16-31 October 2012



US – FTC Releases Facial Recognition Best Practices

The Federal Trade Commission has released recommendations for companies using facial recognition technology. “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” recommends that companies design their services with consumer privacy as a consideration; develop reasonable security practices; assess the sensitivity of the information that is collected; and make sure consumers are aware when a facial recognition technology is being used. “Fortunately, the commercial use of facial recognition technologies is still young,” the staff report states. “This creates a unique opportunity to ensure that, as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.” [Source] [Source] SEE ALSO: [EU – Referral Decision to the European Court of Justice re: refusal to provide biometric data in relation to travel documentation and passports – The Council of State, Netherlands]

WW – The Emergence of Emotion-Sensing Technologies

Improved facial recognition technologies are now capable of sensing human emotions such as anger, sadness and frustration. Affective computing is currently being developed to assess a wide range of applications from reading student interest in the classroom to helping those on the autism spectrum understand the emotions of others. Emotionally aware devices, however, give “many people the creeps,” the report states. Oxford University Future of Humanity Institute Director Nick Bostrom said, “We want to have some control over how we display ourselves to others,” adding, “it’s not obvious the world would be a better place” with such technology. [The New York Times] SEE ALSO: [Smart Cameras Predict Human Behavior]


CA – Online surveillance Set as Tories’ Bill C-12 Comes Up for Second Reading

The Conservative government’s widely criticized online surveillance legislation may be on the back burner, but another bill that would expand police access to Internet users’ data is about to resurface. Bill C-12 would make it easier for authorities — possibly including private security firms — to obtain information about subscribers from Internet service providers, email hosts and social media sites on a voluntary basis. The legislation also includes provisions that could effectively impose a gag on the companies, preventing them from telling customers their personal details have been shared. Government House leader Peter Van Loan recently signalled the little-noticed bill could come up for second-reading debate as early as next week. The likely re-emergence of the bill comes eight months after a storm of outrage over another, highly publicized attempt to boost Internet surveillance. Bill C-30 alarmed civil libertarians because it would allow authorities access to Internet subscriber information — including names, addresses, telephone numbers and email addresses — without a warrant in cases where companies refused to provide it voluntarily. [National Post] SEE ALSO: [Canadian police urge Parliament to pass domestic spying bill]

CA – Canadian, German Data Protection Watchdogs Join Forces

The German and Canadian data protection commissioners signed an agreement that aims to ensure people’s digital privacy will be better protected if data travels across borders via the Web, the authorities announced. International cooperation could help put companies like Facebook and Google on a privacy leash. Both countries will inform each other about important events and complaints and will cooperate on specific cases, the authorities said in a news release. Although there have not yet been cases where the data protection authorities might have wanted to work together, Peter Schaar, the German Federal Commissioner for Data Protection and Freedom of Information, said international cooperation is needed in cases dealing with companies like Google and Facebook. Both data protection agencies are striving to expand their coordination with counterpart agencies around the world, they said. At the 34th International Conference of Data Protection and Privacy Commissioners at the end of October in Uruguay, Canada and Germany plan to discuss extending their cooperative agreement to more countries. [IDG News Service]

CA – Federal Confusion Undermines No-Fly List, Spy Watchdog Says

The federal spy watchdog says confusion over how Canada’s no-fly list should work has “significantly undermined” its potential to help keep the skies safe. In its newly released annual report, the Security Intelligence Review Committee reveals there is uncertainty in government over who should be on the no-fly roster. Under the program in place since June 2007, airlines rely on a list of individuals considered “an immediate threat to civil aviation” should they board an aircraft. The review committee says, however, that description is open to interpretation, and federal agencies have “struggled” with nominating people for the list. The review committee also raises concerns about CSIS’s information exchanges with foreign counterparts — a sensitive issue given the possibility such sharing can lead to the torture of people detained in overseas prisons. The committee identified problems with:

 – CSIS’s efforts to obtain assurances from foreign partners when receiving information from them.

 – the attachment of caveats — or restrictions on use — when providing information to a foreign agency.

 – the sharing of information on young offenders.

The watchdog concluded there was a “lack of clarity and absence of guidelines” on assurances from foreign partners when information-sharing poses a substantial risk of torture. It also found the use of specific caveats was inconsistent — noting up to a dozen different ones had been attached to files shared in recent years. The review committee recommends CSIS develop policy and direction on the use of assurances, and that it revise its policy on caveats. [CBC News] SEE ALSO: [US – Experts warn about security flaws in airline boarding passes] AND [Auditor General report: Canada’s online security centre not operating around the clock]

CA – Federal Privacy Commissioner Satisfied With Response from ‘Leaky’ Web Sites

Privacy Commissioner Jennifer Stoddart says she’s pleased with the progress made by organizations flagged as raising privacy concerns. In September, Stoddart said some leading Canadian websites were inappropriately sharing users’ personal information with third parties. After investigating 25 shopping, travel and media sites, Stoddart wrote to 11 of them asking for changes in order to comply with Canadian privacy law. A Stoddart spokesperson said she’s “pleased that they appear to be taking this issue very seriously,” and the office is now analyzing their responses for continued discussions. [ITBusiness.ca]

CA – Ontario Commissioner Releases Paper on Personal Data Ecosystem

Information and Privacy Commissioner of Ontario Ann Cavoukian, with co-authors from Europe and the U.S., has released a paper, Privacy by Design and the Emerging Personal Data Ecosystem, that highlights new technologies enabling Internet users to have more control over their data. “Privacy is all about control,” Cavoukian says in a news release, adding, “that is why I am taken with the promise of the emerging Personal Data Ecosystem. New technologies…give individuals a central point of control for their personal information and the ability to decide what information to share, with whom and under what conditions.” [News Release] See also: [NYT: New Online Storage Service to Put Users in Charge] AND [US – Data Deluge Creates Privacy Issues]


WW – Transaction Data-Sharing Rising; Consumers Want Control Over PI, Says Survey

MasterCard is currently reviewing transaction data to help marketers improve targeted advertising. MasterCard Senior VP of Media Solutions Susan Grossman said, “The foundation of all our solutions is transaction data.” A company spokesman said MasterCard is “committed to protecting individual privacy” and that shared data is anonymous and aggregated. Wired reports on potential business ventures for Amazon. A representative from a digital ad agency said, “With rich data on its users, Amazon is uniquely positioned to match advertisers with shoppers.” Meanwhile, a TrustedID survey has revealed that less than 20% of consumers have a good understanding of “data brokers.” [Financial Times]


US – Presidential Campaigns Ramping Up Online Tracking

The New York Times reports on the online tracking of consumers by both U.S. presidential campaigns. “One of the hallmarks of this campaign,” the article states, “is the use of increasingly complex—but not always accurate—data-mining techniques to customize ads for voters based on the digital trails they leave as they visit Internet sites.” According to an Evidon report, both campaigns have increased their online tracking beyond that of many popular retailers, the report states. Some privacy advocates worry that collected data could be used for secondary purposes, giving businesses a window into users’ political beliefs. The ACLU’s Chris Calabrese said, “We simply don’t know how this information is going to be used in the future and where it is going to end up.” [NYT] SEE ALSO: [AU – Site names homeowners – concern over website’s breach of privacy]


US – Inspector General: Lack of Encryption Software Puts Vet Data at Risk

Encryption software purchased for PCs and laptops at the U.S. Department of Veterans Affairs (VA) has been installed on only 16% of computers, according to the department’s inspector general. The software was purchased six years ago after a high-profile data breach involving the loss of information on 26 million veterans and costing $20 million to clean up. An anonymous tip that the software was not being implemented prompted the inspector general to investigate. The inspector’s subsequent report states that veterans’ data “remained at risk due to unencrypted computers.” The VA says it plans to complete installing the software by September 2013. [InformationWeek] [Inspector-General report]

UK – RSA Splits Passwords in Two to Foil Hackers’ Attacks

A product that scrambles and then splits users’ passwords in two before storing them on different computer servers has been unveiled by RSA. The security firm says the facility offers better protection against hackers, who would only gain access to half a “randomised” password in the case of a successful attack. The firm said the idea had been discussed by academics for some time. However, one expert said it would only prevent a minority of attacks. RSA’s distributed credential protection (DCP) facility was announced at the company’s annual European Conference in London. “DCP scrambles, randomises and splits sensitive credentials, passwords and Pins and the answers to life or challenge questions into two locations,” said the firm’s marketing manager Liz Robinson. “This is especially important in today’s landscape as we’ve seen over 50 million passwords stolen in large data breaches in 2012 alone.” [bbc.co.uk] SEE ALSO: [Top 25 common, attackable passwords: Stop using ‘ninja’ and ‘jesus’]
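To make the split-credential idea in this item concrete, here is an added Python illustration (not RSA’s DCP code; the product’s actual protocol is not described on this page) of the approach the article summarises: a salted, iterated password verifier is XOR-split into two shares kept on separate stores, so that either share on its own is a uniformly random blob. `ShareStore`, `enroll`, `verify` and `refresh` are hypothetical names chosen for the example; the users and passwords are constructed.

```python
import hashlib
import hmac
import os

SHARE_LEN = 32  # bytes; matches the SHA-256 output length used below


def verifier(salt: bytes, password: str) -> bytes:
    # The "scrambled" credential: a salted, iterated hash rather than the raw password.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, 100_000, dklen=SHARE_LEN
    )


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == SHARE_LEN
    return bytes(x ^ y for x, y in zip(a, b))


class ShareStore:
    """One of the two independent servers. It holds only its own share per user,
    so a compromise of a single store yields values that are independent of the
    password (share A is fresh randomness; share B is the verifier masked by it)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.shares: dict = {}


def enroll(store_a: ShareStore, store_b: ShareStore, user: str, password: str) -> None:
    salt = os.urandom(16)
    v = verifier(salt, password)
    share_a = os.urandom(SHARE_LEN)   # randomise: a one-time mask
    share_b = xor(v, share_a)         # split: verifier XOR mask
    store_a.shares[user] = (salt, share_a)
    store_b.shares[user] = share_b


def verify(store_a: ShareStore, store_b: ShareStore, user: str, password: str) -> bool:
    # Caveat: this toy recombines both shares in one process. A production
    # design would run a protocol in which no single party ever holds both.
    if user not in store_a.shares or user not in store_b.shares:
        return False
    salt, share_a = store_a.shares[user]
    share_b = store_b.shares[user]
    recombined = xor(share_a, share_b)
    return hmac.compare_digest(recombined, verifier(salt, password))


def refresh(store_a: ShareStore, store_b: ShareStore, user: str) -> None:
    # Re-randomise both shares with a fresh mask. The XOR of the pair is
    # unchanged, but a share captured from store A before the refresh no
    # longer combines with a share captured from store B after it, so an
    # attacker must compromise both stores within the same refresh window.
    salt, share_a = store_a.shares[user]
    mask = os.urandom(SHARE_LEN)
    store_a.shares[user] = (salt, xor(share_a, mask))
    store_b.shares[user] = xor(store_b.shares[user], mask)


if __name__ == "__main__":
    a, b = ShareStore("store-a"), ShareStore("store-b")
    enroll(a, b, "alice", "correct horse battery")  # constructed sample user
    print("login ok:", verify(a, b, "alice", "correct horse battery"))
    print("wrong pw:", verify(a, b, "alice", "hunter2"))
    refresh(a, b, "alice")
    print("after refresh:", verify(a, b, "alice", "correct horse battery"))
```

Offline guessing against one captured store is pointless here: with share B alone an attacker cannot test a candidate password without share A, and vice versa.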

EU Developments

EU – Justice Committee Calls for Changes in Draft Data Protection Proposals

The Justice Select Committee has said the European Data Protection proposals “need to go back to the drawing board.” The committee says in a new report that the updates to data protection laws are “too prescriptive” and don’t allow necessary flexibility for data protection authorities or organizations that retain personal data. The proposals should focus on the commission’s objectives while compliance should be monitored by member states, the committee suggests. The committee noted its support for the draft law’s provisions that would give individuals increased control of their data, allow for data erasure or removal and harmonize laws across regions. [Parliament.uk] SEE ALSO: [EDPS – Comments on DG Connect’s Public Consultation on Improving Network and Information Security (NIS) in the EU] AND [EU – RSA’s Coviello calls for privacy laws to be overhauled to improve security]

US – FTC Declines to Comment on EU’s Call for Privacy Policy Changes

Following French DPA (CNIL) President Isabelle Falque-Pierrotin’s announcement on calls for Google to revise its privacy policy, the U.S. has “declined to join European criticism.” Falque-Pierrotin had asked the FTC’S David Vladeck to support a letter that Dutch DPA Chairman Jacob Kohnstamm previously confirmed was endorsed by 27 EU member states, Canada and some countries in Asia. Vladeck declined, and the FTC has not commented on whether it is investigating privacy issues raised in the letter, the report states. “We would have been happy if they would have signed it,” Falque-Pierrotin said, adding, “I think they will study it and have their own conclusions.” [The Washington Post]

EU – Reding Hints at Data Protection Concessions for SMEs

At a Home Affairs Council meeting in Luxembourg last week, EU Justice Commissioner Viviane Reding said she was willing to offer some concessions to small-medium enterprises (SMEs) and the public sector in revisions to the data protection regulation. Though the regulation needs the “right firmness of touch,” Reding said she did not want SMEs to be overburdened. “The commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed,” Reding said, adding, “One thing is clear: There can be no general exemption for the public sector.” [COMPUTERWORLD UK]

EU – Council of Europe Promoting Latin American Data Protection

The Council of Europe is encouraging non-EU member states to ratify Convention 108—the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Uruguay, which recently hosted an international privacy conference, has initiated the ratification process, possibly becoming the first non-Council of Europe member state to do so. Council of Europe’s Jörg Polakiewicz said, “The eventual accession of Uruguay will be a key step towards the global promotion of the convention and intergovernmental cooperation on personal data protection,” adding, “We are sure, hopefully, that Uruguay will be the first of many non-European countries to join the treaty.” [MercoPress]

UK – ICO Looking Into Police Data Collection, Retention

The Information Commissioner’s Office (ICO) is investigating claims against Kent police over data collection and retention activities. A spokesman for the ICO said, “If police forces are examining the content on mobile phones and are wanting to use that information, this would need to comply with the Data Protection Act.” He added the office is “looking at this issue and will be considering whether any action is necessary to help ensure compliance…” Meanwhile, a spokesman for the Home Office said that although information about suspects is crucial, police “should only be extracting and retaining data relevant to criminal investigations or for other permitted purposes.” [This is Kent]

UK – UK ICO Updates Guide to ICO Data Protection Audits, Version 2.0

The audit guidelines have been updated to reflect the likelihood of follow-up action after the original audit has been completed, based on the original audit findings:

 – high assurance of data protection found: there will be no follow-up.

 – reasonable assurance of data protection found: an e-mail follow-up will be conducted at 6 months and a short summary report will be produced.

 – limited assurance of data protection found: an e-mail follow-up will be conducted at 6 months to determine whether a follow-up visit is required.

 – very limited assurance of data protection found: 3-monthly updates will be required from the organisation, as well as a full update at 12 months, and a follow-up site visit will probably be required.

[Source] SEE ALSO: [UK Information Commissioner’s Office – Audit: A Guide to ICO Privacy and Electronic Communications Regulations Audits] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: Central Government – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: National Health Service (NHS) – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Surrey and Sussex Probation Trust – Data Protection Audit Report Executive Summary] AND [Datainspektionen, Sweden – Decision – Uppsala County Council Hospital is Correcting Deficiencies: the Data Inspection Board (“DIB”) issues a decision regarding a hospital’s shortcomings in its IT systems regarding doctor access to medical records]

UK – ICO Fines Council £120,000 After Child Data Breach

The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent Council £120,000 after sensitive personal information was e-mailed to the incorrect recipient. The council failed to resolve issues raised by an earlier and similar incident by failing to provide a legal department with encryption software and lacking data protection training, the report states. ICO Head of Enforcement Stephen Eckersley said “the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.” [publicservice.co.uk] SEE ALSO: [UK – Information Commissioner’s Office – Data Protection Act 1998 Monetary Penalty Notice – Norwood Ravenswood Limited]

EU – Regulators Looking Into Microsoft Changes

Luxembourg and other EU data protection commissions (DPCs) are looking into whether changes Microsoft made to its Internet products Hotmail and Bing bring new privacy risks for users and comply with the region’s standards on notice and choice. President of the Luxembourg DPC Gerard Lommel acknowledged that possible issues “can neither be excluded nor confirmed” in this case, suggesting the review is not on the level of a recent investigation into Google’s privacy policy changes “where clear privacy issues had been identified.” [The Washington Post] SEE ALSO: [EU – European Commission v. Republic of Austria – Case C-614/10 – European Court of Justice]

EU – Court Rules Austria DPA Needs More Independence from Gov’t

The Court of Justice of the European Union (CJEU) has ruled that the Austrian government has not complied with EU law as it has not provided its data protection authority (DPA), the Datenschutzkommission, with “complete independence.” In order to attain “complete independence,” the CJEU ruled that DPA staff must not share offices with government officials; must not be required to provide the government with “unconditional” access to information about the DPA’s work, and an individual heading a DPA must not simultaneously hold other government positions. During a speech in Brussels, the European Data Protection Supervisor called the decision a “great day for data protection in Europe,” while also discussing the relationship between the proposed EU regulation and the e-Privacy Directive. [Out-Law.com]

UK – Graham: “Important Data Protection Principles at Stake”

Information Commissioner Christopher Graham told a committee of MPs recently that the draft Communications Bill, currently in front of Parliament, may miss its intended mark and instead uncover “incompetent and accidental anarchists” rather than the “really scary people.” The bill would see Internet service providers (ISPs) required to store communications data for at least one year, but Graham says it may only apply to the six largest companies, adding, there are “important data protection principles at stake. There is a judgment to be made between the security community saying ‘we have to have this stuff’ and the civil liberties community, which says this is a gross intrusion of privacy and of citizens’ rights.” [BBC News]


WW – Twitter Posts Notices for Copyright-Deleted Tweets

Twitter has made a significant shift in how it responds to copyright complaints. In the past, such complaints meant that tweets would vanish without a trace but now people can see the place where the tweet once stood — and reaction to its disappearance. [GigaOm]


WW – PCI Council Says Payment Regulation Is Challenging

PCI Security Standards Council European Director Jeremy King has said the council was “surprised at how fast new technologies were coming along” in the mobile payment landscape. King added, “Mobile technology is still new, and there is still no knowledge of how to do mobile security.” Analyst Alan Goode said challenges not only reside on the security side but in the authentication and data protection spheres as well. “It is difficult to regulate and ensure data is protected,” he said, adding, “With mobile you can do it right, providing that the data is protected and assured.” [SC Magazine]

US – Credit Report Data Security Questioned

The theft of credit reports raises questions of whether adequate security is being employed to protect credit reporting databases. Instead of directly targeting the big three credit bureaus, data thieves often target affiliated businesses that utilize credit background checks. Sen. Richard Blumenthal (D-CT) said, “This is profoundly important because it illustrates a growing problem when it comes to data breaches and security—the chain is only as strong as its weakest link,” adding, “If their customers have inadequate security practices, so do the credit bureaus.” A spokesman for Experian said, “We continue to invest in the security systems we have in place to protect our clients and consumers.” [Bloomberg] SEE ALSO: [CA – TD Bank missing data could affect 1,000 Canadians with U.S. accounts] AND [US – Can’t fix error in your credit report? Call Consumer Financial Protection Bureau] AND [“Lagarde list” of Greek depositors in Swiss bank leaked, journalist arrested for breach of privacy]


CA – Federal Gov’t Plans Online Pilot Project for Access-to-Information Requests

Canada’s archaic access-to-information regime is about to establish a toehold in the online world. The Harper government plans a pilot project early next year to allow ordinary citizens and others to request internal documents under the Access to Information Act via the Internet. The one-stop online portal would route each request to the proper department, allow fees to be paid electronically, and permit detailed tracking of the processing of the file. The initiative will begin with just three departments, but is to include most federal agencies and institutions over the next three to four years. Canada, once considered a global leader in freedom of information, has since become a laggard, with one 2011 study ranking the country 40th among 89 nations with similar transparency laws. [Source] [Canadian government revamping open data portal] SEE ALSO: [Ontario ombudsman André Marin says municipalities ‘shockingly secretive’]

US – Gazette Sues City for Records of Employee Discipline for Internet Abuse

The Billings Gazette filed a lawsuit against the city of Billings, asking for the release of public records dealing with city workers who were disciplined for viewing inappropriate websites on the job. The state District Court lawsuit seeks a court order compelling the city to produce documents in the case of five workers who were suspended without pay for five days last spring. In the lawsuit, Gazette attorney Martha Sheehy cited the right-to-know provision of the Montana Constitution and said the city “impermissibly violated the public’s right to inspect and copy documents held or generated by a public body.” The city has not identified the five workers and would not say what positions they held or where in the city they worked. “The law is well settled,” the suit says. “Public employees who occupy positions of trust have no legitimate right to privacy to investigations of their conduct.” The suit further says that managerial employees “clearly had no reasonable expectation of privacy” and nonmanagerial employees “have limited privacy interests in the misuse of government time and computers in the accessing of inappropriate internet sites.” “The public’s right to know clearly outweighs any privacy interests which might be asserted by a public employee disciplined for accessing or repeatedly attempting to access inappropriate materials while at work for the City,” the suit continues. In addition to asking for a court order requiring the city to produce the requested documents, the suit asks that the city pay the newspaper’s attorney fees and costs. [Source] SEE ALSO: [IPC ON – Order PO-3110 – Appeal PA11-347 – Ministry of Health and Long-Term Care]


US – Citing Privacy Concerns, U.S. Panel Urges End to Secret DNA Testing

They’re called discreet DNA samples, and the Elk Grove, California, genetic-testing company easyDNA says it can handle many kinds, from toothpicks to tampons. If the availability of such services seems like an invitation to mischief or worse – imagine a discarded tissue from a prospective employee being tested to determine whether she’s at risk for an expensive disease, for instance – the Presidential Commission for the Study of Bioethical Issues agrees. On Thursday it released a report on privacy concerns triggered by the advent of whole genome sequencing, determining someone’s complete DNA make-up. Although sequencing “holds enormous promise for human health and medicine,” commission chairwoman Amy Gutmann told reporters, there is a “potential for misuse of this very personal data.” The bioethics panel recommends a dozen forms of privacy protection, including that “surreptitious commercial testing” be banned: No gene sequencing or other genetic testing should be permitted without consent from the person the DNA came from, it said. About 25 states currently allow such DNA testing. The full report from the presidential commission is at www.bioethics.gov. [reuters.com] [US Panel: Protect patients who use whole genome sequencing] SEE ALSO: [IN – Department of Biotechnology, Government of India – Draft Human DNA Profiling Bill 2012]


US – Policies of Google and Others Said to Mean Privacy Risks For ‘Cloud’ Users

The privacy policies of Google and other tech firms could allow them to mine personal data held by government agencies that use cloud-based e-mail, database and document services, an industry group warned. The group, SafeGov.org, a consortium of industry experts promoting safe government use of cloud services, raised the concern as Google has sought to defuse controversy over changes to its privacy policy that allow for more extensive tracking of consumers. SafeGov.org first highlighted this issue in January after Google announced plans to consolidate its privacy policy across more than 60 services, including Gmail and YouTube, allowing tracking of users as they move among those sites. The group recently renewed its call for greater safeguards after European data-protection commissioners last month identified significant legal shortcomings in the policy and called for changes. Google officials say the changes to its privacy policy do not affect the bundle of productivity software it sells to governments, which are governed by contractual provisions. “The privacy policy as written gives them unlimited ability to mine [data] as they see fit,” said Jeff Gould of SafeGov.org. SafeGov.org says its concerns extend to state and local governments, as well as schools and other public institutions. “It’s just not appropriate to have data mining,” Gould said. “If they’re not doing that, then let them say that.” [The Washington Post] SEE ALSO: Europe: [Google’s privacy policy under fire] AND [NYT: Larry Page Defends Google’s Privacy Policy] AND [UK: Google told to fix privacy policy by EU data regulators]

EU – Advocate: Google Data Use Should Be in Antitrust Talks

A European-based consumer rights group has said the European Union should consider Google’s access to personal data in its antitrust considerations. Consumer organization BEUC Director General Monique Goyens said in a letter to the EU’s antitrust chief that much of the company’s market advantage is “largely fueled by its access to users’ personal data.” Goyens added, “The privacy policy of Google is directly linked to its dominance in the online search and should therefore be considered as an aggravating factor in your analysis.” [BusinessWeek]

US – Opposition to Google’s Safari FTC Privacy Settlement to Be Heard Next Month

A California court will hear arguments next month against a proposed settlement between Google and the FTC. The $22.5 million settlement is the largest fine handed down by the FTC thus far and stems from Google’s use of cookies to track users of Apple’s Safari browser. Privacy advocates have criticized the settlement for being “too soft,” the report states. Advocacy group Consumer Watchdog will argue at the November 16 hearing that the deal does not prevent Google from conducting similar tracking in the future and does not require the company to destroy information gleaned from past tracking. [IDG News Service]

WW – Google Exec: Internet Evolves Too Fast for Regs

Colin McKay, a Canadian policy manager at Google, told a House of Commons committee that the online world moves too fast to create regulations that will endure and that a more enforcement-focused system could curb open discussions between tech companies and regulators. “We would have to consider what the possible repercussions of having that open a discussion, in a system that’s more heavily focused on enforcement, would have on how our products roll out and how the privacy commissioner interprets our actions,” McKay said, adding that the two sides now engage in constructive dialogue and companies respond quickly to rulings. [The Canadian Press] SEE ALSO: [CA – OPC – Letter to the French Data Protection Authority Regarding its Review of Google’s Privacy Policy] AND [CA – Wayne Plimmer v. Google Inc. – Class Action Complaint – Supreme Court of British Columbia] AND [US – Brad Scott and Todd Harrington et al. v. Google, Inc. – Defendant Google Inc.’s Motion to Dismiss Plaintiffs’ First Amended Class Action Complaint – United States District Court Northern District Of California, San Jose Division] AND [AU – student data stored for Google ads] AND, finally: [Google allows anyone with a Web browser to peer into data centers that power its services]

Health / Medical

UK – NHS lost 1.8 Million Patient Records in a Year

More than 5,000 confidential patient records are being lost by the NHS every day, according to new figures. Official statistics showed that at least 1.8 million sensitive papers went missing throughout the health service in just 12 months. The breaches included data security records dumped in public bins and electronic records found for sale on an internet auction site. Other security lapses involved details of terminally ill patients being faxed to the wrong number, patient records being stolen and posted on the internet, and unsecured laptops being stolen from the homes of staff members. Campaigners today labelled the disclosures as worrying lapses in data protection and called for systems across the NHS to be tightened. [Telegraph Reporters] SEE ALSO: [US – Seeking a difficult balance: The limits of privacy in the emerging healthcare IT ecology] AND [US – Electronic Health Records vs. Patient Privacy: Who Will Win?] AND [US: Centers For Medicare & Medicaid Services (CMS) Falls Short In Response To Healthcare Data Breaches] AND [Ontario College of Physicians keeps secret details of doctor’s incompetence] AND [NYT: Boy Scout Files Give Glimpse Into 20 Years of Sex Abuse]

Horror Stories

US – Breach Report: 174 Million Records Compromised in 2011

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011. Calling it “an all-time low” for data breach protection, the report revealed that 96% of organizations required to follow the Payment Card Industry Data Security Standard (PCI DSS) that experienced a breach—according to Verizon’s “caseload”—were not compliant with PCI DSS. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96% tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.” [Out-Law.com]

US – 3.5 Million SSNs Exposed in Data Breaches

A data breach at the South Carolina Department of Revenue has exposed as many as 3.6 million Social Security numbers and 387,999 credit card numbers. The breach was the result of a cyber attack against the department’s systems in mid-September. The Social Security numbers were not encrypted. The state’s chief consumer advocate is calling for privacy laws to be strengthened to tell agencies how to guard against a breach. Meanwhile, employees of the Hillsborough Area Regional Transit Authority in Florida have been alerted that their Social Security numbers and bank information may have been compromised. [SecurityWatch]

WW – Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com. In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. [New York Times] SEE ALSO: [Spear-phishers lie in wait at ‘watering hole’ websites]

US – PIN Pads Breached at Barnes & Noble Stores

Credit card information of Barnes & Noble customers has been stolen by hackers at 63 store locations across the country. The bookseller discovered the breach in September and was instructed by the Justice Department to keep the matter under wraps so the FBI could investigate. The hackers allegedly accessed the financial data via PIN pads placed at store registers. Though breach notification varies by state, Morrison & Foerster Attorney Miriam H. Wugmeister said, “If you have a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice.” [The New York Times]

US – Tennessee Hospital Reports Breach

A Tennessee hospital is notifying 27,000 patients that their personal information has been compromised. Blount Memorial Hospital says a laptop was stolen during a burglary in August. The laptop contained 22,000 patient names, dates of birth, addresses and billing information, among other details, and the Social Security numbers of about 5,000 additional patients. The hospital has alerted the U.S. Department of Health and Human Services Office for Civil Rights. [knoxsnews.com] SEE ALSO: [CA – Lawyers to start process for class action suit over privacy breaches at Peterborough hospital]

US – University of Georgia Notifies 8,500

The University of Georgia (UGA) is notifying 8,500 current and former employees that their personal information may have been exposed. According to UGA Vice President for Information Technology Timothy Chester, “This appears to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system.” The intruder reset the passwords of two IT department personnel to gain access to the data. “It is clearly a criminal act of computer trespass, and we are working with UGA Police to investigate,” Chester told employees in an e-mail. [SCMagazine]

US – $665,000 or More Expected in Settlement of MN Case

A former police officer may receive more than $665,000 in the settlement of a case where other law enforcement officers illegally accessed her driver’s license information. Her suit alleges 144 law enforcement officers “accessed, used or disclosed her private information approximately 554 times” between 2005 and 2012 “without any legitimate business reason to do so” and names the cities of St. Paul and Minneapolis, MN, among others. A $385,000 settlement is proposed with St. Paul, MN, and a $280,000 settlement was reached during an October 1 court-ordered mediation with the 16 other area cities. A settlement conference with the city of Minneapolis is scheduled for October 25. [KSTP-5 Eyewitness News] see also: [NZ: Independent inquiry into WINZ privacy breach]

Identity Issues

CA – Service Ontario ID Card Changes

In a recent press release, Liz Sandals and Bob Chiarelli, Ontario Minister of Infrastructure and Minister of Transportation, announced improvements to the Ontario ID card program. Ontario is making it easier for residents without a driver’s licence to get official, government-issued photo ID. The Ontario Photo Card is now available at the following local ServiceOntario centres: The card will be offered at all ServiceOntario centres throughout the province by December 2012. [Source] SEE ALSO: [New Canadian Passports: Tories Pushed Design In A Historical Direction] AND [CA – Alberta man wins back identity 8 years after losing wallet]

WW – Facebook Removes Two-Factor Authentication Mobile Numbers From Search

Mobile phone numbers used for Facebook’s ‘Login Approvals’ account security feature are no longer searchable through the website. Facebook’s search system provides reverse lookup functionality that allows users to find other people on the website by searching for their phone numbers or email addresses instead of their names. Facebook “Login Approvals” is a two-factor authentication feature that requires users to input special codes sent to their mobile phones in addition to their regular passwords when attempting to authenticate from a new device. The feature is designed to prevent account abuse in cases where the user’s password is compromised. The new restriction only applies to mobile phone numbers used for two-factor authentication, not every phone number added by users in the “Contact Info” section of their profile pages, the Facebook spokeswoman said. Last week, Facebook limited the rate at which phone numbers can be searched on its mobile website in order to block a phone-number harvesting method disclosed by a security researcher. Suriya Prakash, an independent security researcher from India, publicly reported on Oct. 5 that Facebook’s reverse lookup feature can be abused to search for thousands of sequential phone numbers in order to find any Facebook profiles associated with them. [IT World]
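The two controls described in the item above, a per-client rate limit on the reverse-lookup endpoint and keeping two-factor numbers out of the searchable index, as an added Python example. This is illustrative code written for this digest, not Facebook’s implementation; the profile store, the 20-lookups-per-60-seconds window and the sample numbers are all constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory (not real data): phone number -> (profile name, searchable).
# A number registered only for two-factor "Login Approvals" is stored as not searchable.
PROFILES = {
    "+15550000001": ("alice", True),   # ordinary contact-info number
    "+15550000002": ("bob", False),    # used only for login approvals: never returned by search
    "+15550000003": ("carol", True),
}


class ReverseLookupService:
    """Phone-number -> profile lookup with a sliding-window rate limit per client.

    The limit values are assumptions for the example, not any site's real policy.
    """

    def __init__(self, profiles, max_lookups=20, window_seconds=60.0, clock=time.monotonic):
        self.profiles = profiles
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock                      # injectable so tests can fake time
        self._history = defaultdict(deque)      # client_id -> timestamps of recent lookups

    def _allow(self, client_id):
        now = self.clock()
        recent = self._history[client_id]
        while recent and now - recent[0] >= self.window:   # expire entries outside the window
            recent.popleft()
        if len(recent) >= self.max_lookups:
            return False
        recent.append(now)
        return True

    def lookup(self, client_id, phone):
        """Return ("rate_limited", None), ("ok", None) or ("ok", profile_name).

        A two-factor-only number answers exactly like an unregistered number, so the
        response does not reveal whether the number is tied to an account at all.
        """
        if not self._allow(client_id):
            return ("rate_limited", None)
        entry = self.profiles.get(phone)
        if entry is None:
            return ("ok", None)
        name, searchable = entry
        return ("ok", name if searchable else None)
```

The point of returning the same `("ok", None)` for both unknown and two-factor-only numbers is that the search endpoint must not become a registration oracle; the rate limit then bounds how many distinct numbers one client can probe per window regardless of the answer.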

Intellectual Property

US – Judge Sets Record $1.5 Million Fine in BitTorrent Case

Kywan Fisher was ordered by an Illinois federal court to pay $1.5 million, or $150,000 for each of the ten movies he downloaded, to adult film production company Flava Works. In a default judgment, the judge set the maximum penalty under U.S. copyright law of ten times statutory damages — the biggest penalty to date in a BitTorrent case. [Forbes]

Internet / WWW

WW – UN Wants “Anti-Terror” Internet Surveillance

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity. “The Use of the Internet for Terrorist Purposes” states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.” [CNET News] SEE ALSO: [US – Zillow Now Tells the World About Your Foreclosure]

Law Enforcement

US – Minneapolis Police Want to Limit Access to License Plate Camera Data

A Minneapolis municipal committee is now advocating on behalf of local police for a change in Minnesota’s state law concerning the right to access data collected from license plate readers (LPRs). For now, the city maintains a massive database, fed by its 11 LPRs, that holds each license plate number seen, along with the corresponding GPS location, date and time, for the previous 90 days. At a recent meeting, the Committee of the Whole heard discussion of a new proposal from the city police department that would restrict access to license plate reader records. Under the proposed rules, only the police would have access to the entire database, and a non-police individual would only be able to access the data that pertained to his or her own car. Currently, a rather liberal open-records state law known as the Data Practices Act makes all government data public by default. If approved by the Minneapolis city council, such changes could be put forward to the state legislature as soon as next year. [Ars Technica]

CA – Police Push for Surveillance, Data-Sharing Legislation

Police chiefs across the country are pushing for controversial Internet surveillance legislation in the name of investigations involving cyber and cell phone technology. The Canadian Association of Chiefs of Police says such investigations are being hampered by antiquated laws and wants Bill C-30 back on Parliament’s agenda, though privacy concerns halted its progress earlier this year. Police say requiring Internet providers to share information on subscribers would allow for better crime-solving and would help thwart cases such as cyberbullying. Meanwhile, Bill C-12, which would facilitate data sharing between online service providers and police, is expected to see a second reading debate soon. [Source] SEE ALSO: [Edmonton police in the wrong for withholding file, rules Alberta’s privacy commissioner]

US – Police May Use Hidden Surveillance Cameras on Private Property Without Warrant

A federal judge in Wisconsin has ruled that law enforcement officers may, in some cases, install hidden surveillance cameras on private property without first obtaining a warrant. US District Judge William Griesbach ruled that the US Drug Enforcement Administration (DEA) acted reasonably when it entered private property without the owners’ permission and without a warrant and installed several hidden surveillance cameras in an operation aimed at gathering evidence that the suspects were growing marijuana. The defendants, who could face life in prison and fines of up to US $10 million, maintain that their Fourth Amendment rights were violated because there were “No Trespassing” signs posted on the 22-acre property. Judge Griesbach adopted a recommendation by US Magistrate Judge William Callahan that said the action did not violate the defendants’ Fourth Amendment rights. The trial is scheduled to begin in January 2013. [CNET] SEE ALSO: [AB – Cops to test ‘body-worn video’ to record police work]

US – Judge Concerned About Warrantless Cell Tracking

A Texas judge has concerns about the ways law enforcement agents are using technology to gain data on cell phones in particular areas. Magistrate Judge Brian Owsley recently denied two federal requests for warrantless cell phone tracking, noting the government should apply for warrants. The judge says he’s concerned agents and U.S. attorneys don’t understand the technology. “Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Owsley wrote in an order last month, adding there has been no discussion around how data retained on innocent people would be used. [The Wall Street Journal]

US – The Growing Use of GPS Tracking Devices

The New York Times reports on the use of GPS tracking devices by families. The small, beeper-like gadgets can be placed in a car to follow a teenager or spouse, in a child’s backpack to ensure the child gets to and from school safely or embedded in medical-alert technology to provide emergency help to the elderly. The user can track a subject’s location via the web or smartphone app—and some companies offer multiple tracking services. This “kind of air-traffic control panel of familial concern” raises issues of privacy and personal space, the report states. [Source] SEE ALSO: [Location-based services: Common sense will keep you safe]

CA – Woman Files Suit Over iPod Location Privacy

A Surrey woman has filed a suit in British Columbia’s Supreme Court alleging Apple’s iOS4 operating system violates users’ privacy rights. Amanda Ladas says her iPod allows anyone with “moderate computer knowledge” to determine her location. The suit, which seeks class-action status, claims Apple has “violated the privacy and security rights” of Ladas and other potential plaintiffs and “has engaged in deceptive acts or practices” entitling plaintiffs to damages. [The Vancouver Sun]

IN – Gov’t Panel Issues Privacy Law Recommendations

A government-appointed panel tasked with identifying privacy issues and preparing a report to facilitate the proposed Privacy Act has issued its recommendations. Led by former Delhi High Court Chief Justice A P Shah, the group laid out guidelines on telephone tapping and other forms of communications surveillance as well as recommendations to set up national and regional privacy regulators. The group identified differences between existing laws that allow government surveillance, stating, “these differences have created an unclear regulatory regime that is inconsistent, non-transparent and prone to misuse and does not provide remedy or compensation to aggrieved individuals.” [The Times of India]

IN – India Asks EU to Declare it as “Data Secure” Country

The government of India has asked the EU to declare the country as “data secure.” Without a data secure declaration from the EU, sensitive data such as medical information cannot legally flow between the regions. India Commerce and Industry Minister Anand Sharma said, “It is our clear analysis that our existing law does meet the required EU standards. We would urge that this issue is sorted out quickly, and necessary comfort in declaring India data secure in overall sense needs to be given as almost all the major Fortune-500 companies have trusted India with their critical data.” The EU is studying whether India’s laws meet the EU’s directive. [The Times of India]

SG – Gov’t Considers Banning Free Phone Books

Singapore is considering halting the publication of free telephone directories due to privacy concerns. Concerns about the listing of residential and office numbers have prompted the Infocomm Development Authority of Singapore (IDA) to publish a consultation on whether “it is still necessary to maintain the regulatory requirement for Directory Services.” The IDA notes “increasing public awareness, and concerns, about use and protection of personal data.” Singapore’s Parliament passed a data protection law earlier this month that includes a Do-Not-Call registry, provisions on private-sector use of personal data and the creation of a new enforcement agency, which may fine noncompliant organizations. [AFP] SEE ALSO: [PH – High Court in Philippines Suspends Contentious Internet Law]

Online Privacy

WW – Yahoo to Ignore Default DNT Settings

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) settings, indicating the setting “ignores the wishes of its users.” The browser will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent, not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement. [InformationWeek] See also: [Letter from John D. Rockefeller to the Federal Trade Commission Regarding the World Wide Web Consortium Deliberations on Do-Not-Track – U.S. Senate] See also: [The Bizarre, Belated Assault on Do Not Track – Leslie Harris and Justin Brookman, Center for Democracy and Technology] AND ALSO: [US – Mozilla stresses privacy while testing new social API in Firefox]

UK – Do Not Track Standard Needs Action Says Commissioner

European commissioner Neelie Kroes has accused members of the online industry of watering down a standard designed to protect consumers’ privacy on the web. Websites are under pressure to allow consumers much greater control over how they are tracked online. But work undertaken by the World Wide Web Consortium (W3C) to create a Do Not Track (DNT) standard was “not going to plan”, said Ms Kroes. She is angry about delays and a proposal to exempt marketing. [bbc.co.uk] SEE ALSO: [NYT: Privacy Advocates and Advertisers at Odds Over Web Tracking]

WW – Microsoft Alters Its Privacy Rules

A new policy implemented by Microsoft allows it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” [The New York Times]

WW – Microsoft to Clarify Privacy Rule Changes

Microsoft has said it will clarify part of its new disclosure policy to explicitly state that it will not use personal information gleaned from certain free services for targeted advertising. Rep. Edward J. Markey (D-MA) sent a letter to the company expressing concerns that the move would allow Microsoft to compile “detailed, in-depth consumer profiles.” In a statement, Microsoft said, “We appreciate the feedback we’ve received, and as a result, we will update the agreement as soon as possible to make that point absolutely clear.” [The New York Times]

US – McDonald’s Removes Sharing Feature Following COPPA Complaint

McDonald’s has removed social networking features in some of its online games following complaints from a privacy advocacy group. The Center for Digital Democracy filed a complaint with the FTC last month that the restaurant chain was violating children’s privacy laws by, without requiring parental consent, asking children to list the e-mail addresses of friends as part of a “tell-a-friend” feature on HappyMeal.com. McDonald’s said it has removed the feature and the online security of its guests “remains a top priority.” [The Washington Post]

US – Company Settles Supercookies Lawsuit

An analytics company has agreed to settle a class-action lawsuit over tracking practices. The settlement forbids KISSmetrics from using ETags and other supercookies for tracking purposes without first giving users “reasonable notice and choice” and requires it pay $2,500 each to the two consumers who sued as well as $500,000 in attorney costs. The suit alleged the company violated wiretapping laws by using ETag technology, which can be used to track users’ web movements even after they deleted traditional cookies. [MediaPost] SEE ALSO: [CA – Man distributed sexual images of ex-girlfriend to poison new relationship, court told]
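To make the ETag tracking mechanism in the item above concrete from the defender’s side, here is an added Python example (written for this digest, not KISSmetrics’ or any vendor’s code). It shows a content-derived ETag that still supports conditional requests, and a heuristic check that flags a resource whose ETag differs between fresh, cookie-less sessions even though the body is identical. The sample captures, session names and tag values are constructed.

```python
import hashlib


def content_etag(body):
    """Strong ETag derived from the representation only (hardened form).

    Every client that receives the same bytes gets the same validator, so the header
    carries nothing that can identify a visitor.
    """
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def revalidate(body, if_none_match):
    """Server-side conditional GET: 304 if the client's validator matches the current
    content-derived ETag, else 200. Caching works without any per-visitor tag."""
    return 304 if if_none_match == content_etag(body) else 200


def etags_suggest_tracking(captures):
    """Heuristic over (session_id, body, etag) tuples captured from the same URL using
    fresh sessions with no cookies. If identical bodies came back with different ETags
    to different sessions, the validator is carrying per-visitor state."""
    seen = {}   # body -> set of ETags observed for it
    for _session, body, etag in captures:
        seen.setdefault(body, set()).add(etag)
    return any(len(tags) > 1 for tags in seen.values())


BODY = b"<html><body>same page for everyone</body></html>"

# Constructed capture from a server using content-derived ETags: all sessions match.
HONEST_CAPTURE = [
    ("session-1", BODY, content_etag(BODY)),
    ("session-2", BODY, content_etag(BODY)),
    ("session-3", BODY, content_etag(BODY)),
]

# Constructed capture showing the supercookie pattern: same body, a unique tag per session.
TRACKING_CAPTURE = [
    ("session-1", BODY, '"a1b2c3-visitor-0001"'),
    ("session-2", BODY, '"a1b2c3-visitor-0002"'),
    ("session-3", BODY, '"a1b2c3-visitor-0003"'),
]
```

Treat a positive result as a signal to investigate rather than proof of tracking: a site served from several backends can legitimately return different ETags for the same bytes (for example Apache’s inode-based `FileETag` setting varies per machine), so the check is best repeated against one backend or combined with inspection of whether the ETag value is echoed into analytics requests.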

EU – Law Student’s Quest Against Facebook Continues

Austrian law student Max Schrems has said Facebook and European regulators have not done enough to curb what he says are violations against European privacy laws. Founder of “Europe v Facebook,” Schrems is looking to raise approximately 200,000 euros to keep his campaign moving forward. “At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?” the report states. Schrems said, “We’re right now defining what our world is going to look like in 20 years.” [The Washington Post] SEE ALSO: [US: Facebook photos point to burglary, party at Tega Cay home] AND ALSO: [US – Obama Worries About Malia Using Facebook, Cites Privacy Concerns] AND [UK – Online life after death needs clear data regulation]

CA – Commissioner Cavoukian Joins the Fight Against Cyberbullying

Online social media networks like Facebook and Twitter appear to have become the new schoolyard for bullies. But unlike the tormentors of the playground, cyberbullies are able to lurk in the shadows of anonymity on the Internet, and their cruelty doesn’t stop at the end of the school day. The harm they inflict on their victims can have devastating effects, and for some may lead to the most tragic of consequences, said Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, in a YouTube video. [Source] SEE ALSO: [BC – Hackers say they’ve found Amanda Todd’s tormentor]

Other Jurisdictions

PK – Law Must Balance Security with Individuals’ Rights

Responding to criticism over a new Pakistani counterterrorism law, Sen. Raza Rabbani has said the law “must not be used to put the fundamental rights of people at stake.” The Fair Trial Act allows the state to intercept private communications, including e-mails, SMSs, phone calls and audio-visual recordings, in order to arrest suspected terrorists. The law has been tabled in the National Assembly. “We must strike a balance between adopting modern techniques of investigations and the fundamental rights of the people,” said Barrister Zafarullah Khan. [The Express Tribune] SEE ALSO: [HK – Hong Kong’s watchdog for data privacy sees upsurge in complaints]

AU – Australia Attorney-General Consults on Australian Privacy Breach Notification

The Australian Attorney-General has issued a consultation on a nationwide mandatory breach notification scheme; the rationale for such a scheme includes mitigation of consequences of a breach, deterrence/incentive to improve data security, tracking of incidents and provision of information in the public interest, and maintaining community confidence in legislative privacy protections. Triggers for notification could include an appropriate test (e.g. a “catch-all” test or specific triggers based on volume of records breached or sensitivity of the records); notification could be decided by the organisation or agency, the Commissioner, or the organization in consultation with the Commissioner, and notification could be provided to the Commissioner and/or the affected persons and the police, financial institutions and CERT Australia. The issue of timely notification must be considered (e.g. before a particular deadline or as soon as possible); the content of the notification should be detailed (e.g. a description of the breach, types of information lost, and contact details). A scheme could apply only to those agencies regulated by the Privacy Act, or all entities, with a potential exemption for law enforcement agencies; penalty options include civil, criminal or administrative penalties or the capacity to “name and shame,” with consideration given to the circumstances in which they are applied. [Discussion Paper]

AU – Mandatory Notification Back on the Table

Australian Attorney General Nicola Roxon has published a discussion paper on whether the country needs a mandatory breach notification law that includes a poll for the public to weigh in on the issue. Privacy Commissioner Timothy Pilgrim renewed his calls for a law after a decrease in notifications in the last financial year. Pilgrim said “there is a strong case to have mandatory data breach notification laws in Australia” but cautioned against notification for minor breaches due to administrative burdens, notification fatigue and lack of utility, the report states. The attorney general is accepting comment until November 23. [The Australian Financial Review]

SA – Pending Privacy Bill Could Cost 35,000 Jobs, Observer Says

According to one critic, South Africa’s proposed Protection of Personal Information Act (PPI) could cause as many as 35,000 citizens to lose their jobs. The PPI is expected to limit unwanted telemarketing calls and spam, the report states. CareerCall’s Andy Quinan says the bill could affect the call-sector industry and stifle entrepreneurs who use telemarketing as a cost-effective marketing tool. Quinan has based his estimate on the 2008 C3Africa National BPO Survey. [ITWeb]

CO – Data Protection Law Becomes Effective

Colombia has enacted an omnibus data protection law, reports the Hunton & Williams Privacy and Information Security Law Blog. The law was enacted on October 17. It contains “significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights…and cross-border data transfer restrictions,” among other provisions. The law also calls for the establishment of a data protection authority. [Source]

UA – Insurance Group Asks for Veto

An insurance industry group has asked Ukraine’s president to veto a measure to amend the data protection law. The League of Insurance Organizations of Ukraine (LIOU) says the amendments “unreasonably extend the powers of the State Service of Ukraine on Personal Data Protection,” the report states. “We think the adoption of this law in such wording, despite numerous plus points, contains serious obstacles to entrepreneurship in Ukraine, creating a serious threat of the appearance of unreasonable additional financial and organizational expenses for businesses, as well as contradicting international standards regarding personal data protection, and the norms of the Ukrainian legislation,” the group stated in its letter. [KyivPost] SEE ALSO: [MX – Mexico Guidelines for Privacy Notice – Secretariat of Economy] and [AU – Office of the Australian Information Commissioner – Review of Counter-Terrorism Legislation] and [NZ – C v Holland – [2012] NZHC 2155 – High Court of New Zealand] and [RU – Recent Developments in Russian Personal Data Protection Regulation – Leonid Zubarev, Partner, and Anastasiya Lemysh, CMS Russia Client Alert]

Privacy (US)

US – California Issues App Developer Noncompliance Notice

California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.” [Bloomberg]

WW – Researchers Find Android Apps Pose Data Privacy Concerns

Researchers say that more than a quarter of Android apps available through the Google Play store appear to pose potential security risks to users. The researchers considered the apps to be questionable or suspicious if they had the capability to access personal information such as GPS data, phone calls and phone numbers. Users were led into allowing the apps to collect the data when they were installed; if users do not agree to the apps’ requests, the apps will not run on their devices. The practice appeared to be popular among games, entertainment and wallpaper apps, despite the fact that those apps would seem to have little or no practical use for the information. The researchers state specifically that these apps are not considered malware, simply that they pose a privacy risk to users. [InformationWeek] [ComputerWorld]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401% more likely to track location and 314% more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” [Source] SEE ALSO: [JP – Five Arrested in Japan in Connection with Malware Hidden in Android Apps]

US – Rules Surrounding App Data Collection a “Gray Area”

The New York Times reports on the gray legal area surrounding mobile apps. The law has not kept pace with advances in technology, resulting in online businesses’ collection of large volumes of personal data. Meanwhile, users are often oblivious. “Generally, most people are simply unaware of what is going on,” said one expert. App developers’ data collection practices are loosely regulated in the U.S., the report states. California Attorney General Kamala Harris recently reached an agreement with six leading companies that they would only sell or distribute apps with privacy policies, the report states. Meanwhile, in Europe, revisions to the data protection regulation would require consumer consent before data collection on the web. [Source]

US – California AG Tells Mobile App Makers to Post Privacy Policies

California’s attorney general Kamala Harris has notified the makers of mobile applications that they will be held accountable for their handling of Californians’ personal data. The first round of notices was sent to the makers of 100 apps that do not have written privacy policies describing what data the app collects and shares. The companies have 30 days to post “conspicuous” privacy policies or face fines of up to US $2,500 each time a California resident downloads the app that does not have such a policy. Harris is extending the privacy requirements imposed on personal computers to smartphones and tablets. [Source]

CA – Privacy Commissioners Help Developers Create Privacy-Friendly Apps

Today’s app economy is like a new frontier marked by innovation, thousands of jobs and millions of consumers worldwide equipping themselves with useful, convenient, informative and entertaining tools. Like any new frontier, though, this one has risks, including those to privacy. To help heighten personal information protection in the mobile era, the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia today issued new guidance to help mobile app developers set themselves apart by making user privacy central in their design process. The guidance, shared with international data protection authorities and released upon the close of the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, Uruguay, provides app developers with insights in the following areas:

  • Accountability under the law
  • Transparency
  • Collection
  • Gaining meaningful consent despite the “small screen” challenge
  • User notice and consent timing

The full guidance can be found on the web site of either: the Office of the Privacy Commissioner of Canada; the Office of the Information and Privacy Commissioner of Alberta; or the Office of the Information and Privacy Commissioner of British Columbia. [Canada Newswire]

US – Courts Widening View of Data Breach Damages, Lawyers Say

Federal courts are widening the definition of damages from data breaches. This “sea change” leaves unprepared companies at risk when it comes to class-action lawsuits, according to lawyers from the firm Pepper Hamilton. Until recently, courts would dismiss data breach lawsuits that couldn’t prove specific harm. But courts “are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately but sometime in the near future,” lawyer Jeffrey Vagle said. A recent survey found the average settlement award for class-action data breach suits to be $2,500 per plaintiff. [CSO] SEE ALSO: [US: How should judge protect privacy of Colorado shooting victims?]

US – Court Allows Path Lawsuit to Move Forward

A judge has allowed a lawsuit against mobile app developer Path to proceed. The company has been urging the court to dismiss the suit, claiming users did not suffer economic harm, but U.S. District Court Judge Yvonne Gonzalez Rogers found that a user sufficiently alleged harm in the case. The company is accused of violating users’ privacy after it was discovered that users’ address books were uploaded without consent. A second class-action lawsuit against the company is pending in a federal court in Austin, Texas. [MediaPost]

US – FTC Finalizes Two Privacy Settlements

The FTC has finalized settlements with two companies for allegedly illegally exposing the sensitive personal information of thousands of consumers through the installation of peer-to-peer file-sharing software on computer systems. The settlements are with EPN, Inc., and Franklin Budget Car Sales, Inc., and will “bar misrepresentations about the privacy, security, confidentiality and integrity of any personal information collected from consumers,” the FTC press release states. The companies must also create and maintain comprehensive information security programs. [Source] SEE ALSO: [US – Facebook Amended Settlement and Release – U.S. District Court for The Northern District Of California]

US – State Tax Department Breach Incites Class-Action Lawsuit

Fallout from a breach at South Carolina’s state tax agency, which exposed the Social Security numbers of 3.6 million individuals, continues. A law firm has filed a class-action lawsuit against both the state’s governor and the Department of Revenue (DOR), alleging they failed “to protect the citizens of South Carolina” and violated the state’s breach disclosure laws. The governor said the fact that the information wasn’t encrypted isn’t an anomaly. “It’s not just that this was a DOR situation but an industry situation,” she said. The breach may be the “largest cyber-attack against a state tax department in the nation’s history.” [The Washington Post] SEE ALSO: [US – Lauren Chaikin et al. v. Lululemon USA Inc., Lululemon Athletica Inc., and Does 1-50 – Class Action Complaint – Superior Court of California, County Of San Diego]

US – EFF Fights Energy Company’s Subpoenas

A privacy group is fighting an energy company’s subpoenas seeking information on dozens of e-mail accounts. Following a $19 billion judgment in favor of Ecuadorean aborigines and farmers against Chevron over oil contamination, the company has filed subpoenas for information—including IP addresses and time stamps—about Yahoo and Google users, calling the verdict “extortionate fraud.” In response to the subpoenas, the Electronic Frontier Foundation has filed an amicus brief stating that the release of the information the company seeks would intrude on the privacy of the John Does involved, adding that the court “should not permit Chevron’s unnecessary and unwarranted fishing expedition” without sufficient cause. [Courthouse News Service]

US – FTC Reaches Settlement with Analytics Company

The Federal Trade Commission (FTC) has reached a settlement with web analytics company Compete, Inc., for allegedly misrepresenting its data collection practices and failing to adequately secure collected data. The company has agreed to destroy data collected from users prior to February of 2010 and to undergo biennial audits for the next 20 years. According to the FTC, the company did not appropriately disclose “the full extent of data collected through tracking software,” and such a failure “was, and is, a deceptive act or practice.” Compete said, “We will continue to develop and uphold new standards for transparency and security.” [MediaPost]

US – Judge Dismisses Consumer Privacy Allegations

A federal judge has dismissed much of a class-action suit over a data breach at Sony’s Playstation Network in April 2011. The suit alleges hackers were able to access the gaming network because the company negligently “failed to provide adequate firewalls and safeguards” for users’ personally identifiable information. Sign-up for the games requires users to provide names, mailing addresses, e-mail addresses, birthdays and credit and debit card information, the report states. The suit alleges Sony should have known the system was vulnerable to an attack. A U.S. District Court judge has dismissed several of the suit’s claims, including violations of California consumer protection statutes. [Courthouse News Service] [US – In Re: Sony Gaming Networks and Customer Data Security Breach Litigation – 2012 U.S. Dist. LEXIS 146971 – U.S. District Court for the Southern District of California]

US – FPF Announces Privacy Papers for Policy Makers 2012

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky, said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.” [Source]

Privacy Enhancing Technologies (PETs)

US – Carnegie Mellon to Offer Masters in Privacy

Carnegie Mellon University has created a masters degree program in privacy. The one-year program will start in the 2013-14 academic year and aims to help prepare students for the increasing marketplace demand for privacy-savvy computer scientists and engineers. The program will include classroom instruction and a summer work experience project. CMU Professors Lorrie Cranor and Norman Sadeh created the program. [The Pittsburgh Post-Gazette]

CA – Privacy Commissioner Designates Route1 as Privacy by Design (PbD) Ambassador

Route1 announced that the Office of the Information and Privacy Commissioner of Ontario has designated the company as a Privacy by Design (PbD) Ambassador for its commitment to secure remote access and identity management, evidenced in the development and success of MobiKEY. Route1, a security and identity management company, counts among its customers government and military organizations in the U.S. and Canada, as well as private sector businesses such as law firms, healthcare facilities and financial institutions. MobiKEY provides multi-factor authentication to verify the identity of an individual attempting to remotely access data, and integrates privacy protocols for both the user and the institution. [Mediacaster Magazine] SEE ALSO: [US – Symantec Corporation : Norton Hotspot Privacy Keeps Consumers Safe on Public Wi-Fi]


US – Cyber Liability Insurance Awareness Is Growing

A survey reveals that 60% of businesses do not have cyber liability insurance, but according to one expert, companies are becoming more aware of it. The Advisen survey report states that 52% of businesses not currently covered have no plans to gain the insurance in the next year. Pinsent Masons’ Ian Birdsey said, “When you consider the frequency, severity and exposure of security and data breaches,” it’s “surprising” that 52% are not considering the insurance. Birdsey noted that “the test remains whether advocates for data risks or cyber liability insurance cover at general counsel or chief privacy officer level can persuade their management teams to allocate budget to buy cover in the next financial year.” [OUT-LAW] [The Advisen survey report] SEE ALSO: [US – Cyber Risks: An Insurance Perspective – Jillian Raw, Kennedys LLP] AND [EU – ENISA, Annual Incident Reports 2011] AND [EU – Lifecycle Data Protection Management – Alexander Alvaro, Vice-President of the European Parliament: the concept of lifecycle data protection management (“lifecycle DPM”) is proposed in addition to the framework contained in the EU data protection regulation proposal] AND [AU – Information Security Manual 2012: Executive Companion – Department of Defence, Australian Government] AND [CA – Feds earmark $155M over five years to fight cyber threats]

Smart Cards

US – Supervisor Calls for Public Transit Card Privacy

A San Francisco supervisor is calling for stricter privacy controls surrounding “Clipper cards” used to pay for public transportation. Supervisor Jon Avalos has introduced a resolution to ensure that “people who are using Clipper cards can actually be protected against any use of information about where they go and what their whereabouts are.” The cards do not contain personal information, according to a Metropolitan Transportation Commission spokesman, but do contain travel logs on a passenger’s past 10 trips. The agency is required by state law to provide travel information when subpoenaed, the spokesman said. [The San Francisco Examiner]

HK – Privacy Watchdog Slams Excessive Use Of Data on Customer Loyalty Scheme

Customers’ privacy may have been violated under three customer loyalty schemes, the Privacy Commissioner for Personal Data Allan Chiang said in four investigation reports. The three schemes are the “Fun Fun Card” program by China Resources Vanguard Company Limited, the “Mann Card Program” by The Dairy Farm Company Limited, and the “MoneyBack Program” operated by A.S. Watson Group (HK) Limited through PARKnSHOP and Watsons. The commissioner particularly criticized A.S. Watson Group, directing it to stop collecting customers’ ID numbers and to completely erase applicants’ ID numbers and other data already collected. “Ill-defined” purposes must also be removed. “After the Octopus incident in 2010, public awareness of the collection and use of personal data in direct marketing activities has significantly raised. I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations,” Chiang said. According to the report, the operators had collected applicants’ Hong Kong Identity Card or passport numbers, in complete or partial form, for the purpose of providing them with a default log-in password for the program’s online service. This amounted to unnecessary and excessive collection. In particular, the program operators had either not defined or ill-defined the purpose for which the data would be used and the classes of data collected. [The Standard Hong Kong]


UK – Group Warns of Public Transit Privacy Concerns

Privacy International is warning that public transportation companies voluntarily share personal information about travelers with law enforcement agencies. “Every single authority and company we have spoken to so far has shocking practices,” said a spokesman from Privacy International, which has polled 48 transport authorities and companies globally to ask how they handle personal information stored on public transportation cards. “The problem with smart cards is that they record a very fine grain of information,” the spokesman added, in some cases including bank details, e-mails, passwords and telephone numbers. While court orders are required in some countries, that is not the case for others. [IDG News Service]

US – Judge: DEA’s Warrantless Surveillance Did Not Violate Law

A U.S. District Court has ruled that, in some circumstances, police are allowed to install hidden surveillance cameras on private property without a warrant. U.S. District Court Judge William Griesbach ruled that Drug Enforcement Administration (DEA) agents had reason to “enter rural property without permission—and without a warrant” to install surveillance cameras to investigate suspected criminal drug activity. Griesbach’s ruling upheld a recommendation by U.S. Magistrate Judge William Callahan stating that the DEA did not violate the law, as “The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.” [CNET News]

US – Calif. Privacy Groups Oppose Cellphone Surveillance Device

FBI investigators used a court order authorizing access to cellphone customer data to quietly deploy a powerful surveillance technology known as “stingrays,” privacy groups contend in a new court filing that claims the devices are overly invasive. Your cellphone can be singled out by its international mobile subscriber identity, or IMSI, which then makes it possible to secretly determine your whereabouts using stingray devices, also known as IMSI catchers. The law enforcement tool troubles security experts and civil libertarians alike because it mimics cellphone towers. Stingrays track the locations of mobile devices, including those that are not targeted but are nearby. IMSI catchers can also be adjusted to capture the content of communications, although the government claims that was not done in this case. An expert in 2010 showed spectators at a technology conference in Las Vegas that IMSI catchers could be built at home for as little as $1,500, exposing a potential weakness in cellphone security. Thirty cellphones in the room reportedly attempted to connect to his do-it-yourself tower, and anyone in the room who made a call while connected to it received an automated message that said their communications were being recorded. The government’s pursuit of an alleged tax fraudster that began in Northern California and is now playing out in an Arizona courtroom has become the first major constitutional challenge to stingrays. Law enforcement agencies using the technology have held it close to the chest, and the public has little knowledge of it. In an Oct. 19 friend-of-the-court brief filed with the U.S. District Court of Arizona, the Electronic Frontier Foundation in San Francisco and the ACLU of Northern California argued that stingrays are “highly intrusive and indiscriminate,” and claimed government investigators sought to utilize them while providing Judge Richard Seeborg with scant details about the technology’s extraordinary power. [The Tribune]

UK – Draft Communications Bill: Powers May Uncover ‘Wrong Targets’

Plans to monitor all Britons’ online activity risk uncovering “incompetent criminals and accidental anarchists” rather than serious offenders, the information commissioner has warned. Ministers want to strengthen the law on internet data retention to help the police tackle security threats. Christopher Graham said the “really scary people” could simply avoid detection by changing their behaviour. Under the government’s plans, currently being scrutinised by Parliament, service providers will have to store details of internet use in the UK for a year to allow police and intelligence services to access it. Records will include people’s activity on social network sites, webmail, internet phone calls and online gaming. Ministers argue law enforcement agencies need to keep pace with the changing technology used by offenders but critics have called the proposals a “snooper’s charter”. [BBC]

WW – New Memoto Camera Captures ‘Every Single Moment Of Your Life’

Do you wish you had photos of “every single moment of your life” so you could “revisit any moment of your past”? Like the time you walked in on your roommates having sex, or the look of disappointment on your girlfriend’s face when you forgot her birthday? Then Memoto’s new wearable camera, about half the size of a matchbox, may be for you. The Memoto camera is constantly on while you wear it (clipped to a shirt or hung on a necklace), and you can use it rain or shine as it’s weather-protected. It’s got a GPS that geotags each photo, and a battery that is said to last between one and two days, that’s recharged when connected to your computer. Dubbed a “lifelogging” camera—referring to the process of computer-assisted recording to capture large portions of your life—the creators say the name Memoto is associated with the words “memory motor.” Founded by six Swedish entrepreneurs and posted on crowd-funding website Kickstarter, the product exceeded its $50,000 funding goal in only five hours. It takes photos every 30 seconds, and synchronizes with apps to work as a photographic memory – a digital timeline of your life. “The website talks about lifelogging as capturing your life, but what you’re really capturing is the life of everyone else around you… sometimes without their awareness,” said Dr. Bita Amani, an associate professor of law at Queen’s University who teaches a course on information privacy. Amani says Memoto raises three kinds of privacy issues: those related to the original recording (photographs), the subsequent publication (i.e. on Facebook), and cloud storage. She also notes that any kind of recording may become subject to a use other than what was originally intended. [Global News]

Telecom / TV

US – EFF, ACLU Take on Data Collection Practices

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are challenging the data-collection activities of Verizon Wireless. The advocacy groups say Verizon violates the federal Wiretap Act when it collects data on customers’ app usage, locations and web browsing and sells it to advertisers. Verizon says its actions are legal because it notifies customers of its practices and allows them to opt out, and the data cannot be tied to an accountholder. The groups claim, however, that the act of collection is the violation. “What you do after the fact is certainly important, but the violation of the Wiretap Act has already occurred,” said EFF lawyer Hanni Fakhoury. [PC World] [US: Verizon draws fire for monitoring app usage, browsing habits]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to pose privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with whom and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” Among the findings:

  • 24% of free apps have permission to track location vs only 6% of paid apps.
  • 7% of free apps have permission to access your address book vs 2% of paid apps.
  • 2.6% of free apps have permission to silently send text messages vs 1.5% of paid apps.
  • 6% of free apps have permission to clandestinely initiate calls in the background vs 2% of paid apps.
  • 5.5% of free apps have permission to access the device camera vs 2% of paid apps. [San Jose Business Journal]

US Government Programs

US – Privacy and Civil Liberties Oversight Board to Hold First Public Meeting

The Privacy and Civil Liberties Oversight Board will hold its first public meeting this month, according to a notice in the Federal Register. The board, which aims to provide privacy oversight on U.S. surveillance and security measures in the fight against terrorism, had remained dormant since 2007, inciting widespread criticism. President Barack Obama appointed new members to the board in 2011, and the Senate confirmed four of five nominees earlier this year. The aim of next Tuesday’s meeting is to gather feedback from nongovernmental organizations and members of the public on priorities the board should consider on its forthcoming agenda. The public portion of the meeting will take place from 10 a.m. to noon on October 30 in Washington, DC. [Federal Register]

US – FTC Working on Data Collection Nutrition Label

The Federal Trade Commission (FTC) is working on a “nutrition label” for data collection. FTC Chairman Jon Leibowitz says the label would act as a “disclosure mechanism that websites can customize to succinctly tell consumers what kind of data they are collecting and how they are using it.” The news follows calls from academics and advocates for companies to create privacy policies that are accessible and easy for the average consumer to read and understand. [Law360]

US Legislation

US – FTC’s Proposed COPPA Changes Could Face Legal Challenge

A potential legal backlash may occur against the FTC if it pursues proposed changes to the Children’s Online Privacy Protection Act. At a recent forum, TechFreedom President Berin Szoka and others cited specific issues with the proposed changes, including expanding the definition of personally identifiable information to cover persistent identifiers, a move they believe could hamper website functionality and innovation, the report states. Szoka said, “The FTC should take the time next year, probably hold a workshop and discuss these things and issue a revised rule,” adding, “If they don’t, they will be sued.” [NationalJournal] see also: [No “Do Overs”: Children, Personal Information And Marketing In Canada]

US – Rep. Barton: “We Need Stronger Privacy Laws”

In a blog post, Rep. Joe Barton (R-TX) calls for tougher online privacy legislation. “If our forefathers knew what the Internet and modern technology would be like today,” Barton writes, “they would have put a right to privacy explicitly in the Constitution.” Barton contends that parts of the online industry are listening, “while others remain tone-deaf,” particularly in relation to Do Not Track. Barton writes that some are “putting profits over privacy” and describes the Do Not Track Kids Act as “common-sense legislation.” Meanwhile, the Center for Digital Democracy and Commonsense Media have launched an online petition aimed at persuading the FTC to “stay the course” on proposed changes to COPPA. [Source]

US – Lawmakers Call for Improved Medicare ID Theft Prevention

Reps. Wally Herger (R-CA) and Sam Johnson (R-TX) are calling on the Department of Health and Human Services (HHS) to remove users’ Social Security numbers from Medicare cards. Citing a recent report that found flaws in the way the HHS responds to Medicare identity theft, Johnson said, “This report is a wakeup call for (the Medicare agency) to heed the advice of its own inspector general and take immediate action to develop a new system for protecting seniors from medical identity theft.” [The Hill]

US – FTC’s Ohlhausen Skeptical of New Privacy Legislation

The FTC’s Maureen Ohlhausen has voiced concerns that calls for new privacy legislation could undermine the FTC’s other task of promoting competition. Ohlhausen said, “Before seeking new privacy legislation, I think it is important to identify a gap in statutory authority or to identify a case of substantial consumer harm that we would like to address but can’t within our existing authority.” Ohlhausen noted the many benefits of information sharing for consumers, adding, “that’s why I am concerned about treating privacy solely as a consumer protection issue. It also must be viewed through the competition lens if you want to reach the best outcome for consumers.” [National Journal]

US – NJ Senate Passes Applicant Privacy Bill

New Jersey’s Senate has passed a bill to prevent employers from requiring applicants to provide access to private accounts. The Assembly passed a similar bill in June. “There are plenty of other steps in a job application process for employers to gain a profound understanding of an applicant’s experience, fitness and personality,” said Republican State Sen. Kevin O’Toole, adding, “Applicants should not have to choose between preserving their due privacies and earning incomes.” The bill also bans “associated discrimination or retaliation” and allows applicants to sue for damages in the event of violations, according to the report. [NJTODAY.NET]

Workplace Privacy

CA – Supreme Court Confirms Privacy Survives in the Workplace

Many employers seek to remove any reasonable expectation of privacy by telling employees that they should not expect any privacy when using workplace computers during company time. Earlier this month, the Supreme Court of Canada grappled with the question of workplace privacy and arrived at a somewhat different conclusion. Michael Geist’s technology law column (Toronto Star version, homepage version) notes that it ruled that the workplace environment may diminish an employee’s reasonable expectation of privacy, but does not remove the expectation altogether. The case involved a criminal action against a high school teacher who was provided with a school-issued laptop computer that could be used for incidental personal purposes. A computer technician at the school discovered nude photographs of a female student while performing routine maintenance on the machine. The school copied the images and turned over the computer and the images to police, who later charged the man with possession of child pornography and unauthorized use of a computer. The legal issue in the case turned on whether the police conducted a warrantless search of the computer in violation of the Canadian Charter of Rights and Freedoms, which guards against unreasonable search and seizure. To answer that question, the Court assessed whether the employee had a reasonable expectation of privacy, which it ruled depends upon the “totality of the circumstances”. Weighing the competing interests, the Court ruled that the reduced privacy interest was not eliminated in its entirety. It therefore ordered that the teacher face a new trial. [Source] [CA — Privacy in Workplace Computers: Employers Can Manage Employee Expectations of Privacy – Earl G. Phillips, Partner, McCarthy Tetrault LLP]

CA – Supreme Court: Employees Have Computer Privacy Rights

The Supreme Court of Canada has ruled that employees have some privacy rights over workplace computers and that computers should not be searched by law enforcement without a warrant. In the 6-1 ruling, the court wrote, “Computers that are reasonably used for personal purposes—whether found in the workplace or the home—contain information that is meaningful, intimate and touching on the user’s biographical core.” The author of the ruling, Justice Morris Fish, added, “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.” [Toronto Star] SEE ALSO: [OIPC AB – Order F2012-23 – Alberta Corporate Human Resources re: collect an employee’s personal information (“PI”) for its operating activities] AND [Datatilsynet, Norway – “A Normal Day at Work”: Workplace Electronic Tracking] AND [FR – Companies, Other Than Those from the Banking and Financial Sectors, Now Allowed to Implement Background Screening Processing for the Detection and Prevention of Corruption – Denise Lebeau-Marianna and Idriss Kechida, Baker & McKenzie] AND [AB: Court injunction granted to prevent random drug testing]


