01-15 June 2013



WW – Google Outlaws Facial Recognition, Voiceprints for Google Glass

Google has decided to ban facial-recognition technology from its Google Glass product, following pressure from the U.S. Congress. It has also banned voiceprints, which would allow the microphone to identify a speaker. App developers—including Lance Nanek, who built an app that would allow clinicians wearing the glasses to verify patient identities and pull their medical records without having to turn to a secondary device—are disappointed in the decision. The company says it will not allow such applications until “strong privacy protections” are in place, but the Future of Privacy Forum wonders “what sort of privacy protections can actually be put in place for this sort of technology?” [MIT Technology Review]

See also: [Google Irks Developers with Ruling on Facial-Recognition Apps] and also: [US: Parents angered after schools conduct ‘Minority Report-like’ iris scans on students as young as six without asking their permission]


CA – Privacy Czar to Meet With E-Spy Watchdog on Eavesdropping Concerns

Canada’s privacy watchdog plans to meet with the retired judge who keeps an eye on the national eavesdropping agency. Privacy Commissioner Jennifer Stoddart says she’s concerned that the public knows little about what Robert Decary does in his role monitoring the ultra-secret Communications Security Establishment. Stoddart said earlier this week she would look into any implications for Canada posed by the possible large-scale U.S. snooping. She also wants to know more about the CSE’s long-standing surveillance of foreign Internet, telephone and satellite traffic. The CSE said this week that it “does not have access to data in Prism.” [Source] [Federal watchdog laments having to ‘mop up’ after privacy violations] [Canadian spy watchdog has known about data-mining for seven years] [U.S. online snooping: What Canadians need to know] [Why Canadians Should Be Demanding Answers About Secret Surveillance Programs]

CA – New Treasury Board Policy Requires Reporting Every Data Breach

Treasury Board workers may soon have to report every data breach to the federal privacy commissioner, a change in policy that should come into effect by the fall. The policy change won’t spread to other departments that will still retain the right to not report data losses if they feel no serious privacy breach has occurred. In the fall, the Treasury Board will amend the government’s security policy to note that “security breaches may be privacy breaches” when personal information is or maybe compromised,” the briefing note says. “Reporting of both types of breaches will be mandatory to the Treasury Board Secretariat. We will coordinate amendments to the policy instruments relating to privacy and include mandatory reporting to the Privacy Commissioner at the same time,” the briefing note reads. [Source]

CA – NS Legislation Aims to Protect Health Privacy

The province said it is taking steps to keep Nova Scotians’ health information away from prying eyes. Under the Personal Health Information Act, members of the public whose information goes missing or is stolen from their doctor’s office, a nursing home, hospital or other health-care facility, will be notified immediately, health officials said in a news release. The act goes into effect this week. Patients may also access a list of those who’ve seen their private health information, and will be able to limit access to that information or withhold it, the release said. Hospitals, nursing homes, doctors, and several other bodies, including the provincial Health Department, are covered by the act. A staffer at such facilities will also be on hand to respond to privacy concerns, said the release. [Source]


US – $6M AOL Class-Action Approved

A federal judge has given “final approval to a class-action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public” in a case that “has become almost folklore in the privacy world.” The case stems from a 2006 incident where AOL employees released search query data from members for research purposes. “Although the members had been supposedly anonymized, some of them were re-identified based solely on the patterns in their searches,” the report states. The settlement includes $5 million payments to class members as well as almost $1 million in legal fees. [Mondaq]

US – More than Half Polled OK with NSA Tracking to Catch Terrorists

A full 56% of more than 1,000 people polled by Pew Research believe the NSA program is an “acceptable way” for the government to hunt for terrorists. Among 1,005 Americans surveyed by the Pew Research Center, 56% said they believe that tracking phone records is an “acceptable way” to investigate terrorists. Taking the opposite view, 41% consider the practice unacceptable, while 2% weren’t sure. Drilling further, 62% believe it’s important for the government to track down potential terrorist threats even if that affects personal privacy. On the flip side, 34% said the government should not interfere with the privacy of its citizens even if that limits its power to investigate possible threats. Finally, 45% think the government should be able to “monitor everyone’s e-mail and other online activities if officials say this might prevent future terrorist attacks,” while 52% said they were against this practice. Overall, the percentage of people on both sides of the fence is largely the same as it was in 2002, not long after the Sept. 11, 2001, terrorist attacks, according to Pew. [Source]


US – Woman Who Uncovered Patraeus Affair Files Suit

The Tampa, FL, woman whose complaints about cyberstalking exposed the David Patraeus affair has filed a lawsuit accusing federal officials of violating her privacy. The woman, Jill Kelley, and her husband are seeking an apology and unspecified damages, stating the officials who leaked data about them should have been protecting their privacy. “Instead we received highly hurtful and damaging publicity from willful leaks from high-level government officials that were false and defamatory,” Jill Kelley said in a statement. “In addition, we also learned that our personal e-mails were wrongfully searched and improperly disclosed.” [USA TODAY]

UK – Government “Hasn’t Kept Up With Privacy Enhancing Technologies”

The HOC Science and Technology Committee met for the first time to discuss the progress of the government’s Digital by Default strategy. During the session, the Committee heard from Dr Martyn Thomas CBE, the highly experienced software engineer, currently working with the Institute of Engineering and Technology. Discussing ID assurance, and software vulnerabilities with government digital services, Dr Thomas said that while some services are working effectively online, the government has “a lot to learn about real science and dependable reliance on software.” “The government keeps announcing policies that might come unravelled as a result,” he continued.The Digital by Default discussion was the first of an ongoing investigation by the Science and Technology Committee. [Source]

NZ – Privacy Review Finds Vulnerable Agency IT Systems

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches. KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes. The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board. The review – sparked by privacy breaches identified at Social Development Ministry kiosks in October 2012 – also found that many agencies could not provide documentation on whether or not there were vulnerabilities. Privacy Commissioner Marie Shroff said there are systemic weaknesses in the way privacy and security have been managed in the government sector. Ms Shroff said the review is a wake-up call for government agencies and welcomes the recommendations to improve information security. [Source]

US – South Carolina Proposes DMV-Controlled Electronic License Plates

South Carolina is considering a formal switch from regular license plates to solar-powered plates that will be electronically controlled by the state’s Department of Motor Vehicles. Compliance Innovations, the South Carolina-based company that wants to manufacture the plates and provide them to the state for less than $100 (the normal price is between $3 and $7), has provided a visual on their site. With one swipe of the mouse, a plain plate is emblazoned with bright red “EXPIRED.” In an effort to make the South Carolinian roads safer, supporters say the goal is to better advertise ‘criminal-status’ to the authorities. The DMV could electronically announce the offense on the license plate, easily broadcasting it to passing police cars. [Source]

UK – Survey Shows Public Trust In Government Protection of Digital Identity Data

A new survey has shown a significantly higher level of trust in government to handle the public’s digital identity data – which is part of the planned UK Online Identity Scheme. The figures show that a high level of support is present for the scheme – 91% support it. However, only 9% would put their trust in private companies to manage identity credentials. This is in contrast to the 61% that said they’d trust the government to handle their data. The report also showed the biggest swing in consumer security confidence since the annual survey began in 2007. [Source]


WW – Yahoo E-Mail Scans Not New Practice

Yahoo users will have their e-mail scanned so relevant ads may be sent to them isn’t actually news at all; the service provider has been doing so since 2011. “This is not about a new policy,” said Yahoo spokeswoman DJ Anderson. “We believe having personalized experiences benefits the user. If the user doesn’t want to have contextual-based or interest-based advertising, they can opt out of that through our ad interest manager.” Users may have simply become aware of the change when Yahoo recently informed users they will be required to upgrade to a newer version of Yahoo mail, which would require them to accept Yahoo’s terms of service and privacy policy. [CNET]

UK – BT Drops Yahoo as eMail Partner After Rise in Account Hijackings

UK telecommunications company BT has dropped Yahoo as its email provider following a growing number of customer complaints that their accounts were hijacked and used to send spam. Yahoo has been BT’s partner for subscriber email accounts. BT plans to move all six million accounts to its new BT Mail platform, which will be hosted by Critical Path. The accounts were vulnerable because Yahoo administrators had not applied a patch in the WordPress content management system that supported one of its blogs. [ArsTechnica] [ZDNet] [Telegraph]

CA – Commissioner Dismayed by Deletion of Emails in Cabinet Ministers’ Offices

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, has released the findings of her investigation into a complaint by Member of Provincial Parliament Peter Tabuns, who alleged the Chief of Staff to the former Minister of Energy had improperly deleted all emails concerning the cancellation of the Mississauga and Oakville gas plants. Over the course of the investigation, the Commissioner learned that in early 2013, staff in the former Premier’s office had approached the Secretary of Cabinet about how to permanently delete emails and other electronic documents. As a result, the scope of the investigation was expanded. At the root of the problems uncovered over the course of our wide-reaching investigation was the practice of indiscriminate deletion of all emails sent and received by the former Chief of Staff to the Minister of Energy. This practice violates the Archives and Recordkeeping Act (ARA) and the records retention schedule developed for ministers’ offices by the Archives of Ontario. This practice also undermines the transparency and accountability purposes of the ARA and the Freedom of Information and Protection of Personal Privacy Act (FIPPA). [Source]

US – Texas Passes Tough Email Privacy Law

Texas Gov. Rick Perry signed what has been called the toughest e-mail privacy bill in the country into law, meaning state law enforcement will need to get a warrant in order to search e-mail—no matter how old it is. The bill unanimously passed both houses of the state legislature before reaching Perry’s desk.

HB2268 surpasses the privacy protections under the federal Electronic Communications Privacy Act (ECPA), which allows warrantless searches of e-mails before they’ve been opened by the recipient and after they’ve been sitting unopened in an inbox for 180 days. Consensus is growing between government, industry and privacy advocates that this time-frame distinction is outdated and ECPA should be updated to require law enforcement to obtain a warrant before searching all e-mails, and in April, the Senate Judiciary Committee passed the ECPA Amendments Act, which would require just that. While this won’t stop federal law enforcement from gaining warrantless access, is Texas setting the precedent for ECPA reform here? The bill’s sponsor, Rep. John Frullo (R-Lubbock) says that the legislation “allows Texas to join other states in making sure law enforcement agencies are able to obtain critical evidence when criminals are using the Internet to commit crimes.” [Courthouse News]


US – Judge Stays Decryption Order in Feldman Case

A federal judge in Wisconsin has stayed a magistrate’s order that would have forced Jeffrey Feldman to decrypt 16 devices which authorities believe contain child pornography. US District Judge Rudolph Randa’s ruling came one day after US Magistrate William Callahan Jr. issued the decryption order. Callahan stepped aside and Feldman’s case was reassigned to Randa after Feldman’s attorney argued successfully that only District Court judges have the authority to issue decryption orders. Feldman’s attorney argued that the decryption order would force her client to build the government’s case against him. [WIRED] [WIRED] [ArsTechnica] [Defense Filing] [Stay of Previous Order]

EU Developments

EU – Ministers Mulling Exemptions to Rule

EU Justice Ministers will today consider granting EU institutions “a sweeping exemption” from new data protection rules that would require the institutions to employ a data protection officer and consult the European Data Protection Supervisor. The European Commission says the rule is currently stricter than general rules on data protection. The exemption would apply after the new regulation is passed, but would include the stipulation that the commission update existing law to bring it in line with the revised regulation. [EurActiv] SEE ALSO: [The Proposed EU Data Protection Regulation: Historic Privacy Framework or Swiss Cheese?]

UK – ICO Publicizes Concerns on Draft Data Protection Regulation

Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK ICO has published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation. The key source of the Commissioner’s concerns is that the prescriptive nature of the Regulation will impose a significant additional administrative burden on regulators.  Coupled with the abolition of notification fees, the ICO’s current source of funding, the Commissioner suggests the ICO would no longer be able to intervene on the basis of risk and proportionality, and that this would make it less effective. Aspects of the Regulation which the Commissioner identifies as being of particular concern are:

  • The emphasis on punishment and sanctions at the expense of awareness raising and education
  • The requirement for all data breaches to be notified to Data Protection Authorities, rather than just those that pose significant risk
  • Prior authorization to be required for international transfers where this is not required under current regime
  • Limited discretion for Data Protection Authorities over administrative sanctions, which are imposed on the basis of process failures rather than privacy risks
  • Participation in a consistency mechanism that is insufficiently risk-based and contains unrealistic time limits [Source]

EU – French Government Has Serious Reservations About Draft EU Regulation

According to Fleur Pellerin, the French Minister for Digital Economy, the Minister of Justice has rejected the latest version of the draft EU Data Protection Regulation.  In Parliamentary questioning on 11 June, the Minister confirmed the French Government’s commitment to ensuring adequate protection of personal data, but stated that the French Government’s opposition is based on the current concept of “one stop shop” for data controllers established in more than one Member state of the European Union. This position follows the CNIL’s expression of concern because of the potential difficulties data subjects could face in submitting complaints to a foreign data protection authority. On the topic of international transfers, the Minister for Digital Economy also mentioned the fact that the French Government called the current international transfers safeguards “not satisfactory at all” and, in particular the Safe Harbor system which has been described as “less protective than the European framework.” [Source]

EU – Council of the EU Releases Draft Compromise

The Council of the European Union has released a draft compromise text in response to the European Commission’s proposed data protection regulation. The text narrows the scope of the regulation and “seeks to move from a detailed, prescriptive approach toward a risk-based framework.” In this exclusive for The Privacy Advisor, Centre for Information Policy Leadership President Marty Abrams and Wilson Sonisini Senior of Counsel Christopher Kuner both share their insights of this latest development, which has some privacy advocates up in arms. [Hunton & Williams’ Privacy and Information Security Law Blog]

EU – Sweden to Pay for Failure to Implement Directive

The Court of Justice of the European Union has held that Sweden failed to fulfill its obligations under EU law when it comes to implementing the EU Data Retention Directive. Sweden has been ordered to pay 3,000,000 euros. In 2010, the court found Sweden failed to transpose the directive into national law by its September 2007 deadline. Sweden complied in 2012 after internal debate over balancing privacy rights with the need to combat crime, but the commission ruled such difficulties did not justify failure to comply. [Hunton & Williams Privacy and Information Security Law Blog]

EU – Archivists Lobby Against Right To Be Forgotten

A group of French archivists is lobbying to keep personal data flourishing online in the face of the EU data protection draft’s “right to be forgotten” provision. Jean-Phillipe Legois, president of the Association of French Archivists says, “Today, e-mail, Facebook, Twitter, this is the correspondence of the 21st century. If we want to understand the society of today in the future, we have to keep certain traces.” The archivists have introduced a petition to present to the European Parliament. The petition has thus far received almost 50,000 signatures. Meanwhile, the French government has rejected the latest version of the draft regulation. [New York Times] See also: [Commentary: Will the Right To Be Forgotten Lead to a Society That Was Forgotten?]

UK – Council Fined for Data Breach

A UK Council has been fined for breaching the Data Protection Act. The council has been ordered to pay 70,000 GBP after a council employee sent a letter including personal details about an adopted child to a birth mother. The breach was caused by the council’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.” [eSecurity Planet]

UK – ICO Funding Cited as Problem

The Information Commissioner’s Office (ICO) has revealed there is a high probability the agency will not have enough funding to accomplish its goals. The ICO risk register released late last week noted, “the ICO does not have enough funding to meet its obligations, the expectations of its stakeholders or achieve its plan,” adding, “In consequence, it (would have) to scale back what it wants to do and fails to deliver an acceptable level of service.” The agency has informed the government it needs more resources and has expressed concern that the proposed EU data protection regulation may have an impact. [Information Age]

UK – ICO fines Glasgow City Council for Unencrypted Laptops Loss

The ICO has fined Glasgow City council £150,000 following the loss of two unencrypted laptops – one of which contained the personal information of 20,143 people. The breach of the Data Protection Act, which happened on 28 May last year also included details of businesses adding up to a total of 38,000 affected individuals and organisations. It also follows a previously issued enforcement notice from three years ago – following similar breach involving an unencrypted memory stick. The two laptops were stolen from the council’s offices, which were being refurbished at the time – one laptop had been locked away in a storage drawer, with the key placed in an unlocked drawer where the second laptop was kept. One laptop contained the council’s creditor payment history file. The ICO issued the fine following an investigation that found the council had issued a number of staff with unencrypted laptops after encountering problems with the encryption software. Most of the devices were later encrypted, but the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for – at least six of these are known to have been stolen. Ken Macdonald, the ICO’s Assistant Commissioner for Scotland said: “How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised. The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for managers to receive asset management training. [Source]

UK – Public Services Ombudsman for Wales Wants More Privacy Power

Wales could become the first UK nation to have an independent watchdog with the power to stop the publication of some of its reports and to prosecute those who go against its wishes. Public Services Ombudsman Peter Tyndall wants more confidentially powers to protect vulnerable people. It would mean complainants could face contempt of court charges if they go to the media. But some warn it would mean less transparency. Mr Tyndall has legal powers to review complaints about public services such as hospitals or councils in Wales. Reports following an investigation are always anonymous with names of complainants and those associated with the complaint always removed. Currently, the ombudsman can choose not to publish reports but he does not have the power to stop a complainant speaking to the media. [Source]

US – Publishers Ask DC to Help Stop Cookie-Blocking Plan

About 60 small online publishers gathering in Washington, DC, as part of an Interactive Advertising Bureau (IAB) event are seeking “to persuade lawmakers to put more pressure on Mozilla to change its plans for blocking third-party advertiser cookies by default in its Firefox browser.” The IAB’s Mike Zaneis said, “The Mozilla plan has galvanized the small web community. They haven’t been as passionate about policy issues as they are this year.” Mozilla has announced the default cookie-blocking will not be included in its July release, but “small Internet websites still feel threatened,” the report states. [AdWeek]

EU – Spanish DPA Releases Guidance on Cookies Regulation

On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed.  The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements. [Source]

Facts & Stats

WW – Where do People Overshare Most Online? Hint: It’s not the U.S.

24% of global social media users share “everything” or “most things” online, according to a recent survey by marketing research firm Ipsos. But a few countries beat that average several times over: In Saudi Arabia, the clear frontrunner in the survey, more than 60% of respondents said they regularly pour out their feelings, photos and videos to their virtual friends. Those numbers stay pretty consistent across age groups and classes, Ipsos found. In fact, people older than 50 are the most likely to say they share “everything” online. Business-owners and executives — many of whom are likely both educated and prosperous — also lean toward oversharing. There seems to be a clear relationship between “oversharing” and Internet penetration: Nearly all the countries that overindex are in Asia, Africa and Latin America, where penetration is low; meanwhile, almost all the countries that “undershare” are in Europe, where more people are online. A report earlier this year by Saudi social media firm The Social Clinic found that Twitter usage in Saudi Arabia grew by 3000% in 2011 alone, about 10 times the global average. Facebook and YouTube have also seen growth in the double and triple digits: Facebook is now, per The Social Clinic, the third-most visited site in the KSA, and Saudi Arabians watch more YouTube videos than people in any other country. This becomes especially striking — almost unbelievable — when you consider that Saudi Arabia has only 28 million people. [Source and illustrations]


US – Gov’t Says Firms Can Open Up; Obama Defends NSA Programs

The U.S. government has said that U.S. tech firms may publish government requests for user data but can only do so when combined with state and local government requests. In our continuing coverage of the National Security Administration surveillance program leaks, we look at responses from Google, Apple, Facebook and Microsoft as well as reactions from President Barack Obama, who has defended the programs, Sen. Mark Udall (D-CO), who plans to introduce legislation that would curb some government data collection and how one lawsuit could break new legal ground. [Source] SEE ALSO: [California Makes A Move To Further Separate The Public From Its Public Records]

US – Machine-Readable Format Helps Disseminate Essential Info in Emergencies

Google and other technology companies told a panel of US lawmakers that providing emergency information in open formats will help drive it to top search results where people who need it will be most likely to find it. In the days surrounding last year’s Hurricane Sandy, Google received roughly 15 million queries for information about the storm, while the Federal Emergency Management Agency’s pages with Sandy information received 740,000 visitors. Government agencies often release pertinent information as PDFs and other formats do not make it to the top of search results, where they could do the most good to people looking for relevant information such as the projected path of a storm, shelter locations, and other emergency services. [NextGov]


US – Privacy Is Major Hurdle for Research Group

A group of geneticists have established a consortium aimed at creating database of genetic and clinical data that could be accessed by doctors and researchers across the globe. Experts from the consortium say the major challenge is a lack of standards for storing and sharing data and for assuring that patients consent to this sharing of their data. “The question is whether and how we make it possible to learn from these data as they grow, in a manner that respects the autonomy and privacy choices of each participant,” said David Altshuler of Harvard and MIT. The group consists of more than 70 medical, research and advocacy organizations active in 41 countries. [The New York Times] [Accord Aims to Create Trove of Genetic Data]

US – DNA Samples May Be More Identifiable Than Thought

While research subjects are often told that the DNA sample they’ve provided for the sake of science is not identifiable and their anonymity will be preserved, “geneticists nationwide have gotten a few rude awakenings, hints that research subjects could sometimes be identified by their DNA alone or even by the way their cells were using their DNA.” Such revelations are particularly concerning following the announcement that nearly 80 researchers want to combine the world’s DNA databases to make it easier for researchers to retrieve and share such data. Meanwhile, local law enforcement agencies across the U.S. have begun amassing their own DNA databases. [The New York Times]

US – Supreme Court Rules Police Can Take DNA

The U.S. Supreme Court has ruled police can take DNA swabs from individuals upon arrest without warrant. In a “sharply divided” 5-4 ruling, the majority said DNA testing is a legitimate police procedure. Justice Anthony Kennedy said, “Taking and analyzing a cheek swab of the arrestee DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment.” Four dissenting justices argued that the ruling gives police new powers. Justice Antonin Scalia said, “Make no mistake about it: Because of today’s decision, your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason.” [The Associated Press] SEE ALSO: [The Art of Turning Discarded Chewing Gum Into Your Portrait]

US – Supreme Court Ruling on DNA Swabs Could Lead to Big Brother Scenario

Police making warrantless arrests are now justified in using another identification tool: the DNA swab. That’s according to a 5-to-4 decision by the U.S. Supreme Court, which ruled law enforcement officers can use a buccal swab, a way of collecting DNA from the cells inside a person’s cheek, as part of their standard booking procedure for inmates. Maryland Attorney General Doug Gensler, who calls DNA collecting “the fingerprinting of the 21st century,” says the ruling will help police match unresolved crimes with their perpetrators. Despite the practice’s benefits, the ruling has also drawn serious concern from privacy experts, who worry the swab could create an incentive for police to arrest more people, or lead to the use of people’s DNA for non-judicial purposes, such as government tracking of individuals. Supreme Court Justice Antonin Scalia shares privacy concerns. In an angry dissenting opinion he read aloud in court, Scalia said: “Make no mistake about it: because of today’s decision, your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason.” [Source]


US – Judge: Google Must Hand Over Data; EFF, Facebook Call for User Privacy

District Judge Susan Illston has ordered Google to hand over data requested in 19 National Security Letters (NSLs), noting, however, that “Illston all but invited Google to try again, stressing that the company has only raised broad arguments, not ones ‘specific to the 19 NSLs at issue’.” In a separate privacy issue, Google Glass will not include facial recognition technology at this time, the report states. Meanwhile, the Electronic Frontier Foundation (EFF) has filed an amicus brief in a California appellate court “urging the court to protect the privacy rights of social media users by requiring that all requests for their account information—including content—be directed to the users, rather than to third parties like Facebook.” [Network World]

US – Judge Says Google Must Comply with National Security Letters

A federal judge in California has denied Google’s request to modify or nullify 19 National Security Letters (NSLs). US District Judge Susan Illston ordered Google to comply with 17 of the letters after FBI officials submitted secret affidavits and has asked that the government “provide further information” about the other two before she makes a decision about them. In March, Judge Illston ruled that NSLs are unconstitutional because “the non-disclosure provision … violates the First Amendment.” The US government has appealed that ruling. Illston’s noted that her most recent ruling was made because Google had provided broad arguments as to why the letters should be thrown out or modified, and suggested that Google try again with “specific [information] to the 19 NSLs at issue.” National Security Letters allow the FBI and the US Department of Justice (DOJ) to request information about individuals from telecommunications companies; the vast majority of the letters also impose a gag order, so that the company from which the information is requested cannot acknowledge the letter’s existence, and the person whose information is requested cannot challenge the order. The NSLs can be served without judicial oversight. [CNET] [ZDNet] [InfoSecurity] [March Decision]

Health / Medical

US – HIPAA Loopholes Allow States to Sell Identifiable Data

HIPAA loopholes are resulting in the compromise of patient privacy. States are collecting medical data and selling it to researchers and other third parties. Discharge information is exempt from HIPAA privacy rules requiring the removal of 18 patient identifiers, for example. While many states remove the identifiers for discharge data anyway, Washington does not. “While the Office for Civil Rights hasn’t reported any complaints on the matter, the amount of discretion that’s allowed toward states when it goesto de-identifying data is an interesting privacy conversation,” the report states. [HealthITSecurity]

US – Audits Show Risk Assessment Requirement Not Being Met

The HIT Policy Committee’s Privacy and Security Tiger Team is considering methods other than attestation to call greater attention to the importance of risk assessments in HIPAA Security Rule requirements in HITECH Stage 3. Tiger Team Chair Deven McGraw says many healthcare providers are falling short on conducting timely risk assessments, noting that based on HIPAA audits the risk assessment requirement “is still not being met.” Meanwhile, A HealthITSecurity report questions where fine money resulting from HIPAA security audits is going. [GovInfoSecurity]

US – HHS Publishes HIPAA Administrative Simplification Provisions

The Department of Health and Human Services (HHS) has published an integrated version of the HIPAA Administrative Simplification Regulations, including sections on identifier standards, privacy rule, security rule, enforcement rule and breach notification rule, among others. Wiley Rein Partner Kirk Nahra, said this gives people “one place to put all these developments together. It’s not a ‘substantive’ development, but it makes figuring out what needs to be done and how the rules all fit together a bit easier.” Nahra noted the information will assist covered entities and business associates moving toward the September 23 deadline for compliance with the final omnibus rule. [HHS]

US – EPIC Issues Guidance to HHS for Mental Health Data

The Electronic Privacy Information Center (EPIC) has issued recommendations to the Department of Health and Human Services (HHS) about what it should do regarding releasing mental health data to the National Instant Criminal Background Check System. The recommendations put more onus on states to protect mental health data, stating “HHS should not amend the HIPAA Privacy Rule until the Department of Justice revises its Gun Control Act regulations” to define the standards prohibiting individuals from “shipping, transporting, receiving or possessing firearms.” [HealthIT Security]

US – States’ Hospital Data for Sale Puts Privacy in Jeopardy

Hospitals in the U.S. pledge to keep a patient’s health background confidential. Yet states from Washington to New York are putting privacy at risk by selling records that can be used to link a person’s identity to medical conditions using public information. The potential for a patient’s hospital record to be made public by anyone buying data compiled by states adds to ways privacy is vulnerable in an age of digitized health record keeping and increasingly sophisticated hacking. [Source]

US – FDA Issues Cybersecurity Guidance for Electronic Medical Devices

The US Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical devices. The FDA is urging manufacturers of these products to incorporate measures to protect them from malware and attacks, suggesting that the agency might not approve devices that haven’t taken cybersecurity into consideration. The FDA’s recommendations follow news of security issues in certain fetal monitors and software used in body fluid analysis. The agency also recommended that health care providers improve their cybersecurity practices, as it has noted instances in which passwords were widely distributed or even disabled on software that is supposed to have limited access. There are also reports that health care providers have not applied security updates “in a timely manner.” There is no evidence that medical devices are being targeted, and there have been no reports of patients injured or killed as a result of cybersecurity issues. [ComputerWorld] [FDA’s Cybersecurity for Medical Devices and Hospital Networks] SEE ALSO: [ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in Medical Devices | Source | Source]

Horror Stories

US – Hospital Chain to Settle Suit for $275K

Canadian hospital chain Prime Healthcare has agreed to settle for $275,000 a U.S. federal investigation into alleged privacy violations. Prime’s Shasta Regional Medical Center was accused of violating patient confidentiality by sharing a patient’s medical records with journalists and e-mailing her treatment details to almost 800 hospital employees. While the company agreed to the settlement, it admitted no wrongdoing and claims it “would have prevailed in this matter based upon the merits.” California regulators fined Prime $95,000 for this breach last year, but the company says it plans to appeal that fine. [Los Angeles Times] SEE ALSO: [Breach Stats and Implications: A Roundup] and [ON: Hospital defends private records]

Identity Issues

US – Multi-Factor Authentication May Someday be Available as Tattoos and Pills

Motorola Mobility has demonstrated two authentication technologies that remove the need for people to carry around devices for two-factor authentication. The first is an electronic tattoo, a flexible, water-resistant sticker that lasts for several days. The second is a capsule that people can swallow daily. Its components are activated by stomach acids to emit a signal. Motorola said that the US Food and Drug Administration (FDA) has cleared the pill authentication technology for human use. [ArsTechnica] [v3.co.uk] [The Register] See also: [Emily Harris, 9-Year-Old Girl, Clears Customs With Toy Passport Identifying Her As Unicorn]

Intellectual Property

US – EFF Challenges Including of DRM in HTML5 Specifications Draft

The Electronic Frontier Foundation (EFF) has registered a formal complaint with the World Wide Web Consortium (W3C) regarding the proposed inclusion of digital rights management (DRM) in a draft of HTML5 specifications. The EFF maintains that the DRM technology, which is called the Encrypted Media Extension (EME), will erode online freedom. The EFF says that “existing web standards already permit equivalent functionality.” [The Register] [NetworkWorld] [EFF’s Complaint]

Law Enforcement

EU – Legislation Would Allow Police to Place Spyware on Suspects’ Devices

Draft legislation from Spain’s ministry of justice would give police the authority to remotely install spyware on computers, storage devices, and mobile devices being used by suspected criminals. The spyware would be installed only on devices physically located in Spain, and only when suspects are allegedly involved with terrorism, organized crime, or other serious offenses that carry at least a three-year prison sentence. The legislation as currently drafted raises some serious privacy issues: the spyware would give authorities access to data as well as account passwords. It would also affect people who share the targeted device with the suspect. [ZDNet]

US – NJ Bill Allowing Police to Search Cell Phones of Drivers Raises Concerns

Proposed legislation would allow police in New Jersey to search the cell phones of drivers involved in accidents to determine if they were texting or talking at the time of a crash. The measure is raising some constitutional concerns. Seton Hall law professor Jenny Carroll questions whether police seizure of the phones is a violation of a driver’s right to privacy. “To the extent that the Legislature may be able to argue that the driver has ceded some of his privacy interests by being in that accident, you can’t make that argument for the third party whom the driver was potentially in communication with,” she said. “And I think that is potentially an issue the Supreme Court is going to have to address as well.” Carroll says there have been conflicting lower court rulings on the constitutionality of similar laws enacted in Ohio, Florida, Washington, and California. Opponents also wonder how police would be able to determine if a phone was being held at the time of a crash or was being legally operated in hands-free mode. The American Civil Liberties Union of New Jersey also opposes the measure, saying it infringes on privacy rights and is likely to face a constitutional challenge. [Source]

US – Prosecutors’ Use of Mobile Phone Tracking is ‘Junk Science,’ Critics Say

At his trial last year on federal kidnapping and conspiracy charges, prosecutors sought to introduce cell tower evidence purporting to show that calls placed from defendant Antonio Evans’ cellphone could have come from his aunt’s house, where the victim was thought to have been held for ransom. What made the Evans case unusual was the fact that the defense even put up a fight to keep the cell tower evidence out of the trial. Evans’ lawyers said the technique has not been shown to be scientific. U.S. District Judge Joan H. Lefkow of Chicago took an in-depth look at the cell tower evidence the government was proposing to use and found it wanting. The judge wrote that an FBI special agent’s “chosen methodology has received no scrutiny outside the law enforcement community.” As a result, the court concluded that the government had not demonstrated that testimony was reliable. In 2011, the nation’s nine largest cellphone carriers responded to 1.3 million requests for subscriber information of all kinds, including cell tower records, from law enforcement officials, according to data compiled by a congressional committee. Cell tower records, also known as call detail records, are the billing records cell companies use to keep track of their customers’ calls. They show the date and time of all calls made or received, the numbers called, the duration of each call, and the cell towers used to begin and end a call. And those requests have been rising at an annual rate of 12% to 16% in the past five years. [Source]


US – US Agency Cracks Down on Medical Device IT Security

An American regulatory agency believes medical device manufacturers have to get tougher with IT security on anything that touches the Internet or a wireless network. The Food and Drug Administration (FDA) issued draft guidelines for vulnerabilities that electronic health equipment manufacturers should be addressing about before submitting products for approval. Aafter hearing comments from industry and the public the guidelines will be finalized and the FDA will have the power to refuse to approve devices if manufacturers don’t provide adequate plans for protecting their devices. [Source]

US – Court: Robber Has No Right of Privacy Against GPS Search of Stolen Phone

A person who steals a cellphone doesn’t have a privacy right that would prevent police from using global positioning to find the phone and arrest him, a state appeals court ruled in San Francisco. A three-judge panel of the Court of Appeal unanimously upheld the conviction of Lorenzo Barnes and sentence of 13 years and eight months in prison for a 2009 armed robbery in San Francisco. “Did defendant have a legitimate expectation of privacy in the cellphone he had stolen? The answer is an emphatic ‘no,’” Justice James Richman wrote in the court’s decision.Richman cited a 2005 decision in which the 9th U.S. Circuit Court of Appeals said, “The Fourth Amendment does not protect a defendant from a warrantless search of property that he stole.” Richman also noted that the arrest was based on a combination of the cellphone pinging and the victims’ description of the stolen purse and the suspect.That information taken together provided the officers with “ample reasonable suspicion for a detention,” the appeals court said. [Source]


JP – Japan Applies to Take Part in CBPR

Japan’s Ministry of Economy, Trade and Industry has announced the government’s June 7 application to participate in APEC’s Cross-Border Privacy Rules. “Japan applied for participation in the system, following the United States and Mexico,” the announcement states, noting, “In the future, if Japan is admitted to the system and the neutral certification organization is authorized, enterprises and other entities certified by this organization will be able to prove that the handling process of private information in their companies is compatible with the APEC Information Privacy Principles.” The division in charge of the application is the Office of International Affairs, Information Policy Division, Commerce and Information Policy Bureau. [Source]

Online Privacy

EU – French Court Orders Twitter to Disclose Names

A French case “threatens to undermine” Twitter’s record of keeping user identities private and raises questions about how non-U.S. rulings against U.S. companies will be enforced. The report references a French court’s ruling this week ordering “Twitter to disclose the names of users who tweeted anti-Semitic remarks,” noting the court determined “Twitter was ultimately responsible for the content on its website.” The report questions the enforceability of the law, noting “Twitter says it tries to comply with all local country laws” but “has made it clear it will default to American laws,” while the French ruling states that “adhering to French law is not optional.” [San Francisco Chronicle]

WW – Opera Releases Mobile Browser With Privacy Built-In

The Norwegian browser developer Opera announced this week the release of Opera Mini 4.5, a low-end mobile browser intended for “featurephones.” Notably, it has a built-in private setting that keeps any login or data from being saved to the phone. For example, friends can log in and check Facebook without worries their log-in information will be retained. [GigOm]

Other Jurisdictions

WW – UN Report: State Surveillance Violates Rights to Privacy, Expression

The UN Office of the High Commissioner of Human Rights drew attention today to its recent report indicating state communications surveillance undermines the human rights to privacy and freedom of expression. “Concerns about national security and criminal activity may justify the exceptional use of communications surveillance,” said UN Special Rapporteur Frank La Rue. “Nevertheless, national laws regulating what constitutes the necessary, legitimate and proportional state involvement in communications surveillance are often inadequate or simply do not exist…Who are the authorities mandated to promote the surveillance of individuals? What is the final destiny of the massive amounts of the stored information on our communications? These questions urgently need to be studied in all countries to ensure a better protection of the rights to privacy and the right to freedom of expression.” [UNHR]

NZ – Media Release: Websites Leave Children and Parents Guessing

A recent scan of NZ school websites and some popular children’s game sites showed there is often no information given to users about how their personal information collected via the site will be used and shared. The scan was part of an international “internet sweep” day, involving the New Zealand Privacy Commissioner and other overseas data protection offices in the Global Privacy Enforcement Network (GPEN). The amalgamated international results from the GPEN internet sweep will be available in coming months. Further international and domestic action to encourage improved information for website users will be considered once final results of the sweep are known. [Source]

Privacy (US)

US – Should Political Campaigns Distribute Voter Data?

In the 2012 Presidential race, the Obama for America 2012 campaign wanted to send e-mail messages to supporters asking them to contact other potential supporters and provide personal information in order to facilitate such action. The campaign decided against it in the end. “We couldn’t do the whole experiment we wanted to do, because people were really worried about sending out personal information over e-mail,” said Rayid Ghani, chief scientist of the campaign. Ghani was one of the political advisers who spoke at a recent conference on political campaigns’ use of data mining [MediaPost]

US – Largest Privacy Class-Action Suit Ever?

Digital analytics firm comScore is the target of what could be the largest privacy class-action lawsuit ever, potentially amassing tens of millions of plaintiffs. A Chicago appellate court denied comScore’s request to overturn a lower court ruling on allegations the company’s software violates the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Illinois Consumer Fraud and Deceptive Practices Act, the report states. ComScore says it will fight the allegations and that the case is filled with inaccuracies, noting, it has had little opportunity to “educate the court” on its practices. The plaintiffs are seeking injunctive relief and damages of $1,000 per violation. [AdWeek]

US – Veterans Affairs Taken To Task Over 2010 Breach

House Committee on Veterans Affairs (VA) Chairman Jeff Miller (R-FL) and Ranking Member Michael Michaud (D-ME) sent a letter last week to VA Secretary Eric Shinseki demanding answers to a number of questions raised during a recent committee meeting regarding hacking by foreign nationals of the VA computer network in 2010. Will the VA be offering credit protection services to every veteran and dependent in its database? Why are there discrepancies in how the breach is being described at differing times? Why was Congress apparently not notified of these security compromises? “The fact is that we don’t know what they took but I believe (the VA) had a responsibility to the men and women who served this country to notify them at the point that they knew they were hacked,” Rep. Mike Coffman (R-CO) told Federal News Radio.

US – LinkedIn Seeks Second Dismissal of Class-Action Suit

U.S. District Court Judge Edward Davila is for the second time this year considering a class-action suit brought by Virginia resident Khalilah Wright against LinkedIn, alleging the company duped premium subscribers by implying there would be extra security for those paying more and that they would not be exposed to the kind of breach that resulted in 6.4 million users having their passwords posted online. Wright’s first suit was dismissed in March , as Davila ruled she failed to show a connection between her extra dues and the implied extra security. Wright is back now with an expert who’s conducted a survey showing subscribers expect extra security for extra membership fees. [MediaPost News]

US – Lawyer Taking Street View Case to Appeals Court

The U.S. Court of Appeals for the Ninth Circuit will this week hear arguments aiming to bring sanctions against Google over its collection of personal data from WiFi networks via its Street View mapping project. “Although these home networks were not password-protected, the communications transmitted over them were private and not broadcast for public consumption,” Elizabeth Cabraser writes in her appellate brief. “Such communications are protected from prying eyes by the Wiretap Act, as amended by the Electronic Communications Privacy Act.” Google attorneys say the data upload was unintentional and not illegal because anyone can access unencrypted WiFi signals. [The Recorder]

US – Biz Concerned About COPPA Compliance

When it comes to complying with COPPA changes going into effect July 1, “Industry advocates paint a dire scenario of costly audits, abandoned projects and disrupted business models,” while privacy advocates and the FTC “view the expanded rules as vital to protecting kids.” The changes include requiring additional types of companies to get parental consent before collecting information from children under the age of 13. Additionally, the changes broaden the definition of personal information, which will now include photographs and videos. DLA Piper’s Jim Halpert suggests, “The proposed rule will likely dry up the market for behavioral advertising on child-directed sites.” [POLITICO]

US – Legislators Seek to Declassify FISA Court Opinion

US lawmakers have proposed legislation that would declassify some opinions from the Foreign Intelligence Surveillance Court, following the leak of information that indicated the court has been ordering telecommunications companies to turn over customers’ call records. Specifically, the bill seeks to require that the Justice Department declassify the FISA Court’s interpretations of the Foreign Information Security Act and the Patriot Act. On June 12, the FISA Court “granted a motion not to block disclosure of an earlier … opinion that declared parts of the NSA’s surveillance under Section 702 of the FISA Amendments Act to be unconstitutional.” The Electronic Frontier Foundation filed the motion in May. [ArsTechnica] [WIRED] [ComputerWorld] [US Courts.gov]

US – Google Wants to Disclose Data on FISA Court Orders

Google, Facebook, Microsoft, and Yahoo have asked the Justice Department to lift gag orders that prohibit the companies from discussing FISA Court orders requesting customer data. Google and other companies have begun publishing data about the number of national security letters (NSLs) they receive annually, although those figures are given in ranges of thousands, which was the agreement reached with government. NSLs may not request content, but FISA Court orders are not bound by the same restrictions. Google wants to publish the data to support its assertion that it does not allow the NSA to gather information through a secure portal or put the requested data in a drop box for federal agents to retrieve, as has been reported. Google has a team that reviews every FISA order. Typically, the company delivers the requested information by hand or sends it to the requesting organization through secure FTP transfers. Hand-delivered data would likely be hardcopy or put on a memory disk or external hard drive. [Washington Post] [WIRED] [WIRED] [NPR.org] [Washington Post] [ZD Net]

US – Small Internet Businesses Head to Hill With Mozilla Topping Agenda

Small Internet publishers have been to Washington before to tell their story, but this time they are gathering with a singular purpose: to persuade lawmakers to put more pressure on Mozilla to change its plans for blocking third-party advertisers cookies by default in its Firefox browser. As many as 60 small Web companies will be visiting lawmakers this week as part of the IAB’s annual Long Tail Alliance Fly-In. Even though it’s the group’s fifth year on the Hill, this year they are more determined than ever to be heard. “The Mozilla plan has galvanized the small Web community. They haven’t been as passionate about policy issues as they are this year,” said Mike Zaneis, svp and general counsel of the IAB. “It’s an intermediary meddling in the business.” Although Mozilla announced earlier this month that it wouldn’t implement the default cookie blocker in its July release until it did more testing, small Internet websites still feel threatened. With fewer than 10 employees, often three-person operations, small Web publishers like JoyofBaking.com and Ikeafans.com depend on advertising revenue from ad networks and can’t afford to be cut off. Ahead of the trek to D.C., more than 960 ad-supported Internet businesses have signed a petition on the Interactive Advertising Bureau’s website, warning Mozilla that if it goes ahead with the cookie-blocking browser, many of them will be forced to close. Already, four GOP lawmakers, Reps. Mike Pompeo (Kan.), Marsha Blackburn (Tenn.), Walter Jones (N.C.) and Jeff Denham (Calif.), sent a letter to Mozilla urging it to commit to not blocking third-party cookies by default because it would favor large Web publishers to the detriment of smaller ones. “The third-party cookies that Mozilla Firefox would block are what allow the U.S.-based Internet publishing industry to sustain original, free content on thousands of small business websites in every corner of America,” the four lawmakers wrote. [Source]


US – Oregon Passes RFID Privacy Bill

Oregon, HB 2386 A, “Relating to radio frequency identification devices; and declaring an emergency,” is currently awaiting Governor John Kitzhaber’s signature. The law, if signed, would require students or parents of students to be notified if RFID devices are to be used to track students in any way. Further, the law would allow students or parents of students to opt out of wearing or carrying any item using RFID technology. The State Board of Education is tasked by the law to create standards for all local school boards that incorporate these mandates. No school district may employ the use of RFID technology without notifying the State Board first, until the standards are in place. [Bill]


US – NSA Leaks Increase EU-U.S. Tensions

The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. The Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.” The Privacy Advisor’s continuing coverage of the recent leaks also looks at recent revelations by Google of how it shares user data when it receives national security requests, and more. [Financial Times]

US – Sen. Asks PCLOB to Investigate NSA Programs

At a Senate Appropriations Committee hearing on Wednesday, Sen. Tom Udall (D-NM) said he has sent a letter, with bipartisan support, to the Privacy and Civil Liberties Oversight Board (PCLOB) asking it to “make it a priority” to investigate the National Security Agency’s (NSA) dragnet phone surveillance and PRISM programs to determine whether they were “conducted within the statutory authority granted by Congress” and “take the necessary precautions to protect the privacy civil liberties of American citizens under the Constitution.” He also asks NSA General Keith Alexander if the NSA will work with the PCLOB. The Privacy Advisor, in this exclusive, reports on the investigation and the NSA head’s defense of its programs. [Source] [PCLOB To Meet on NSA Revelations] [Will the NSA Leaks Be a Boon for Privacy Technology?]

US – First Lawsuit Filed Over NSA’s Surveillance of Verizon Data

A lawsuit had been filed against Verizon, the NSA, President Barack Obama, Attorney General Eric Holder and others over the constitutionality of the NSA’s wide surveillance program, which was disclosed late last week. The lawsuit alleges that the surveillance program violates the US Constitution as well as a number of federal laws. [WIRED]

US – ACLU Asks FISA Court on Constitutionality of Section 215 of Patriot Act

The American Civil Liberties Union (ACLU) has filed a motion asking that the Foreign Intelligence Surveillance (FISA) Court “unseal its opinions evaluating the meaning, scope, and constitutionality of Section 215 of the Patriot Act.” That section allows the court to issue national security letters (NSLs) at the request of the government, which has to demonstrate only that the information sought is relevant to an “authorized investigation.” Senators Mark Udall (D-Colorado) and Ron Wyden (D-Oregon) last year wrote Attorney General Holder, requesting the declassification of the secret court ruling allowing the broader surveillance powers. [WIRED] [ACLU]

US – NSA Whistleblower Edward Snowden

Edward Snowden, who leaked the information about the NSA’s data gathering practices, is currently in Hong Kong. Snowden is a former CIA technical assistant and more recently worked as a contractor for the NSA through Booz Allen Hamilton. One of the Guardian journalists who originally reported the story said that Snowden is hoping to obtain asylum in Iceland because of the way that country dealt with WikiLeaks. Icelandic law requires that asylum applications be made from within the country. Snowden told The Guardian that “the government has granted itself power it is not entitled to. There is no public oversight.” He also said that he “do[es] not expect to see home again.” [CNN] [ArsTechnica] [Guardian] [Interview with Snowden]

US – Verizon and PRISM Defended

President Obama said that the program gathering data from Verizon is legal and that “nobody is listening to your telephone calls.” As for PRISM, President Obama said that the Internet and email information gathered “does not apply to people living in the United States.” Director of National Intelligence James R. Clapper said that “the information acquired [through the Verizon order] does not include the content of any communications or the identity of any subscriber.” Clapper also noted that the programs were reviewed by a court and were found to be legal. While some US lawmakers have decried the fact of the broad information gathering conducted by the government on its own citizens, many others appear reluctant to make changes to the current laws that allow the harvesting of information from Verizon and nine Internet companies. Legislators from both parties noted the benefits of the program. [NextGov] [CSO Online] [NextGov] [InformationWeek] [ZDNet] [Viviane Reding, the justice commissioner of the European Commission will be raising these concerns at a meeting with the US Attorney General, Eric Holder, at a meeting this week in Dublin.]

US – Internet Company Executives Deny Participation in PRISM

Executives at Google, Facebook, and seven other companies identified as participating in an NSA surveillance program known as PRISM have denied that they allow intelligence officials direct access to their servers and user data. The companies have denied knowledge of PRISM, although it’s likely that the program would have been referred to differently in that circle. There is speculation that the companies’ statements have been carefully scripted; many have similar language, including a denial that the government has “direct access” to the data. [Washington Post] [The Atlantic] [WIRED] [ComputerWorld]

US – PRISM Gives NSA Access to Data on Servers of US Internet Companies

It now appears that the National Security Agency’s (NSA’s) reach extends beyond just Verizon’s call records. According to information provided to The Washington Post by a career intelligence officer, the NSA and the FBI are mining data directly from the servers of nine major US Internet companies, including Microsoft, Apple, Yahoo, Google, Facebook, Skype, and YouTube. They are accessing a wide variety of content, including audio and video chats, photographs, email, and connection logs. The program is called PRISM and focuses on foreign communications traffic. Some of the companies have said that they are not aware of PRISM. Facebook chief security officer Joe Sullivan said that they “do not provide any government organization direct access to Facebook servers” and that when the company receives a request for data, it is carefully scrutinized to make sure laws are being obeyed and then they provide only the information that is required by law. Material from an April 2013 internal briefing on PRISM said that NSA reporting uses raw information gathered through PRISM for nearly one in seven of its intelligence reports. US legislators who were aware of the program were bound by oath not to speak of it, even during a floor debate in the Senate late last year on the FISA Amendments Act. [Washington Post] SEE ALSO: {NYT: How the U.S. Uses Technology to Mine More Data More Quickly]

US – FISA Order Requires Verizon to Provide NSA with Metadata on All Calls

According to a document obtained by The Guardian, the US Foreign Intelligence Surveillance Court issued an order forcing Verizon to provide the NSA metadata on all calls made through its systems over the three-month period between April 25 and July 19 2013. The data gathered includes phone numbers of both parties, IMSI numbers for mobile callers, calling card numbers used, and time and duration of calls. While the content of the calls is not recorded or gathered, in some cases the location of the parties on the call may be included through cell site data. Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) have been trying to drop hints about the extent of the surveillance program but have been bound by oath not to discuss it. The Obama administration is defending the program as a necessary tool to protect the country from terrorist attacks. [James R. Clapper, Director of National Intelligence has issued a statement on this particular issue] [The Guardian] [WIRED] [Ars Technica] [Court Order]

US – Bradley Manning Trial Begins

The court-martial of Army Pfc. Bradley Manning for offenses related to the leak of classified information has begun. Manning, who has been detained since his 2010 arrest, allegedly gave more than 700,000 government and military documents to WikiLeaks. Among the 22 charges Manning faces is a count of aiding the enemy, which could bring a life sentence without the chance of parole. [Washington Post] [Washington Post]

US – Whistleblower Comes to Light, U.S. Gov’t Defends Its Programs

Former technical assistant for the Central Intelligence Agency Edward Snowden has come forward in an online interview with The Guardian, speaking of his reasoning for handing over classified information about the National Security Agency’s PRISM online surveillance program. This comes amidst continuing national and international debate and discussion about online privacy and surveillance practices. The U.S. government defended the program, international reactions (including potential EU-U.S. trade implications), the potential impact on online behavioral advertising and how privacy experts and advocates are reacting to the news. [The Privacy Advisor] [PRISM’S Impact on Global Data Flows] [Tech Firms, Lawmakers Respond to NSA Leak] [NSA Implications for Gov’t, Ad Industry, Consumers] AND ALSO: [Poll: Majority Of Americans Comfortable With Surveillance]

EU – European Institutions Tracking Users Despite Law

European institutions are tracking website users in breach of EU data protection rules. European Data Protection Supervisor Peter Hustinx said institutions are aware and guidelines are being drawn up to deal with the problem. The admission of the problem came after recent reports of the U.S. National Security Agency’s (NSA) Prism scheme. Meanwhile, The New York Times reports on differing European reactions to news of the NSA surveillance program. [EurActiv]

UK – CCTV Code Comes Into Force Despite Privacy Concerns

The government’s 12-point plan to regulate the use of surveillance cameras has come into force, despite widespread concern that it does too little to protect the public from unwarranted invasion of privacy. The Surveillance Camera Code of Practice aims to balance the needs of law enforcement for CCTV footage with individuals’ rights to privacy. Under the code, CCTV operators are required to stipulate the purpose of the cameras and are expected to conduct annual reviews to ensure their use continues to be justified. The code also places restrictions of the storage of footage and demands access is tightly controlled. Forensic science regulator Andrew Rennison became the UK’s first surveillance camera commissioner last year and will work in conjunction with the information commissioner to encourage compliance with the code. The code of practice was first published last year, with a consultation programme running between February and March this year. According to the government’s own figures, nearly a fifth of respondents said they would not support the implementation of the CCTV code of practice. Many of those expressed concern over the limited number of authorities that it would cover, and doubts that private sector firms would voluntarily adopt it. Almost a quarter also said they did not think the code of conduct would create greater transparency from CCTV operators. The government said it would review whether more authorities needed to be covered by the code and whether further legislation was needed to cover the private sector by 2015. There have been growing concerns over the proliferation of CCTV devices, many of which are connected to the internet. Last year, researchers discovered that many CCTV systems used by businesses and home owners could be easily compromised, allowing would-be snoopers free reign to use the devices to spy on properties. [Source]

CA – Ajusto Campaign Explains Usage-Based Car Insurance

Launched this month in Ontario and Quebec, Ajusto is the first usage-based car insurance (UBI) program offered by a major insurer in Ontario (Indutrial Alliance Auto and Home Insurance offers a similar product in Quebec). Ajusto modifies drivers’ insurance premiums based on their actual driving habits using data from a small device installed in the client’s car. What that means for consumers: safe driving equals savings. UBI systems like Ajusto weren’t viable in the past because of the expense of producing telematics devices and the complexity of using them. Aviva trialed a UBI as far back as 2005, but it relied on the driver physically uploading telematics data to a computer and voluntarily sending it to the company, which turned out to be overly complicated. Côté said the technology has come a long way since then. Ajusto allows a driver to see their savings rate change each month by logging into a user dashboard on the site, he explained. [Source]

Telecom / TV

US – State Prosecutors Introduce “Save Our Smartphones” Initiative

A group of law enforcement officials, politicians, and consumer advocates aim to help fight the growing theft of smartphones, which has reached “epidemic” proportions, according to San Francisco District Attorney George Gascon. The group plans to ask the manufacturers of the most widely used devices – Apple, Google/Motorola, Microsoft, and Samsung – to develop features that make the phones less attractive to thieves. The announcement of the initiative came on the same day that Gascon and New York Attorney General Eric Schneiderman were hosting a Smartphone Summit with representatives from major smartphone makers. [CNET] [Washington Post] [NBC News] [ComputerWorld]

WW – Apple iOS7 Will Include Activation Lock Security Measures

Apple has announced that the newest version of its mobile operating system, iOS7, will include a “kill switch” feature to make iPhone less attractive to thieves. Users will need to provide a valid Apple ID and password before they are permitted to erase data or turn off the “Find My iPhone” feature. The same combination of Apple ID and password will be required to reactivate the device after it has been erased remotely. iOS 7 is expected to be available this fall. [CNN] [eWeek]

US Government Programs

US – Nude Scanners Removed, Advocates Still Displeased

In accordance with the June 1 deadline set by Congress, the Transportation Security Administration (TSA) has removed “nude” x-ray-based body scanners from U.S. airports. But privacy advocates remain dissatisfied, citing the TSA’s continued use of different full-body scanners that employ millimeter wave technology. The current scanners display a generic figure and pinpoint areas on the body where hidden objects have been detected. But Marc Rotenberg, executive director of the Electronic Privacy Information Center—which sued the TSA in 2010 over the scanners—says there are “lingering questions about whether the millimeter-wave devices are retaining images.” A TSA spokesman said the machines are programmed not to retain them. [Los Angeles Times]

US – GAO Investigating Data Brokers

Sen. Jay Rockefeller (D-WV) has commissioned a study of data resellers by the Government Accountability Office (GAO) to be completed in late summer. GAO Managing Director of Public Affairs Chuck Young says the organization is looking into “laws and regulations regarding the privacy of consumer information held by information resellers and what gaps, if any, exist in this legal framework” as well as key proposed options to improve consumer privacy. The Senate Commerce Committee and the Federal Trade Commission also have ongoing investigations of data brokerage firms. [AdAge]

US – DHS Defends Searches of Electronic Devices Without Reasonable Suspicion

The American Civil Liberties Union (ACLU) obtained DHS’s December 2011 Civil Rights/Civil Liberties Impact Assessment through a Freedom of Information Act (FOIA) request. Regarding border searches of electronic devices, the redacted document says that “imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.” The document observes that DHS has “been presented with some noteworthy Customs and Border Patrol and Immigration and Customs Enforcement success stories based on hard-to-articulate intuitions or hunches based on officer experience or judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual’s device without the presence of articulable factors capable of being formally defended.” [ArsTechnica] [WIRED] [Impact Assessment]

US – Man Drops Lawsuit Over Seized Laptop

A man whose laptop was seized by the US Department of Homeland Security (DHS) has dropped his lawsuit challenging the seizure. David Maurice House filed a lawsuit in May 2011, alleging that the seizure was motivated by his association with Bradley Manning. House was a founding member of the Bradley Manning Support Network. Data related to that organization, including donor information, were on the seized laptop. House said that the government has agreed to delete any copies of the data from his machine that it has made, and will give him notes agents made about the hard drive. DHS’s Department of Immigration and Customs Enforcement (ICE) seized the laptop, along with a thumb drive and a digital camera, when House returned from a trip to Mexico in November 2010. The equipment was kept for 49 days; regulations call for the equipment to be returned within 30 days. [WIRED]

US Legislation

US – Legislative Roundup

On May 28, in Oregon, HB 2654 officially became law. Going into effect Jan. 1, 2014, the law prohibits an employer from requiring or requesting employees or applicants for employment to provide access to personal social media accounts, to add their employer to a social media contact list or to allow an employer to view an employee’s or applicant’s personal social media account. It further prohibits retaliation by an employer against an employee or an applicant for refusal to provide access to accounts or to add an employer to a contact list. It similarly limits educational institutions.

On May 21, in Washington, SB 5211 officially became law. Going into effect July 28, 2013, the law prohibits employers from asking for social media log-in information, from engaging in a practice known as “shoulder-surfing” (essentially forcing an employee to log into a social media account while the employer looks on), from forcing someone to add an employer (or anyone else) as a social media connection and from forcing an employee to change privacy settings on an account.

Jackson Lewis rounds up the law’s implications and notable exceptions.

Washington and Oregon join Arkansas and Colorado in adding social media laws this spring.

New Jersey still awaits the fate of A2878, which was passed by the Assembly and Senate, only to be conditionally vetoed by Gov. Chris Christie earlier this year. Taking in the governor’s recommendations to eliminate a portion of the bill that would have allowed employees to sue employers who violated the law, a revised version of the bill unanimously passed the Assembly in late May and now awaits a vote in the senate. It appears likely the bill will eventually make its way to Christie’s desk and be signed into law. The law would prohibit any requirement to disclose user names and passwords or other means of accessing a social media account through any electronic communications device. [The Next Privacy Frontier: Geolocation]

US – California Legislature Wrangles With Social Media Privacy

In early May, the California Assembly followed an emerging national trend to protect more workers’ social media from employers’ prying eyes. On a 63-8 vote, the Assembly passed Assembly Bill 25, which would extend protections now given to private employees and job applicants to public employees and those seeking government jobs. The bill, by Assemblywoman Nora Campos, D-San Jose, prohibits employers from asking for user names and passwords as well as any other personal social media. But it’s drawing opposition from law enforcement groups and background investigators, who say the measure would ban many of the practices they use to disqualify applicants for such factors as drug use, gang affiliation and accessing child pornography. [Source]

US – Conn. Lawmakers OK Compromise Newtown Privacy Bill

Connecticut State lawmakers passed an 11th-hour compromise bill on the final day of the legislative session, preventing the release of crime-scene photos and video evidence from the Sandy Hook Elementary School massacre and other Connecticut homicides, concerned such records would be spread on the Internet. The bipartisan legislation came after days of closed-door talks and speculation about whether an agreement could be reached before the midnight adjournment. But once agreement was reached, the bill was quickly and overwhelmingly approved. It passed the Senate 33-2 shortly after 1:30 a.m. The House of Representatives then passed it a half hour later by a vote of 130-2. It now moves to Gov. Dannel P. Malloy’s desk for his signature. According to the bill, a new exemption is created under the state’s Freedom of Information Act. It prevents the release of photographs, film, video, digital or other visual images depicting a homicide victim if such records “could reasonably be expected to constitute an unwarranted invasion of the personal privacy of the victim or the victim’s surviving family members.” [Source]

US – Maine Lawmakers Pass Bill Requiring Warrant for Cell-Phone Tracking

Maine’s State Legislature has approved a bill that would require law enforcement to obtain a warrant from a court to access individuals’ cell-phone location data. If the bill becomes law, Maine would be the first state to impose such a requirement. The bill provides exceptions for emergencies, such as life or death situations or threats to national security. Law enforcement would also be required to notify people whose information was obtained within three days, but the time requirement can be delayed up to 90 days if a judge deems there is evidence that earlier disclosure could pose a threat to an investigation. [ComputerWorld]

US – Budget May Stop Maine Bill Requiring Warrant for Geodata

Maine’s House and Senate have both essentially passed LD 415, An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device. LD 415 would do basically what its title says, with some 90-day delay allowances at the discretion of a judge. However, the bill does not yet sit on the governor’s desk awaiting signature. Because the bill has been assigned a fiscal note of roughly $234,000 over the next two years, it now sits with the Appropriations Committee, which must decide whether there is funding in the budget to cover the expense. [Source]

Workplace Privacy

US – NB Workplace Random Alcohol Tests Rejected by Top Court

The Supreme Court of Canada has overturned a company’s right to impose mandatory, random alcohol testing on its unionized workers in a dangerous workplace. In a 6-3 decision released, the court ruled the policy unilaterally adopted by Irving Pulp and Paper Ltd. in Saint John in 2006 for employees in safety sensitive positions is unreasonable. A dangerous workplace is not automatic justification for random testing, the court ruled in the case, which dealt narrowly with unionized workers and management’s ability to balance privacy rights with the need for safety in dangerous workplaces. The decision says dangerousness of a workplace only justifies testing particular employees in certain circumstances:

> Where there are reasonable grounds to believe an employee was impaired while on duty.

> Where an employee was directly involved in a workplace accident or significant incident.

> Where the employee returns to work after treatment for substance abuse.

“It has never, to my knowledge, been held to justify random testing, even in the case of ‘highly safety sensitive’ or ‘inherently dangerous’ workplaces like railways and chemical plants, or even in workplaces that pose a risk of explosion, in the absence of a demonstrated problem with alcohol use in that workplace.” [Source] SEE ALSO: [US: Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy]

US – Hospitals Use Cameras, Sensor Tags to Track Hand Washing

Summerville Medical Center, a 94-bed acute-care hospital in South Carolina, is having employees wear sensor tags to determine who is washing their hands before and after coming into contact with patients. The technology was first rolled out in the medical center’s intensive care unit in the spring of 2012 and then expanded to its surgery units and the emergency room. Developed by GE Healthcare, the sensor tags are called AgileTrac RTLS (Real-Time Location System). The automated system supporting the RTLS tags collect up to 5,000 data points a day, compared with 700 per year with manual observation by staff. Each hospital caregiver wears a badge-like sensor tag that counts room entries and exits as well as the use of soap or sanitizer dispensers. The data collected from the system is used to model and characterize clinician-patient interactions, providing detailed data to help monitor and modify behavior. North Shore University Hospital on Long Island uses motion sensors to activate remote cameras that track when caregivers enter an intensive care room. The video cameras transmit the images to India, where workers for Arrowsite, a Web-based application services provider, check to see if clinicians are properly washing their hands. [Source]


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: