16-31 July 2013


US – Advocates Support Banning Biometrics in Schools

As more schools explore and adopt security systems for identification purposes, such a move “recently caused a stir in Florida when Polk County Schools decided to incorporate biometric data systems.” The use of technology such as iris scans could soon be banned in the state’s schools, the report states, noting the school district launched a pilot program “allowing a security company to install iris scanners on school buses” without notifying parents in advance. The security company has said it deleted all information gathered, but concerns remain and the ACLU of Florida says a bill is in the works to ban such systems, the report states. [WFSU]


US – Privacy Predicted to Be Next Competitive Differentiator

A Forrester survey finds 62% of consumers say they would be “not at all likely” to do business again with a company known to have shared their PII with a data broker. Further, 37% report that they’ve abandoned a transaction online due to something they didn’t like in the terms of service, including the privacy policy. Finally, the study, commissioned by analytics firm Neustar, finds more than a quarter of respondents now using ad-blocking software. This leads Forrester to conclude that privacy is “the new green movement.” [GigaOm] See also: [New trends in data-driven remote healthcare in the U.S.]

WW – Consumers Changing Their Browsing Habits

New reports examine the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on introduced on Monday aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports. MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, ‘Stop: Don’t give out your personal information.’” [The Associated Press]

US – Companies Shifting to Meet Consumer Expectations

Products are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data. [Forbes]


US – Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. [Technology’s Legal Edge]


US – Microsoft Denies Giving NSA Unfettered Access to eMail

Microsoft says it is within its First Amendment rights to disclose national security requests for user data. Microsoft also says that it does not provide the NSA with encryption keys to access e-mail, despite reports that it was helping the intelligence agency bypass security measures to access web chats through Outlook and had put backdoor access in its products to aid federal investigations. [eWeek] [The Register] [ComputerWorld] [ZDNet]

Electronic Records

US – New “Hub” Database Raises Privacy Concerns

As part of the massive overhaul of America’s healthcare system, databases from seven U.S. agencies—from the Internal Revenue Service to the Peace Corps—will be tied together in one $267 million computer system called the Hub to determine which U.S. citizens can purchase medical coverage. The size and breadth of the system is raising red flags from some who are concerned about privacy and security risks, as the system will include data such as identity, citizenship, income and family size. One lawmaker queried, “It’s information on 300 million Americans, all compiled in one place—what could go wrong?” Others note, however, that the system can only access data on potential enrollees and there’s not a central storage center for the data. [Source]


WW – Facebook Browsing Now “Secure” by Default

Earlier this week, Facebook made “secure” browsing a default setting. The option to use TLS (Transport Layer Security) encryption has been available for two years. “Secure” browsing means that data sent to Facebook servers by users will be encrypted. Among the reasons it took this long for Facebook to make “secure” browsing the default setting is that the company had to wait for third-party applications to upgrade their platforms to avoid compatibility issues. [ComputerWorld]

EU Developments

EU – Hawkes Says Google, Facebook Safe from Audit

While Irish DPA Billy Hawkes announced last week he was beginning a formal audit of LinkedIn, the Office of the Data Protection Commissioner (ODPC) has said in e-mail correspondence with advocate group Europe-v-Facebook.org it will not be investigating Facebook and Google in relation to the NSA revelations. “We do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that ‘Safe Harbor’ requirements have been met,” the ODPC wrote. However, that Safe Harbor agreement is now consistently under fire. Earlier this week, EU Justice Commissioner Reding said she would be reviewing the agreement, and now German privacy officials are calling on Chancellor Merkel to push for suspension of the Safe Harbor agreement. [The Independent]

EU – Commissioner Begins Inquiry Into LinkedIn

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year. [The Independent]

EU – Safe Harbour Agreement “Under Review”, Says European Commission

Vice President of the European Commission Viviane Reding said the commission will present a “solid assessment” of the current Safe Harbor agreement between the EU and U.S. by the end of the year. The European Parliament has called on the commission to conduct such a review following revelations that Safe Harbor parties were involved in the U.S. National Security Agency’s surveillance program. Reding has said, “The Safe Harbor agreement may not be so safe after all.” [Out-Law.com]

EU – European Parliament Wants NSA Chief to Testify

The European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection as security agency activities generally come under the jurisdiction of member states. [Slate]

EU – Germany Wants UN Privacy Charter

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S. [The Associated Press]


UK – Critics Say UK Prime Minister’s Web Filtering Plan is Misguided

UK Prime Minister David Cameron’s plan to make Internet service providers (ISPs) and search engines filter pornography is seen by some as misguided. Open Rights Group executive director Jim Killock notes that “banning search terms seems unlikely to combat the serious activity, which is independent of search engines.” And technology journalist Simon Bisson writes, “What the UK government should be concentrating on is an effort to break the financial ties that hold the darknets together. Finding who holds the purse strings is a complex task, but it’s a technique that has been proven to work time and time again. And perhaps it should also be noted that it’s an approach that’s well within the capabilities of the powerful surveillance tools that government security agencies have put in place … to combat terrorism.” [ZDNet] [BBC] [CNET] [ComputerWorld] [Draft of Cameron’s Speech]


US – 160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure

Five people have been indicted in connection with a series of major cyberattacks that compromised more than 160 million credit card accounts over a seven-year period. A separate indictment of one of the men exposed a two-year-long penetration of computers at the NASDAQ and shined a light on the vulnerability of global financial systems. The five men named in the indictment were allegedly involved with breaches for which Albert Gonzalez is currently serving a 20-year prison sentence. Between 2005 and 2012, the group allegedly breached systems at Heartland Payment Systems, Hannaford Brothers, Dexia Bank Belgium and a number of other organizations. [NYTimes] [WIRED] [ComputerWorld] [KrebsOnSecurity] [BBC] [CNET] [Justice.gov]

US – Bank Glitch Exposes Data on 150,000 Customers

“In a case that could serve as a warning to other banks that contribute customer data to public storehouses,” Citigroup said it improperly protected consumer data—including Social Security numbers, birth dates and other sensitive information—when it shared nearly 150,000 records with the government’s legal document system, otherwise known as the Public Access to Court Electronic Records (PACER). The bank reached a settlement with a division of the Justice Department to redact the customer data at its own expense, notify those affected and offer one year of free credit monitoring. In a statement, the bank said, “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings.” [American Banker]


US – Hulu: “Anonymous” Data Not Covered By VPPA

In new court papers filed last week, Hulu argues that sharing “anonymous” data about its users’ viewing habits with third parties is not a violation of the Video Privacy Protection Act (VPPA). Filed with U.S. District Court Judge Laurel Beeler in San Francisco, the company wrote, “Hulu cannot be liable for disclosing anonymous user ID to comScore or Nielsen or to any other service provider.” Hulu acknowledges it shares users’ viewing histories, but removes names and any other identifying information. Instead, it assigns each user an anonymous user ID prior to transmitting the data. In the class-action lawsuit filed against the company, users allege that third parties with whom the data is shared can re-identify the information. Hulu said it stopped the practice allowing such re-identification two years ago. [MediaPost News]

Health / Medical

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – VA Seeks Breach Lawsuit Dismissal

The VA has moved to dismiss a lawsuit filed by patients affected by a breach earlier this year at William Jennings Bryan Dorn VA medical center. The VA filed the motion on grounds that plaintiffs have failed to prove the breached records were improperly disclosed. More than 7,400 patient records were on a laptop that was stolen last April. The government is now arguing that, absent evidence that an unauthorized person viewed the records, the breach should not be considered improper disclosure under the Privacy Act, the report states. [HealthITSecurity]

WW – Google to Make $8.5 Million Donation in Settlement

Google will make an $8.5 million donation to nonprofit organizations in order to settle a class-action lawsuit alleging it leaked the names of search users. Google will also revise the “frequently asked questions” section of its privacy policy, the report states. Recipients of the settlement include the World Privacy Forum, Carnegie-Mellon, Harvard Law’s Berkman Center for Internet and Society and Stanford Law’s Center for Internet and Society. [MediaPost News]

Horror Stories

US – SEC, Retailer Announce Breaches

The Securities and Exchange Commission (SEC) has announced a data breach after a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees on to a thumb drive and then transferred the data to another agency. The SEC did not learn of the incident until 10 months after it occurred. It is unclear how many employees were affected. Meanwhile, retailer Lakeland has warned customers of a potential data breach after two encrypted databases were accessed. [The Hill]

US – OHSU Reports 3,000 Records Breached

The Oregon Health & Science University has notified more than 3,000 patients their personal data was compromised after it was discovered the data was placed by resident physicians on two information-sharing services. Compromised data included patient names, medical record numbers, dates of service, diagnoses and providers’ names. The school said, “There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information.” [ModernHealthcare]

US – Details Emerge on Monroeville Breach

Details have emerged in a case involving the Office for Civil Rights (OCR) and the Monroeville, PA, 911 dispatch center, in which the OCR told the center it had 30 days to conduct an investigation into protected health information about a former police chief that was exposed. Records obtained by the Pittsburgh Post-Gazette reveal that Monroeville 911 records were available to unauthorized individuals for an extended period of time, among other revelations. Meanwhile, a programming error has led to a data breach at the Indiana Family and Social Services Administration. [Health IT Security]

US – Citibike Notifies 1,200 of Breach

NYC Bike Share, the company that designs and manages the Citibike sharing system, has notified nearly 1,200 customers that their credit card numbers, names and addresses were mistakenly posted on the back pages of its website for approximately 24 hours. The glitch reportedly occurred between April 15 and late May. One customer notified by the company said she was glad to have been notified directly, though she was surprised the incident happened. Some businesses just post cryptic messages on their websites, she said, adding, “I felt in a way they handled it more responsibly.” [New York Post]

US – Stanford Breached; Recognizing Bank Breaches

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.” Meanwhile, Bank Systems & Technology writes, “we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.” [Source]

US – Medicaid Patient Records Potentially Compromised Via E-mail

The Office of the Medicaid Inspector General (OMIG) has announced an internal employee in New York sent 17,743 Medicaid patient records to a personal e-mail account in October 2012. The employee did not have OMIG consent to send the e-mail and has been placed on administrative leave. The potentially compromised information may have included patients’ first and last names, dates of birth, Medicaid client information numbers and Social Security numbers, the report states. [Health IT Security]

US – 1.8m Affected by Ubuntu Breach, Apple Hacked

Ubuntu Forums has suffered a massive data breach, the company announced on its site. Every user’s local username, password and e-mail address were stolen from the company’s database. Approximately 1.82 million users are subscribed. Meanwhile, the University of Virginia has notified 18,700 students of a recent data breach after a third-party mailing vendor accidentally sent the students’ Social Security numbers in brochures mailed to home addresses, and Apple says its website for developers has been breached, but says customer information is encrypted and was not affected. [ZDNet]

Identity Issues

US – Deception Is at the Heart of PLSC-Winning Papers

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, IAPP interviews the winners and discusses their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them. [Privacy Advisor]

Intellectual Property

US – State AGs Want Ability to Prosecute ISPs for Third-Party Content

“If you want to run a European Internet company dealing with user-generated content, be prepared to put your personal liberty at stake.” The analysis is based on recent cases involving ISP executives charged with various crimes due to the content their users posted. But Europe isn’t the only place such dangers lurk. At a meeting of the National Association of Attorneys General last week, it was revealed that some state AGs are drafting a letter to Congress that would exclude state criminal prosecutions from Section 230, a provision that says websites aren’t liable for user-generated content or other third-party content. Essentially, the change would allow state AGs to prosecute Internet companies, including their executives, for violating state law via publication of third-party content. [Forbes]

Internet / WWW

WW – The Good, the Bad and the Ugly of the Internet of Things

In anticipation of a roundtable discussion on the Internet of Things this November, the FTC has released submitted comments—coming from industry, privacy advocates, academics and regulators. This Privacy Perspectives post explores the potential benefits and drawbacks of this nascent phenomenon as well as the privacy discussions that need to be hashed out. Meanwhile, Kashmir Hill of Forbes writes about hacking into a smart home. [Source]

Law Enforcement

US – ACLU: Police Tracking Innocent People’s License Plate Data

An ACLU report reveals that police departments across the U.S. are using license-plate readers to capture and store information about individuals’ whereabouts—without their knowledge. The report found that data on even those who have not been accused of a crime is stored in the database. The ACLU says rules must be enacted to restrict how such technology is used and for how long such data is retained. Meanwhile, the Center for Investigative Reporting writes local officials are moving forward with a federally funded project that aims to combine data on surveillance cameras, gunshot detectors, license-plate readers, Twitter feeds and alarm notifications into a single tool for law enforcement. [The Hill]

US – Feds Arrest Five in Largest Hacking Scheme Ever Prosecuted

U.S. Attorney Paul Fishman announced today the indictment of four Russians and a Ukrainian in what he is calling “the largest hacking and data breach scheme ever prosecuted in the United States.” From 2005 to 2012, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets allegedly uploaded malware into the computer systems of large institutions like Dow Jones, NASDAQ, JetBlue and 7-Eleven, then used that access to download and sell as many as 160 million credit and debit card numbers, along with other PII. Stolen funds reached into the many hundreds of millions. [The Star Ledger]


US – NTIA-Led Group Releases Code of Conduct

After a year of meetings and deliberations, the multi-stakeholder group organized by the National Telecommunications and Information Administration released yesterday statements showing general support for its Short Form Notice Code of Conduct, along with concrete examples of what the “nutrition label”-like short-form privacy notice might look like. These new notices won’t replace long-form privacy notices, but will serve as quick guides to which information is being collected by mobile apps and for what purpose. However, use of the short-form notices remains voluntary, and, noted Adweek, only two of the stakeholders committed concretely to use of the code of conduct. Other groups, such as the ACLU and EFF, voted to support the short form notices, but without committing to a full endorsement. And another 17 groups voted for more consideration. “It is not a consensus and not done,” said Stu Ingis, of the Direct Marketing Association. [WashingtonPost]

US – DAA, NAI Each Release Mobile Privacy Rules

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” DAA member the Network Advertising Initiative has released its final version of mobile privacy rules as well. [MediaPost News]

US – Study Says Short-Form Notice Can Be Ambiguous

A new study conducted by Carnegie Mellon University (CMU) reveals that the U.S. Commerce Department short-form notice proposal, as it currently defines data collection notice categories, has the potential to confuse consumers. The proposal calls for app developers to describe data types that will be collected—such as “biometrics”—and what types of third parties receive collected data—such as “ad networks.” The study surveyed 800 consumers and four experts about which terms they would use to categorize collection practices. Lorrie Cranor, a CMU computer scientist who oversaw the study, said the terms are “not well-defined, even the experts weren’t sure how to apply them,” and added, “When you have a bunch of lawyers and policy people coming up with the consumer tools, they’re not going to come up with something that is necessarily usable.” [Online Media Daily]

US – Study: Mobile Health Apps Carry Privacy Risk

According to a new study released yesterday by Privacy Rights Clearinghouse, many mobile health apps carry privacy and security risks. The report surveyed 43 free and paid apps—including the top 20 paid apps in health and fitness categories—and found that several had no privacy policy, transmitted data without encryption and sent user data to third parties such as ad networks and analytics companies. Privacy Rights Clearinghouse Founder Beth Givens said, “Data security and privacy—from a technical standpoint—is abysmal.” [GigaOm]

WW – Next Gen Video Game Consoles Raise Privacy Concerns

There are growing concerns about the privacy and data collection capabilities of the next generation of video game consoles. With more integration planned between consoles and social networking sites and video chat platforms, including Skype, “consoles are becoming as connected as the other devices we use every day,” the report states. The new systems will also feature motion- and voice-controlled technology used for recognizing users. Electronic Frontier Foundation Senior Staff Technologist Seth Schoen said, “Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what devices are doing and very little control over the software running on the devices.” [NBC News]

Online Privacy

WW – Mozilla Unveils Personalization Project, Catches Flak

Mozilla announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: “So the takeaway is that it’s OK for Mozilla to track, but not third parties?” asked Alan Chapell of Chapell & Associates, co-chair of the Mobile Marketing Association’s privacy committee. [Source]

US – Twitter Transparency Report Shows Growing Government Demand for Data

Twitter says the U.S. government continues to make the most requests for data on subscribers. In the first six months of the year, federal authorities made 902 requests for user information. In the same period last year, it requested information on 815 subscribers, the company’s transparency report indicates. Additionally, the U.S. government’s requests comprised 78% of all requests for user data. In its latest blog post, Twitter said it has “joined forces with industry peers and civil liberty groups to insist that the U.S. government allow for increased transparency into these secret orders.” [Washington Post]

US – Just How Creepy Is Predictive Search?

The New York Times reports on the new trend of apps utilizing predictive search to alert users to information they didn’t know they needed. From Google Now to Evernote to MindMeld, these apps scan users’ e-mail, calendar, notes and other items in the cloud or on a device to predict which information will be useful in the near future. A user might receive an alert that traffic is bad between midtown and the suburbs because the app knows that’s where the 10 a.m. meeting is. However, some observers are calling the services invasive and creepy, while others point to issues around context. “What works for a group of 30-something engineers in Silicon Valley may not be representative of the way that 60-year-old executives in New York tend to use their phones,” says UPENN Wharton School Prof. Andrea M. Matwyshyn. [New York Times]

US – Pinterest to Honor DNT Settings

Pinterest has added new site-personalization features for users drawn from their web-browsing activities but has also provided users with an opt-out choice. The company also announced it will support and honor users who select Do-Not-Track settings. “We’re excited to give everyone a more personalized experience,” Pinterest wrote in a blog post on Friday, “but we also understand if you’re not interested! We support Do Not Track, and you can change your account settings anytime.” The Electronic Frontier Foundation (EFF) supported the moves, which are similar to those of Twitter. “Hopefully, the decisions of Twitter and Pinterest are the vanguard of a new industry standard around respecting Do Not Track and soon this will be the default of all major websites,” the EFF wrote. [GigaOm]

WW – Terms and Conditions Documentary Examines Internet Privacy Issues

Terms and Conditions is a recently released documentary that examines the evolution of Internet privacy policies over the last 15 years. A dozen Internet privacy bills were introduced prior to September 11, 2001, but all were abandoned in the wake of the attacks. Instead, the PATRIOT Act was put in place, which led to the NSA’s wide-reaching data gathering practices. Assurances of anonymity have disappeared. The film compares Google’s privacy policy from December 2000 with that from December 2001. In short, the earlier policy clearly states that users’ identities are not traceable through cookies, but the one from a year later indicates that cookies might be able to be used to identify a particular user. That later policy says, in part, “Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute or court order.” The film also addresses Facebook’s data retention practice. When users delete or remove content from their profiles, it merely gets flagged as deleted, but it still remains in the Facebook data banks and is accessible to Facebook or government agencies. [ArsTechnica]

US – W3C to Miss July Deadline for DNT

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers. [MediaPost News]

Other Jurisdictions

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. [Bloomberg]

AU – Australian Government Considers Joining Merkel’s Agreement

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained. [ZDNet]

JP – Railway Company Apologizes for Selling PII

Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states. [The Wall Street Journal]

Privacy (US)

US – Industry Groups Push for Federal Breach Notification Law

At a House hearing, industry groups called on Congress to move toward a federal data breach notification law. According to some witnesses, the current patchwork of state notification laws is burdensome for business. Though the hearing was mostly informative, according to the report, House Energy and Commerce Subcommittee Chairman Lee Terry (R-NE) expressed interest in pursuing legislation. Rep. Henry Waxman (D-CA) warned that federal legislation should not undercut states that already “have strong breach notification laws.” The Senate introduced federal legislation last month. [The Hill]

US – Legislator Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the Federal Trade Commission to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Court Dismisses Class-Action Claim Against Gaming Site

The U.S. District Court for the Central District of California has dismissed a majority of the claims brought against Blizzard Entertainment, Inc., after a 2012 data breach. Hackers had gained access to customers’ accounts, including e-mail addresses and cryptographically scrambled versions of Battle.net passwords. Among other allegations, the plaintiffs claimed the company failed to notify users of the breach in a timely manner. The court said the plaintiffs “failed to allege adequate harm.” Meanwhile, a Colorado clinic reports it has fired an employee in its billing department who improperly e-mailed some patients’ protected information to her own personal account. [Mondaq]

US – Digital Advertiser Settles Privacy Violation

Digital marketing company PulsePoint has agreed to settle charges by the acting New Jersey attorney general and the New Jersey Division of Consumer Affairs that it bypassed consumers’ privacy settings in Safari browsers. The company allegedly used cookies to bypass settings that are designed to block targeted ads. Acting New Jersey Attorney General John J. Hoffman said, “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.” Another provision of the settlement requires PulsePoint to post its data collection practices on its website. A company spokeswoman said PulsePoint took “user privacy very seriously” and that the cookies in question had been “primarily limited to technical purposes such as fraud detection” and not for targeted ads. [The New York Times]

US – Reddit Joins Lobbying Group

Link-sharing and discussion website Reddit has announced that it has joined the Internet Association, a Washington lobbying group. The association was founded last year and lobbies on topics including surveillance laws, privacy, regulation and cybersecurity. “In spite of reddit being an incredibly effective way to lower workplace productivity, we’ve also seen how online communities can have a transformative economic impact,” said Reddit’s general manager. The Internet Association recently wrote to the U.S. Executive branch and congressional leaders calling for greater transparency on national security-related requests for user data from Internet service providers. [The Hill]

US – The Privacy (and Security) Pro in the White House

Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. The Privacy Advisor gets the first interview with him about his new position. Meanwhile, Politico talks about growing pains for the PCLOB, with which Schwartz will be working closely. [Privacy Advisor]


US – Obama Seeks Industry Incentives, Including Limited Liability

A “preliminary” presentation has been set forth by the Department of Homeland Security that looks into offering incentives to industries that adopt voluntary cybersecurity standards. Potential incentives include tax breaks, cyberinsurance “perks” and protection against legal liability. A White House representative noted the presentation is a “snapshot in time” and it only “reflects some preliminary analysis.” Cybersecurity legislation failed to pass Congress last year, so the Obama administration’s cybersecurity executive order relies on industry cooperation. The DHS and the National Institute of Standards and Technology are working with businesses to create a framework. Meanwhile, cybersecurity experts weigh in on the recent announcement that DHS Secretary Janet Napolitano will retire. [POLITICO]

UK – Intelligence Agencies Support Security Assessment for Large Companies

UK intelligence outfits GCHQ and MI5 are supporting an effort from the Department of Business, Skills, and Innovation that asks the UK’s largest listed companies to take part in a Cyber Governance Health Check. The process involves having the companies’ chairs and audit committee heads complete web governance questionnaires. The companies’ audit committees will have the opportunity to discuss the security issues discovered, and participating organizations will be able to view anonymized information about other participating organizations. [ZDNet] [v3.co.uk] [Telegraph] [ComputerWorldUK]

US – Cybersecurity Bill Draft Is Circulating

There is no shortage of guidance for privacy and security professionals charged with designing and implementing a secure information infrastructure; existing regulations, ISO/IEC 27001 and 27002 and industry-wide practices are just the most prominent sources. But if congressional leaders get their wish, there will soon be yet another source of guidance: the Cybersecurity Framework from the National Institute of Standards and Technology. [Source]

WW – Cyber Insurance Policies on the Rise

Cyber insurance has become increasingly popular among businesses. That’s because of high-profile data breaches at companies including Citigroup and Sony and at governments around the world, the report states. “We’ve reached a threshold where people are now coming to us instead of us going to them,” said one industry executive, adding that his company, Aon Corp., has sold more cyber insurance policies within the last year and a half than in the five years prior. [Live Insurance News]

US – USDA Mobile Device Security Program Not Living Up to Expectations

Officials at the US Department of Agriculture (USDA) say that a mobile device security system it solicited in November 2012 is not functioning as specified in the contract. The solicitation from November 2012 specified “a fully functional 30 day pilot with vendor support … ready to support a minimum of 3,000 mobile devices.” The project is roughly a year behind schedule and parts of the project are incompatible with USDA’s network security infrastructure. The vendors hired for the USDA project are the same as those with which the Pentagon’s Defense Information Systems Agency (DISA) recently signed a three-year, US $16 million contract to provide security for 300,000 mobile devices. Neither DISA nor the Department of Agriculture required verification that the software being purchased is compatible with their existing software – resulting in extreme delays and significant additional costs at Agriculture and probably at DoD as well. [NextGov]

WW – Most Mobile Companies Have Fixed SIM Card Flaw

Nearly all mobile companies have patched a serious flaw that affected more than 500 million phones; the fixes were delivered within 10 days of notification. Karsten Nohl said that his team had found a way to remotely access and control mobile devices’ SIM cards. In some cases, the SIM cards could also be cloned. Attackers could exploit the flaw to eavesdrop on communications, pilfer information from accounts, and commit identity fraud. The attack allowed hackers to obtain SIM cards’ digital keys. The attack involves sending a text message to the SIM card that in certain cases, results in the card returning data that can be decrypted to reveal the key. [NBC News] [The Guardian]

WW – Researchers Hack Into Car Computer

Two security experts have demonstrated how they can hack into an automobile’s computer network to control essential functions, including shutting off the brakes. Charlie Miller, a security engineer at Twitter, and Chris Valasek, an intelligence security director at IOActive, have received a grant from the Pentagon to discover security vulnerabilities in automobiles. “When you lose faith that a car will do what you tell it to do,” Miller said, “it really changes your whole view of how the thing works.” Miller and Valasek plan to share their findings at next month’s Defcon hacker meeting in Las Vegas. A representative from Toyota said the real concern isn’t physically hacking into a car, as the duo have done, but wirelessly hacking into a car. “We believe our systems are robust and secure,” the representative said. [Forbes]

UK – Judge Bans Publication of Paper on Car Security System Hacking

A UK high court judge has ruled that a trio of computer scientists may not publish a paper describing a weakness in a cryptographic algorithm used to identify automobiles’ ignition keys. The injunction was sought by Volkswagen, which also owns Porsche, Audi, Bentley, and Lamborghini. The Megamos Crypto system, which is discussed in the paper, is used by a number of luxury car brands. Volkswagen asked that the researchers publish a redacted version of the paper because it maintains the information could be used to steal cars. The researchers say that the information is already available online. They also notified the manufacturer of the vulnerable chip nine months ago to give the company time to address the security issues before they planned to present the paper. [ArsTechnica] [BBC] [The Register] [v3.co.uk]

WW – Governments Ban Lenovo PCs from Accessing Classified Networks

A recent report from Australia’s Financial Review revealed that for the past seven years, the governments of the US, the UK, Australia, New Zealand, and Canada have banned the use of Lenovo PCs to access classified networks. Together, these countries make up the “five eyes” electronic eavesdropping alliance. The ban was prompted by concerns that the Chinese government may have installed backdoors to allow monitoring. Lenovo acquired IBM’s PC division in 2005. When the US State Department purchased 16,000 Lenovo PCs in 2006, legislators’ security concerns resulted in the machines being relegated to use only on unclassified networks. [InformationWeek] [The Register] [qz.com]

WW – Questionable Apps in Google Play Store

Symantec says that over the last seven months, it has detected more than 1,200 suspicious or questionable apps in the Google Play store for Android. Most are removed from the store shortly after their appearance, but some remain available for several days. The objective of such apps can be difficult to discern, especially when they employ several layers to obfuscate their intent. [InformationWeek] [ComputerWorld]

WW – Apple and Samsung Smartphone Antitheft Technologies to be Tested

The “Secure Our Smartphone” initiative asks phone makers to implement technology that will help reduce smartphone theft. This week, state and federal prosecutors in California plan to bring in experts who will try to defeat security measures on smartphones provided by Apple and Samsung. Apple’s iPhone 5 will have the “Activation Lock” feature enabled, and Samsung’s Galaxy S4 will come with the LoJack for Android feature. Federal prosecutors are still hopeful that the companies will eventually manufacture smartphones with kill switches. [CNET] [ComputerWorld]

WW – Cybersecurity Moved From 12th to 3rd Place on Lloyd’s Risk Index List

Lloyd’s Risk Index 2013 places cybersecurity near the top of the list of risk factors faced by businesses. Risk of cyber incidents was ranked twelfth in the 2011 Index and has moved, in three years, to third, following only high taxation and loss of customers. Cyber issues top the list of political, crime, and security risks. This may be attributable to increased politically and ideologically motivated attacks and the increased cost associated with attacks. The report questions whether organizations “are spending money on the right things” to effectively address cybersecurity, and posits that spending money on security measures and making sure that security recommendations are implemented might be a better investment than purchasing insurance policies that cover cyberattacks. An April 2013 report from the Insurance Information Institute suggests that about two-thirds of cyber incidents are due to issues within organizations’ control. [Lloyds Risk Index] [Lloyds Press Release] [Lloyds Report]


US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance.

US – NSA Amendment Voted Down In House

In a close vote, the U.S. House of Representatives defeated an amendment that would have prevented the National Security Agency from collecting large volumes of phone records. The 205-217 vote followed “impassioned debate over citizens’ right to privacy and the steps government must take to protect national security.” Rep. Jerrold Nadler (D-NY) said of Section 215, the provision under which the NSA collects phone metadata, “It’s going to end—now or later…The only question is when and on what terms.” Rep. Mike Rogers (R-MI) said he would draft legislation in the coming months to add more privacy protections to government surveillance programs. In an op-ed for The Times, David Brin writes of increased surveillance: “You can either fight this new era, or embrace it.” [The New York Times]

US – US House Defeats Measure to Rein In NSA Data Collection

By a narrow margin, the US House of Representatives voted down an amendment to the DoD Appropriations Act of 2014 that would have restricted the NSA’s authority for bulk collection of phone record metadata. Under the defeated amendment, the NSA would still have had the authority to collect phone records of suspects related to anti-terrorism investigations. The White House opposed the amendment, saying “this blunt approach is not the product of an informed, open, or deliberative process.” [WIRED] [ArsTechnica] [ZDNet] [ComputerWorld] [The Atlantic]

CA – Ontario Commissioner Discusses Dangers of Metadata

The Ontario Information and Privacy Commissioner Ann Cavoukian discusses the term “metadata,” frequently used since revelations of the U.S. National Security Agency’s surveillance program. While government officials defend the use of metadata, claiming it isn’t privacy invasive because it doesn’t access telecommunications content, Cavoukian says this is “fanciful thinking–perpetuating a myth that is highly misleading. The truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” Cavoukian has also published a white paper on the topic. [Toronto Star]

US – Court Renews NSA’s Authority to Gather Phone Metadata

The US Foreign Intelligence Surveillance Court has renewed its order granting the National Security Agency (NSA) authority to collect metadata from telecommunications companies. The decision to renew the program was made “in light of the significant and continuing public interest in the telephony metadata collection program.” The order does not allow access to content of phone calls or the identity of subscribers. [ComputerWorld] [ZDNet] [Ars Technica]

US – US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights

The US government has responded to a series of lawsuits challenging the NSA’s authority to snoop on phone records, saying that the intelligence agency’s activity cannot be challenged in court. The Obama administration maintains that the actions do not violate citizens’ constitutional rights and are conducted in the “public interest.” [WIRED] [US DOJ Filing]

US – NSA Adopts Procedures to Protect Data on its Networks

New rules adopted by the National Security Agency (NSA) aim to protect the top-secret data stored on its networks. A “two-man rule” requires two systems administrators to work together when accessing systems containing highly classified data. The procedure is modeled on a similar rule used in the handling of nuclear weapons. The NSA also plans to implement strong encryption for its most sensitive data. [NY Times]
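The item above only says that two administrators must act together; it does not describe how such a rule is enforced. The following is an added illustration, not NSA code or procedure, of a dual-authorization gate as a defender might implement it for a privileged-access workflow. The approval model (a required role, two distinct approver identities, a five-minute approval window and single-use approvals) is an assumption for the example, as are the resource and administrator names in the usage.

```python
"""Dual-authorization ("two-man rule") gate for privileged access.

Added illustration, not NSA code: the news item says only that two
administrators must work together. The model below (required role,
two distinct approvers, time window, single-use approvals) is assumed.
"""
import time
from dataclasses import dataclass

APPROVAL_WINDOW_SECONDS = 300  # assumed: both approvals must land within 5 minutes


@dataclass(frozen=True)
class Approval:
    admin_id: str
    role: str
    issued_at: float


class DualAuthGate:
    """Opens a session on a resource only once two distinct admins approve."""

    def __init__(self, required_role="sysadmin", window=APPROVAL_WINDOW_SECONDS):
        self.required_role = required_role
        self.window = window
        self._pending = {}  # resource -> list[Approval]

    def _live(self, resource, now):
        # Discard approvals older than the window so a stale approval from
        # hours ago cannot be paired with a fresh one.
        pending = self._pending.get(resource, [])
        return [a for a in pending if now - a.issued_at <= self.window]

    def approve(self, resource, admin_id, role, now=None):
        """Record one administrator's approval. Returns False if it adds nothing."""
        now = time.time() if now is None else now
        if role != self.required_role:
            raise PermissionError(f"{admin_id} lacks role {self.required_role!r}")
        live = self._live(resource, now)
        if any(a.admin_id == admin_id for a in live):
            return False  # the same person cannot count as both approvers
        live.append(Approval(admin_id, role, now))
        self._pending[resource] = live
        return True

    def open_session(self, resource, now=None):
        """Return the pair of approver ids if the rule is satisfied, else None.

        Approvals are consumed on success so each session needs fresh consent.
        """
        now = time.time() if now is None else now
        live = self._live(resource, now)
        distinct = {a.admin_id for a in live}
        if len(distinct) < 2:
            self._pending[resource] = live
            return None
        self._pending[resource] = []
        return tuple(sorted(distinct))


if __name__ == "__main__":
    # Constructed usage: "vault", "alice" and "bob" are placeholder names.
    gate = DualAuthGate()
    gate.approve("vault", "alice", "sysadmin")
    print(gate.open_session("vault"))  # None: only one approver so far
    gate.approve("vault", "bob", "sysadmin")
    print(gate.open_session("vault"))  # ('alice', 'bob')
```

The two checks worth noting are the ones the one-line description leaves implicit: an administrator approving twice does not satisfy the rule, and an approval that has aged out of the window is dropped rather than silently paired with a later one.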

NZ – Bill Would Expand NZ Intelligence Agency’s Domestic Surveillance

New Zealand’s parliament is poised to pass legislation that gives the Government Communications Security Bureau (GCSB) broader surveillance powers, including the authority to wiretap New Zealand citizens’ communications. GCSB’s domestic surveillance activity gained attention last year after it tapped communications of Megaupload founder Kim Dotcom, an action found to be illegal because Dotcom was a resident of the country. Public opposition to the bill is growing. [The Register] [stuff.co.nz] [NZHerald]

Telecom / TV

US – NJ Supreme Court: Get a Warrant for Cellphone Info

The New Jersey Supreme Court ruled that law enforcement must acquire a warrant prior to obtaining tracking information from a suspect’s cellphone. The ruling “puts the state at the forefront of efforts to define the boundaries around a law enforcement practice” that has divided courts around the country, and the issue will likely end up before the U.S. Supreme Court. Meanwhile, a House appropriations panel has unanimously adopted an amendment that would require law enforcement to get a warrant before accessing e-mail and other online messages. The amendment was added to the Fiscal Year 2014 Financial Services and General Government Appropriations bill and the privacy requirement covers the Internal Revenue Service, the Securities and Exchange Commission and other regulatory agencies. [The New York Times] [Text of decision]

US – Appeals Court Says No Warrant Required for Accessing Location Data

The US Fifth Circuit Court of Appeals in New Orleans, Louisiana, has ruled that law enforcement agents do not require warrants to track suspects’ locations through cell phone records. The ruling overturns an order from a federal judge in Texas. The new ruling indicates that cell phone records are the property of the carrier and are therefore not subject to a reasonable expectation of privacy under the Fourth Amendment. Instead, the information is considered a business record. A court order is still required to search the records, but the requirements for obtaining a court order are less stringent than those for obtaining a search warrant. The court cited the Stored Communications Act in support of its ruling. [CNET] [ComputerWorld] [ArsTechnica] [The Atlantic] [Text of Decision]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate] See also: [WSJ: Judges Ask Supreme Court to Take On Cell-Phone Searches]

US – Razor-Thin House Vote Prompts Privacy Action

The report covers the “razor-thin defeat” of a congressional measure to curb domestic surveillance and the subsequent reaction from lawmakers and privacy advocates. One former NSA analyst-turned-whistleblower said, “It doesn’t mean the end of it. It’s the beginning.” Sen. Patrick Leahy (D-VT) announced the Senate Judiciary Committee will hold a hearing next week entitled, “Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs.” Rep. Adam Schiff (D-CA) is crafting legislation to create a special privacy advocate to appear in front of the FISA court as an “adversary.” The New York Times delves into the FISA court judges and the role played by Chief Justice John Roberts in choosing them. [The Guardian]

US – PCLOB To Meet With Private Sector

The Privacy and Civil Liberties Oversight Board (PCLOB) is slated to meet with Internet and telecommunications companies to determine what data and access to company servers they’ve provided to the U.S. government, Bloomberg reports. The move comes after the PCLOB held a hearing last week with privacy experts and former government officials. “It’s valuable to hear company perspectives on how the programs operate,” said PCLOB Chairman David Medine. “We want to hear both sides of it. We want to hear the government side, but we also want to hear the private-sector side.” Also, the PCLOB is getting reinforcements: Sharon Bradford Franklin is leaving The Constitution Project to join the board as executive director, The Hill reports. Meanwhile, a coalition of Internet companies and civil liberties groups is calling on the Obama administration and Congress to expand the disclosure of U.S. government surveillance programs. [Source]

US Government Programs

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

A recent Senate Judiciary Committee hearing saw senators from both sides of the aisle press representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [Privacy Advisor]

US – Senators Aim to Change NSA’s Data Collection Practices

Undeterred by a recent House vote that failed to restrict NSA’s data gathering practices, a number of US senators say they plan to introduce legislation that will focus on the NSA’s phone data collection practices. The legislators say they want to make the NSA’s activity more transparent. Senator Al Franken (D-Minnesota) plans to introduce a bill that will require the NSA and other intelligence agencies to disclose the number of people whose information they have collected, and allow companies to disclose the numbers of surveillance requests made by government agencies. Senator Richard Blumenthal (D-Connecticut) will seek changes at the Foreign Intelligence Surveillance Court, adding the presence of public advocate lawyers. Senator Dianne Feinstein (D-California) wants the length of time that the data are held reduced from five years to two or three years. [ComputerWorld] [Ars Technica]

US – Documents Show Lawmakers Knew of NSA Data Gathering

Documents released by US intelligence officials earlier this week show that legislators were aware of the NSA’s wide-reaching data collection practices, but were prohibited from discussing the issue. The intent of releasing the information is to “allay concerns that the Obama administration was overstepping its legal authority.” [WIRED]

US – NSA Chief Defends Data Gathering Programs, Asks Disagreers to Help

In his keynote address at the Black Hat security conference in Las Vegas, NSA chief General Keith Alexander defended the agency’s data collection and surveillance practices. Alexander maintained that there have been “zero abuses of NSA PRISM,” and that the data gathering is an essential part of fighting terrorism. He said that the data collection programs have been mischaracterized, and that the allegations that they are “collecting everything [are] not true.” Alexander noted that queries of the collected phone call metadata are restricted. Alexander also told audience members, “If you disagree with what we’re doing, you should help us [make it better].” [WIRED] [ArsTechnica] [CNN] [SC Magazine] [NextGov] [CNN] [The General’s entire keynote, defending NSA’s practices, is available on YouTube at the official Black Hat channel]

US Legislation

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013—which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag order” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary Committee will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Hearing on Breach Notification

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing that saw industry groups pushing for a federal data breach notification law. Bloomberg reports that the push aims to create one streamlined process to preempt the differing requirements in 46 states and the District of Columbia. Corporate Counsel reports this is the fourth time in eight years the House has considered such a law. “The subcommittee called six witnesses representing technological and telecommunications trade groups, privacy software companies, and academia,” all of whom advocated for a federal standard but differed on how it should read.

US – Hulu Argues No VPPA Violation

The online streaming company Hulu is facing a potential class-action lawsuit for violating the Video Privacy Protection Act (VPPA) by disclosing its customers’ viewing habits. While the company admits to sharing the information, it argues in court papers that because the data is associated with an ID number and not personal information, there is no violation. “The consumers alleged in their lawsuit that third parties could figure out people’s identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users’ profile pages.” Hulu claims in the court papers to have stopped this practice two years ago. [MediaPost]

US – Judge Orders Google to Reveal Blogger

A Manhattan judge says there is compelling enough evidence to unveil the identity of an anonymous blogger who has created blogs titled frederickschulmancrookedattorney.com and stopfrederickschulman.blogspot.com. “The web blogs…are causing actual, pecuniary injury to Mr. Schulman’s reputation as a zealous advocate for consumers against debt collection companies,” states Schulman’s court petition. Google questioned the necessity of revealing the blogger’s identity, but the judge has ordered it to do so, though Schulman has yet to even file a defamation suit. The blogger has an opportunity to challenge the discovery, according to the report. Unless that happens, Google has two weeks to comply. [Wall Street Journal]

US – Congressmen Introduce Bill to Curb ID Theft of Deceased

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720 to address the privacy of recently deceased individuals. “The bill would mandate that, starting January 2014, only death information older than three years would be made publicly available through the (Social Security Administration’s Death Master File), which will prevent criminals from filing fraudulent tax returns before the legitimate family files its return,” states the press release.

US – Bill To Spur EHR integration Between DoD and VA

Sen. Bill Nelson (D-FL) introduced The Servicemembers’ Electronic Health Record Act of 2013 (S. 1296) to set a one-year timeline for the integration of electronic health records between the Department of Defense and the Department of Veterans Affairs, among other things. The bill would amend the Wounded Warrior’s Act and require the agencies to create standard forms and methods for data sharing, including giving consideration to storing data in the cloud. According to the report, a similar bill has been proposed in the Senate (H 2590), which has 44 co-sponsors and has been referred to the House Armed Services and Veterans’ Affairs Committees. [FierceEMR]

US – Judge Allows Orgs to Seek Dismissal of Wyndham Lawsuit

In a closely watched case, a federal judge in New Jersey will allow the U.S. Chamber of Commerce and other organizations to seek dismissal of a lawsuit filed by the Federal Trade Commission (FTC) against Wyndham Worldwide Corp. TechFreedom’s Berin Szoka said, “The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law.” As a consequence, companies do not have much by way of guidance from the FTC for what constitutes deceptive and unfair practices. University of California Berkeley Prof. Chris Hoofnagle said the dismissal is a “Hail Mary effort to stop the FTC from enforcing its unfairness power.” [ComputerWorld]

US – Lawmakers Preparing Legislation in the Wake of NSA Surveillance

In light of NSA surveillance programs that have recently garnered the world’s attention, Sen. Al Franken (D-MN) is drafting legislation that he writes “will require the federal government to annually report how it uses key authorities under the Patriot Act and the Foreign Intelligence Surveillance Act, including the authorities underlying the phone metadata and the PRISM electronic surveillance programs that recently came to light.” Rep. Mike Rogers (R-MI), chairman of the House Intelligence Committee, said on Wednesday that he would draft legislation in the coming months to add more privacy protections to government surveillance programs. According to The Huffington Post, Rep. Adam Schiff (D-CA) is preparing legislation that would create a privacy advocate to appear in front of the Foreign Intelligence Surveillance Court. This newest draft is the third proposal in Schiff’s push to reform the FISA court. He has also drafted laws “to declassify and publish the court’s opinions and to shift the power to choose its 11 judges from the Supreme Court’s chief justice to the president,” the report states.

US – CA Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert for Technology’s Legal Edge. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes.

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information because of concerns about patient anonymity in publicly available databases of hospital records, Bloomberg reports. Washington, for example, has suspended distribution of such information and now requires buyers to sign a confidentiality agreement, after it was revealed that some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law.

UK – ICO Says License-Plate Cameras Broke Law

The Hertfordshire Constabulary’s use of seven cameras to monitor traffic coming into and going out of the town of Royston is against the law, the BBC reports. The force failed to carry out a privacy impact assessment, and according to the head of enforcement at the Information Commissioner’s Office, “The use of ANPR (automatic number plate recognition) cameras and other forms of surveillance must be proportionate to the problem it is trying to address. After detailed inquiries…we found that this simply wasn’t the case in Royston.” The police have been ordered to remove the cameras unless they can justify their use.

CN – Chinese Ministry Issues Telecom, ISP Privacy Rule

The Ministry of Industry and Information Technology of the People’s Republic of China has issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users, reports Hunton & Williams’ Privacy and Information Security Law Blog. The rule aims to implement the requirements of last December’s Decision on Strengthening Protection of Online Information and is in keeping with the nation’s push toward protecting personal information. The rule imposes requirements on the collection and use of personal information by telecommunications and Internet service providers, including collection limitations, use limitations, access and correction rights and breach notification.

UA – Federal Law in UAE: Photo and Video Without Consent Is Illegal

After the arrest of an official for assault, the official’s family has filed a case against the person who videoed the attack on the grounds of privacy invasion, reports Emirates 24/7. The cameraman has been arrested under Article 378 of the penal code, which makes publishing by any means material of an individual’s private life against the law. “It is not allowed for anyone to film others without the permission of the public prosecutor, or with the written permission of the person(s) who appear in the pictures. In this case it will be considered a violation of privacy,” said Major General Khamis Mattar Al Muzinah, acting chief of Dubai Police, adding, “At modern times in my view this law is highly significant in protecting a person’s private/family affair.”

Workplace Privacy

US – CIO Council Issues Social Media Guidance

The CIO Council has issued guidance calling on government agencies to be transparent about their use of social media. The guide, Privacy Best Practices for Social Media, states, “By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public’s concern that the government is monitoring individual speech and actions on social media.” The guide offers best-practice advice on establishing a social media program and using social media for information sharing, among other topics. The guide recommends limiting “information gathering to facts surrounding an event” and collecting PII only “in very limited situations,” the report states. [GovInfoSecurity]

US – Survey: Employees Mistrust Policies; Some Orgs Don’t Have Them At All

An online survey of almost 3,000 employees in the U.S., UK and Germany showed that when it comes to “bring your own device” (BYOD), only 30% said they trust their employer to keep personal information private and not use it against them. The survey also indicated a level of confusion over what constitutes personal information. Meanwhile, ZDNet cites Acronis’ 2013 Data Protection Trends Research report, which indicates that the majority of Australian organizations don’t have a BYOD policy and 33% don’t allow personal devices onto the corporate network. [The Telegraph]
