Monthly Archives: July 2013

01-15 July 2013

Biometrics

NZ – Privacy Issues Raised In Face Recognition for Problem Gamblers

The Department of Internal Affairs says the use of facial recognition technology for problem gamblers at gaming machines raises privacy issues. The technology, developed by the company Positive Outlook, takes photos at the machines and locks them down when an excluded gambler approaches. It is being trialled at a Hamilton pub and may be used at other pubs and clubs around the country. Regulatory services general manager Maarten Quivooy says significant issues need to be worked through before the technology is used more widely, as there are concerns about who manages and has access to the database that stores people’s images. He says there are also questions about the speed and level of accuracy of the camera technology, and the cost. Positive Outlook says the technology does not breach privacy. A company director, Bruce Tevarthen, says as it is an opt-in system, only images of those who have elected to formally enrol are held. He says the images database is administered by an independent party. [Source]

Canada

CA – Canadian Senate Remands Bill C-377

On June 26, Liberal, Conservative and Independent senators joined together in a rare demonstration of non-partisan co-operation to amend Bill C-377, a private member’s bill that would have forced labour unions to publicly disclose an unprecedented amount of personal information relating to individual Canadians and businesses, and post them, with names, on the Internet. The Privacy Commissioner of Canada testified that this would be a “significant invasion of privacy.” We were told repeatedly by constitutional experts that the bill was unconstitutional, that the issues addressed fell within provincial jurisdiction, and that we would be exceeding our constitutional jurisdiction if we passed it. Five provinces told us the bill should not proceed. These were governments of every political stripe — Liberal, NDP, Parti Québécois and Conservative. Together, they represented more than 70% of the population of Canada. They told us the bill could destabilize labour relations in their provinces; one minister said it would be “a grenade in the room of collective bargaining.” A Senate committee sat for three weeks of hearings studying Bill C-377. They heard from 44 witnesses. The overwhelming weight of the evidence was that the bill was deeply flawed. Many Canadians have written to applaud the actions of the Senate in amending the bill and returning it to the House of Commons for further consideration. They say it demonstrates exactly why the Senate exists, and the importance of sober second thought. [Source] See also

CA – Supreme Court Will Hear Case Dealing With Privacy Rights for Cellphones

The Supreme Court of Canada is taking on the question of whether police can access information on a cellphone that isn’t protected by a password. The court has agreed to hear an appeal from Kevin Fearon, who was arrested after an armed robbery in Toronto in 2009. Police obtained photos of a gun and cash, as well as a text message about jewelry, after taking a closer look at Fearon’s phone, which was unlocked. After he was convicted, Fearon appealed, arguing that police breached his rights when they examined the phone after his arrest. The Ontario Court of Appeal said it was all right for the police to look through the phone in a cursory fashion to see if there was evidence relevant to the crime, but after that they should have stopped to get a search warrant. Had the phone been password-protected or otherwise locked to anyone other than its owner, “it would not have been appropriate” to look through the phone without a search warrant. The appeal judges referred to a decision in a murder case in which the judge did not allow evidence from a personal electronic device because it “functioned as a mini-computer,” which has a high expectation of privacy. The contents of that device were only extracted by a police officer using specialized equipment, the judges noted. “There was no suggestion in this case that this particular cellphone functioned as a ‘mini-computer,’ nor that its contents were not ‘immediately visible to the eye,’” the court said in its ruling. “Rather, because the phone was not password-protected, the photos and the text message were readily available to other users.” Defence lawyer Sean Robichaud said that approach failed to take into account the amount of information many people keep on their cellphones these days. Fearon also appealed over the issue of access to a lawyer, saying he was left in an interview room for five hours without an opportunity to contact counsel. 
The Supreme Court, however, said the appeal will be limited to the cellphone issue. [Source]

WW – International Privacy Coalition Calls on the EU to Increase Data Protection

In response to revelations regarding PRISM and related surveillance programs, privacy advocates from the U.S., Canada and Europe have issued a consensus statement calling on the EU to increase data protections. The EU’s data protection framework has been a model of privacy protection for many countries in the world, including Canada. The EU framework gives citizens vastly more privacy protections than citizens have in the US. The EU is currently reforming its data protection framework and the US is lobbying heavily to see EU privacy protections eroded. Gathered in Washington, DC for the conference on Computers, Freedom and Privacy (CFP), a dozen groups from both sides of the Atlantic joined the “Washington Statement,” including the American Civil Liberties Union (ACLU), the Electronic Privacy Information Center (EPIC), European Digital Rights (EDRi), Privacy International, and the British Columbia Civil Liberties Association (BCCLA). The group warned policymakers that “Our common future, on both sides of the Atlantic, needs privacy and a strong European law. We call on European policy makers to defend this human right now, as an essential prerequisite for preserving privacy, freedom of thought and of expression in vibrant democracies.” [Source]

CA – Businesses Push for Freedom to Share Personal Data Across Borders

If business groups in Canada and the United States get their way, new free-trade rules would limit the ability of governments to block cross-border flows of personal and financial data. The Canadian Chamber of Commerce, which speaks for 200,000 businesses across the country, is joining the U.S. Chamber of Commerce to push for new data standards in future free-trade deals, starting with the 12-country Trans-Pacific Partnership. The lobbying push is part of an effort by the business community to stamp out what it sees as rising “digital protectionism” – everything from Internet censorship to privacy laws mandating the storage of certain personal data within countries. “What we’re seeing increasingly is that governments are trying to impose controls on the flow of data in a variety of ways,” said Perrin Beatty, the Canadian chamber’s president and chief executive officer. [Source]

CA – Media Trampled on Terror Suspects’ Rights: Civil Liberties Group

The mob of reporters and photographers that swept through the suite of a Surrey, B.C., couple charged in the alleged Canada Day terror plot had no legal right to snoop through their home, according to the BC Civil Liberties Association (BCCLA). Two days after Mounties arrested Amanda Korody and John Nuttall, their landlord allowed media members to walk freely through the basement suite. A QMI Agency staffer who went into the house twice witnessed a reporter rifling through a notebook belonging to the couple and videotaping pages. He also noticed things were moved after his initial visit — drawers and closets were opened and artifacts appeared rearranged and grouped. The QMI Agency legal team advised the newsroom to refrain from publishing photos from inside the house. BCCLA executive director Josh Paterson said no one should have been in the house in the first place, as there’s only a handful of specific reasons a landlord can legally enter a suite. “They can do it if there’s an emergency, they can do it if they have to show the unit, or if the tenant had abandoned the unit, but there’s no information here to suggest any of those things are true,” he said. “Just because you got arrested and maybe put in jail, doesn’t end your residential tenancy. That’s a whole separate process.” [Source]

CA – Canadian Retailers Using Postal Code Information to Target Customers

In line at the cash at the LCBO, Ikea or Walmart, the cashier takes your card and asks for your postal code. Why is she asking? What should you do? Retailers, including the LCBO and Ikea, say postal code information is collected to fine-tune services for customers, including product selection, and to target flyers to specific neighbourhoods to reduce waste and save money on postal services. But the potential exists for using postal code information to compile personalized mailing lists that can be sold or shared. Data collection and management companies including Harte-Hanks Data Services and Solutions, which operates worldwide, offer businesses the ability to use software to match postal codes with credit card information to come up with unique addresses. “Users simply capture names from the credit card swipe and request a customer’s ZIP code during the transaction. GeoCapture matches the collected information to a comprehensive database to return an address,” according to information posted to the firm’s website. “Works at the point of sale to identify customers, understand purchase behaviour and follow up with dynamic, personalized marketing.” Canadians are more worried than ever about the misuse of their personal information, according to the results of a survey released late last year by the Office of the Privacy Commissioner of Canada. “Seven in 10 think that their personal information has less protection in their daily lives than it did 10 years ago, an increase of 10% since 2011. As well, the majority (56%) are not confident that they have enough information to know how new technologies affect their personal privacy which is the highest expression of a lack of confidence for this question since tracking began in 2000,” the survey found. It also found that Canadians are reluctant to share their personal information with organizations (57% never or rarely do so), and most (60%) have asked for an explanation of how an organization will use their information. 
No one is obliged to divulge their postal code at point of purchase, says Scott Hutchinson, a spokesman for Canada’s privacy commission office. “People who may wish to entertain the request should be encouraged to ask why the information is needed and what it will be used for; and if they don’t like the answer, they can be equally encouraged to simply just say ‘no,’ ” he says in an email to the Star. [Source]

CA – Ontario Privacy Commissioner Receives Anti-Bully & Online Safety Award

Ontario’s Information and Privacy Commissioner Ann Cavoukian is the latest recipient of the KnowledgeFlow CyberSafety Champion award for her relentless drive to raise awareness in support of the most important causes affecting youth and families in the information age. “Dr. Cavoukian consistently raises the bar across a number of important domains. Her efforts to curb the victimization of the most vulnerable members of our society is something that we are proud to recognize,” said Claudiu Popa, CEO of Informatica Corporation and founder of the KnowledgeFlow.ca Initiative. [Source]

Consumer

US – Americans Divided on Snowden; Young Alito Pushed for Protections

The New York Times reports on a poll indicating division among Americans on whether Edward Snowden is a traitor or a whistleblower. The Quinnipiac University poll indicates the majority of those surveyed—55%—said he was a whistleblower for revealing the National Security Agency’s (NSA) PRISM program, while 34% said he was a traitor. Meanwhile, a report cited in the Electronic Privacy Information Center’s lawsuit asking the Supreme Court to halt the NSA’s surveillance program indicates that Supreme Court Associate Justice Samuel Alito, in his days as a Princeton undergraduate, urged strict safeguards to protect personal privacy online. [Source] [US: Poll Shows Complexity of Debate on Trade-Offs in Government Spying Programs] See also: [Post Mortem, What Happens to Your Account Info?]

US – Complaint Filed Over Jay-Z/Samsung App

The Electronic Privacy Information Center (EPIC) has filed a complaint on Jay-Z and Samsung’s Magna Carta Holy Grail app. “Samsung failed to disclose material information about the privacy practice of the App, collected data unnecessary to the functioning of the Magna Carta app, deprived users of meaningful choice regarding the collection of their data, interfered with device functionality and failed to implement reasonable data minimization procedures,” EPIC said in its complaint, filed July 12. [Ars Technica]

E-Government

AU – Govt Releases Security and Privacy Requirements for Cloud

The federal government has set out provisions for government agencies using cloud without compromising security or privacy. Attorney-General Mark Dreyfus said the policy will help government agencies make decisions around whether to offshore or outsource processes and requires agencies to seek government approval before storing personal information in the cloud. The policy follows the May release of the and the Australian Government Cloud Computing Policy v2.0. Dreyfus said several privacy safeguards have been built into the policy, which has been called the Australian government policy and risk management guidelines for the storage and processing of Australian government information in outsourced or offshore ICT arrangements. Under the policy, approval from both the minister responsible for the information and the Attorney-General will be required before personal information can be stored in the cloud. [Source] See also: [How to address the risks of 24/7 government] and [How Ontario faces big data privacy challenges]

JP – Japan Govt Used Wrong Privacy Settings in Google Groups

Japanese government officials and journalists have mistakenly revealed internal memos, draft stories and interview transcripts by reportedly using the incorrect privacy settings in Google Groups. Yomiuri Shimbun, a Japanese newspaper, reports it found more than 6,000 cases where public or private organizations revealed nonpublic information, including hospital records, via the wrong privacy settings. [ZDNet]

E-Mail

US – Google Glass Privacy Concerns Persist in Congress

U.S. Rep. Joe Barton of Texas says he is “disappointed” in Google’s response to privacy worries caused by the emergence of Google Glass. In a statement released after the Republican congressman reviewed Google’s response to a letter sent to the company by members of the Congressional Bi-Partisan Privacy Caucus — a group set up to examine the privacy issues Google Glass causes — Barton said he believes that the general public needs to be given more choice to ensure their privacy is not violated. In May, congressional leaders wrote to the tech giant to establish what controls will be put in place to protect consumer privacy. Addressed to Google CEO Larry Page, the letter (PDF) questions whether Google Glass will “infringe on the privacy of the average American,” and asks what place facial recognition technology will hold in relation to the headset’s ability to record video and take photographs. Google, in response to the letter, says that “protecting the security and privacy of our users is one of our top priorities,” and one way of doing so is making sure Google Glass requires voice activation to take video footage or shoot images. In addition, Google says that such actions activate the product’s screen, which is a change visible to others. To address facial recognition technology worries — where personal information about others or objects could be revealed without consent — the tech giant says that it “will not be approving any facial recognition Glassware at this time,” and will “prohibit developers from disabling or turning off the display when using the camera.” No changes in Google’s privacy policy are planned with the emergence of Google Glass. Finally, Google says that all files stored on the device will be deletable by users. Headsets can be remotely wiped in the case of loss or theft, and the company is currently experimenting with different ways to “lock” Glass flash memory to secure data. [Source]

US – Google Glasses Secretly Film Arrest

Documentary filmmaker Chris Barrett captured an arrest using Google’s wearable computer during a trip to the Jersey Shore boardwalk on July 4, where he witnessed a fight resulting in police intervention. Barrett filmed the incident without being noticed, the report states. “More notable than the video itself is the ease at which it was captured without the knowledge of those in the middle of the melee. His footage foreshadows the rapidly approaching future where everything can be filmed serendipitously by folks wearing devices like Google Glass without the knowledge of the parties involved,” wrote Thomson Reuters’ Christophe Gevrey. [Business Insider]

Encryption

US – Microsoft Provided NSA More Help Than Previously Disclosed

Relying on NSA documents provided by Edward Snowden, The Guardian reported that Microsoft recently worked with the FBI to help the NSA get around encryption on Microsoft services, such as online chats on Outlook.com, and to monitor conversations on the company’s Skype service. The newspaper also said that Microsoft worked recently with the FBI to streamline the way the NSA can access users’ files on SkyDrive, Microsoft’s online document storage service, when Microsoft is required to provide that information for foreign-intelligence purposes. Microsoft said it doesn’t provide governments with blanket or direct access to Microsoft services. [Wall Street Journal]

IN – Indian Govt Can Now Intercept Consumers’ BlackBerry Communications

BlackBerry has come to an arrangement with the Indian government to allow “lawful interception” of communications in real time. The system allows the Indian government to track consumers’ communications sent to or from any BlackBerry device, regardless of whether the message has been delivered or read. The system does not include corporate email messages sent over BlackBerry Enterprise Server. News of the arrangement has raised questions among analysts about whether the Indian government will now turn its attention to Apple, whose iMessage and FaceTime services use end-to-end encryption. [ZDNet] [BBC.co.uk]

EU Developments

EU – European Parliament Demands Information on PRISM

The European Parliament has passed a resolution demanding that the US government provide “full information on PRISM and other such programmes involving data collection.” In addition, the European Parliament Civil Liberties Commission has voted to launch an “in-depth inquiry” into privacy and civil rights issues for EU citizens raised by PRISM. The Parliament is calling on member nations to consider putting a hold on counter-terrorism data transfer agreements with the US until the data are better protected. [ComputerWorld] [WashingtonPost] [Europarl]

EU – EU Special Committee to Investigate Spying Reports

As headlines continue to abound regarding concern from EU officials and member states, EurActiv reports the European Parliament “plans to establish a special committee to investigate reports that an American spy agency monitored phone calls and e-mails of EU institutions and some member states.” The panel, which will be established as part of the Committee on Civil Liberties, Justice and Home Affairs, will deliver its report by year’s end and “formulate proposals on adequate redress measures in case of confirmed violations and put forward recommendations to prevent that similar espionage events happen in the future,” the report states. Following communication with U.S. Attorney General Eric Holder, Justice Commissioner Viviane Reding said, “The U.S. appears to take our concerns regarding PRISM seriously,” noting Holder has committed to setting up an expert group “to assess the matter in detail…and the group will have its first meeting this month and a second one in Washington in September.” Meanwhile, in a TechNewsWorld interview, Oxford Prof. Viktor Mayer-Schönberger opines, “People feel they have been deceived; people feel that they cannot trust the U.S. government.” [Source]

EU – EU Wants Data Protection Bill by May 2014

EU Justice Commissioner Viviane Reding is calling to accelerate movement on the data protection bill currently stuck in the European Parliament’s civil liberties committee. “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file,” said Reding in her appeal on Monday. Meanwhile, Hogan Lovells’ Christopher Wolf opines in Financial Times that “it is wrong to assume the U.S. is the worst regarding surveillance,” arguing that Europe does its fair share. [EUObserver] See also: [Breach Requirements Are Coming: Roundup]

EU – Netherlands: The Dutch Cookie Monster

On June 5, 2012, new Dutch legislation on the use of cookies entered into force. This new regime, which introduces a requirement for informed consent based on an opt-in system, has major implications for online advertising companies focusing on Dutch customers. To implement Directive 2009/136/EC [ePrivacy Directive], the law regarding cookies in The Netherlands has now been revised to require consent that is given explicitly by the internet user in the case of “third party” and “tracking cookies”. The same requirement of explicit consent applies should a provider want to place cookies for online behavioural advertising purposes. [Source]

EU – Majority of Retailers Say New Rules Will Harm Business

More than two-thirds of online retailers say proposed changes to EU data protection rules will damage business. That’s according to a recent survey by the European Multi-channel and Online Trade Association, which represents more than 80 percent of EU online traders, the report states. The survey polled 90 companies from the UK, Germany, Austria, France, Sweden, Switzerland, Greece and Spain. [EurActiv]

EU – Sky Deutschland to Broadcast Ads Directly into Train Passengers’ Heads

Sky Deutschland has developed technology to transfer adverts from train windows directly and silently into commuters’ heads. Passengers leaning their head against the window will “hear” adverts “coming from inside the user’s head”, urging them to download the Sky Go app. The proposal involves using bone conduction technology, which is used in hearing aids, headphones and Google’s Glass headset, to pass sound to the inner ear via vibrations through the skull. BBDO spokesman Ulf Brychcy told the BBC: “If our customer Sky Deutschland agrees, we will start with the new medium as quickly as possible.” [Source]

EU – Dutch DPA Rules Against Mobile Telcos

The Dutch Data Protection Authority (DPA) has found that four mobile phone operators–KPN, Tele2, T-Mobile and Vodafone–violated Dutch laws regarding user data retention and anonymization. According to the regulator’s study, which began in 2011, the companies failed to delete or anonymize data such as websites visited and apps used as quickly as possible, as regulations require. Of the four, KPN is reportedly the only operator to have resolved each of the issues identified by the investigation. The others claim to be actively addressing the issues in cooperation with Dutch regulators. Meanwhile, Bird & Bird’s Berend van der Eijk has said a bill proposing fines of up to €450,000 for public and private organizations that fail to meet notification requirements “is very likely” to pass, noting the earliest it would enter “into force would likely be 1 July 2014, or more realistically, 1 January 2015.”

CH – Swiss DPA Releases Annual Report

Switzerland’s DPA has issued its 20th Report of Activities, covering the timeframe of April 2012 to March 2013. Hunton & Williams’ Privacy and Information Security Law Blog details the report’s focus on several data protection issues including employer monitoring of employee behavior at work, businesses’ social media and loyalty program analytics and whistleblowing provisions.

EU – Regulators Prepared to Take Action Against Google

The UK Information Commissioner’s Office (ICO) has written to Google to warn the company that it could take “formal enforcement action” if it does not alter its privacy policy by September 20. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act,” an ICO spokesperson said. The updated policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Meanwhile, Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar says his office will join other European regulators, including Spain, in taking action against the company. [Out-Law.com]

EU – DPA Asks Facebook for Clarifications

The Italian Data Protection Authority, the Garante, is requiring Facebook to provide clarifications by July 20 on personal data processing following recent announcements of a “bug” that caused the exposure of personal information. Panetta & Associati Studio Legale’s Rocco Panetta writes, “Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug.” Despite that, he notes, the Garante is requiring confirmation on six points, including the duration of the event and measures taken to resolve the issue. [Privacy Advisor]

EU – Twitter Gives Anti-Semitic Posts to Authorities

Microblogging site Twitter has complied with a French court’s request to hand over tweets related to a number of racist and anti-Semitic messages that were posted on its site. An appeals court ruled last month that the company must hand over the names of the users propagating the anti-Semitic messages, raising the thorny issue of online anonymity and hate speech. Twitter said in a statement that handing over the data will “put an end to the dispute” and that it will work with the Union of Jewish French Students to “fight racism and anti-Semitism.” [CNET News]

Facts & Stats

US – California AG Breach Study Highlights Importance of Encrypting Data

A report from California’s attorney general found that in 2012, 2.5 million California residents had their personal information compromised in the 131 security breaches that were reported to the AG’s office. The report also notes that had companies encrypted their stored data, 1.4 million people would not have had their personal information exposed. Under state law, breaches do not need to be reported if the data affected are encrypted. [SCMagazine] [Press Release] [California’s first data-breach report finds 131 incidents hit 2.5 million citizens] and [NZ: Privacy breaches already at 20]

Filtering

WW – Visa and Mastercard Blocking Payments to Some VPN Providers

Swedish online payment service provider PaySon says that Mastercard and Visa have ordered the company to stop allowing payments to some virtual private network (VPN) providers and anonymization services. The new focus on VPNs and anonymization services appears to be directed at five companies that have been linked to P2P piracy. In a related story, WikiLeaks says that its Icelandic payment processor, Valitor, is once again accepting donations from credit cards for the organization. In 2010, Mastercard and Visa ordered payment processors not to process payments to WikiLeaks. An Icelandic court ruled recently that Valitor must resume processing payments to WikiLeaks. [TechEye] [The Register] [TechDirt] [ArsTechnica] [Reuters]

Finance

WW – Privacy Concerns Over M-Pesa Mobile Banking

The mobile phone-based money transfer system M-Pesa, which has brought mobile banking to the poor in Kenya, can be used to identify unsuspecting users, potentially compromising their privacy. Grace Githaiga, a Nairobi-based ICT expert, said in order to use the system, a user must submit their ID card number and address, which in turn are transferred to an M-Pesa agent. According to Githaiga, it’s not clear where the data ends up. Additionally, a loophole in the system means users can identify other users who might otherwise wish to remain anonymous. She notes that Kenya does have pending data protection legislation, though not an existing law, “but that tells you that there’s debate around data protection, and some of these things are going to be raised in that bill.” [Deutsche Welle]

CA – Privacy Debate Looms as Canada Prepares to Share Bank Data with U.S.

Cracking down on tax evasion versus protecting personal privacy looms large for Canada as it prepares to announce a deal with the United States to share banking information. The arrangement would allow Ottawa to soften the blow for Canada – and the roughly one million Americans who live here – when it begins complying with the more controversial aspects of a sweeping new U.S. law that takes effect on Jan. 1. The Foreign Account Tax Compliance Act (FATCA) was signed into law in March 2010, and many of its provisions start on Jan. 1, 2014. It requires financial institutions in other countries to tell the U.S. Internal Revenue Service about Americans’ offshore accounts worth more than $50,000. Canada and the U.S. are negotiating whether Ottawa or the financial institutions will send the information, but the clock is ticking. If no deal is reached, banks operating in Canada will have to give the data directly to the IRS. Canada and the U.S. already share financial information to track activity like money laundering and terrorist financing, but the U.S. tax act creates a need to sort out exactly what will be shared and how. Canadian banks have urged Ottawa to take on the reporting duties through the Canada Revenue Agency, which could ensure that privacy laws are respected when information is sent south of the border. Over the past year, the U.S. has signed bilateral deals to enforce the act with Germany, Japan, Spain, Norway, Switzerland, Ireland, Mexico, Denmark and the United Kingdom. FATCA has created considerable concern for Americans in Canada, given that many have long ignored a U.S. rule requiring citizens to file annual tax returns even if they are not earning income in the United States. The leaders of the G8 recently pledged support for the automatic transfer of financial information to crack down on global tax evasion.
“The privacy implications of FATCA in Canada will depend on the details, which have yet to be determined,” said the federal Privacy Commissioner’s office. “Many of the people who have contacted us have expressed concern about their personal information being shared with U.S. authorities.” That concern is warranted, said Queen’s law professor Arthur Cockfield, who specializes in tax law. “No foreign government should be able to come into our country and demand personal information about our own citizens and residents,” he said, noting that the negotiations are aimed at smoothing over this problem by ensuring exchanges are mutual and at the government-to-government level. “There’s really been a conceptual shift around FATCA in the last, say, three or four months,” he said. “It was mainly hated by Canada and at least some European governments.” Mr. Cockfield said stories on tax evasion by the International Consortium of Investigative Journalists, which began in April and for which he provided commentary, have clearly changed the international political scene as European leaders began promising automatic exchanges like FATCA. [Source]

FOI

US – US Justice Department Revises Policies on News Media Data Seizure

Revised guidelines from the US Department of Justice limit the government’s access to journalists’ records except in cases in which the journalist is the subject of a criminal investigation. In principle, journalists are protected by the First Amendment (freedom of the press) and the Fourth Amendment (unreasonable search and seizure), as well as by the Privacy Protection Act and other laws. The need for a revised and clarified policy became evident when the government launched an inquiry that characterized a journalist as a spy, criminalizing his efforts to obtain information from a source, and when the government obtained phone records of AP journalists. [Information Week] [Justice.gov]

US – NY Court Takes Up Teacher Pension Privacy Issue

New York’s highest court will soon decide whether the names and benefits of retired teachers in public pension plans should be made public. The Empire Center, a project of the fiscally conservative Manhattan Institute think tank, was denied the names by the state and city teachers’ retirement systems under the state Freedom of Information Law. In refusing to release the information, the teacher pension systems cited a recent court decision that protects police retiree names. Lower courts agreed with that privacy argument, and the Empire Center appealed to the Court of Appeals, which accepted the case last week. The Empire Center collects such data for its own research, for news media and for private individuals to track how public money is spent and to help identify any abuses. The center doesn’t seek addresses or other data from the records, which were once provided by the retirement systems as public documents. Arguments are expected within weeks; a decision could come weeks later. Empire Center Director Timothy Hoefer said the Court of Appeals decision to take the case is seen as a “ray of hope for public transparency.” [Source]

Genetics

WW – Little Debate on Privacy as DNA Collection Flourishes

The collection of DNA by governments around the world is flourishing but there is a lack of public debate about the privacy and ethical issues raised by such collection. Yaniv Erlich of MIT’s Whitehead Institute for Biomedical Research said there is a lot of upside to having DNA databases, but said, “our work shows there are privacy limitations.” Others have warned of “mission creep” where law enforcement use DNA to gather data on racial origins, medical history and psychological profiles. A University of Baltimore forensics professor said, “There’s got to be a debate… Do we want to have a society where 5% of the crime is unsolved, or do we want to have a society where 100 percent of the crime is solved” but privacy goes extinct? “What’s the trade-off?” [The Associated Press] [Spread of DNA databases sparks ethical concerns]

WW – Privacy and the Family Genetic Inheritance

In this audio episode of Family Caregivers Unite, Dr Gordon Atherley interviews Ma’n Zawati, LLB, LLM, a lawyer and Academic Coordinator of the Centre of Genomics and Policy at McGill University. He shares his personal story, describes his research and work as a lawyer, and explains the Centre’s research regarding family genetic information. He discusses protections provided by privacy and security laws against theft and disclosures of our genetic information that could be harmful to us. He suggests ways in which the principles underpinning laws could be improved so our genetic information and that of our families can be better protected. He says what more he wants to do and see done by governments to improve laws to protect against abuse of our and our families’ genetic information. He says what more help is needed by individuals and their families so they can understand and speak about their fears of the risks of abuse of their genetic information. He shares his message for family caregivers. [Source]

US – Court Ruling On DNA Swabs Worries Local Privacy Advocates

A major decision handed down by the Supreme Court puts the right to privacy up for debate. The court ruled that police may take a DNA mouth swab from a person simply because they are under arrest, to see whether they could be connected to unsolved crimes. Law professor and defense attorney Richard Kling calls it a “dangerous precedent” but admits a mouth swab is just like a fingerprint. “With no probable cause and with no warrant and no consent, you can now be forced to give a DNA swab which can be used to investigate you for anything and everything — regardless of whether you’re under suspicion,” said Kling. “It creates this massive database nationally of DNA,” said Ed Yohnka of the ACLU. “It opens up all kinds of opportunities for discrimination, denials for other kinds of mistreatment that frankly we shouldn’t do because government shouldn’t have the information in the first place,” said Yohnka. [Source]

Health / Medical

US – Workers Fired Over Kardashian Breach

Five healthcare workers from Cedars-Sinai Medical Center—a common destination for celebrities seeking medical treatment—have been fired for unauthorized access to 14 patient records, including those of Kim Kardashian. Representatives from the organization said they have a “high standard for security” and “in this case that standard was violated.” In other breach news, the personal records of as many as 277,000 former patients of a North Texas hospital were found in a Dallas park and included contact details and SSNs. And Long Beach Memorial Medical Center has notified 2,864 patients their medical records have been compromised. Reports state the breach stems from an internal employee but no further details have been issued thus far. [Reuters] See also: [NZ: Ryder’s privacy breached during hospital stay – investigation] and [Florida Department of Health sweeps confidential Rx data leak under rug] and [US: Fort Worth Hospital Notifies Patients from 1980 to 1990 of Potential Records Privacy Issue]

US – Health Sites Under Scrutiny Over Mining of Data

Illinois Attorney General Lisa Madigan has opened an inquiry into the data-mining practices of popular health websites such as WebMD and Health.com. Madigan has sent letters to the sites’ executives citing concerns about the dissemination of data related to web surfers’ health-related searches, the report states. “Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared and sold when entered into a Web site,” Madigan wrote, adding that consumers likely overlook such concerns if information on disclosures is buried in privacy policies. One researcher recently found third-party entities often track patients searching health-related terms. [The New York Times] See also: [Privacy, security concerns of enabling patient access to PHI]

US – Digital Diapers Track Children’s Health

Newly developed baby diapers complete with digital tracking technology can detect potential urinary tract infections, kidney dysfunctions and dehydration. Developed by Pixie Scientific, the diaper connects to a smartphone app and can transmit the health data to a central database where a physician can interpret the information. The technology is currently being tested by a number of children’s hospitals and, if successful, would then be submitted to the U.S. Food and Drug Administration for approval. Pixie Scientific’s founder said, “You really don’t want to overload parents with data they don’t understand…Eventually, the quantified self idea will be mostly silent and unobtrusive, just something inside the existing flow of life.” [The New York Times]

Horror Stories

US – WellPoint to Pay US $1.7 Million for HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has announced that insurance provider WellPoint has agreed to pay a $1.7 million fine for inadequately protecting a database containing more than 600,000 personal records, according to an HHS press release. Between October 2009 and March 2010, the health data of 612,402 individuals—including names, addresses, dates of birth and Social Security numbers—was accessible online. The investigation revealed WellPoint “did not have adequate policies and procedures for access to the online application database” that was breached and did not have “technical safeguards” in place for access verification. WellPoint was also ordered to pay US $100,000 to the state of Indiana to settle charges resulting from a breach that exposed personal information of 32,000 Indiana patients. [SC Magazine] [ComputerWorld] [BusinessWire] [IT World] See also: [North Carolina: Some security experts criticize Blue Cross’ handling of private data] [Wyndham, LabMD Cases Challenging FTC: Two cases could disrupt FTC’s data security authority]

UK – ICO Fines NHS Surrey Over Patient Data on Resold Hard Drive

NHS Surrey has been fined GBP 200,000 (US $302,000) over data remaining on a hard drive sold on eBay. The storage device held records of nearly 3,000 patients and had been given to a third party for secure destruction. The drive in question was in a PC that was part of a lot provided to the data destruction company. All the hard drives and data were supposed to be destroyed, and the company had provided certificates saying that the agreed actions had been taken. The ICO chastised NHS Surrey for providing inadequate oversight of the data destruction company. [TechWorld] [v3.co.uk]

UK – Sony Drops Fine Appeal

Sony has abandoned its appeal of a GBP 250,000 (US $376,000) fine imposed after a 2011 PlayStation Network (PSN) hack. The UK Information Commissioner’s Office (ICO) fined Sony in January 2013, after finding the company negligent for inadequately protecting PSN user data. Sony initially said it would appeal the fine, but has since changed its position, citing the company’s “commitment to protect[ing] the confidentiality of [its] network security from disclosures in the course of the proceedings.” Sony has stated that it remains opposed to the decision. [BBC.co.uk] [v3.co.uk]

WW – Data Breach Roundup

Four million members of Club Nintendo—Nintendo’s member website—have had their names and contact information illegally accessed, according to the videogame maker. The company has been quick to note that it has not confirmed misuse of this information. “Nintendo confirmed there had been around 15.46 million fraudulent login attempts from June 9 through (last) Thursday, of which 23,926 were successful,” The Japan Times reported.

An employee at Guilford County Schools in North Carolina sent a PDF containing the names, addresses, grades and other records of 456 rising seniors at Page High School to a student’s guardian. The school district reports that the breach was accidental and was quickly identified and investigated.

Indiana’s Family and Social Services Administration began notifying some 187,533 individuals that the state agency accidentally disclosed their personal information, monthly benefit amounts, some medical information and even Social Security numbers to members of the public. The breach allegedly stemmed from a computer programming error.

Morningstar revealed that it suffered a breach last April, compromising personal information and credit card details from some 2,300 users of its investment research service, Morningstar Document Research. Morningstar further warned that the passwords and e-mail addresses of some 182,000 users may have been illegally accessed. The AP reports that Morningstar offered affected customers a year of free identity protection services.

The Information Commissioner’s Office (ICO) could impose a fine of up to 200,000 GBP on Herefordshire Council following a breach that was reportedly “so sensitive that to reveal its details also risks breaching the Data Protection Act.”

Pulse, a weekly medical publication, published survey results showing that the number of data breaches at 55 UK hospitals increased 20% year-on-year through June 2013. Many of the reported breaches were one-off incidents, giving rise to the possibility that the increase might reflect more thorough reporting practices and awareness rather than increased data theft or inadequate security.

In breach litigation in the U.S., the Tennessee Court of Appeals ruled that a lawsuit stemming from the hacking of Copper Basin Federal Credit Union’s computers can move forward. The lawsuit alleges that the hacking and the resulting illegal transfer of funds was a result of negligence by Fiserv Solutions, a contracted technical support provider. The complaint claims that Fiserv failed to activate the antivirus firewall and protection software it required the credit union to purchase as part of its service contract.

In Missouri, the Office of the Attorney General has determined Schnuck Markets Inc. did not violate Missouri data security law, St. Louis Business Journal reports, noting the determination follows an investigation into a widespread data breach at Schnucks.

The Federal District Court for the Middle District of Florida threw out a class-action lawsuit alleging that employees at Adventist Hospital System’s Florida Hospital Celebration sold patients’ PHI. The dismissal for lack of subject matter jurisdiction notes that as HIPAA/HITECH does not provide for a private right of action, just a regulatory penalty, there was no sufficient federal issue to justify a hearing in federal court. State law, however, may accord the plaintiffs an avenue to pursue their claims.

ID Experts has compiled 12 “top trends in data breach, privacy and security” as enumerated by some of the top minds in the field. Advanced persistent threats—long-term, undetected hacks—and globalized data thieves top the list. A colorful infographic makes things easy for those who want to do less reading. Meanwhile, Corporate Counsel offers advice for communicating with customers following a breach incident.

The University of South Carolina has sent letters to 6,300 students whose personal information may have been on a stolen laptop, Greenville Online reports. The information included Social Security numbers. The school is currently working toward a new cybersecurity program.

A Virginia trooper has been indicted on one felony and eight misdemeanor counts of computer invasion of privacy based on allegations she was improperly using the Virginia Criminal Information Network.

Personal information stolen from Michigan Department of Community Health website: Thieves have obtained the personal information of about 49,000 individuals from Michigan Department of Community Health records, a department spokeswoman confirmed.

Game company Ubisoft has announced its systems have been breached by cybercriminals, recommending users change passwords immediately. The attack divulged user names, email addresses and encrypted passwords, Ubisoft said. The company said it does not store payment information. [Source]

Identity Issues

US – Internet Groups Complain About COPPA Compliance Costs

Internet groups have complained to the FTC that new regulations to protect children’s privacy online are financially burdensome to start-ups. The regulations went into effect July 1 and not only hold sites and apps that collect data from children under 13 responsible for ensuring parental consent but also for any affiliated third-party services collecting data on their sites. The FTC estimates annual compliance costs for current web services at $6,223 and new services at $18,670. The report states 85 to 90 percent of the web services are run by small businesses. [Los Angeles Times]

US – The USPS Is Selling Data to Brokers

The United States Postal Service (USPS) has a relationship with various data brokers. According to the report, the USPS will sell change-of-address information to a data broker provided the firm purchasing the data has the user’s previous address. The USPS National Change-of-Address program (NCOA) approves licenses to approximately 500 companies. “There’s nothing terrible about NCOA, but people should be given a choice,” said privacy expert Bob Gellman. “New movers are fodder for data brokers, who sell mailing lists to marketers and who also maintain lifetime files on every household in America. NCOA is a prime source of this information.” There is, however, a loophole for consumers that prevents data brokers from accessing the updated address. [Forbes] See also: [US: Is IRS Legally Free to Expose Private Info?]

CA – Canadian ePassports Arrive July 1

Starting July 1, Canadians will receive a redesigned ePassport featuring several new security and anti-counterfeiting measures, including an electronic chip that stores the user’s personal information. Travellers are not required to replace their current passports. Older passports will remain valid until their stated expiry date, Passport Canada says. Addressing privacy concerns, the agency says the passport chips can only be read from a 10-centimetre range, making it unlikely that the chip can be read without the user’s knowledge.  Canada is the last G7 country to adopt chip-enhanced passports; over 100 countries, including the U.S., France, Germany and the U.K. already employ ePassports. [Source]

US – Equifax Credit Agency Snags TrustedID

Equifax, one of the three largest U.S. credit-reporting agencies, has acquired TrustedID, which specializes in identity protection. The terms were not disclosed in Monday’s announcement, but AllThingsD pegs the price at about $30 million. Palo Alto, Calif.-based TrustedID, which was founded in 2004, will become part of Equifax Personal Solutions, its direct-to-consumer business unit. Equifax’s interest in the smaller company is threefold: its technology is robust, its existing partner relationships (for example, its exclusive deal with AARP) are coveted, and Equifax’s own credit and identity products could use reinforcement. TrustedID’s data protection abilities reach far, from social media to snail mail. Equifax has previously indicated that it sees the personal data security market as a growth opportunity. [Source]

JP – Train Operators’ e-Ticket ‘Big Data’ Sale Sparks Privacy Backlash

Last week, JR East (East Japan Railway, Japan’s largest train operator) and Hitachi made a seemingly nondescript announcement that JR East was selling the anonymized e-ticket histories of millions of passengers as marketing data, and it almost did not get noticed. A few prominent bloggers then highlighted the fact that this is the first time that e-ticket transaction histories would be sold to third parties as marketing data, sparking a storm of discussion that has now spilled over to social networking sites. JR East continues to argue that the data is mostly anonymous. “There is no way to determine the identity of specific individuals from the data, so we feel there is no privacy issue.” [Source]

Internet / WWW

US – Utah ISP Won’t Share Your Data Without a Warrant

A tech company operating in Utah has spent the past 15 years “resolutely shielding customers’ privacy from government snoops in a way that larger rivals appear to have not.” Xmission is Utah’s first independent and its oldest Internet service provider and has only 30,000 subscribers, but it has cited the Fourth Amendment in order to rebuff dozens of warrantless requests from local and federal law enforcement authorities. “I would tell them I didn’t need to respond if they didn’t have a warrant, that to do so wouldn’t be constitutional,” said Founder and CEO Pete Ashdown. “I’m not an unpaid branch of the government or law enforcement.” [The Guardian]

US – Researcher Finds Health-Related Searches Threaten Privacy

A researcher at the University of Southern California says patients searching for health-related information online may have their privacy threatened. Marco Huesch searched key terms such as “depression,” “herpes” and “cancer” on health-related websites. Using free privacy tools such as DoNotTrackMe and Ghostery, Huesch found third-party entities tracking him. Sampling 20 high-traffic sites, including the Food and Drug Administration and WebMD, at least one third-party entity—and as many as six or seven—were tracking him on each site, he found. Additionally, 13 out of 20 sites contained third-party elements that tracked user data, and seven of those 13 leaked Huesch’s searches to tracking entities, the report states. [AFP] SEE ALSO: [Stalkers use online sex ads as weapon]

WW – Visualizing Your Metadata

The New York Times reports on Immersion, an MIT Media Laboratory project that mines a consenting user’s e-mail metadata and creates an interactive graphic. “The result is a creepy spider web showing all the people you’ve corresponded with, how they know each other and who your closest friends and professional partners are,” the report states. Meanwhile, a German politician who sued a telecommunications company for his phone data over a six-month span has, in conjunction with ZEIT ONLINE, created a mapped visual of his day-to-day life. By combining Green Party Politician Malte Spitz’s phone data, which includes location information, with publicly available data—including information relating to his political life, Twitter feeds and blog entries—a robust and detailed interactive portrait emerges of Spitz’s personal movements. [New York Times] SEE ALSO: [You may already be a winner in NSA’s “three-degrees” surveillance sweepstakes!] and [UK Businesses Get Creative With Consumer Data at the ‘MIDATA’ INNOVATION LAB Launch] [Internet inventor Vint Cerf: No technological cure for privacy ills]
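To make the Immersion point concrete, here is an added example (not Immersion’s own code, and not part of the original digest) that reads nothing but the From, To and Cc headers of a small constructed mailbox and still recovers who the mailbox owner talks to most and which of those contacts know each other. The mailbox contents, the address me@example.com and the function names are all assumptions for the illustration; the bodies and subjects are present only to show they are never consulted.

```python
"""Contact graph from e-mail headers alone (added illustration, not Immersion's code).

Only From/To/Cc are read; bodies and subjects are never touched. That is the
point the Immersion project makes: metadata alone exposes who talks to whom.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from itertools import combinations

# Constructed sample mailbox (assumption): four short messages.
SAMPLE_MAILBOX = [
    "From: Me <me@example.com>\nTo: Alice <alice@example.com>\nCc: bob@example.com\n"
    "Subject: lunch\n\nnoon?",
    "From: alice@example.com\nTo: me@example.com, bob@example.com\n"
    "Subject: Re: lunch\n\nsure",
    "From: Carol <carol@example.com>\nTo: me@example.com\nSubject: invoice\n\nattached",
    "From: me@example.com\nTo: Bob <bob@example.com>\nSubject: private\n\nlater",
]


def participants(raw_message):
    """Return the set of lower-cased addresses found in From, To and Cc headers."""
    msg = message_from_string(raw_message)
    addrs = set()
    for header in ("from", "to", "cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.add(addr.lower())
    return addrs


def build_graph(raw_messages):
    """Return (node_counts, edge_counts).

    node_counts[address]        = number of messages the address took part in
    edge_counts[(a, b)] (a < b) = number of messages in which a and b co-occurred
    """
    nodes = Counter()
    edges = Counter()
    for raw in raw_messages:
        people = participants(raw)
        nodes.update(people)
        for a, b in combinations(sorted(people), 2):
            edges[(a, b)] += 1
    return nodes, edges


def top_contacts(nodes, me, n=3):
    """Closest correspondents of `me`, ranked by number of shared messages."""
    return [(addr, count) for addr, count in nodes.most_common() if addr != me][:n]


def links_between_contacts(edges, me):
    """Edges that do not involve `me`: how my contacts know each other."""
    return {pair: count for pair, count in edges.items() if me not in pair}


if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_MAILBOX)
    print("top contacts:", top_contacts(nodes, "me@example.com"))
    print("links among contacts:", links_between_contacts(edges, "me@example.com"))
```

Nothing in the code looks at a message body, yet the output already says that bob is the closest contact and that alice and bob correspond with each other independently of the owner. Scaling this to a real mailbox changes only the input list; that is what makes header-only data sets, such as the call and e-mail records discussed elsewhere in this digest, so revealing.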

Law Enforcement

US – Security Cameras at Boston’s July 4th Celebration Raise Privacy Concerns

One thing you can expect to see in Boston on this Fourth of July: many, many more police than usual — and many more security cameras too. Law enforcement is responding aggressively to the security issues raised by the marathon bombings, and the ACLU of Massachusetts is raising privacy concerns. Massachusetts State Police Superintendent Col. Timothy Alben said security cameras are being deployed at and around the Fourth of July events in unprecedented numbers. Operated wirelessly, the cameras’ recordings will be downloaded to a central server, he said, where, from a technical point of view at least, they could be kept indefinitely. “We haven’t developed a policy on how long we’ll keep it,” Col. Alben said. “I think again we did a lot of this in preparation for this particular event. And, as we move forward, we’ll refine the policy, I think, on keeping it.” That lack of refinement has the ACLU of Massachusetts concerned. Kade Crockford, who directs the group’s Technology for Liberty Project, says it is legitimate for law enforcement to deploy such cameras to protect safety at big public events. “That said, I think it’s very troubling that the police do not have a policy to govern the use of these cameras,” she said. Most police departments that use surveillance cameras do have such policies, Crockford noted. They are needed, she said, to ensure that free-speech protected activities — including anti-federal surveillance protests scheduled for the Fourth of July — are not monitored illegally. [Source]

Location

US – Data Brokers Are Now Selling Your Car’s Location for $10 Online

Forbes reports on the business of license-plate recognition. One data broker, TLO, announced recently it has begun selling location information on license plates that have been filed and identified, and police have started using the technology to track suspects. TLO’s “massive” database claims to add up to 50 million new vehicle sightings each month. “One possible longer term issue around license-plate recognition is that new firms in the field seeking to gain market share could gather specific data such as who was visiting what churches or mosques, underground clubs or medical clinics and perhaps distribute that information more freely than companies now do,” the report states. [Source]

US – States Move on Laws Requiring Warrants for Cellphone Records

The New York Times reports on a recently passed Montana bill that requires police to obtain a search warrant before determining a suspect’s location based on cellphone carrier records. Realizing the value of metadata and the ability of cellphones to track our daily movements, Montana’s governor signed the location information privacy bill—reportedly the first of its kind in the nation—into law on May 6. Other states are working to pass similar bills. Maine’s version is on its way to the governor’s desk, and Massachusetts will hold a legislative hearing on a similar measure next week. [Source] [Source]

Online Privacy

WW – W3C Rejects Ad Industry’s DNT Proposal

The World Wide Web Consortium (W3C) has rejected the Digital Advertising Alliance’s (DAA) draft proposal for a universal Do-Not-Track standard. W3C said the DAA proposal was “less protective of privacy and user choice than their earlier initiatives.” The group says it will instead work from the “June draft,” though even privacy advocates say the draft faces “insurmountable obstacles to adoption by the deadline at the end of this month.” [AdAge] [Daily Examiner] [MediaPost: Mozilla Questions IAB’s Do-Not-Track Estimates] [As the Do Not Track standard unravels, privacy alternatives emerge]

WW – Do-Not-Track Continues To Spark Fires

Microsoft’s newest version of Internet Explorer (IE) allows users to grant permission for specific websites to log their movements. IE11 was debuted in the Windows 8.1 preview last week and features a default Do-Not-Track setting with a “user-granted exceptions” option. Meanwhile, following criticism over its plans to move forward with a project to block third-party cookies in the Firefox browser, Mozilla’s Harvey Anderson said there’s “no constitutional right that allows people to modify my computer.” The Digital Advertising Alliance has called the proposal “draconian.” [IT Pro]

WW – Twitter Adopts DNT by Default

Twitter will begin using cookies to track users and deliver advertising, but because its program abides by Do-Not-Track settings and has a clear opt-out, privacy advocates are praising it. An Electronic Frontier Foundation activist said in a blog post, “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” Meanwhile, Vine, a video-sharing site owned by Twitter, has added privacy settings to its services—including the ability to make Vines private. [PC Pro]

WW – Facebook Rolls Out Graph Search to Millions

Several hundred million people will have access to Facebook’s Graph Search beginning this week, six months after its beta testing. The tool is “designed to take any open-ended query and give you links that might have answers,” according to Facebook CEO Mark Zuckerberg. Upon its initial release, the tool prompted concerns that it would compromise the privacy rights of minors. It “makes paying attention to privacy settings much more important if you don’t want embarrassing photos from years ago dredged up or your public contact information scraped,” the report states. [Tech Crunch] SEE ALSO: [Facebook defends Graph Search’s privacy controls for teens | Facebook blog post] and [Facebook’s new promoted-post feature sparks privacy concerns] and also: [How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity]

Other Jurisdictions

AU – Media Companies Told to Adapt to Australia’s New Digital Privacy Laws

Changes to the Privacy Act mean digital publishers face fines of more than $1 million unless they are transparent about personal data they collect and use. The new rules come as the traditional print media targets users who now prefer to use mobile devices through social media sites like Facebook and Twitter. The warning is highlighted in a report released by the consulting group PricewaterhouseCoopers. [Source]

IN – Gov’t Surveillance Raises Trust Concerns

The New York Times reports on India’s Centralized Monitoring System—its new surveillance program—and whether citizens can trust that the government will not infringe on their privacy. The government has said it will abide by laws mandating that it receive proper authorization prior to intercepting communications and that privacy will be better protected. “But there are a host of reasons why the citizens of India should be skeptical of those official claims,” the report states. [Source]

Privacy (US)

US – How First PCLOB Meeting Affects Private Firms

At the Privacy and Civil Liberties Oversight Board’s first public meeting since its reemergence under new Chairman David Medine, the focus was very precise: What direct and concrete improvements could be made to improve “Surveillance Programs Operated Pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act.” Ideas generated included making the FISA Court adversarial, decreasing the vagueness around “data minimization,” instituting a data retention law and a number of other suggestions. [The Privacy Advisor]

US – Judge Grants Chevron Access to Activists’ Online Data

A U.S. federal judge has ruled to allow Chevron, via subpoena to Microsoft, Google and Yahoo, access to the IP usage records of more than 100 environmental activists, journalists and attorneys. The company has requested the records to piece together a lawsuit alleging the oil company was the victim of a conspiracy ending up in an $18.2 billion judgment against it for the dumping of 18.5 billion gallons of oil waste in the Ecuadorean Amazon, the report states. The Electronic Frontier Foundation’s Marcia Hoffman said, “These sweeping subpoenas create a chilling effect among those who have spoken out…” The subpoena, according to ERI, requests personal information of each account holder and every login over a nine-year period. [Common Dreams]

US – The Future of Consumer Privacy Class Actions

The New York Law Journal explores the potential future of consumer privacy class-action lawsuits in light of the recent comScore decision, noting that it and “other recent decisions allowing privacy cases to proceed in the absence of actual damages suggest that the legal landscape may be changing, and that privacy could be the next significant frontier in class-action litigation.” Meanwhile, The Sun Sentinel reports malpractice lawyers have argued that a new Florida law, Ch. 2013-108, may violate patient privacy. [Source]

US – Children’s Privacy Suits To Be Heard in NJ

The U.S. Judicial Panel on Multidistrict Litigation has sent six class-action lawsuits alleging Google and Viacom “violate children’s privacy by using cookies to track their Internet use and target them for ads” to New Jersey to be heard. A nationwide class-action was filed back in December in Texas by Stephanie Fryar, who “claimed that when her sons registered and created profiles on three Viacom-operated websites…the defendants placed a doubleclick.net cookie ‘id’ on the children’s computers to track their communications to those websites and others,” the report states, noting similar cases were filed in California, Illinois, Missouri, New Jersey and Pennsylvania. [Courthouse News Service] [National Law Journal]

US – Leslie Harris to Step Down at CDT

Leslie Harris, who has headed the Center for Democracy & Technology (CDT) since 2005, announced this month that she will resign from her post in March of 2014, just as the CDT celebrates its 20th anniversary. Harris made it clear that she is not retiring but rather “right-sizing,” and she is hardly done with her work in the privacy arena. Hear her thoughts on CPOs’ human rights obligations, the status of current legislation, where CDT goes from here and more. [Source]

US – DHS Secretary Napolitano Resigns to Head University of California System

Homeland Security Secretary Janet Napolitano, who led the burgeoning Department of Homeland Security through a host of policy changes in the era after the Sept. 11, 2001 attacks on the U.S., is resigning to head the University of California system. Napolitano, just the third person to lead the 10-year-old department, told her senior staff Friday she would be leaving to become the president of the University of California system. The university also announced Napolitano’s nomination to be the 20th president of the statewide system. A former Arizona governor and attorney general, Napolitano was appointed by President Barack Obama in 2008. She had led the department through a series of policy changes with respect to protecting the public safety, including a focus on enforcing immigration laws. [Source]

Privacy Enhancing Technologies (PETs)

WW – Pirate Bay Founder Aims to Create Spy-Proof Messaging App

It took 36 hours for users to contribute $100,000 to fund an app designed to avoid government spy agencies. The app, called Heml.is, is Swedish for “secret.” It aims to give users an alternative to major tech companies. “We’re building a message app where no one can listen in, not even us,” the creators said of the product. Pirate Bay founder Peter Sunde is working with app developers to create a mobile messaging application that uses end-to-end encryption, which means that only the sender and the recipient will be able to read messages. Sunde says there will not be ads on the app and that it will not sell user data to advertisers. The funding will come solely from users, who will have to pay extra to use certain features, such as sending images. [CNET] [ComputerWorld] [Source] See also: [Kremlin Returns to Typewriters]

WW – New Privacy Enhancing Technology Preserves Web Anonymity and Privacy

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, presented the 2013 Award for Outstanding Research in Privacy Enhancing Technologies (PET Award) via video at Indiana University in Bloomington, Indiana. Dr. Cavoukian and Microsoft co-sponsor the award, which was created in 2003 to encourage the development of technology that protects privacy rather than threatens it. The winners are selected by a global panel of leading technology researchers. The winning paper, “Adversarial Stylometry: Circumventing Authorship Recognition to Preserve Privacy and Anonymity,” is based on research by Sadia Afroz, Michael Brennan and Rachel Greenstadt. The paper examines methods for defeating stylometry, the analysis of writing style, which has recently been revolutionized online by advances in computer algorithms. The privacy concern is that stylometry can be used to reliably link anonymous or pseudonymous text to identifiable individuals, so a “throwaway” account or a whistleblower’s post can be attributed to its author from style alone. To lessen these risks, the authors developed software called “Anonymouth” that assists users by suggesting modifications to their text that defeat stylometric attribution. [Source] [More information about the privacy technology awards]
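To make the linking attack and the Anonymouth-style countermeasure concrete, the following is an added illustration written for this digest; it is not code from the paper, from Anonymouth or from the award. It uses a deliberately tiny feature set (mean word length and the rate of connective function words), where a real stylometric system uses hundreds of features (function-word frequencies, character n-grams, punctuation and sentence-length statistics), and the two “authors”, their writing samples and the anonymous post are constructed for the example. The `suggest` function shows the mechanism Anonymouth relies on: report which measurable features of the text must move, and in which direction, for it to stop resembling its author.

```python
import math
import re

# Toy feature set. A real stylometric classifier uses hundreds of features;
# two are enough to show why writing style is a linkable identifier.
CONNECTIVES = {"however", "moreover", "therefore", "consequently",
               "furthermore", "nevertheless"}


def tokenize(text):
    """Lower-case alphabetic tokens; punctuation and digits are dropped."""
    return re.findall(r"[a-z]+", text.lower())


def features(text):
    """Feature vector: mean word length and connectives per 10 words."""
    words = tokenize(text)
    if not words:
        raise ValueError("empty text")
    mean_len = sum(len(w) for w in words) / len(words)
    connective_rate = 10 * sum(w in CONNECTIVES for w in words) / len(words)
    return {"mean_word_length": mean_len,
            "connectives_per_10_words": connective_rate}


def distance(a, b):
    """Euclidean distance between two feature vectors with the same keys."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in a))


# Constructed writing samples for two hypothetical authors (not real people).
CORPUS = {
    "A": "I saw the dog. It ran to the gate. We went home. It was late. "
         "The sky was dark. I like the park.",
    "B": "Nevertheless, the committee deliberated extensively; consequently, "
         "the resolution was postponed. However, subsequent negotiations "
         "proved remarkably productive.",
}
# One style profile per known author, built from their attributed writing.
PROFILES = {author: features(sample) for author, sample in CORPUS.items()}


def attribute(text, profiles=PROFILES):
    """Nearest-profile attribution: the attack that links a post to an author."""
    f = features(text)
    return min(profiles, key=lambda author: distance(f, profiles[author]))


def suggest(text, target, profiles=PROFILES):
    """Anonymouth-style hint: how far each feature must move to resemble `target`.

    A positive value means "increase this feature", negative means "decrease".
    """
    f = features(text)
    return {k: profiles[target][k] - f[k] for k in f}


# Constructed anonymous post written in author A's style, and the same content
# after following the hints (longer words, more connectives).
ANON = "The cat sat on the mat. It was wet. We had tea. I went to bed."
REWRITTEN = ("Nevertheless, the feline positioned itself upon the carpet; "
             "consequently, it remained saturated. However, we subsequently "
             "consumed refreshments.")

if __name__ == "__main__":
    print("anonymous post attributed to:", attribute(ANON))        # A
    print("hints to look like B:", suggest(ANON, "B"))
    print("rewritten post attributed to:", attribute(REWRITTEN))   # B
```

Two caveats a practitioner should keep in mind: with only two features the rewrite is easy, whereas defeating a classifier trained on hundreds of features while keeping the text readable is the hard problem the paper studies; and attribution is only as good as the attributed corpus, so the same machinery applied to a person’s public posts is exactly the linkage risk described above.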

UK – Anonymisation Network Launched at University of Manchester

The University of Manchester has launched a new expert network that will help businesses to safely manage and share sensitive information. The UK Anonymisation Network (UKAN) was supported by the University and is led by Dr Mark Elliot, who is based at The University of Manchester’s School of Social Sciences. Funding was provided by the UK Information Commissioner’s Office, while the Open Data Institute also offered support alongside the Office for National Statistics and the University of Southampton. UKAN will provide advice to organisations and companies on how to reduce the risks around holding personal details of individuals and the inadvertent sharing of data. The network aims to lay a foundation of best practice for anonymisation and give advice to anyone who handles sensitive data, especially those in health, education and policing. UKAN will help to deliver the Government’s Transparency Initiative, which hopes to dispel any culture of data secrecy within Government departments, public bodies, businesses and other organisations. “The network will also provide important best practice advice on how data can be successfully anonymised in compliance with the UK Data Protection Act,” said Christopher Graham, the UK Information Commissioner. [Source]

Security

WW – Chinese CERT Reports Increases in Mobile Malware – 80% on Android

According to data from the National Computer Network Emergency Response Team/Coordination Center of China (CNCERT/CC), China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80% of the samples targeted Android devices, and 40% were designed to sign the device up for fee-based services (premium-rate SMS and similar billing fraud). CNCERT/CC also reported that in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country. [ComputerWorld] [ZDNet] [PCWorld] See also: [Critical Android Flaw Lets Attackers Insert Code Into Signed Apps] and [South Korean Defense Ministry to Prohibit Certain Smartphone Functionality]

US – CTO Tests Company Employees’ Phishing Smarts

Several weeks ago, the chief technology officer at Atlantic Media sent a phony phishing email to all 450 company employees. The message appeared to come from Google Apps and asked recipients to click on a link to confirm their account information; anyone who clicked was taken to a website revealing that it was a security test. About 120 employees clicked the link, and another 120 opened the message but did not click. The remaining employees either called or messaged CTO Tom Cochran about the suspicious message, and some flagged it in their inboxes. Cochran noted, “Telling someone that something bad can happen is not as good as demonstrating it.” While Cochran believes in the value of security education for employees, Bruce Schneier says such training is a waste of companies’ time and money, because “you’re only as strong as your worst offender.” Schneier noted that a better choice would be “investment in systems that take user mistakes out of the loop.” [SCMagazine]
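The three outcomes in the Atlantic Media test (clicked, opened but did not click, reported) come from correlating the landing site’s logs with the security mailbox. The following is an added example written for this digest, not Atlantic Media’s tooling, showing how such a simulation is usually scored: each recipient gets an opaque per-campaign token in their link (an HMAC over the address, so a colleague cannot guess or forge someone else’s link and the address itself never appears in the web log), a tracking pixel records that the message was rendered, the landing page records a click, and reports are matched against the roster. The roster, the campaign key, the log lines and the report list are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed roster; the addresses are hypothetical.
ROSTER = ["alice@example.com", "bob@example.com", "carol@example.com",
          "dave@example.com", "erin@example.com"]
# Per-campaign secret (constructed). Tokens are an HMAC over the address so
# links cannot be guessed or forged and the log never carries the address.
CAMPAIGN_KEY = b"constructed-campaign-secret"


def make_token(email, key=CAMPAIGN_KEY):
    """Opaque 64-bit token bound to one recipient and one campaign."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


TOKENS = {make_token(e): e for e in ROSTER}   # token -> recipient (keep access-restricted)


def access_line(ip, ts, path, token, status):
    """Build a constructed Apache/nginx-style access log line."""
    return f'{ip} - - [15/Jul/2013:{ts} +0000] "GET /{path}?t={token} HTTP/1.1" {status} 43'


# Constructed web-server log for the landing site. /open.gif is the tracking
# pixel (message rendered); /confirm is the "verify your account" link.
LOG = [
    access_line("10.0.0.5", "09:01:12", "open.gif", make_token("alice@example.com"), 200),
    access_line("10.0.0.5", "09:01:40", "confirm", make_token("alice@example.com"), 200),
    access_line("10.0.0.9", "09:03:02", "open.gif", make_token("bob@example.com"), 200),
    access_line("10.0.0.7", "09:04:19", "open.gif", make_token("dave@example.com"), 200),
    # Unknown token: a scanner or a forged link, must not be credited to anyone.
    access_line("203.0.113.8", "09:10:00", "confirm", "deadbeefdeadbeef", 404),
]
# Constructed: people who forwarded the message to the security mailbox.
REPORTED = {"carol@example.com", "dave@example.com"}

LINE_RE = re.compile(r'"GET /(open\.gif|confirm)\?t=([0-9a-f]{16}) HTTP')


def parse_hits(log_lines, tokens=TOKENS):
    """Map each recipient to the set of endpoints they hit; unknown tokens are dropped."""
    hits = {email: set() for email in tokens.values()}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group(2) not in tokens:
            continue
        hits[tokens[m.group(2)]].add(m.group(1))
    return hits


def classify(hits, reported=REPORTED):
    """One outcome per recipient, with precedence clicked > reported > opened > no_action.

    A click is the outcome that matters for training even if the person also
    reported afterwards; reporting without clicking is the desired behaviour.
    """
    outcome = {}
    for email, endpoints in hits.items():
        if "confirm" in endpoints:
            outcome[email] = "clicked"
        elif email in reported:
            outcome[email] = "reported"
        elif "open.gif" in endpoints:
            outcome[email] = "opened"
        else:
            outcome[email] = "no_action"
    return outcome


def summarize(log_lines=LOG, reported=REPORTED):
    """Campaign-level counts, the numbers a CTO would quote afterwards."""
    return Counter(classify(parse_hits(log_lines), reported).values())


if __name__ == "__main__":
    for email, result in sorted(classify(parse_hits(LOG)).items()):
        print(f"{email:20s} {result}")
    print(summarize())
```

Two caveats: the “opened” figure is a floor, since many mail clients block remote images, so the pixel undercounts readers; and because the token-to-address map is the only thing that turns the log into named individuals, keep it under restricted access and delete it when the campaign is scored, reporting aggregates rather than names, which is also what keeps such a test on the right side of the workplace-privacy concerns discussed elsewhere in this issue.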

US – Symantec Releases Mobile Privacy Product

Symantec has released a new privacy product capable of scanning a mobile device for data an application may be leaking about the user. Norton Mobile Security for Android devices checks for “malicious applications, privacy risks and potentially risky behavior.” While Norton’s suite of mobile security products have typically focused on malicious threats, Michael Lin, vice president of Symantec Mobility Solutions, said that this latest solution reacts to the fact that “now we are seeing threats impact mobile applications and data being shared without the user’s knowledge or consent.” This latest product aims to “protect users from these types of privacy threats as well.” [Source]

Surveillance

WW – Spying Reports Give Momentum to ECPA Reforms, Spur Legal Actions

Revelations about the U.S. NSA’s surveillance of domestic and foreign communications should add momentum to the already politically charged push to update the U.S. Electronic Communications Privacy Act, and on both sides of the aisle, Politico reports. Already, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has co-sponsored a reform bill, and House Judiciary Committee Chairman Bob Goodlatte (R-VA) has pledged to make the issue a priority. In the UK, lawyers for Privacy International have filed legal papers calling for an immediate suspension of Britain’s use of material from the NSA’s PRISM program, and in the U.S., The New York Times reports on EPIC’s plans to file an emergency petition with the Supreme Court today asking that it stop the NSA’s surveillance program altogether. The Hill discusses “five unanswered questions about the NSA’s surveillance programs,” including the scope of the programs, additional data being collected under the USA PATRIOT Act and other programs the public may not be aware of, and The Guardian reports on the NSA’s bumpy ride at a recruitment drive on a U.S. college campus last week. See also [‘America has no functioning democracy’ – Jimmy Carter on NSA]

EU – EU Officials, U.S. Privacy Group Seek Answers, Action

PC World reports the “European Parliament gave European Commissioners and national ministers some extra ammunition Thursday in discussions with the U.S. following allegations about American spying and the PRISM scandal: possible suspension of data-sharing agreements.” The European Parliament is asking the U.S. “to provide full disclosure of any spying activities” and has established an inquiry to review the allegations, but it “stopped short of suspending bilateral trade talks due to start on Monday,” the report states. Meanwhile, the European Commission has written to the UK for answers about its surveillance program, Tempora. In the U.S., the Electronic Privacy Information Center’s Domestic Surveillance Project announced Thursday that it plans to file a petition with the Supreme Court “to vacate the Foreign Intelligence Surveillance Court ruling” authorizing the NSA’s collection of metadata on U.S. phone calls. [Source] SEE ALSO: [Claims that France has Internet spying program similar to America’s hugely embarrassing to Hollande]

EU – German Chancellor Calls for New ISP Agreement; NSA Fallout Continues

German Chancellor Angela Merkel has called for a strict European agreement on data protection that would require all ISPs operating in Europe to reveal the personal information they keep and with whom they share it. Merkel has suggested that the requirement could be codified within the International Covenant on Civil and Political Rights, but there’s some doubt as to the feasibility of that. Meanwhile, EU Justice Commissioner Viviane Reding said revelations surrounding the U.S. National Security Agency’s surveillance program helped add momentum to the case of those already calling for stronger data protection measures in the EU. Meanwhile, Politico reports on privacy issues’ impact on U.S.-EU trade talks. [CNN] See also: [No Feds at DEF CON, What Comes Next?]

US – Brick-and-Mortar Tracking on the Rise

Last year, department store Nordstrom sought to learn more about its customers by testing a new technology that tracked customers’ movements through the store via the WiFi signals from their cell phones. But when it posted a sign telling customers they were being tracked, it heard complaints and eventually ended the program. “The creepy thing isn’t the privacy violation, it’s how much they can infer,” said one shopper. An increasing number of vendors now offer brick-and-mortar shops the kind of visitor tracking that online stores have long had. Meanwhile, the ACLU has criticized AT&T’s plans to sell anonymous customer location data, saying customers can still be identified from it. [The New York Times] [Senator Franken Letter to Euclid] See also: [TTC suspends covert camera use]
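The article does not say how the in-store tracking vendors or AT&T pseudonymise their data, so the following is an added example written for this digest, not any vendor’s code, built on one assumption: that the “anonymous” identifier is a hash of the phone’s WiFi MAC address, the identifier a WiFi tracker actually sees. It shows why that is not anonymisation in the sense the ACLU is arguing about. A MAC address has only 2^24 possible values under each vendor prefix (OUI), so an unkeyed hash can be reversed by hashing every candidate; a keyed hash with a secret the analyst never sees defeats that dictionary attack. The OUI (with the locally-administered bit set, so it belongs to no real vendor), the device address and the key are constructed, and the search is capped at 2^16 candidates to keep the demonstration quick, with the target placed inside that range.

```python
import hashlib
import hmac

# Constructed: an OUI with the locally-administered bit set (first octet 0x02),
# so it is no real vendor's prefix, and one device underneath it.
OUI = "02:1a:2b"
DEVICE_MAC = "02:1a:2b:00:ab:cd"
# Candidates enumerated per OUI in this demo. The real space is 2**24 (about
# 16.7 million) per vendor prefix, i.e. seconds of hashing, not years.
SEARCH_LIMIT = 1 << 16


def pseudonym_hash(mac):
    """What 'anonymised' often means in practice: an unkeyed SHA-256 of the MAC."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def pseudonym_keyed(mac, key):
    """Keyed pseudonym: HMAC-SHA256 under a secret the analyst never holds."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()


def mac_from_suffix(oui, n):
    """Render the n-th address under an OUI in colon-separated lower-case form."""
    b = n.to_bytes(3, "big")
    return f"{oui}:{b[0]:02x}:{b[1]:02x}:{b[2]:02x}"


def recover(pseudonym, oui=OUI, limit=SEARCH_LIMIT):
    """Dictionary attack: hash every candidate under the OUI until one matches.

    Returns the MAC address, or None if nothing in the searched range matches
    (which is what happens against a keyed pseudonym with an unknown key).
    """
    for n in range(limit):
        candidate = mac_from_suffix(oui, n)
        if pseudonym_hash(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    weak = pseudonym_hash(DEVICE_MAC)
    print("unkeyed hash recovered:", recover(weak))            # 02:1a:2b:00:ab:cd
    strong = pseudonym_keyed(DEVICE_MAC, b"constructed-secret-key")
    print("keyed hash recovered:  ", recover(strong))          # None
```

The keyed version only removes the offline re-identification; the pseudonym is still stable, so the operator can link every visit by the same phone across days and stores, which is the inference the quoted shopper objected to. Rotating the key (per day, per store) bounds how long any pseudonym stays linkable, and is the kind of control a regulator reading the Franken letter would want to see described rather than the word “anonymous”.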

Telecom / TV

US – AT&T Privacy Policy Updated, May Start Selling Anonymous User Data

AT&T has a new privacy policy and may begin selling anonymized user data to third parties. The company cites “more relevant advertising” as its reason for selling the data, joining other big tech companies in the practice. AT&T will offer customers the opportunity to opt out, and plans to sell demographic and device information as well as information on viewing behavior through its television service. Pointing to Verizon’s use of consumer data, AT&T’s privacy policy states, “we similarly plan to provide our customers with these sorts of personalized services, and we’re committed to doing so in line with our long-standing policy to respect and protect our customers’ privacy.” [Slashgear]

US Government Programs

US – NSA Files Show Microsoft Encryption Was Bypassed

The Guardian reports on documents obtained from Edward Snowden on the U.S. National Security Agency’s (NSA) surveillance programs that indicate encryption was bypassed to access documents. The documents show “Microsoft helped the NSA to circumvent its encryption” and the NSA had “pre-encryption stage access to e-mail on Outlook.com, including Hotmail,” the report states. Microsoft has responded, “When we upgrade or update products, we aren’t absolved from the need to comply with existing or future lawful demands,” noting customer information is only provided “in response to government demands, and we only ever comply with orders for requests about specific accounts or identifiers.” Meanwhile, The New York Times reports that Sen. Ron Wyden (D-OR) has said he believes the NSA may soon abandon the practice of collecting bulk phone records.[Source] See also: [US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria]

US – FISA Court Wants Obama to Declassify Yahoo Case

The U.S. Foreign Intelligence Surveillance Court has ordered the Justice Department to review a 2008 secret court opinion—allegedly requiring Yahoo to turn over online communications of its consumers—to determine how much it can publicly release. Judge Reggie B. Walton also called on the Justice Department to review the arguments Yahoo and the government made in the case. Walton would then publicly release the court’s justification. Meanwhile, the Electronic Frontier Foundation has recognized Yahoo “with a star of special distinction” in their Who Has Your Back survey “for fighting for its users in (secret) courts.” [The Washington Post] See also: [For NSA chief, terrorist threat drives passion to ‘collect it all,’ observers say] [Can Gov’t Safely Use FISA To Justify Surveillance?]

US – Postal Service Tracking, Retaining Images of Mail

The New York Times reports on a little-known but long-running surveillance system at the United States Postal Service (USPS). Leslie James Pickering, a bookstore owner who a decade ago was spokesman for a radical environmental group the FBI flagged as eco-terrorists, noticed a handwritten card mistakenly delivered with his mail stating that any mail headed to his address should be shown to a supervisor first. He was being tracked under the Mail Isolation Control and Tracking program, in which the USPS photographs the exterior of every piece of paper mail processed in the U.S. Those images are provided to law enforcement officials who request them under the Postal Service’s “mail cover” practice, which is more than a century old, the report states. [Source]

US – Updated COPPA Rules Now in Effect

The US Federal Trade Commission’s (FTC’s) revised rules under the Children’s Online Privacy Protection Act of 1998 (COPPA) took effect on July 1, 2013. The law prohibits the collection of personal data from children under age 13 without first obtaining verifiable parental consent. It also requires websites to have clear and accessible privacy policies and to ensure the security of the information they collect from children. The updated rules expand the definition of personal information to include “geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services,” as well as photos, videos and sound recordings. COPPA applies to smartphone apps as well as websites. [Information Week] [COPPA Amendments]

US – NPPC Joins in Lawsuit over EPA Privacy Breach

The American Farm Bureau Federation and the National Pork Producers Council (NPPC) have jointly filed a federal lawsuit and a motion for a temporary restraining order to halt disclosures of farmers’ personal information by the U.S. Environmental Protection Agency (EPA). The move comes after the EPA released the personal information of tens of thousands of farmers, including names, addresses and personal contact information, in response to a number of Freedom of Information requests by animal rights groups. Filed in the U.S. District Court for the District of Minnesota, the action seeks to stop the disclosures and clarify the EPA’s role in keeping personal data private in such circumstances. [National Hog Farmer]

US Legislation

US – Florida Attorneys Work to Overturn Malpractice Law

Five lawsuits filed in state and federal courts on Monday claim a new Florida state law (SB 1792) violates patients’ privacy rights. The law, which went into effect on Monday, aims to protect doctors facing malpractice suits and, according to one complaint, authorizes “unlimited and unfettered release of personal health information to those defendants without the valid consent of claimants.” “The law allows—but does not require—any healthcare provider called as a witness to breach patient confidentiality and give the defendant’s attorneys information about a patient’s treatment,” reports The Miami Herald. The provision applies only to the pre-filing informal fact-finding period; once a suit is filed, court rules apply. The suits, filed in Tallahassee, West Palm Beach and Miami federal courts and in state courts in Pensacola and Fort Lauderdale, claim this provision contravenes HIPAA.

US – Missouri Gov. Vetoes Workers’ Compensation Database

Missouri Gov. Jay Nixon vetoed a bill that would have created a database of workers who have filed workers’ compensation claims in the state. The bill would have allowed employers to enter job applicants’ names and Social Security numbers into the database to see whether they had filed a claim, the date of the claim and its status. According to a report in The Republic, Missouri’s Division of Workers’ Compensation estimated the database would start out with 554,000 records, adding about 13,000 per year.

US – Senate Issues Draft Cybersecurity Bill

The US Senate is circulating a draft cybersecurity bill. A similar measure failed last year. The bill aims to establish voluntary cybersecurity standards for organizations that operate elements of the country’s critical infrastructure. It also calls for increased research and development in cybersecurity defenses and increased software vulnerability information sharing. [NextGov] [The Register]

Workplace Privacy

US – Court Ruling Impacts BYOD

What happens to an employee’s expectation of privacy regarding her personal e-mails on her company-issued BlackBerry after she leaves the company? If a recent ruling by the U.S. District Court for the Northern District of Ohio stands up to further scrutiny, the answer could be that a former employee has a greater expectation of privacy after her departure than while she was still employed. In Lazette v. Kulmatycki, the court ruled that the Stored Communications Act (SCA) applies to unauthorized access of employees’ personal e-mail accounts, among other determinations. [Source]

CA – Enforcement of Privacy Policy in Steel v. Coast Capital Savings Credit Union

In a recent decision of the British Columbia Supreme Court, the Court upheld the termination for cause of a help desk analyst in the IT department who had been employed for over 20 years at Coast Capital Savings Credit Union (Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527). Employees at Coast were permitted to have a personal folder in which they would keep confidential business documents. Under the privacy policy at Coast, the files in the personal folder could only be read or edited by the employee who had the folder. Help desk employees were allowed to access personal folders but could only do so to resolve a technical problem, and only if the employee who had the personal folder first gave permission to the help desk to access the folder. The restrictions on access to personal folders were clearly set out in the privacy policy at Coast. An employee tried to open a confidential spreadsheet in her personal folder and got a message on her screen that the document was already in use by the help desk. The document in question was a waiting list of employees for parking spots, a confidential document containing information about employees’ seniority and rates of pay. The help desk employee had not requested permission to view the document in the other employee’s personal folder; she accessed it because she was curious about the waiting list for parking. Coast terminated her employment on the basis of breach of the trust “that is required in a position that holds access to confidential and private information,” stating that it no longer had confidence in her. The Court decided that the help desk employee was in a position of trust because she was “given the ability to access confidential documents” as a result of her position on the help desk, and she was not allowed to use that ability without the consent of the other employee. The Court stated that “the employer had to trust Ms. Steel to obey its policies and follow the protocols. It had to trust Ms. Steel to only access such documents as part of the performance of her duties and follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position.” Accordingly, the Court upheld the termination for cause. The Court’s decision to uphold the termination for cause of an employee with over 20 years of service for a single breach of the privacy policy is a clear indication that courts are prepared to treat privacy issues very seriously: technical ability to access a record (here, administrative rights on the help desk) is not authorization to read it. If employees in a position of trust violate privacy policies, they may well be subject to termination for cause. [Source]

US – BYOD Spurs Worker Worry About Personal Privacy

Employers aren’t the only ones worried about workers using their own mobile devices in the office, new research shows. A study by network access solutions provider Aruba Networks revealed that BYOD, the term for employees using personal smartphones and tablets for work purposes, is causing workers to fear their employer looking at their personal information. Specifically, 45% of U.S. workers worry about giving their company’s IT department access to their personal data, and 46% said they would feel violated if IT staff were to access any personal information on their mobile devices. The research found that these concerns are leading many employees to keep their personal devices away from the IT department, putting company data at risk. Nearly 20% of U.S. workers have not told their employers that they use a personal mobile device for work. The study found that some employees are so insistent on keeping their mobile-device use private that they would delay or fail to inform their employer about a data breach. More than 10% of those surveyed would not report that their personal device had been compromised, even if it leaked company data, and 36% would wait before reporting the breach. [Source]

UK – Home Office Asks Supreme Court to Make Landmark Privacy Ruling

Britain’s Supreme Court judges are being asked to make a controversial ruling on whether the criminal records disclosure system infringes the human rights of some former offenders, preventing them from getting jobs. Home Office lawyers are asking the Supreme Court justices to overturn an Appeal Court ruling that the records disclosure system violated the human rights of some people who argue that previous incidents, where they got into trouble with the police, should be kept secret. Lawyers say the hearing later this month will result in one of the UK’s most important privacy rulings to date and could further provoke critics of human rights laws who are already angry at a recent European Court ruling that criticised Britain for its system of indeterminate life sentences for people convicted of the most serious offences, including multiple murders. Some MPs have argued for tightening rules on the reporting of convictions, particularly serious ones, to deter offenders from even applying for jobs working with the vulnerable. But civil liberties campaigners claim the existing rules mean that teenage “indiscretions” can blight employment prospects for a lifetime. The Appeal Court said the records disclosure regime legitimately sought to protect employers and children or vulnerable adults, but held that the disclosure of all convictions and cautions was “disproportionate” to that aim. An independent review of the disclosure regime has already recommended the introduction of a filter to remove minor and old convictions where appropriate, but the Government says it is still considering the issue. The UK government has already faced criticism from Strasbourg on this issue after it ruled that blanket notification rules imposed on sex offenders without the possibility of review breached their human rights. David Cameron described that decision as “appalling”. 
The far-reaching implications of any Supreme Court ruling became clear after The IoS learnt that vetting checks on people applying for jobs in “caring professions” have turned up almost a quarter of a million crimes in the past two years alone. Nick Pickles, director of the civil liberties group Big Brother Watch, said: “The risk-averse culture within the public sector has meant people struggle to get a second chance if they have any blemish on their past.” [Source]

+++

16-30 June 2013

Canada

CA – Poor Data Breach Tracking, Reporting Concerns Privacy Commissioner

Canada’s privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols. Jennifer Stoddart’s office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians’ personal information. The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians. After taking a close look at the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols. During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend privacy law to make reporting of federal data breaches mandatory. [Source]

CA – Gun Registry Data to Be Deleted in Quebec: Court

A Quebec court has sided with the Harper government, ruling that the province has no right to the federal long-gun registry data. Quebec’s highest court ruled against the provincial government, which is trying to keep the data for that province from being destroyed. “Quebec has no property right in the data,” said the 14-page ruling. “The data does not belong to Quebec, and the provinces have no control over it. The Parliament of Canada, which considers the data at issue to be pointless and inefficient, and believes that its existence in a registry infringes the right to privacy, can certainly decide to stop compiling and preserving that information,” it noted. Various observers have predicted the issue will wind up before the Supreme Court. The long-gun registry was scrapped in the rest of Canada last year, but remains operational in Quebec following a series of injunctions safeguarding the Quebec data and ordering the registry be maintained while the federal-provincial battle plays out in court. [Source]

CA – Saskatchewan Privacy Rights Lag Behind Rest of West: Report

Saskatchewan’s Information and Privacy Commissioner says this province is lagging behind its neighbours in Western Canada in both privacy and access to information matters. Gary Dickson, who released his final annual report this week, says citizens of British Columbia and Alberta have stronger rights in these areas than people in Saskatchewan. His second five-year term as information and privacy commissioner ends April 27, 2014. In his report, Dickson says when it comes to access and privacy, “Saskatchewan is still a have-not province.” Dickson said he’d like to see administrative responsibility for privacy and access cases be moved out of the Ministry of Justice, citing concerns that the ministry takes an adversarial role. Another ministry might be better suited to promoting citizens’ access and privacy rights, he said. [Source] SEE ALSO: [Regina police aren’t required to identify pin pad fraud businesses] and [Canadians questioning privacy rights]

CA – Alberta Commissioner Rules Against Secret Trucker Database

This recent decision of the Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers. [Source]

CA – Alberta Premier Wants Anonymous Online Tool to Report Bullying

Alberta could soon move to implement a system to allow for anonymous online reporting of bullying in real-time and is also looking to give police enhanced powers to combat the harassment and abuse of young people, says Premier Alison Redford. With bullying a hot topic at Monday’s Western Premiers’ Conference, Redford said she would like to follow the path of British Columbia, which brought in an online reporting mechanism as part of its “Erase Bullying” initiative in the wake of the suicide of bullied teenager Amanda Todd. B.C. Premier Christy Clark said the system allows students to report incidents of bullying as they are happening. School personnel are notified immediately as are emergency personnel, if necessary, she told reporters at the premiers’ closing news conference. As a followup, professionals at the district level connect with the school to provide support in dealing with the bully and the victim appropriately. “The important thing about this, though, is that it’s not an app that you load on to your iPhone, because kids don’t want to have a fink app on their iPhone. “It’s an online reporting tool that you can go to on the web,” said Clark, who said there are “thousands” of cases of bullying occurring daily, but youth are afraid to report them because of the potential for retribution. [Source]

Consumer

US – Retailer Sued for Collecting Customer Zip Codes

Urban Outfitters Inc., is facing a class action in Washington federal court over allegations the clothing retailer collected customer zip codes in violation of District of Columbia consumer protection laws. The complaint, filed June 21 in U.S. District Court for the District of Columbia, accused Urban Outfitters Inc. of asking for customer zip codes in a way that implied the information was required to complete a credit card transaction. The plaintiffs claimed Urban Outfitters, which also owns Anthropologie-brand stores, used the zip codes to track down customer addresses for marketing purposes. [Source]

UK – Biz Launches Data-Driven Car Insurance for Youth

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates. Called Box Insurance, the company places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.” [Information Age]

E-Government

CA – Taxpayers Assured Protection When Lodging Complaints Against Taxman

Canada’s taxpayers’ ombudsman is offering help for people who fear there may be a backlash if they lodge a complaint against the revenue department. Ombudsman J. Paul Dube has made an addition to the Canadian Taxpayers Bill of Rights that says Canadians are entitled to lodge service complaints and request formal reviews without fear of reprisal from the CRA. Dube says the new right was created because some taxpayers fear exercising their rights when dealing with the CRA. [Source] SEE ALSO: [Two CRA employees violated privacy laws for years before being caught, reports show] and [ON: Watchdog slams McGuinty’s office over deleted emails]

US – Plans for Data-Sharing Steeped in Privacy Concerns

Virginia plans to implement a data system aimed at improving student preparation for college and the workforce. The talks have been steeped in privacy concerns surrounding student data, a sensitivity school officials say they understand given recent news about the National Security Agency’s surveillance methods. “This is not the greatest time in government to be talking about the cool data we collect,” said a spokesman for the Virginia Education Department. “It’s right for parents to be concerned about privacy. We share that concern.” The system would allow agencies to share data to track student progress, helping officials to create policies around the most successful routes. [The Washington Post]

CA – New App Could Let Citizens Report Illegal Parking, Get Cut of Fine

A new app called SpotSquad could soon pay people to report parking infractions to authorities. The concept is simple, says Chris Johnson, co-founder of the app: when someone sees a parking violation, they simply need to open up the app on their smartphone, upload a photo, choose the type of infraction and submit it; the photo is then sent to regional parking authorities, who can dispatch a ticket warden. If the tip results in a fine, tipsters get a cut deposited into their bank accounts or donated to their favourite charities, as much as 10 or 20%, says Johnson. The group hasn’t yet struck any deals but says it is open to working with municipalities and private parking lot operators. A similar app already exists in the U.S.: Texas-based Parking Mobility runs a program that allows trained volunteers to take photos of cars parked in disabled spots. Rewards are paid out to charities or parking offender rehabilitation programs. The program works because the organization has spent years negotiating agreements with police departments and cities. The group has also launched a pilot project in Vancouver, but results have been disappointing: unlike in the U.S., tipsters there are prohibited from reporting violations on private property. The Canadian app, SpotSquad, could open up a legal minefield, according to a Winnipeg lawyer specializing in privacy and social media law. Public sector workers who do similar work are bound by privacy laws, lawyer Brian Bowman told CTV Winnipeg. That wouldn’t be the case with this app. “You are empowering citizens and paying them to arguably act as an agent for you,” he said. [Source]

E-Mail

US – Texas Governor Signs Strict eMail Privacy Bill

Texas Governor Rick Perry has signed House Bill 2268 into law. The measure requires that law enforcement obtain a warrant before reading stored email. The law takes effect immediately. It makes Texas the first state with an email privacy law more stringent than the federal Electronic Communications Privacy Act (ECPA), which requires a warrant only for unopened email that has been in storage for 180 days or less. [Source] [Source] SEE ALSO: [GEIST: Is the Government About to Can Its Own Anti-Spam Law?]

EU Developments

EU – France Gives Google 3 Months to Address User Data Privacy Concerns

French data privacy body, Commission Nationale de l’Informatique et des Libertes (CNIL), has given Google three months to implement changes to the way it collects and manages customer data. The commission found Google to be in violation of the French Data Protection Act. CNIL’s June 10 decision lists the changes it expects from Google, including explaining to users how the data they collect will be used, and not retaining data beyond the time necessary for the purpose for which they were collected. If Google does not comply with the order, the company could face sanctions. Google is facing enforcement action over privacy practices in several other EU countries, including Spain and Germany. [CNET] [The Register] [ComputerWorld] [Reuters]

EU – Albrecht: Reports Suggest NSA Intercepted Regulation Data

“If the actual revelations on these spying activities are true, then it is completely clear that there have been also interceptions with the activities of this regulation,” German Green MEP Jan Philip Albrecht said of the EU’s draft data protection regulation in response to this weekend’s reports on the U.S. National Security Agency (NSA) allegedly spying on EU activities. The report also notes lobbying efforts against the draft regulation by the U.S. government and U.S.-based companies, quoting Albrecht as saying, “Perhaps it’s time to re-discuss once more if we really want to completely exclude national security from the scope of the regulation.” A European Commission spokeswoman has called the weekend allegations “disturbing” and said the European External Action Service has asked Secretary of State John Kerry to respond. [EUObserver] SEE ALSO: [Ars Technica: Students Challenge Firms Over NSA Data Transfers]

EU – Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs

The European Union has issued a new regulation describing the responsibilities of telecommunications companies and ISPs when they experience data breaches. Incidents must be reported to the national data protection authority within 24 hours of their discovery. Companies must report the size and nature of the breach, what data were compromised, and what steps they have taken to address the issue with customers. Businesses and consumers will be told of the breach if it “is likely to adversely affect personal data or privacy.” That decision will be made by the national data protection authorities using a test to be provided by the European Commission. Notification of authorities has been required for several years, but the new regulation establishes specific details. Companies can be exempted from notifying affected customers (though not the authority) if the compromised data were encrypted such that they are unintelligible to anyone not authorised to access them, which in practice means the decryption key must not itself have been compromised. [PC World] [ZDNet]

EU – Search Engine Not Controller, EU Court Adviser Says

The EU’s top court ruled that Internet search engines cannot be considered “the controller” of personal data hosted on other websites. EU Court of Justice Advocate General Niilo Jaeaeskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12 , stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” [Bloomberg]

EU – Court Backs Google in Privacy Case

Google must respect EU privacy law but is not obliged to delete sensitive information from its search index, an adviser to the highest EU court said, in a case that tests whether people can have harmful content erased from the Web. The adviser backed the internet search giant’s position that it cannot erase legal content from the internet even if it is harmful to an individual. But he rejected the view of many U.S. internet firms that they are not bound by EU privacy law. “Requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression,” the Luxembourg-based court said in a statement setting out Advocate General Niilo Jaaskinen’s opinion. While internet-based firms operating in the European Union must adhere to national data protection laws, that did not oblige them to remove personal content produced by third parties, the statement said. “Search engine service providers are not responsible, on the basis of the Data Protection Directive, for personal data appearing on web pages they process.” Lawyers agree that Google’s search algorithms, which hunt and list weblinks based on how relevant they may be, would not be in a position to “know” whether data was personal or not. A final judgment on the case is expected before the end of the year. [Source]

EU – Taking Photos in Private Settings to Be Illegal in Sweden

Sweden has taken the unusual step of making it illegal to take pictures in private environments without permission. The new privacy law takes effect July 1, and it carries with it some strict penalties, ranging from a fine to a jail term of up to two years. That gives judges some ability to harshly punish someone taking secret video of people in changing rooms, while being more lenient on someone who took otherwise innocent photos in a person’s home. The new law also makes certain other acts illegal, such as installing a camera intended to take secret photos, even if no photos are actually taken. Critics say the law is a bit vague, as everyone’s definition of a private environment is different. A supermarket may be open to the public, but it’s privately owned. Exceptions are made in the law for journalists, though the Swedish Union of Journalists stands in opposition to it. “What’s unfortunate about this law that the parliament has approved is that a professional photographer doesn’t know when he raises the camera to take a picture if he is committing a criminal act or not,” explains board member Stephen Lindholm. “The risk is that pictures that should be taken aren’t because of fear of committing a crime.” [Source]

EU – Italian Garante Concerned About Government Measures

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. Garante President Antonello Soro’s concerns are that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.” [Source]

Facts & Stats

WW – Firms Take 10 Hours to Spot Data Breaches, McAfee Finds

The average organisation believes it would spot a data breach in 10 hours, a McAfee global survey of IT professionals has found. But is that result good, indifferent or an indication of the downright complacent? The firm’s interrogation of 500 decision makers from the US, UK, Germany and Australia earlier this year found that 22% thought they’d need a day to recognise a breach, with one in 20 offering a week as a likely timescale. Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards. In terms of general security, three quarters confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware. All of this was despite 58% admitting they had suffered a data breach in the last year, with only a quarter spotting that fact within minutes. When trying to locate the source of the breach, the most important aspect of any detection and remediation regime, a third said it took a day and 16% as long as a week. In McAfee’s view the general optimism buried in some of these numbers belies the probability that many organisations over-estimate both the speed at which they notice breaches and their ability to quickly trace their source. Third parties have backed this up, especially a survey from security vendor Trustwave that found that many data breaches take months to spot, with the average being 210 days; 14% take longer than two years. Note that the McAfee figures are self-reported estimates, whereas the Trustwave figures come from investigated incidents, which is the likelier explanation for the gap between them. [Source]

MX – Study Highlights Data Breach Concerns

A Unisys study has found that 82% of Mexicans are “very concerned” about data breaches. The study showed that of the survey’s 1,052 respondents, most are concerned about breaches at banks and financial institutions followed by those at healthcare organizations, government agencies and telcos and Internet service providers. “Anxiety related to data breaches in Mexico seems pervasive and continues to persist despite efforts by governments and commercial organizations to secure consumers’ financial data,” the report states. However, the survey also found low reporting for cybercrime. [BNamericas]

Finance

CH – Swiss Court Stops Handover of Credit Suisse Employee’s Data to U.S.

A Swiss court has ordered an injunction halting the transfer of a former Credit Suisse employee’s data to U.S. tax authorities. The ruling highlights Switzerland’s difficulties in balancing traditions of personal privacy against U.S. demands for data from roughly a dozen Swiss banks under formal investigation by U.S. prosecutors. Those banks, including Zurich-based Credit Suisse, have been handing over information on their U.S. dealings for months now, part of efforts to avoid indictment and minimise fines for their role in helping wealthy While these banks have clinched special Swiss government permission to deliver business data, but no client files, parliament failed last week to back a draft law covering the wider Swiss banking industry. While the court ruling is for one person’s data, “it will set a precedent and could be repeated for other employees who had access to U.S. clients.” [Source] SEE ALSO: [Payment Privacy: Are Untraceable Purchases Ever Okay?] and [Bank’s new cybersecurity audits catch law firms flat-footed]

FOI

US – FISA Court Says Google and Microsoft May Disclose Procedural Information

The US Foreign Intelligence Surveillance Court has granted Microsoft and Google the right to disclose “procedural information” related to their legal challenges of gag orders that accompany national security requests. These orders prohibit the companies from disclosing details about the data they provide to the government. The companies want to clear their names of allegations that they gave the NSA unfettered access to their servers. Both companies say they provide data only when they receive a legal request supported by a court order. [The Register] [Politico] [CNET] [Source] [Source] [Source]

WW – Google Adds Malware Statistics to Transparency Report

Google will be adding statistics about malware to its transparency report. Google’s transparency report currently documents criminal requests and national security requests from governments worldwide, though it does not include requests made under the Foreign Intelligence Surveillance Act (FISA) regarding Google’s foreign users. Since the FISA court made headlines this month, Google and other tech companies have been trying to contain the public relations crisis that has resulted from revelations that they have been aiding government surveillance efforts when ordered to by the court. Google has since filed a legal motion asking the government to relax its gag order and allow the company to disclose the number of FISA requests it receives. At the same time, Google said it would also be expanding its transparency report to include new numbers around malware and phishing attacks on the Internet. In 2006, Google started searching for, and flagging, suspect Web sites for its users. It is now flagging some 10,000 sites a day. The company said its transparency report would now document how many people see its security warnings each week, where malicious sites were hosted around the world (and by which ISPs), how long it took for Web masters to clean up their sites, and how quickly Web sites got re-infected after they were scrubbed of malware. As an example, during the first week of June, Google detected 37,000 legitimate sites that had been compromised to host malware and 4,000 sites that were created specifically to host malware. Earlier this year, it took websites an average of 50 days to clear themselves of reported malware. Google said it has been gathering the relevant statistics for the last six months and would begin updating its transparency report weekly. [The New York Times] [DarkReading] [eWeek] [CNET] [Ars Technica] [h-online] [SC Magazine] [Google.com] SEE ALSO: [Peter Fleischer: Mirror, mirror on the wall, who is the ugliest one of them all?]

Genetics

US – Experts Propose Consolidating DNA Databases

This month an international group of nearly 80 researchers, patient advocates, universities and organizations like the National Institutes of Health announced that it wants to consolidate the world’s databases of DNA and other genetic information, making data easier for researchers to retrieve and share. But the security and privacy of the study subjects are paramount concerns, said Dr. David Altshuler of the Broad Institute of Harvard and M.I.T., a leader of the group. “The problems are not yet solved in any general way,” Dr. Altshuler said. “We want to work to solve them.” For years now, a steady stream of research has eroded scientists’ faith that DNA can be held anonymously. [New York Times]

Health / Medical

WW – Health Group Releases mHealth Study; Privacy in HTML5 Era

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also provides a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHealth applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5. [Thomson Reuters]

CA – B.C. Health Ministry Told to Strengthen Privacy Practices

Elizabeth Denham ruled that there was a “lack of clear responsibility for privacy within the ministry” at the time of the breaches. She believed this was due, in part, to a lack of clear leadership and clarity of roles. “Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy,” she wrote. “There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies. As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected.” Ms. Denham concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training. The ministry has accepted and will be implementing all of Ms. Denham’s recommendations, newly appointed Health Minister Terry Lake said. [Source] SEE ALSO: [Doctors experiment with social media and apps] NS [US: Ingestible smart pills are a hard act to swallow] and [UK: Health watchdog destroyed report in maternity hospital to spare its own blushes]

WW – For Sale: Ingestible Computers to Monitor Your Health

A new wave of prescription pills can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. The Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” [The New York Times]

Horror Stories

US – AG Report Reveals Breaches Affect 2.5 Million in 2012

According to a first-of-its-kind report released by California Attorney General Kamala Harris, 2.5 million Californians had personal information put at risk because of electronic data breaches in 2012. Had companies encrypted data when sending it outside of a network, 1.4 million Californians would have been protected. Retail establishments were the worst offenders. Noting the dangers inherent to individuals’ privacy, finances and even personal security, Harris said companies and government agencies “must do more to protect people by protecting data.” [Source]

WW – Facebook Says Technical Flaw Exposed 6 Million Users

Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until the next week, when it published a message on its blog explaining the situation. A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement. [The New York Times] SEE ALSO: [Facebook’s White Hat Program Helped Uncover Glitch]

CA – BC Lab Loses Personal Info of 16,000 Patients

About 16,000 patients in Kamloops who used LifeLabs’ medical-lab service in the last six years are being warned their personal information may have been compromised. LifeLabs president Sue Paish says a computer was sent to their main office in Burnaby for servicing, and when it was returned the hard drive was missing. The hard drive held the results of ECGs, or electrocardiograms, and was removed sometime last January. Paish issued an apology for the incident and added the information is password protected and requires special equipment to read. Note that a password on the computer or the application is not the same as encryption of the data at rest: a drive removed from its host can be read by attaching it to another system, so only encrypted storage actually protects the records on it. Health Minister Terry Lake learned of the breach last week and wonders why it took so long to notify both the government and the privacy commissioner. Lake says he’s been assured by LifeLabs that it won’t happen again. [Source] Meanwhile, in other news: the personal data of 47,000 Florida teachers was exposed during a data transfer at Florida State University; the personal information was available online for approximately 14 days, according to the state’s Department of Education. Blizzard Entertainment has asked a California federal judge to dismiss a multi-million dollar class action filed after a data breach, stating the plaintiffs have not alleged “actual harm.” And in Seattle, a detective’s stolen laptop puts thousands at risk of identity theft.

US – Carnegie Mellon Publishes Empirical Analysis of Data Breach Litigation

Forbes reports on what organizations can do if they are the unlucky victims of a high-profile data breach. “At a minimum,” the article states, “start providing credit monitoring for victims to reduce litigation risk.” That’s according to researchers at Carnegie Mellon University and Temple University who found a six-fold reduction of being sued in federal court for those who provide credit monitoring. The paper, “Empirical Analysis of Data Breach Litigation ,” also found a 10-fold increase in litigation if the incident was a cyberattack rather than lost or improperly disclosed data. [Source]

Identity Issues

US – Brill Calls for “Reclaim Your Name” Program

Federal Trade Commissioner Julie Brill has called on Congress to legislate a “Reclaim Your Name” program. Suggesting that Big Data brokers are “taking advantage of us without our permission,” the program Brill has called for would establish technical controls allowing users to access the information data controllers have stored about them, then control it and correct it, the report states. The program could work in tandem with the still-being-negotiated Do-Not-Track (DNT) mechanism, Brill said, adding that she urges “the W3C stakeholders to forge ahead and reach consensus” on DNT. The Direct Marketing Association expressed surprise at Brill’s announcement, noting it has been in talks with her recently on increasing transparency. [AdAge] [Text of Speech to CFP] SEE ALSO: [Forbes: Acxiom Access Feature Delayed But Imminent]

CA – Wearing a Mask at a Riot Is Now a Crime

A bill that bans the wearing of masks during a riot or unlawful assembly and carries a maximum 10-year prison sentence with a conviction of the offence became law. Bill C-309, a private member’s bill introduced by Conservative MP Blake Richards in 2011, passed third reading in the Senate on May 23 and was proclaimed law during a royal assent ceremony in the Senate. Richards, MP for Wild Rose, Alta., said the bill is meant to give police an added tool to prevent lawful protests from becoming violent riots, and that it will help police identify people who engage in vandalism or other illegal acts. The bill is something that police, municipal authorities and businesses hit hard by riots in Toronto, Vancouver, Montreal and other cities in recent years, were asking for, according to Richards. The bill creates a new Criminal Code offence that makes it illegal to wear a mask or otherwise conceal your identity during a riot or unlawful assembly. Exceptions can be made if someone can prove they have a “lawful excuse” for covering their face such as religious or medical reasons. The bill originally proposed a penalty of up to five years, but the House of Commons justice committee amended it and doubled the penalty to up to 10 years in prison for committing the offence. Civil liberties advocates argued the measures could create a chilling effect on free speech and that peaceful protesters can unintentionally find themselves involved in an unlawful assembly. They also noted that there are legitimate reasons for wearing masks at protests; some may be worried about reprisals at work, for example, if sighted at a political protest. [Source]

WW – Yahoo Plans to Recycle Dormant User IDs

Yahoo plans to recycle Yahoo user IDs that have been inactive for a year or more. The company is aware of concerns about the old IDs falling into the hands of people with malicious intent, but says it is going to “extraordinary lengths to ensure that nothing bad happens to our users.” One concern that has been voiced is that someone acquiring a Yahoo ID that is registered as the recovery address for someone else’s Gmail account could request a password reset for the Gmail account and take control of it. The same thing could potentially be done with social media and financial accounts that use the recycled address for password recovery. Yahoo released a statement noting that “any personal data and private content associated with these accounts will be deleted and will not be accessible to the account holder.” [CNET] [WIRED] SEE [“Own the email, own the person“]

Intellectual Property

US – $675,000 Filesharing Verdict Upheld

The US Court of Appeals for the First Circuit has ruled that a US$675,000 verdict against Joel Tenenbaum for filesharing is justified. In the ruling, the court wrote that although Sony was suing him for just 30 songs, Tenenbaum appears to have made many more songs than that available for sharing. In addition, “During discovery, Tenenbaum lied about his activities. Only at trial did [he] admit that he had distributed as many as five thousand songs.” [Ars Technica] [Document Cloud]

US – US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation

“Operation In Our Sites,” an ongoing effort by US authorities to thwart intellectual property fraud, has seized more than 1,700 websites in the past three years. The offending sites offered illegally streamed sporting events; sold bogus apparel, accessories and counterfeit drugs; and allowed illegal downloads of music and movies. US authorities were able to seize the sites because the top-level domains involved (.net, .com and .org) are operated by US-based registries. [WIRED]

US – Pandora Says Music Streams Not Covered By Privacy Law

Pandora is asking the Ninth Circuit Court of Appeals to uphold a decision by a U.S. District Court that the company did not violate a Michigan privacy law by allegedly sharing web users’ music-listening history with their Facebook friends. U.S. District Court Judge Saundra Brown Armstrong dismissed a potential class-action lawsuit that Pandora violated Michigan’s Video Rental Privacy Act by participating in Facebook’s “instant personalization” program. Armstrong ruled the act doesn’t apply when companies “stream” tracks, as opposed to lending, renting or selling them, the report states. The suit’s plaintiff wants his claim revived, but Pandora says Armstrong was correct in her ruling. [MediaPost News]

Law Enforcement

US – FBI Confirms Drone Use, Says It’s Limited

FBI Director Robert Mueller testified to the U.S. Senate that the Federal Bureau of Investigation (FBI) sometimes uses drones for surveillance efforts. “It’s very seldom used and generally used in a particular incident when you need the capability,” Mueller said. “It’s very narrowly focused on particularized cases and particularized needs.” The testimony follows concerns by lawmakers and civil liberties advocates as revelations emerge on the government’s interception of U.S. citizens’ communications via its PRISM program. But the debate on drones has been ongoing. Mueller said the FBI is beginning to formulate privacy guidelines on the technology. [Bloomberg] [Drones Are Easy To Acquire, Lack Regulation]

US – Blood, Spit and Cops: Nationwide Drug Roadblocks Raise Eyebrows

The roadblocks went up at several points in two Alabama towns, about 40 miles on either side of Birmingham. For the next two days, off-duty sheriff’s deputies in St. Clair County, to the east, and Bibb County, to the southwest, flagged down motorists and steered them toward federal highway safety researchers. The researchers asked them a few questions about drinking and drug use and asked them for breath, saliva and blood samples, offering them $10 for saliva and $50 to give blood. It’s not just in Alabama. The roadblocks are part of a national study led by the National Highway Traffic Safety Administration, which is trying to determine how many drivers are on the road with drugs or alcohol in their systems. Similar roadblocks will be erected in dozens of communities across the nation this year, according to the agency. It’s been going on for decades. Previous surveys date to the 1970s. The last one was run in 2007, and it included the collection of blood and saliva samples without apparent controversy, sheriff’s spokesmen in both Alabama counties said. But this time, it’s happening as the Obama administration struggles to explain revelations that U.S. spy organizations have been tracking phone and Internet traffic. Against that backdrop, the NHTSA-backed roadblocks have led to complaints in Alabama about an intrusive federal government. Susan Watson, executive director of the Alabama chapter of the ACLU, called the use of deputies to conduct the survey an “abuse of power.” Even though the survey is voluntary, people still feel they need to comply when asked by a police officer, she said. “How voluntary is it when you have a police officer in uniform flagging you down?” Watson asked. “Are you going to stop? Yes, you’re going to stop.” The agency said the 8,000 drivers expected to take part will do so voluntarily and anonymously, and researchers follow “a highly scientific protocol and complex statistical design in order to accurately reflect the problem nationwide.” [Source]

Offshore

CN – China’s First-Ever National Standard on Data Privacy

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines are not legally binding; they are just what they purport to be, guidelines, and some commentators view them as purely technical guidance. However, they should not be taken lightly, as they may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries. [Mondaq News]

SK – Presidential Office Hacked

A hacking attack on the presidential office has resulted in the leak of 100,000 individuals’ personal information. The information includes names, birth dates, ID numbers and both online and offline addresses, the report states. Users’ registration numbers—similar to Social Security numbers—were not affected because they were encrypted. The presidential office has issued an apology and is offering compensation to those affected. [ZDNet]

Online Privacy

EU – Working Group: Default Should Be No Tracking

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioral advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would such be useless.” The working group recommends that the default setting be that users are not tracked. [Paper] SEE ALSO: [Forbes: The Web Cookie Is Dying. Here’s The Creepier Technology That Comes Next]

WW – W3C Moves Forward on June Draft; Group Launches Privacy Controls

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet and Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states. [Source]

WW – IAB Disapproves of Cookie Clearinghouse

Mozilla’s involvement with The Center for Internet and Society at Stanford Law School in an effort to improve Internet privacy is a “Kangaroo cookie court,” according to the Interactive Advertising Bureau (IAB). The IAB disapproves of the ongoing project called the “Cookie Clearinghouse,” a control system that allows users to maintain a “block” and “allow” list when it comes to cookies. The IAB says the system “replaces the principle of consumer choice with a ‘Mozilla knows best’ system.” Mozilla said it hopes the IAB and other industry groups will get involved in the project to better the user experience. [CNET]

WW – Creepy Facebook Apps Mine Your Profile for Bikini Shots, Break-Up Status

Facebook isn’t to blame. More and more apps built to take advantage of the Facebook social network’s very social tools are hopping the fence from useful and crossing over into downright creepy territory. I looked at several of these apps, which handle tasks such as searching for photos of your friends in their bikinis to notifying you about people who are newly single, to see just how disturbing they are. Some worked more or less as advertised. Others failed miserably, which is good news, as some of the very concepts made my skin crawl. [Source] SEE ALSO: [New York Times: Data You Can Believe In: The Obama Campaign’s Digital Masterminds Cash In]

Other Jurisdictions

IN – CCTV Not Covered in Draft Law

Those whose images are captured via CCTV in public places “will not be able to invoke the proposed privacy law to seek redress.” That is one provision of the draft privacy bill “likely to be tabled in Parliament’s forthcoming session,” the report states, noting the bill does include the creation of a national body to hold individuals, organizations and others accountable for audio and video recording. The bill “addresses the home ministry’s concern that interception laws must not change and that footage from security cameras in public places are kept out of the ambit of the new law,” officials said. [The Indian Express]

AU – Breach Notification Laws Fail to Pass Before Break

The Australian Senate has failed to pass mandatory data breach notification reform laws, which were expected to go into effect by March of next year. The Senate has now taken its break until the next election. The proposed law was described by the Australian Law Reform Commission in 2008 as a “long-overdue measure,” Business Spectator reports. The Senate did pass laws last week requiring commonwealth public officials to report suspected wrongdoing, reports The Register. Meanwhile, a new report says that many Australian data-driven firms are using consumer data to support existing beliefs rather than “achieve fresh insights.” [Business Spectator] [AUS: Banks slam new privacy proposal] SEE ALSO: [NZ: Govt chief information officer role to be expanded]

Privacy (US)

US – NSA Outlines Steps to Reduce Leaks

To prevent Edward Snowden-type leaks, the National Security Agency is considering a number of measures, including reducing the number of systems administrators it employs, NSA Director Keith Alexander says. The agency also is considering requiring individuals with top-secret security clearance to be partnered to access certain classified documents. Testifying on June 18 before the House Select Permanent Committee on Intelligence, Alexander said the NSA employs at least 1,000 systems administrators with security clearances, most of whom are on the payrolls of government contractors. “About 12 to 13 years ago, as we tried to downsize our government workforce, we pushed more of our information technology workforce, our systems administrators, to the contract arena,” Alexander said. “That’s consistent across the intelligence community.” [Source] [ZDNet] [ComputerWorld] [WIRED] [Privacy groups skeptical of plan to limit NSA’s data access]

US – Former NSA Official Says Anti-Leak Technology Not Deployed

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning’s alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system’s features is to monitor removable data devices, like those allegedly used by Manning and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director Gen. Keith Alexander’s plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that “the best safeguard would be locking down the content at the source.” [NextGov]

US – Senators Say NSA Inaccurate on Protections

Two senators on the intelligence committee have accused the National Security Agency (NSA) of publicly presenting inaccurate statements about the privacy protections on its surveillance of millions of Internet communications. However, Sens. Ron Wyden (D-OR) and Mark Udall (D-CO) say they cannot identify the inaccuracies within a factsheet without exposing classified information. In a letter written to NSA Director Gen. Keith Alexander, the senators wrote they were “disappointed to see that this factsheet contains an inaccurate statement about how the section 702 authority has been interpreted by the U.S. government…this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.” [The Guardian]

US – Former U.S. Rep. Bono Joins Leibowitz to Co-Chair New Privacy Coalition

A group of the nation’s largest telecommunications companies has founded the 21st Century Privacy Coalition. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep. Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said. [Adweek]

US – New COPPA Rules Take Effect Today; Marketers May Not Be Ready

Jeff John Roberts discusses what COPPA’s new rules mean for marketers. The revised law comes into effect today and can impose penalties of up to $16,000 per violation. Many app developers may not be prepared for the rules, which require parental consent before collecting basic data on children. Fast Company predicts three outcomes following today’s implementation of the law: The privacy business–including Safe Harbor programs and privacy lawyers–will boom; sites will neglect to ask users’ age, and/or a “chilling effect” will take place on the development of educational apps and games. [GigaOm]

US – Advocates: Facebook Settlement Not Enough

At a recent hearing, children’s advocates worked to convince U.S. District Judge Richard Seeborg that last year’s proposed settlement of a case surrounding Facebook’s Sponsored Stories doesn’t do enough to protect children’s information. The Children’s Advocacy Institute argued that minors’ content should be off limits to advertisers, but Seeborg—without indicating how he would rule—noted that his function “is not to craft the perfect policy for minors” but only to say whether the settlement is fair. Seeborg gave initial approval of the settlement last year, but it still needs his final sign-off. [Reuters]

US – FTC, Ireland DPA Sign Enforcement Assistance Memorandum

FTC Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement.” Hawkes said he “very much welcomes this important development, which I believe will have valuable assistance to my office…” [The Privacy Advisor]

US – FBI Scanning Driver’s License Images

The FBI has gained access to driver’s license photos for residents of Nebraska, Illinois, South Carolina, Utah, North Carolina, Delaware, Texas and other states to hunt for suspects in criminal investigations. In memorandums obtained through a Freedom of Information Act request by the Electronic Privacy Information Center, the FBI is authorized to search state databases, which include images and personal information. “The anticipated result of that search will be a photo gallery of potential matches. These potential matches (candidates) will be forwarded to the FBI, along with any associated information stored with the photo.” The agreements between the state motor vehicle divisions and the FBI allow the FBI to use facial recognition systems to compare subjects of investigations to the millions of license and identification photos retained by states. EPIC’s letter explained: “The increasing expansion of facial recognition technology carries with it a number of privacy and security concerns. Facial recognition data is personally identifiable information and improper collection, storage, and use of this information can result in identity theft or inaccurate identifications. “Additionally, an individual’s ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security that facial recognition technology erodes. Finally, ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protesters engaging in lawful, anonymous speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously.” [Source] [Police Using Driver’s License Photo Databases in Criminal Investigations]

US – Privacy Committee Hearings on Driver’s License Applicants

A Missouri House committee formed to investigate the Department of Revenue’s scanning of driver’s license applicants’ documents has begun two days of hearings into the controversy. The first witness to testify before the House Bipartisan Investigative Committee on Privacy Protection was Jackie Bemboom, head of the Department of Revenue’s Motor Vehicle and Driver’s License division. She testified under oath that they are not trying to comply with the federal Real I-D Act of 2005, but that several of their procedures coincide with Real I-D. “Real I-D asks for the photo to be on the license,” Bemboom said. “Real I-D asks for a database, and we’ve been doing a database since 1939.” But committee member and Osage County Sheriff Michael Dixon said Revenue officials have complied with 34 out of 39 items, giving the impression that the department is trying to comply with Real I-D. Bemboom maintains that the scanning and storing of source documents is being done to combat fraud. The chair of the committee, Republican House Member Stanley Cox of Sedalia, said several officials from Governor Nixon’s office were set to appear Wednesday, but have since canceled. [Source]

US – Privacy Groups Push Back Against License Plate Database

The massive storage of license plate and vehicle data by law enforcement agencies across Southern California is sparking a debate over the privacy rights of citizens in their cars. Through interagency agreements among the Los Angeles and San Bernardino county sheriff’s departments and more than 30 police departments, cameras called Automated License Plate Readers — mounted to police cruisers or in fixed locations — capture the data on millions of cars across the region. License plate numbers and a vehicle location history are then automatically fed into and permanently stored on one of three databases. On average, a cruiser equipped with an ALPR camera can collect data on 10,000 cars in a single shift, according to industry reports. A lawsuit filed by two privacy rights groups says each of the 7 million registered cars in greater Los Angeles has had its license plate scanned an average of 22 times since the program launched. The curation of so much information on personal vehicles has raised the ire of privacy groups, which are beginning to push back against the data mining efforts of Los Angeles County’s two largest law enforcement agencies. [Source] SEE ALSO: [E-License Plate: Wave of the Future or Menace?]

US – Supreme Court Bars Lawyers From Accessing Drivers’ Database

The U.S. Supreme Court has ruled that lawyers cannot gather personal information about drivers from state databases when seeking plaintiffs for potential lawsuits. The court held in a narrow 5-4 vote that the federal Drivers Privacy Protection Act of 1994 does not allow lawyers to seek the information. The case hinged on language in the law that allows access to the data for lawyers pursuing an “investigation in anticipation of litigation.” A group of drivers sued lawyers who had sought the personal information from the South Carolina Department of Motor Vehicles. The lawyers were seeking to file a lawsuit on behalf of customers against car dealerships over alleged unlawful administrative fees. In the majority opinion, Justice Anthony Kennedy said that “an attorney’s solicitation of clients” did not fit into the section of the law that refers to litigation. What the law protected, he added, was the right of lawyers to seek information in ongoing cases in which they already represent someone. The case is Maracich, et al v. Spears, et al, U.S. Supreme Court, No. 12-25. [Source]

US – PCLOB Public Workshop on Surveillance to be Held

Following the Privacy and Civil Liberties Oversight Board (PCLOB) meeting with President Barack Obama last week, the PCLOB has set a public meeting for July 9 to discuss the National Security Agency (NSA) surveillance programs. The PCLOB “will conduct a public workshop with invited experts, academics and advocacy organizations regarding surveillance programs operated pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act,” according to the workshop notice. The meeting will be held in Washington, DC, but the specific location has not yet been announced. [Politico] SEE ALSO: [SWIRE: Why the New Senator Markey May Be the Most Influential Privacy Congressman in History]

US – Video Game Industry Releases Guidelines for Mobile, COPPA

The group that manages privacy self-regulation for the video game industry, the Entertainment Software Rating Board (ESRB), has increased its program to include mobile apps and the upcoming changes to the Children’s Online Privacy Protection Act (COPPA). With COPPA changes to go into effect July 1, the group focused on ways of obtaining parental consent, creating short-form privacy notices for apps and dealing with the expanded definition of personal data to include photos and videos, the report states. Dona Fraser, vice president of the ESRB Privacy Certified program, said “achieving compliance with requirements like COPPA can be complicated, particularly for rapidly evolving platforms like mobile.” The ESRB is also in the process of issuing certifications to its members and awaits Safe Harbor status from the FTC. [AdWeek]

US – The Use of Predictive Policing, Campaigning

New predictive policing programs are being used in Seattle, WA. Using a combination of Google Maps, license-plate readers and computer algorithms, police are able to crunch data to predict where crimes are most likely to occur. Some worry about privacy and civil liberties issues. Meanwhile, Big Data analytics is also being used to better understand and reach out to potential political supporters. Calling it the “new electioneering,” the Times reports on one company that mines online data—particularly social media—and publicly available information to “quantify and measure voter emotion and opinion online.” [New York Times]

US – Database Prompts Call for Monitoring

Louisiana’s Board of Elementary and Secondary Education is appointing a task force to monitor data-sharing in the wake of the Department of Education’s partnership with inBloom, a database created to track student progress. Citing parent and student concerns about the potential for others to access private student data, the report quotes Education Superintendent John White’s comments that the department data will not be sold to outside companies and will be secured behind firewalls. “We’re not suggesting this is a perfect process,” he said. “But we hope we can get to a point where the public understands and trusts that this is being done the right way.” [The Times-Picayune]

US – Ramirez Taps Privacy Expert to Head Bureau of Consumer Protection

The FTC announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Ramirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA. [Press Release]

US – Wong Named White House’s Deputy CTO

The Obama administration has announced its hire of Nicole Wong, who most recently worked for Twitter, as the White House’s deputy U.S. chief technology officer. Wong has also served as vice president and deputy general counsel of Google. “She has tremendous expertise in these domains and an unrivaled reputation for fairness, and we look forward to having her on our team,” said Rick Weiss, director of strategic communications at the Office of Science and Technology Policy. [The Recorder]

Privacy Enhancing Technologies (PETs)

WW – Firefox Web Browser to Move Ahead With ‘Do Not Track’ Option

The maker of the popular Firefox browser is moving ahead with plans to block the most common forms of Internet tracking, allowing hundreds of millions of users to eventually limit who watches their movements across the Web, company officials said. Firefox made the decision despite intense resistance from advertising groups, which have argued that tracking is essential to delivering well-targeted, lucrative ads that pay for many popular Internet services. When Firefox’s maker, Mozilla, first suggested in February that it might limit blocking, one advertising executive called it “a nuclear first strike” against the industry. To help navigate the complexities of when to allow tracking, Mozilla has teamed up with Stanford University’s Center for Internet and Society to create a “Cookie Clearinghouse,” which will advise the company on how to tweak its settings to protect users. Makers of the Opera Web browser have also joined the Stanford-led initiative. [Source]

WW – Using Virtual Assistants to Guide Privacy Settings

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.” [CNET] [How UI and UX Can KO Privacy]

Security

WW – Organizations are Not Doing Enough to Defend Against Cybercrime

According to the 2013 State of Cybercrime Survey from PwC, “Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective.” Current defenses against cyberattacks are not effective because executives either do not understand the scope and import of the threats, or they have stopped paying attention. Many leaders are unaware of who in their organizations is responsible for cybersecurity. They also “underestimate the capabilities of their attackers and the damage they can cause.” The leaders also appear not to understand that, while using smart cloud services and other technological advances may help productivity, they introduce their own vulnerabilities. [CSO Online] [PWC Press Release]

US – CERT Issues Default Password Alert

The US Computer Emergency Response Team (US-CERT) has issued an alert warning that “it is imperative to change default manufacturer passwords and restrict network access to critical and important systems.” The alert notes that “critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.” [Dark Reading] [US CERT]

Surveillance

US – Another NSA Revelation: Stellar Wind

The Guardian continues to publish news of secret, warrantless surveillance programs undertaken by the NSA. This week, the paper has news of an operation called Stellar Wind, which ran from 2001 through 2011, collecting “the accounts to which Americans sent e-mails and from which they received e-mails. It also details the Internet protocol addresses used by people inside the United States when sending e-mails–information which can reflect their physical location. It did not include the content of e-mails.” All “communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States” were fair game, approved by the FISA court every 90 days for a decade. [Source]

US – Senators Want “Public Answers” About Scope of NSA Surveillance

US legislators are calling for “public answers” regarding the scope of the National Security Agency’s (NSA’s) surveillance of people in the US. In their letter to Director of National Intelligence James R. Clapper, the group of 26 senators asks if the NSA collected personal information, such as credit card purchases, library records, and firearms sales, in addition to phone records. The senators also ask if the collected data include cell-site location data. [ComputerWorld] [Washington Post] [Text of Letter]

US – Revising What We Know About PRISM

Initial reports about the NSA’s PRISM surveillance program appear to have gotten the technical details of the program wrong. The stories reported that nine major US Internet companies knowingly allowed NSA access to information on their servers. While the information leak discloses the scope of the NSA’s surveillance, the PRISM system described in a leaked PowerPoint presentation apparently helps automate the FBI and NSA requests for data; it does not allow those agencies unfettered access to the servers. PRISM is part of a much larger NSA data-grab, which has been known about for years, in which data are siphoned from the fiber optic cables through which they travel along the Internet’s backbone. Traffic data are gathered as the traffic leaves and enters the US, and are routed to the NSA for analysis. [Source] [Source]

CA – Eavesdropping Agency’s Data Banks Go Unlisted despite Legal Obligation

The Defence Department appears to have broken the law by failing to publish the latest personal information listings of Canada’s electronic eavesdropping agency. Under federal privacy law, ministers are obliged to list the personal data banks — which hold information about individuals — compiled by agencies in their portfolios. However, there is no public listing this year for Communications Security Establishment Canada, known as CSEC, which reports to the defence minister. The omission has prompted University of Ottawa professor Amir Attaran to lodge a complaint with the federal privacy commissioner, who polices the federal law governing personal information. It’s important for CSEC “to be honest about what data it is gathering,” said Attaran, a lawyer who has taken a keen interest in Canadian information law. The personal data bank issue arises amid concerns about the sort of personal information CSEC and its close American ally, the National Security Agency, are collecting. CSEC spokesman Ryan Foreman said the spy service’s personal information banks used to be listed along with other Defence Department holdings in a federal publication called InfoSource, but in future will be cited separately, as CSEC is now a standalone agency. “CSEC is not exempted from the reporting requirements to publish an InfoSource submission. CSEC will be preparing its first independent InfoSource submission for the 2013-2014 reporting period,” Foreman said. “Previously published versions of InfoSource can be accessed through the Treasury Board Secretariat.” [Source] SEE ALSO: [Michael Geist on the perils of government surveillance] and [How to Tell if a Cell Phone Is Being Monitored]

UK – GCHQ Taps Fibre-Optic Cables for Secret Access to World Communications

Britain’s spy agency GCHQ has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA). The sheer scale of the agency’s ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate. One key innovation has been GCHQ’s ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months. The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called “the largest programme of suspicionless surveillance in human history”. “It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.” Britain’s technical capacity to tap into the cables that carry the world’s communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower. By 2010, two years after the project was first trialled, it was able to boast it had the “biggest internet access” of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand. UK officials could also claim GCHQ “produces larger amounts of metadata than NSA”. By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data. The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: “We have a light oversight regime compared with the US”. When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was “your call”. The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases. The documents reveal that by last year GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time. [The Guardian] [Source] [Source]

AU – Australian Government Shelves Metadata Collection Plan

The government has shelved a controversial plan to force Australian telecommunications companies, internet service providers and sites such as Facebook to collect “metadata” from Australian users and store it for two years. The government had run out of time to push the plan through before the election, but, after a powerful parliamentary committee raised concerns about it, the attorney general, Mark Dreyfus, confirmed more work was needed. “The government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation,” he said in a statement. [Source]

IN – India to Let Government Officials Access Private Phone Calls and Emails

India has launched a wide-ranging surveillance programme that will give its security agencies and even income tax officials the ability to tap directly into emails and phone calls without oversight by courts or parliament, several sources say. The expanded surveillance in the world’s most populous democracy, which the government says will help safeguard national security, has alarmed privacy advocates at a time when allegations of massive US digital snooping beyond American shores have set off a global furore. “If India doesn’t want to look like an authoritarian regime, it needs to be transparent about who will be authorised to collect data, what data will be collected, how it will be used, and how the right to privacy will be protected,” said Cynthia Wong, a researcher at New-York-based Human Rights Watch. The Central Monitoring System (CMS) was announced in 2011 but there has been no public debate and the government has said little about how it will work or how it will ensure that the system is not abused. The government started to quietly roll the system out state by state in April this year, according to government officials. Eventually it will be able to target any of India’s 900 million landline and mobile phone subscribers and 120 million internet users. [Source]

AU – Australia Building Data Storage Facility

The Australian government is building a data storage facility outside Canberra, the country’s capital, to allow intelligence agencies to manage a “data deluge” from the Internet and telecommunications networks. The state-of-the-art facility will support Australia’s Defence Signals Directorate. Some of the information that Australian intelligence agencies receive comes from the US’s PRISM data gathering program. [Source] [Source]

CA – Privacy Commissioners Raise Concerns About Google Glass

Canada’s privacy commissioner and 36 of her counterparts in this country and around the world want to know how Google plans to protect people’s privacy when Google Glass hits the streets. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” reads an open letter to CEO Larry Page, signed by Jennifer Stoddart and provincial privacy commissioners, as well as those from Australia, Mexico, Switzerland, Israel and New Zealand. Almost from the moment Google announced its wearable computer goggles, privacy concerns were raised about the ability to record people surreptitiously and, in the blink of an eye, post it to the Internet. Among the questions in Tuesday’s letter: What information does Google collect via Glass and what information is shared with third parties, including application developers?; How does Google intend to use this information?; Is Google doing anything about the broader social and ethical issues raised by such a product? Their concerns echo those of the U.S. Congress, which in May sent a similar letter to Google about the “unanswered questions” around privacy. [Source] [CNET News]

Telecom / TV

US – FCC Rules Carriers Must Protect Data

The Federal Communications Commission (FCC) has ruled that telecoms need to safeguard consumer call information regardless of whether they’re using wireless or landlines. An FCC statement says, “When mobile carriers use their control of customers’ devices to collect information about customers’ use of the network…carriers are required to protect that information.” The ruling stems from an investigation into allegations that Carrier IQ was logging customers’ keystrokes. Commissioner Jessica Rosenworcel pointed out that the ruling applies only to carriers, adding, “They do not apply to the manufacturers of wireless phones. They do not apply to the developers of operating systems. Consumers can be confused by these distinctions.” [MediaPost]

WW – Almost Half of iPhone Apps Peek at Your Private Stuff

According to a new study, more than 13% of apps access an iPhone’s physical location while 6% access the device’s address book. Computer scientists at the University of California, San Diego discovered that nearly half of the mobile apps running on Apple’s iOS operating system have gained access to private data. These findings are based on a study of 130,000 users of jailbroken iOS devices, where users have removed the restrictions that keep apps from accessing the iPhone’s operating system. One might assume that the results are skewed because the study participants were using a jailbroken iPhone. However, the majority of applications in the study were downloaded through Apple’s App Store and were able to access the same information on locked phones as well. In March, Apple stopped accepting new applications or app updates that access the device’s unique identifier. However, the findings suggest that although this update was made to the App Store policy, many apps can still get that information. Unique identifiers allow the creators of the app and advertisers to track a user’s behavior across all the different apps on their devices. Some apps even associate the unique identifier with the user’s email and other personal information. The researchers developed an app called ProtectMyPrivacy (PMP) that is able to detect what data the other apps running on an iOS device are trying to access. Their application enables users to selectively allow or deny access to information on an app-by-app basis, based on whether they feel the apps need the information to function properly. The team has also added notifications and recommendations for when an app accesses other privacy-sensitive information, such as a device’s front and back camera, microphone and photos. “We wanted to empower users to take control of their privacy,” said Yuvraj Agarwal, a research scientist in the Department of Computer Science and Engineering at UC San Diego who co-authored the study. “The choice should be in users’ hands.” Nearly all of PMP’s users voluntarily shared their privacy decisions, allowing the researchers to see which apps they believe should be allowed access to their privacy-sensitive data. PMP is able to make recommendations for 97% of the 10,000 most popular iPhone apps. [Source]

WW – Security Flaws in Phone App Library

Vulnerabilities in the GNU ZRTPCPP open-source security library used by some secure mobile phone apps could be exploited to allow arbitrary code execution and crash applications. The flaws include a remote heap overflow, several stack overflows, and information leakage. [ComputerWorld] [The Register]
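The bug classes named above (heap and stack overflows plus an information leak in a protocol library) typically share one root cause: a length field taken from the peer’s packet drives a copy into a fixed-size buffer without being checked. The following is an added illustration written for this digest, not ZRTPCPP’s code and not a description of its actual flaws: it parses a constructed, ZRTP-like “Hello” message (the two-byte-length-plus-client-id layout is an assumption for the example) first the unsafe way, then with the checks a reviewer would insist on. Both the field layout and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CLIENT_ID_MAX 16   /* fixed-size destination, as in many protocol structs */

typedef struct {
    char client_id[CLIENT_ID_MAX];
} hello_t;

/* Constructed wire layout (assumption): [len_hi][len_lo][len bytes of client id] */
static size_t read_len16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Unsafe pattern: the peer-supplied length drives memcpy with no check.
 * A length larger than the packet reads beyond it (information leak);
 * a length larger than client_id writes past it (heap or stack overflow,
 * depending on where hello_t lives). Shown only for contrast; never call
 * it on untrusted input. */
int parse_hello_vulnerable(const uint8_t *pkt, size_t pkt_len, hello_t *out) {
    if (pkt_len < 2) return -1;
    size_t id_len = read_len16(pkt);
    memcpy(out->client_id, pkt + 2, id_len);   /* BUG: id_len is unchecked */
    return 0;
}

/* Hardened: bound the length by what is left in the packet AND by the
 * destination buffer, and reject rather than silently truncate. */
int parse_hello_hardened(const uint8_t *pkt, size_t pkt_len, hello_t *out) {
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1;
    size_t id_len = read_len16(pkt);
    if (id_len > pkt_len - 2) return -2;     /* would read past the packet */
    if (id_len >= CLIENT_ID_MAX) return -3;  /* would write past client_id (room for NUL) */
    memcpy(out->client_id, pkt + 2, id_len);
    out->client_id[id_len] = '\0';
    return 0;
}

/* Constructed sample packets; each returns the hardened parser's verdict. */
int demo_benign(hello_t *out) {
    const uint8_t pkt[] = { 0x00, 0x05, 'p', 'h', 'o', 'n', 'e' };
    return parse_hello_hardened(pkt, sizeof pkt, out);
}

int demo_length_exceeds_packet(void) {
    hello_t h;
    const uint8_t pkt[] = { 0x00, 0x40, 'a', 'b' };   /* claims 64 bytes, carries 2 */
    return parse_hello_hardened(pkt, sizeof pkt, &h);
}

int demo_length_exceeds_buffer(void) {
    hello_t h;
    uint8_t pkt[2 + 32];
    pkt[0] = 0x00; pkt[1] = 0x20;          /* 32 bytes: fits the packet, not client_id */
    memset(pkt + 2, 'A', 32);
    return parse_hello_hardened(pkt, sizeof pkt, &h);
}

int main(void) {
    hello_t h;
    printf("benign: %d (%s)\n", demo_benign(&h), h.client_id);
    printf("length > packet: %d\n", demo_length_exceeds_packet());
    printf("length > buffer: %d\n", demo_length_exceeds_buffer());
    return 0;
}
```

The two checks are deliberately separate and ordered: the packet-bound check comes first so that a malicious length can never cause a read past the received bytes even when the destination is large, and the buffer-bound check leaves one byte for the terminator. When reviewing a parser like this, look for every `memcpy`, `strcpy` or indexed loop whose count comes from the wire and confirm both bounds are enforced before the copy.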

US Government Programs

US – US Administrative Office of the Courts’ 2012 Wiretap Report

The US Administrative Office of the Courts 2012 Wiretap Report notes that 15 wiretaps last year encountered encrypted communications. In previous years, there have been a total of seven other instances. In four of the cases, officials were not able to decrypt the messages. This is the first time that officials have reported being thwarted by encryption “since the AO began collecting encryption data in 2001.” According to the report, there were 3,395 authorized wiretaps from state or federal judges in 2012. The numbers do not include “interceptions regulated by the Foreign Intelligence Surveillance Act of 1978.” [WIRED] [US Courts]

US Legislation

US – Bill Proposed To Strengthen Oversight of FISA, USA PATRIOT Act

Sen. Patrick Leahy (D-VT), with the co-sponsorship of Sens. Lee (R-UT), Udall (D-CO), Wyden (D-OR), Blumenthal (D-NY) and Tester (D-MT), proposed the FISA Accountability and Privacy Protection Act of 2013 to “strengthen privacy protections, accountability and oversight related to domestic surveillance conducted pursuant to the USA PATRIOT Act and the Foreign Intelligence Surveillance Act of 1978.” Privacy Tracker reports on the proposed changes, including allowing challenges to gag orders in court, expanding public reporting of national security letters and requiring a comprehensive review of the FISA Amendments Act by the inspector general of the intelligence community. [IDG News]

US – Federal Baseline Breach Notification Bill Introduced

Sen. Pat Toomey (R-PA) introduced legislation Thursday to mandate a nationwide standard for data breach notification. Co-sponsored by Sens. Angus King (I-ME) and John Thune (R-SD), the bill would preempt the current slate of 46 state breach notification laws and provide “better protections and swifter responses for consumers.” With a combination of high-profile data breaches and varying state mandates, “Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices,” the press release states. [Toomey press release]

US – Louisiana Governor Signs Gun-Owner Protection Law

Louisiana Governor Bobby Jindal signed a bill last week that he says protects the privacy rights of law-abiding gun owners. The law imposes fines of up to $10,000 and jail sentences of up to six months on those who publish the names of people who own or have applied for a concealed handgun permit. “The law raises the constitutional question of prior restraint, meaning when the government prohibits speech or other expression before it can take place.” [Source] Rep. Jeff Thompson (R-Bossier City) said the bill was a response to the controversial map published last year in a New York paper including the names and addresses of handgun permit-holders within its readership region. According to the reports, Arkansas (SB 131), Maine (LD 345), Mississippi (HB 485), New York (New York Secure Ammunition and Firearms Enforcement Act) and Virginia (SB 1335) have all passed laws to protect the identities of concealed weapons permit-holders.

US – Student Privacy Bill Proposed in Massachusetts

Massachusetts lawmakers are considering Bill H 331 to prohibit providers that deliver cloud computing services to kindergarten through grade-12 schools from processing student data for commercial purposes. The bill was filed by Rep. Carlo Basile (D-East Boston) and is a pressing issue as the state is one of five considering participation in inBloom, a Gates Foundation pilot program that aims to help schools simplify computer systems. Rep. Alice Peisch (D-Wellesley) questioned why FERPA doesn’t address the problem. The Lowell Sun pointed to criticisms that 2011 changes to FERPA opened the door for schools to share student data with private entities.

US – New Jersey Senate Passes Drone Regs

Last week, the New Jersey Senate unanimously passed S2702, a bill that sets guidelines for state officials’ use of drones. Permitted uses include criminal investigations and events that “substantially endanger the health, safety and property of the citizens;” however, the use would need to be approved by the agency chief, reports New Jersey.com. The bill also restricts use of both audio and visual recording taken by drones. The bill has been received by the Assembly and referred to the Assembly Homeland Security and State Preparedness Committee.

US – Oregon Drone Bill Heads to Governor

Oregon’s police drone bill (SB 71) passed the House 56-3 last week and is headed to the governor’s desk. If signed into law, the bill would bar law enforcement from using drones to collect information without a warrant, except in specified situations.

US – Texas Broadens Breach Notification Law

While Texas has had a breach notification law on the books for a while now that applies to residents of states without a notification law, it recently passed Senate Bill 1610, which increases the scope further. The new law applies to everyone affected by a breach, regardless of the law in their state of residence; gives organizations the choice of reporting under Texas law or that of the state of the affected person; and allows written notification to go to the last known address. This law differs from many other state breach laws in its perspective: “While most state laws apply when its residents have been affected by a breach, Texas law applies to persons dealing with personal information who conduct business in Texas.” The same source adds that, whatever the new law requires, “best practice will remain notifying under the law of the state where the affected party resides.” [Source]

US – Nevada Social Media Law Has Broad Scope

Nevada has become the 11th state to pass an employee social media law. Effective October 1, employers may not ask employees or prospective employees for information that would provide access to their social media accounts. Nor are employers allowed to fire, discipline or discriminate in any way against employees or prospective employees who do not share that information with them. One point to note is that the Nevada law defines social media broadly as “any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles,” essentially saying it applies to any online account. So, while the law’s restrictions are narrower than many similar laws, the scope is broader. Nevada joins Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Oregon, Utah and Washington in passing a social media law. [Source]

Workplace Privacy

WW – If Nine Of 10 Employees Breach Policies, How Is Privacy Possible?

A survey taken over several years has found that of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance of protecting consumer data if the employees charged with practicing model data-steward behavior couldn’t care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? [The Privacy Advisor] [Financial Times]

CA – Supreme Court Says No to Random Alcohol Testing

The Supreme Court late last week ruled that an employer cannot unilaterally impose mandatory random alcohol testing on its employees. “Random alcohol testing is a humiliating invasion of an individual’s privacy that has no proven impact on workplace safety,” said Dave Coles, president of the Communications, Energy and Paperworkers Union of Canada. The case, Communications, Energy and Paperworkers Union of Canada, Local 30 v. Irving Pulp & Paper, Limited, stems from a 2006 Irving policy under which employees were selected for testing at random by a computer program. The employee who brought the grievance showed a zero blood alcohol level but claimed the test was humiliating and unfair. [Source]

+++