recording devices that are small enough to be worn on uniforms. The body-worn video recording systems were tested in Victoria, BC, in 2009 and were met with concerns about access and use of the recordings as well as the officers’ ability to turn the cameras on and off at will. Edmonton police are hearing similar concerns, and while Alberta’s privacy commissioner has been alerted to the plan, the office says it’s too soon to tell if there will be privacy concerns. [Toronto Sun] SEE ALSO: [Information Security Manual 2012: Principles – Department of Defence, Australian Government]

Smart Cards

UK – App Allows for Criminal Records Searches

A new mobile app allows users to search for individuals’ and companies’ criminal histories. Do No Evil costs $1 a search and scans more than two million litigation records by name and address. The report quotes a man who said the app violated his privacy, preventing him from gaining employment based on his past. The Office of the Privacy Commissioner for Personal Data has received inquiries on the app, a spokesman said, but hasn’t received official complaints. [Time Out]


US – License-Plate Tracking Tech Becoming Ubiquitous

The Wall Street Journal reports on the rise of license-plate tracking technology, noting it “is a case study in how storing and studying people’s everyday activities, even the seemingly mundane, has become the default rather than the exception.” The Department of Homeland Security (DHS) has awarded more than $50 million in federal grants to law enforcement agencies during the past five years for the technology, and at least two private businesses using the technology have been identified, the report states. Former DHS Chief Privacy Officer Mary Ellen Callahan, CIPP/US, once said such private databases could become the nation’s largest collection of people’s movements. Meanwhile, privacy advocates are concerned that new forms of car insurance discounts are potentially privacy-invasive. [Source]

US – SCOTUS Ends Case Against Telecoms

The U.S. Supreme Court has ended a class-action lawsuit filed six years ago against U.S. telecommunications companies for assisting the NSA in monitoring international phone calls and e-mails. The suit was “dealt a death blow in 2008 when Congress granted retroactive immunity” to the companies, the report states, and the court has turned down appeals from civil liberties groups without comment. A case is expected to come before the court later this month to decide whether NSA agents can be sued for authorizing the wiretapping, the report states. [Los Angeles Times]

UK – New Regulator Raises HD CCTV Concerns

Newly appointed Surveillance Camera Commissioner Andrew Rennison says the unregulated installation of inexpensive, high-definition CCTV cameras in Britain could identify and track individuals, creating a Big Brother state and breaching human rights laws. “The technology has overtaken our ability to regulate it,” Rennison said, adding the sophisticated cameras are “storing all the images they record” and have the ability to “run your image against a database of wanted people.” According to the report, Rennison is creating a CCTV code of conduct for Parliament. [The Telegraph] SEE ALSO: [Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses – Congressional Research Service]

Telecom / TV

US – Privacy War Heats Up Between ACLU, DOJ

CSO reports on arguments being levied by the American Civil Liberties Union (ACLU) and the U.S. Department of Justice (DOJ) over government surveillance of citizens’ electronic communications. The ACLU has said the Electronic Communications Privacy Act (ECPA) is outdated and does not require court approval for “non-content” information. ECPA’s standard on “non-content” data is “based on an erroneous factual premise, specifically that individuals lack a privacy interest in non-content information,” said an ACLU representative, adding that non-content data paints a “vivid picture of the private details of your life.” Meanwhile, the U.S. Court of Appeals in New Orleans is scheduled to hear a government appeal regarding a warrantless request for cellphone location records, and California Gov. Jerry Brown vetoed a bill that would have required law enforcement to get a warrant prior to obtaining location-tracking data. [Source]

US – Wireless Carrier’s Initiative Raises Privacy Concerns

A marketing initiative by Verizon Wireless has raised concerns among privacy advocates. The company’s Precision Market Insights plan aggregates customers’ locations, app usage and browsing activities and sells the data, a move that some say could violate a federal wiretap law. Verizon says it may link consumer data to third-party databases containing information about customers’ gender and ages as well as details such as “sports enthusiast, frequent diner or pet owner,” the report states. The company says the initiative is legal because the data is aggregated, does not reveal customers’ identities and provides an opt-out. Meanwhile, a Huffington Post report provides three ways to limit third-party access to iPhone user activity. [CNET News]

US Government Programs

US – DHS Issues Privacy Annual Report

82% of the DHS Federal Information Security Management Act (“FISMA”) systems were covered by required PIAs, and 95% of systems of records notices were completed; privacy reviews were conducted on 176 intelligence products and 421 Intelligence Information Reports. DHS processed 895 of 909 FOIA requests; an electronic FOIA solution was piloted, which enables requests and appeals to be entered into the system from written or electronic requests, offers options for printing or emailing acknowledgements and standard responses, calculates fees based on agency policy, and includes an advanced electronic redaction toolset for search, retrieval and redaction. The use of privacy compliance reviews (“PCR”) was expanded, with 5 public PCRs completed in the areas of cybersecurity, information sharing and the use of social media; over 1,000 privacy complaints were received, along with 51 Privacy Act amendment requests. Six public reports were issued (e.g., 3 quarterly reports under the 9/11 Commission Act, the 2011 Annual FOIA Report, the 2012 Chief FOIA Officer Report and the 2011 Data Mining Report to Congress); 658 privacy incidents were reported to the DHS Security Operations Center (an increase of 34% over the last reporting period), primarily consisting of the alteration/compromise of information (85%), investigation unconfirmed/non-incident (13%) and misuse (2%). Source: [2012 Annual Report to Congress – Privacy Office, Department of Homeland Security]

Workplace Privacy

US – BYOD Gives Rise to Maze of Legal Risks

The growth of bring-your-own-device (BYOD) policies brings with it “a minefield of legal questions and risks.” Demand for legal services for data privacy and security “has skyrocketed” and has propelled a number of law firms to build out privacy protection practices. Meanwhile, a new Harris survey has revealed that nearly 80% of employees would not give their employers access to view what apps are on their devices. [The Washington Post] SEE ALSO: [EEOC Locks Down Employers’ Use of Arrest and Conviction Information – Melissa Siebert, K&L Gates – LAW.COM] and [Data Protection During Recruitment: Top 10 Tips for Managers – Helen Burgess, Senior Associate – Shoosmiths] AND [Technology and the Monitoring of Employees – Employment Practice Group, Kemp Little LLP]
