16-31 August 2013


US – New Report Shows Ohio Police Secretly Use Facial Recognition Technology

Local law enforcement agencies have started to implement facial recognition technology that could transform police departments across the country. This week, Chrissie Thompson, state capital reporter for The Cincinnati Enquirer, revealed that Ohio’s Bureau of Criminal Investigation has for months used facial recognition technology to match driver’s license photos against surveillance footage—without telling the public. The program launched June 6 of this year, and Ohio Attorney General Mike DeWine learned of it two weeks later. Ohio is just one of 26 states that have implemented facial recognition technology. Thompson discusses her investigation, and Attorney General DeWine defends law enforcement’s use of the technology. [Source]

US – Facial Scanning Is Making Gains in Surveillance

The federal government is making progress on developing a surveillance system that would pair computers with video cameras to scan crowds and automatically identify people by their faces, according to newly disclosed documents and interviews with researchers working on the project. The Department of Homeland Security tested a crowd-scanning project called the Biometric Optical Surveillance System — or BOSS — last fall after two years of government-financed development. Although the system is not ready for use, researchers say they are making significant advances. That alarms privacy advocates, who say that now is the time for the government to establish oversight rules and limits on how it will someday be used. [New York Times]

WW – Google Glass App Being Designed to Read Emotions

Catalin Voss, an entrepreneur and Stanford student from Germany, is working on emotion-recognition tools that could improve education and training by monitoring engagement. His company, Sension, is among a handful of businesses making strides in emotion-recognition technology. The tools can analyze facial expressions and vocal patterns for signs of specific emotions: happiness, sadness, anger, frustration and more. There’s a broad array of potential applications, including potentially creepy commercial ones. But the broader goal is to make machines communicate with humans in more natural ways. In that sense, it can be seen as the latest step in the long history of human-computer interaction, a layer on top of motion sensors like Microsoft’s Kinect controller or voice-recognition services like Google Now and Siri. The machines can understand more than the defined meaning of words or gestures, putting them into the context of the feelings with which they’re expressed. Voss stresses that they’re building privacy protections into their apps: They don’t upload facial images, store anything on the phone or attempt to identify individuals through facial recognition (which is banned by Google for Glass). He added that the team has no interest in pursuing any marketing applications of emotion recognition. [Source]

WW – Pay-Per-Gaze Tracking Patent Revealed

Earlier this month, the U.S. Patent and Trademark Office published a gaze-tracking system proposed by Google to monitor the pupils of a user wearing a head-mounted device, such as Google Glass. Connected to a server, the tracking system could infer emotion by detecting pupil dilation and eye movement and could potentially offer “a mechanism to track and bill offline advertisements in the manner similar to popular online advertisement schemes,” the patent states. In other words, the system could charge advertisers when opted-in users gaze at a given billboard, magazine, newspaper or other media. Additionally, the patent specifies that “personal identifying data may be removed from the data and provided to the advertisers as anonymous analytics.” A report by The New York Times delves into ubiquitous data collection, specifically data collected from wearable devices, where “Records of voices and events will be a permanent part of the Internet the way text is already, held forever and searched, mined and inspected.” [Fast Company]


CA – Survey: 60% Would Surrender Online Privacy to “Foil Terrorist Plots”

Canadians are split on keeping their data private, and much of that concern evaporates once safety and anti-terrorism efforts are invoked, according to a survey released by the Canadian Internet Registration Authority (CIRA). About half of Canadians said it was “completely unacceptable” for governments to monitor citizens’ email and online activities, a fairly even split over whether privacy is a priority. Yet that number shifted significantly when pollsters asked whether the Canadian government could monitor everyone’s email and other online activities if officials said that might prevent future terrorist attacks. About 77% of those polled, roughly three in four, said that would be “completely acceptable” or “acceptable in some circumstances,” and about six in 10 said they would “be willing to give up their Internet privacy if it would help the government foil terrorist plots.” [CIRA Survey] [Source]


WW – Teens Turn to Friends for Advice on Settings Management

A new report from the Berkman Center for Internet and Society at Harvard University indicates that while teens generally figure out how to manage their online privacy themselves, 70% report they have sought advice from someone else. The people they turn to are generally friends, parents or other close family members. The report is based on a survey that polled 802 parents and their children ages 12 to 17 as well as focus group interviews with 156 participants. [Source]

US – IAPP/PLSC Award-Winning Papers Posted

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo, and Daniel Solove and Woodrow Hartzog. Now both papers have been posted to the Social Science Research Network, where the current drafts can be read: Solove and Hartzog’s “The FTC and the New Common Law of Privacy” and Calo’s “Digital Market Manipulation.” Geekwire also talks with Calo about his paper and its implications for the current Internet marketplace. [Geekwire]

US – Prescription Rewards Program Raises Concern

A new prescription-drug rewards program gives store credit to opted-in customers for other nonprescription products. In February, CVS announced it was expanding its ExtraCare Pharmacy & Health Rewards program to include prescription drug purchases. According to the website, “each person must sign a HIPAA Authorization to join.” A representative from Privacy Rights Clearinghouse expressed concern, saying, “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.” A CVS representative said, “We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers’ personal and health information,” adding, “We do not sell, rent or give personal information to any nonaffiliated third parties.” [Los Angeles Times]

WW – Researchers Earn Grant to Study Privacy Notices

The National Science Foundation (NSF) has announced it is investing $20 million in grants to more than a dozen universities to help tackle the “fundamental challenges” to the nation’s cybersecurity. One group of recipients, including researchers from Carnegie Mellon, Fordham and Stanford, aims to take a multidisciplinary approach to creating effective web privacy notices. The project’s lead investigator said, “If you read privacy notices, you quickly realize that they contain a lot of boilerplate text and that people seem to often be recycling entire sentences and even larger text fragments from one another,” adding, “This project will aim to exploit these types of patterns.” An NSF representative said its “investments in foundational research will transform our capacity to secure personal privacy, financial assets and national interests.” [National Science Foundation]


UK – Councils Sell Off Voter Information

More than 300 local authorities sold people’s names and addresses to more than 2,700 companies and individuals over five years, privacy campaigners have revealed. According to Freedom of Information Act requests made by Big Brother Watch, councils sold the edited electoral register – made up of all those people who register to vote and do not opt out of the edited version – to pizza shops, estate agents, lobbyists and driving schools, among others. Some 307 local authorities sold the register to more than 2,700 different companies and individuals between 2007 and 2012. The group calls on the Government to abolish the edited register or allow councils to offer people a permanent opt-out instead of the current system, which requires people to opt out annually. Big Brother Watch director Nick Pickles said: “Registering to vote is a basic part of our democracy and should not be a back door for our names and addresses to be sold to anyone and everyone.” [Source]

IN – Indian Government Considers Ban on Gmail for Official Use

In what appears to be a reaction to the alleged Internet snooping by U.S. government agencies on users of U.S.-based email services, the Indian government is said to be planning a ban on the use of U.S.-based email services for official government business. The ban would force government workers to use only official Indian government email servers for official use. Many workers, including some government ministers, use hosted email accounts because they are easier to use and have better features than official email systems. India’s IT minister, Kapil Sibal, said there is no evidence of the U.S. accessing any Internet data from India. [Times of India] [ZDNet] [Economic Times]

CA – Toronto Agencies Still Ask for Immigration/Citizen Status

A survey finds it’s risky for undocumented people to seek help from a service agency; half will “ask” about their status, and nearly one in three will “tell.” Almost half of Toronto’s community agencies ask for clients’ immigration status, and 30% say they would share the information with police and immigration officials. Those statistics are from a new city-funded report, the first ever to survey community service agencies about their policies on serving “non-status residents” — a growing population of migrants who are in Canada without immigration status. More than one-third of the participating agencies said they did not know or were uncertain about their legal rights and obligations if approached by law or immigration enforcement inquiring about a client. Some 71% said they did not have a formal policy about serving this population. The 32-page report will be released this week, as Toronto City Council is reviewing its municipally funded services in a bid to ensure they’re available to all residents, “legal” or not. In February, Toronto was declared to be Canada’s first “sanctuary city” for migrants without status. [Source]

US – Illinois Tollway to Post Names of Scofflaws

Motorists who use the Illinois Tollway but refuse to pay tolls and fines may already have collection agents chasing them, but by the end of the week the names of the most egregious scofflaws could also be posted on the Tollway’s website. The list will name those who have racked up more than $1,000 in tolls and fines, officials said. Until now, the Tollway had been reluctant to publicize the names. But Gov. Pat Quinn on Tuesday signed legislation allowing the Tollway to do so, along with the amount of fines and unpaid tolls owed by each violator. The Tollway’s action follows similar public shamings by agencies in Texas and on the East Coast. Last year the Illinois Tollway estimated that deadbeats had racked up about $300 million in unpaid tolls and fines since 2001. The Tollway said it issues about 1.4 million first-violation notices every year. The agency collected more than $33 million in revenue from toll violations in 2011, according to a recent audit. [Source]

US – DOE Notifies Employees of Second Data Breach This Year

The US Department of Energy (DOE) is notifying 14,000 current and former employees that their personally identifiable information was compromised when someone gained unauthorized access to an agency human resources system. The specific information compromised was not disclosed. The incident, which occurred in late July, is the second reported data breach at DOE this year. In February, DOE notified a few hundred employees about a breach launched by “sophisticated attackers.” [SC Magazine] [DarkReading]


US – Groklaw Announces Shut Down Due to Decline of eMail Privacy

The website Groklaw has announced that it will shutter operations to avoid US government surveillance. Groklaw promises its sources anonymity, but the revelation of the surveillance practices means the site can no longer ensure it. Groklaw founder Pamela Jones pointed to the recently revealed US intelligence practice of gathering email from outside the country and storing the data for years in the hope that technology will eventually allow messages protected by encryption to be read. Over the last several weeks, two encrypted email services – Lavabit and Silent Circle’s Silent Mail – have shut down rather than face the likelihood of being served warrants demanding customer data. [The Register] [ComputerWorld] [BBC] [Ars Technica] See also: [German government refutes Windows ‘backdoor’ claims]

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Full Story]

Electronic Records

US – Electronic Data Does Not Constitute ‘Tangible Property.’

Insurance company Liberty Mutual has filed a lawsuit against the supermarket chain Schnucks seeking release from liability in relation to a computer security breach Schnucks suffered earlier this year. Between December 2012 and March of this year, 2.4 million credit and debit cards used at 79 of Schnucks’ stores were compromised. As a result, eight lawsuits have been filed against Schnucks by customers whose cards were hacked. Liberty Mutual is refusing to meet those claims, stating that its coverage only applies to property damage and bodily injury and that electronic data does not constitute ‘tangible property.’ [Fox] [SupermarketNews] [Softpedia] SEE ALSO: [Canada: Tracking device may cut car insurance]


WW – Password-Cracking Just Got Smarter

Passwords just got a lot easier to crack. ocl-Hashcat-plus, a freely available program for cracking hashed passwords offline, can now attack passwords of up to 55 characters. The program previously handled only passwords of 15 characters or fewer, but web users have increasingly turned to longer passwords and passphrases to protect their online data, and those are now within reach of the same dictionary, rule-based and combinator attacks. “This was by far one of the most requested features,” said the program’s lead developer. Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.” That rate applies to fast, unsalted hashes such as MD5 or NTLM; a deliberately slow, salted scheme such as bcrypt, scrypt or PBKDF2 cuts the guess rate by several orders of magnitude, which is why password length alone is no substitute for a proper password hash. [Ars Technica]
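To show what the length change actually buys an attacker, here is an added example in Python. It is not Hashcat’s code: it re-creates in miniature the two attack modes that matter here, a dictionary attack with word-mangling rules and a combinator attack that joins dictionary words into long passphrases, and runs them against a set of unsalted MD5 hashes. The wordlist, the suffix and leetspeak rules, and the “leaked” hashes are all constructed for the example; the 8e9 guesses/s figure in the time estimate is the article’s.

```python
"""Offline password cracking, as an added illustration of the article.

This is not Hashcat's code. It is a small Python re-creation of the two
attack modes the 55-character change matters for: a dictionary attack with
word-mangling rules, and a combinator attack that joins dictionary words
into long passphrases. The wordlist and the "leaked" hash set are
constructed for the example."""
import hashlib
import itertools

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["summer", "password", "correct", "horse", "battery", "staple", "welcome"]

# A few Hashcat-style rules: leetspeak substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "o": "0", "e": "3"})
SUFFIXES = ("", "1", "!", "123", "2013", "2013!")


def mangle(word):
    """Yield rule-based variants of one base word (case, leet, suffixes)."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist, max_words=4):
    """Dictionary-with-rules candidates first, then multi-word passphrases.

    The passphrase stage is what a 15-character cap used to exclude: a
    28-character phrase made of four common words is only as strong as the
    number of four-word permutations of the dictionary."""
    for word in wordlist:
        yield from mangle(word)
    for n in range(2, max_words + 1):
        for combo in itertools.permutations(wordlist, n):
            yield " ".join(combo)


def crack(target_hashes, wordlist, algo="md5", max_words=4):
    """Return {hexdigest: plaintext} for every target hash recovered.

    Unsalted fast hashes are assumed: one hash computation per candidate
    is compared against every target at once, which is what makes
    'a virtually unlimited number of hashes' cheap for the attacker."""
    targets = set(target_hashes)
    found = {}
    for cand in candidates(wordlist, max_words):
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found


def seconds_to_exhaust(alphabet_size, length, guesses_per_second=8e9):
    """Worst-case time to try every string of exactly `length` symbols at the
    article's quoted rate (8e9 guesses/s is a fast-hash figure, not bcrypt)."""
    return alphabet_size ** length / guesses_per_second


def sample_leak():
    """Constructed 'leak': unsalted MD5 digests of three test passwords."""
    plaintexts = ["Summer2013!", "p@ssw0rd", "correct horse battery staple"]
    return {hashlib.md5(p.encode()).hexdigest(): p for p in plaintexts}


if __name__ == "__main__":
    leak = sample_leak()
    for digest, plain in crack(leak, WORDLIST).items():
        print(f"{digest}  {plain!r}  ({len(plain)} chars)")
    print(f"8 lowercase letters, brute force: {seconds_to_exhaust(26, 8):.1f} s")
    print(f"55 lowercase letters, brute force: {seconds_to_exhaust(26, 55):.2e} s")
```

The 28-character passphrase falls to the combinator stage in a few hundred guesses, while exhausting 55 random characters remains infeasible at any rate; length helps only when the characters are not predictable from a dictionary. Swapping `algo` for a slow, salted scheme would not change the logic, just the per-guess cost, which is the defender’s lever.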

EU Developments

EU – New EU Rule Requires Breach Notification Within 24 Hours

As of August 25, telecommunications operators and Internet service providers (ISPs) in the European Union (EU) must notify authorities within 24 hours of detecting a data security breach. While notification is already required, the mandatory 24-hour window is raising concerns because organizations will not have adequate time to conduct forensics. There is also movement toward broadening the scope of the requirement to include all industries. [SC Magazine] [v3.co.uk] [Infosecurity-magazine] [EU Data Breach Notification Rule: The Key Elements] See also: [Berlin Commissioner Talks Surveillance, Big Data and New Rules on Privacy] and also [New major incidents in 2012 report by EU cyber security agency ENISA]

EU – Breach Notification Schemes Prompt “Major Concern”

A draft opinion from the European Parliament’s Civil Liberties, Justice and Home Affairs Committee by Swedish MEP Carl Schlyter cites a “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. “A major concern that remains regards the relationship of the proposed system to the notification system proposed under the General Data Protection Regulation, and their effective coexistence, which is one of the reasons we highlight the fact that any EU cybersecurity legislation should follow the adoption of the General Data Protection Regulation, not precede it,” he writes. [Out-Law]

UK – Aberdeen City Council Fined GBP100,000 For Employee Data Breach

The United Kingdom’s Information Commissioner’s Office (ICO) has fined the Aberdeen City Council GBP100,000 (US$150,000) over the leaking online of sensitive data relating to vulnerable children. The data was accessed on an employee’s home PC, from which a file-sharing program installed on the machine uploaded the information and shared it online. The information was first leaked on 14 November 2011 and was detected by another member of staff on 15 February 2012. Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.” [ITPro] [v3.co.uk] [The Register]

UK – Google Says UK Privacy Law Doesn’t Apply

Google has told British consumers in a privacy claim that it doesn’t have to answer to UK courts and that the country’s privacy laws don’t apply to the company. Google will fight UK Safari users’ right to bring a case in the country and will seek to force the plaintiffs to file the suit in California instead. The plaintiffs are seeking damages, disclosure and an apology from Google for allegedly circumventing users’ security settings and tracking them on Apple’s Safari browser, the report states. [IDG News Service]

Facts & Stats

US – COPPA Changes Leading to “Plummeting” Ad Revenue

COPPA changes that went into effect July 1 are creating headaches for publishers of “mom and pop” websites, who say their ad revenue is plummeting. Judy Miller, founder of Apples4TheTeacher, a resource for teachers that also attracts children, said, “The law is so subjective for what is a kids’ site and what is a mixed site, it just has thrown me into a tailspin.” The Interactive Advertising Bureau’s (IAB) Mike Zaneis said, “Unfortunately, this was all too predictable, as the IAB warned for two years that the impact of the new COPPA rules would mean less revenue for child-directed sites and fewer free offerings for families.” [AdAge]


US – Facebook Friends Could Change Your Credit Score

A handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.” [CNN] [Source]


CA – Sunshine Summit: Who’s Defending Your Right to Know?

In celebration of the 10th annual Right to Know Week, the Privacy and Access Council of Canada (PACC) is presenting the Sunshine Summits to raise awareness and generate discussion about access rights and practices. Experts from government, industry and academia will join together at Sunshine Summits in Toronto (September 23), Calgary (September 25) and Victoria (September 27) to explore Who’s Defending Your Right to Know. [Further details and registration] See also: [US: Last of the secret Nixon tapes released; include meeting with USSR’s Brezhnev]

US – Additional Guidance for Open Data Project

The White House has released additional clarification and detailed requirements to help agencies achieve open data project objectives. An executive order in May affirmed the importance of the open data project, noting that open data are a boon to economic growth, innovation, and government efficiency. Agencies must submit open data progress reports by November 1, 2013. [NextGov] [Project Open Data Implementation Guide]

US – Bloomberg Releases Data and Privacy Practice Review

In response to revelations last May that Bloomberg News and some of its journalists were using terminals that had access to sensitive financial subscriber data, the organization conducted and has now released the results of a comprehensive external review of its data and privacy practices. Conducted by Hogan Lovells and Promontory Financial Group, the review examined Bloomberg news stories, employees, client data systems and other documents in order to assess the company’s governance framework. This exclusive for The Privacy Advisor looks into some of the recommendations and how privacy pros can use this example within their organizations to bolster the need for strong data and privacy frameworks. [Source]

UK – FOI Reforms In Effect September 1

As of September 1, amendments to the Freedom of Information Act go into effect, meaning public bodies in the UK will be required to disclose datasets “in an electronic form which is capable of re-use” when requested, subject to it being “reasonably practicable” to do so. The ICO has issued guidance on the law and advised authorities to consult its code of practice on anonymising personal data before responding to FOI requests. [Out-Law.com]

Health / Medical

US – Privacy, Pharmacy Groups at Odds Over Refill Reminder Funding Rule

The World Privacy Forum — a privacy rights group — is challenging an effort by the Specialty Pharmacy Association of America (SPAARx) to convince HHS to change a privacy rule that would limit funding for prescription refill reminder programs. The battle between privacy advocates and the pharmaceutical industry highlights the debate over the use of data in patients’ health records without patient consent. [Source]

US – Study: Dearth of Laws May Delay Mobile Health Apps

A recent report by TrustLaw Connect, a pro bono legal initiative of the Thomson Reuters Foundation, has shown that most African countries have not implemented laws to protect patient data, delaying efforts to launch mobile healthcare (mHealth) applications. “The primary risk of not having explicit laws assuring patient confidentiality is that many people may avoid accessing necessary services,” says William Philbrick, of the mHealth Alliance, noting this is “particularly true when we are talking about HIV.” Esther Ogara, head of eHealth at Kenya’s health ministry, says while it’s important to make laws to safeguard patient data, “countries must continue to deploy mHealth tools to save lives while they formulate laws.” [SciDevNet]

UK – Medical Details to Be Sold For £1

The medical records of millions of British patients are to be sold off for £1 each, with the backing of Health Secretary Jeremy Hunt. GPs will send the individual files to a central database from next month, and private firms such as Bupa can then apply to buy them for research. Doctors do not have to tell patients about the plan, which has been slammed by privacy campaigners. Phil Booth, of campaign group medConfidential, claimed NHS England plans to backdate it 20 years. “This is a wholesale rewriting of the deal between patient and doctor,” he said. “When people go to the GP, they go for medical treatment, they don’t expect commodification of their patient records.” Shami Chakrabarti of Liberty also warned over privacy protection: “The more people who have access to sensitive data, the greater risk it will not be protected properly.” [Source]

US – More Healthcare SMEs Eyeing Breach Insurance

In light of a growing number of healthcare breaches affecting small- and medium-sized organizations, many are looking at acquiring cyber insurance. A recent Experian/Ponemon Institute study found a growing trend of organizations across industry sectors looking toward such protection. Experian Data Breach Resolution Vice President Michael Bruemmer said specifically with healthcare, 32% of organizations polled already have insurance and an additional 41% are considering it. Bruemmer also said he has seen a shift toward smaller healthcare practices showing interest in cyber insurance coverage. [American Medical News]

Horror Stories

US – Regulators, State AG to Investigate Advocate Breach

Federal regulators and the Illinois Attorney General’s Office confirmed this week they will investigate Advocate Medical Group’s data breach. The breach was the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services (DHHS) since its mandatory breach notification rule came into effect in September 2009, the report states. The July 15 breach affected more than four million patients seen by Advocate Medical Group from the early 1990s through July. Affected patients have begun receiving notification letters. DHHS investigates any breach affecting more than 500 people, but wouldn’t comment on the Advocate case citing the pending investigation. [Chicago Tribune] [Healthcare IT News: Second Largest HIPAA Breach Ever Affects Four Million] See also: [Ontario nurse fired after viewing 1,300 patient records]

US – Judge Dismisses Class-Action; Breaches Affect Business and School

A California federal judge has dismissed a proposed class action accusing Symantec of concealing a data breach. Meanwhile, a data breach at the Bonneville Power Administration has compromised the data of 3,100 employees, and the University of Mississippi has acknowledged that an employee mistakenly attached a spreadsheet containing nearly 2,300 students’ names, Social Security numbers, grade-point averages, races, genders and other details to a mass e-mail to students. [Law360]

US – Judge Approves $20M Facebook ‘Sponsored Stories’ Settlement

A federal judge has approved a class-action settlement that will require Facebook to pay $20 million for putting users in their “Sponsored Stories” advertising program without their permission. Originally, U.S. District Judge Richard Seeborg had said he had “serious concerns“ over the deal because it paid $10 million to charity but nothing to class members. The settlement now divides the $20 million among charities, the class-action attorneys and the 125 million U.S. Facebook users affected. [WIRED]

WW – Facebook to Compensate Users for Sharing Details on Ads

Approximately 614,000 Facebook users whose personal details appeared in ads on the site without their permission will each receive a $15 (£9.65) payout. The names and pictures of an estimated 150 million Facebook members were used in Sponsored Stories, but only those who responded to an email from the site earlier this year will be compensated. Privacy organisations will also receive some of the $20m (£12.9m) settlement. Facebook said it was “pleased” the settlement had been approved. The payout was approved by a US court following a class action filed against Facebook in 2011 by five of its users. The group said their details had been used to promote products and services through the site’s Sponsored Stories programme, without paying them or giving them the choice to opt-out. US District Judge Richard Seeborg acknowledged that the $15 payments were relatively small, but said it had not been established that Facebook had “undisputedly violated the law”. He added that the claimants could not prove they were “harmed in any meaningful way”. The court estimated that Facebook had made about $73m (£47m) in profit from the Sponsored Stories featuring details of the 150 million members. The settlement also requires Facebook to make changes to its “Statement of Rights” and to give users more information and control over how their details are used in the future. This move was estimated by the plaintiff’s lawyers to cost Facebook $145m in advertising revenue. Approximately 7,000 Facebook users opted out of the settlement altogether, allowing them to bring their own legal action against the social network. [Source]

US – Federal Reserve Employee Data Exposed

Law enforcement is working with the Federal Reserve to investigate a hacking incident that has resulted in the release of employee data online. Individuals claiming to be part of the hacktivist group Anonymous have claimed responsibility for posting online the “full details of every single employee at Federal Reserve Bank of America,” adding central banks have “systematically defrauded the planet.” The bank says the data was likely accessed more than six months ago, through a breach of its Emergency Communications Systems and includes names, phone numbers and e-mail addresses, among other information. [Bloomberg]

US – Citi Fined US$55,000 for Data Breach

The state of Connecticut has fined Citi US$55,000 over a security flaw that led to a data breach exposing the personal details of 360,000 customers and the subsequent theft of US$2.7 million. The account details were accessed in May 2011 when a flaw in Citi’s Account Online web-based service allowed criminals who had logged in to the system to reach other customers’ accounts by simply changing a few characters in the URL: a textbook insecure direct object reference, in which the server trusts a record identifier supplied by the client without checking that the logged-in user is entitled to it. According to Connecticut’s Attorney General George Jepsen, Citi was aware of the vulnerability, which could have existed for three years before the attack. Besides paying the US$55,000 fine, Citi has agreed to engage a third party to conduct a security audit of the Account Online system and will offer two years of free credit monitoring to affected customers from the state. [Finextra] [Hartford Business]
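The flaw behind the Citi breach is easy to reproduce and just as easy to fix once named, so here is an added example in Python. It is not Citi’s code and makes no claim about how Account Online was built: it is a framework-free stand-in for a web handler, with a constructed in-memory account store, showing the vulnerable pattern (a record looked up purely from a URL parameter), the same handler with an ownership check, and the indirect-reference alternative in which the client never sees a real account number at all. The route, parameter name and account data are assumptions made for the example.

```python
"""Insecure direct object reference, as an added illustration of the Citi
flaw described above. This is not Citi's code: it is a framework-free
Python stand-in for a web handler, with a constructed in-memory account
store, showing the vulnerable pattern, an ownership check, and the
indirect-reference alternative."""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed account store: account number -> (owner, balance).
ACCOUNTS = {
    "4001": ("alice", 1250.00),
    "4002": ("bob", 9800.00),
    "4003": ("carol", 42.00),
}


class Forbidden(Exception):
    """Raised when a request asks for a record the session user may not see."""


@dataclass
class Request:
    user: str  # authenticated session identity, set at login (trusted)
    url: str   # request line chosen by the client (untrusted), e.g. /account?acct=4002


def account_param(req):
    """Extract the ?acct= query parameter, or None if it is absent."""
    return parse_qs(urlparse(req.url).query).get("acct", [None])[0]


def vulnerable_view(req):
    """Authenticates the session but never checks who owns the record:
    editing the account number in the URL returns someone else's data."""
    owner, balance = ACCOUNTS[account_param(req)]
    return {"owner": owner, "balance": balance}


def hardened_view(req):
    """Same route, but the record must belong to the authenticated user.
    'Not found' and 'not yours' share one response so IDs cannot be enumerated."""
    record = ACCOUNTS.get(account_param(req))
    if record is None or record[0] != req.user:
        raise Forbidden("no such account for this user")
    return {"owner": record[0], "balance": record[1]}


class SessionRefs:
    """Indirect references: the client only ever sees per-session random
    tokens, so there is no real account number in the URL to tamper with."""

    def __init__(self, user):
        self.user = user
        self._token_to_acct = {
            secrets.token_urlsafe(16): acct
            for acct, (owner, _) in ACCOUNTS.items()
            if owner == user
        }

    def tokens(self):
        return sorted(self._token_to_acct)

    def resolve(self, token):
        acct = self._token_to_acct.get(token)
        if acct is None:
            raise Forbidden("unknown reference")
        owner, balance = ACCOUNTS[acct]
        return {"owner": owner, "balance": balance}


def access_denied(handler, req):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob is logged in and edits the account number in his own URL.
    tampered = Request(user="bob", url="/account?acct=4001")
    print("vulnerable:", vulnerable_view(tampered))  # leaks alice's balance
    print("hardened denies:", access_denied(hardened_view, tampered))
    refs = SessionRefs("bob")
    print("bob's opaque refs:", refs.tokens())
    print("forged token denied:", access_denied(refs.resolve, "not-a-real-token"))
```

The ownership check is the minimum fix and belongs in every handler that dereferences a client-supplied ID; the indirect-reference map removes the temptation entirely, at the cost of per-session state. Either way, audit logging of denied lookups is what would have surfaced an attacker walking through account numbers long before the money left.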

US – Northrop Grumman Data Breach

Employees of and applicants to Northrop Grumman’s linguist program have been notified that their personal data were compromised in a security breach. More than 70,000 people were affected. The incident involved unauthorized database access sometime between November 2012 and May 2013. [SC Magazine]

Identity Issues

US – New Class-Action Sought Over UDIDs

A group of consumers seeking class-action status is alleging Apple’s pledge that it would restrict access to devices’ 40-character unique identifiers (UDIDs) “has thus far been ineffective and leaves class members’ personal information exposed.” The consumers, who had previously sued Apple after reports alleged developers could access iPhone and iPad UDIDs, have filed a motion asking U.S. District Court Judge Lucy Koh to grant them class-action status. While Apple does not define UDIDs as personal information, “the consumers argue that the identifiers become personally identifiable information when combined with other supposedly anonymous information, such as ZIP codes, occupation or area code,” the report states. [Media Post News] See also: [DMA Not A Supporter of “Reclaim Your Name” Campaign]

US – Texas Pastafarian Becomes First In U.S. to Wear Colander in License Photo

Trips to the DMV don’t typically elicit genuine smiles, but from beneath a metal pasta strainer, Texas Tech student and practicing Pastafarian Eddie Castillo flashed the “biggest, cheesiest” one he could muster last week. Castillo told KLBK that the triumphant moment came after a lengthy fight with the state’s Department of Public Safety that the unusual headgear was protected as part of his religious beliefs. Castillo is the first American to successfully have his government-issued photo identification taken while wearing a colander, though DPS officials are reportedly planning to follow up with Castillo in order to “rectify” the situation. Others have tried unsuccessfully, and Castillo told KLBK that he was surprised at his victory, which he called a “political and religious milestone for all atheists everywhere.” [Source] SEE ALSO: [Germany to add third gender option to birth certificates]

Internet / WWW

WW – NSA Surveillance Network Covers 75% of U.S. Web Traffic

The surveillance network set up by the National Security Agency (NSA) intercepts more U.S. Internet communications than has been publicly revealed. The system, allegedly designed to target foreign communications for intelligence purposes, has the ability to reach approximately 75% of all U.S. Internet activity—including, in some cases, the ability to retain the written content of e-mails sent between Americans and of domestic phone calls made via the web, the report states. One U.S. official, however, said the NSA is “not wallowing willy-nilly” through domestic communications, adding, “We want high-grade ore.” [The Wall Street Journal] [NBC News] [CNN] See also: [New Zealand has direct access to US surveillance]

WW – Project Loon Raises Concerns

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don’t have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google’s claims about the Loon balloons’ navigability are true, it is in fact an ‘unmanned aircraft,’ sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.” [Source]

WW – The Internet of Things: Baby Monitor Hacked

A Texas family heard noises coming from their toddler’s bedroom through their video baby monitor. A man was yelling obscenities at their child, and when the parents entered the room, he yelled obscenities at them as well. The family had taken security precautions, including enabling a firewall and establishing passwords for their router and the baby monitor camera, which connects to their Wi-Fi network. [BBC] [CNET] [NBCNews] SEE ALSO: [Webcam spying goes mainstream as Miss Teen USA describes hack]

Law Enforcement

BC – Police Tech Could Stop Crimes Before They Even Happen

Police technology is getting closer and closer to being able to stop crimes before they occur. The technology draws from multiple data sets to predict that a specific crime will probably occur in a specific location at a specific time, so police will know where to go before a crime has been committed, said Prox of the Vancouver police. “We will actually be deploying police units preemptively to where crime isn’t happening, but where we’re predicting it might,” said Prox. Police cars are equipped with mobile terminals with touch screens for easy access to the data on the go, so officers can make their own decisions about where they should be. The customized computer system from IBM has been in use since 2007 and has made Vancouver’s police force a leader in North America, keeping pace with the likes of New York and Los Angeles. In addition to preventing crime, “big data” can also be used to solve cases traditional techniques couldn’t crack, said Prox. [Source]

CA – Calgary Planning to Put Cameras on More Police

Take a police-eye view of a driver getting a ticket via the body cameras that will soon be used by many more Calgary police officers after a pilot program was deemed a success. After testing body-worn cameras on a small group of officers for nine months, the Calgary Police Service has decided it wants to eventually equip all its uniformed officers with the devices. But police are still developing policies and guidelines about how the cameras will be used and what authorities will do with the recordings they capture — and privacy experts said it’s essential to address those questions before going much further. “One of the principles about privacy is openness and transparency. Their policies and practices should be readily available to the public,” said Kelly Ernst, senior program director at the Sheldon Chumir Foundation for Ethics in Leadership. “They probably shouldn’t be putting the cart before the horse.” [Source] See also: [US: Asiana crash photo leak prompts helmet cam ban]


WW – Researchers Show Method of Sneaking Malicious Apps into Apple Store

Researchers at Georgia Tech have demonstrated a method of creating malicious apps that evade detection by Apple’s app review. The apps, dubbed Jekyll apps, are submitted with only benign code paths plus deliberately planted vulnerabilities; after approval, the attacker triggers those bugs remotely to stitch malicious control flows out of code already present in the signed binary. Because those program paths do not exist while the app is under review, static and dynamic analysis during review see only benign behavior. [NBC News] [Information Week]

US – Apple Updates App Store Guidelines per COPPA Revision

Following the FTC’s revised Children’s Online Privacy Protection Act (COPPA) Rule, which took effect in July, Apple has updated its App Store Review Guidelines. The revised guidelines offer stronger privacy protections and limit the way apps can handle user information. They also contain a new provision on Kids Apps, which applies to apps made for children under the age of 13. That provision requires such apps to have a privacy policy and to be made for one of three age ranges: five and under, six to eight, or nine to 11. The Kids Apps rules also forbid serving ads through behavioral targeting. [Information Week]

HK – PCPD: “Do No Evil” App Invades Privacy

Hong Kong Privacy Commissioner for Personal Data (PCPD) Allan Chiang Yam-wang has “found mobile app Do No Evil had supplied sensitive personal data—including names of litigants, partial identity card numbers, addresses, claims amounts and company directors’ data—to users without voluntary consent.” The PCPD found the smartphone application, which allows members of the public to access a database of millions of litigation records “seriously invaded” privacy, the report states. “I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire,” the PCPD said. The PCPD’s actions are receiving criticism from a corporate governance activist. [South China Morning Post]

WW – Android Malware Spreading Through Mobile Ad Networks

Malware targeting Android devices has been found spreading through mobile advertising networks. Many developers include advertising frameworks in their apps to boost revenue; the ads are served by library code that runs inside the app itself, with the app’s permissions. In an attack scheme seen in Asia, a rogue ad network used that position to push code onto devices: when users downloaded and installed a legitimate app, the ad code fetched a malicious package and prompted the user to approve its installation, so the prompt appeared to be part of installing the app they had just downloaded. [ComputerWorld]

US – Study: Teens Really Do Care About Privacy on Their Smartphones

More than half of teens who use mobile apps say they avoid downloading some of them because of concerns about personal information being shared with others, including location-based data. And a quarter of teens say they’ve even uninstalled apps once they learned the apps might be collecting “personal information that they didn’t wish to share.” The findings are from the Pew Internet Project’s new report, “Teens and Mobile Apps Privacy,” which says that 58% of all U.S. teens, ages 12 to 17, have downloaded apps to their phones or tablets. For teen girls, location information “is considered especially sensitive,” Pew said in its report. A majority of them “have disabled location-tracking features on cellphones and in apps because they are worried about others’ access to that information.” In its survey of 802 teens, ages 12 to 17, and their parents, Pew found:

  • 58% of all teens say they’ve downloaded apps to their phone or tablet.
  • 51% of app users say they’ve avoided certain apps because of privacy concerns.
  • 26% of app users say they’ve uninstalled an app after they found out it was collecting “personal information that they didn’t wish to share.”
  • 46% of app users say they have turned off location-tracking features on their phones or in an app “because they were worried about the privacy of their information.”
  • Girls are more likely than boys to disable location-tracking features, 59% to 37%.

However, this privacy concern isn’t totally cause for parents to celebrate. “Some of the people” teens might be concerned about being tracked by are — perhaps not surprisingly — “their own parents,” Pew noted. “As early as 2009, the Pew Internet Project found that about half of parents of teen cellphone owners said they used the phone to monitor their child’s location in some way.” [Source]

WW – ‘Boyfriend Tracker’ App Pulled Over Privacy Concerns

Brazilians were outraged when they learned their country was a top target of the U.S. National Security Agency’s overseas spying operation, with data from billions of calls and emails swept up in Washington’s top secret surveillance program. Yet when it comes to the cloak and dagger effort of catching philandering lovers, all high-tech weapons appear to be fair game — at least to the tens of thousands of Brazilians who downloaded “Boyfriend Tracker” to their smartphones before the stealthy software was removed from the Google Play app store last week, apparently in response to complaints about privacy abuses and its potential to be used for extortion or even stalking. The app, called “Rastreador de Namorados” (Portuguese for Boyfriend Tracker), promises to act like a “private detective in your partner’s pocket.” Functions include sending the person doing the tracking updates on their partner’s location and forwarding duplicates of text message traffic from the targeted phone. There is even a command that allows a user to force the target phone to silently call their own, like a pocket dial, so they can listen in on what the person is saying. [Source]


SA – South African National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Privacy Tracker]

Online Privacy

WW – Facebook Changes Include Expanded Facial Recognition

Facebook has announced that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s “Sponsored Stories” feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” [The Wall Street Journal] See also: [US: Here’s The Most Amusing Way To Learn The Depressing News About Your Vanishing Privacy]

WW – Facebook Says Countries Sought Data on 38,000 Users First Half of 2013

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80% of those requests. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the prior six-month period, roughly 18,000 to 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users. [Reuters] See also: [Researcher posts Facebook bug report to Mark Zuckerberg’s wall]

WW – LinkedIn to Allow Teens

Professional networking site LinkedIn will soon welcome teens ages 14 and up. The service was previously only available to users aged 18 and up, but it will launch “University Pages” in an effort to help college-bound students network. The change required LinkedIn staff to do some research on how to protect teens’ privacy online. Privacy settings for teens will include hiding birth dates, preventing their profiles from appearing in public search engines and only allowing their photos to be visible to “first-degree” connections. [Forbes]

US – Peter Swire Quits Group Tasked With Creating Do Not Track Standard

Peter Swire, co-chairman of the W3C working group tasked with creating a Do-Not-Track browser standard, has left the group. “The 110-member international group was formed two years ago to unite all stakeholders on a tracking standard. But by the end of last year, the group was still nowhere near consensus, and browser companies such as Mozilla and Microsoft began to go their own way with their own browser solutions, causing a controversy with the interactive advertising community,” the report states. Swire, who was recently named to the Obama administration’s NSA review panel, wrote that he is leaving because of the appointment, citing a “sense of responsibility” to serve on that panel, the report states. [Adweek] [FTC Getting Impatient on DNT]

Other Jurisdictions

NZ – New Zealand Government Passes NSA-Style Snooping Bill

New Zealand has passed a hotly disputed bill that radically expands the powers of its spying agency. The legislation was passed 61 votes to 59 in a move that was slammed by the opposition as a death knell for privacy rights in New Zealand. The new amendment bill gives the Government Communications Security Bureau (GCSB) – New Zealand’s version of the NSA – powers to support the New Zealand police, Defence Force and the Security Intelligence Service. Opponents of the legislation have voiced concerns that it will open the door to NSA-style monitoring of New Zealand citizens in violation of their rights. A recent survey by Fairfax Media-Ipsos found that three quarters of New Zealand’s population is “concerned by the law.” [Source]

RU – Russian Senator Seeks Probe of Twitter’s Compliance With Personal Data Law

Russian Sen. Ruslan Gattarov says Twitter’s privacy policies violate Russian and European data protection laws. Gattarov has asked the prosecutor general, the head of the federal communications agency and the Council of Europe’s data protection commissioner to conduct an investigation. He alleges that parts of Twitter’s policies violate Russian users’ rights, including its failure to explain why personal data is collected and the lack of a Russian translation of part of the policy. [Rapsi News]

WW – Tech Giants Concerned About Proposed Brazilian Law

Brazil is currently crafting its first nationwide set of data protection and Internet governance laws. Recent amendments to the country’s Internet Constitution, or the Marco Civil da Internet, have raised concerns among some U.S.-based tech companies. A new amendment would require data to be stored locally, causing representatives from Google and Facebook to raise red flags. Facebook’s Bruno Magrani has said the company is concerned because it would be “an enormous technical challenge” for the company and could jeopardize its service in Brazil. Part of the thinking behind storing data locally, according to Foreign Policy, is to protect Brazilians from U.S. government surveillance. [ZDNet]

Privacy (US)

US – Leaked NSA Audit Shows Agency Violated US Citizens’ Privacy

Leaked documents indicate that the US National Security Agency (NSA) has run afoul of privacy laws thousands of times since 2008. That year, Congress passed the FISA Amendments Act, which broadened the NSA’s data collection authority “in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and … reports to Congress and the surveillance court.” Although NSA Director General Keith Alexander said that the agency has not abused surveillance powers and that it does not store data on US citizens, it has in fact done both. One of the leaked documents, a May 2012 NSA internal audit, listed nearly 2,800 incidents over the past year. [Washington Post] [WIRED] [The Register]

US – FISA Court Admonished NSA for Misrepresenting Surveillance Program

A document declassified by US intelligence officials shows that the Foreign Intelligence Surveillance Court criticized the NSA for providing misleading information about a surveillance program. The FISA Court opinion is reproachful of the NSA for misrepresenting the scope of the surveillance. The opinion found that some NSA surveillance activity violated the Fourth Amendment. [Washington Post] [ZDNet] [WIRED] [EFF.org]

US – President Meets with Surveillance Review Panel

President Barack Obama met with the panel he requested to review U.S. surveillance programs on the collection of telephone and Internet data for the first time on Tuesday. Obama announced the panel’s establishment earlier this month, saying, “It’s not enough for me, as president, to have confidence in these programs. The American people need to have confidence in them as well.” The panel will provide the president with interim findings in 60 days, and its goal is to examine how the U.S. “can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties.” [Bloomberg]

US – US Surveillance Guidelines Not Updated For 30 Years, Privacy Board Finds

Barack Obama’s new privacy watchdog has delivered its first bark, with a letter to intelligence chiefs urging them to draft stronger rules on domestic surveillance, rules it revealed had not been updated for 30 years. The intervention of the Privacy and Civil Liberties Oversight Board (PCLOB), its first since the appointment of new staff by the White House earlier this year, came as Obama acknowledged that technology was outpacing the checks put in place to protect privacy and said the National Security Agency was “scary to people”. Hours earlier, PCLOB wrote to director of national intelligence James Clapper and the Department of Justice calling for them to begin formulating new guidelines to reflect recent advancements in surveillance capabilities. PCLOB also requested that “both the attorney general and the director of national intelligence work together to focus the attention necessary to update each element of the intelligence community’s procedures to collect, retain and disseminate US persons’ information”. It said procedures should capture “both the evolution of technology and the roles and capabilities of the intelligence community since 9/11”. “Specifically, the board would appreciate receiving by October 31, 2013, an agency-by-agency schedule establishing a time frame for updating each agency’s guidelines,” added chairman David Medine. “In the meantime, the board would appreciate a briefing on the status of the guidelines and process for reviewing and updating them.” [Source]

US – FTC Announces $3.5M FCRA Settlement

The Federal Trade Commission (FTC) has announced a settlement with Certegy Check Services, Inc., for failing to correct or delete inaccurate consumer information in a timely manner, violating provisions of the Fair Credit Reporting Act (FCRA). The agreement includes a $3.5 million civil penalty for the check-verification company due to “knowing violations…that constituted a pattern or practice of violations.” Meanwhile, the Future of Privacy Forum has recorded a podcast with Prof. Chris Hoofnagle about his essay “How the Fair Credit Reporting Act Regulates Big Data,” in which he points to consumer reporting as the first Big Data initiative and argues that use-based regulation hasn’t been effective. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – OMB Releases Privacy Guidance on “Do-Not-Pay Lists”

Office of Management and Budget (OMB) Director Sylvia Mathews Burwell has released mandatory guidance for agencies implementing the “Do-Not-Pay List” of contractors considered ineligible for government work. The memo outlines how this can be done while adhering to laws that protect privacy, and it lays out the legal procedures for using an online tool designed as a “single point of entry” through which agencies can access the data needed to determine a contractor’s eligibility for a benefit, grant or contract award, the report states. [Government Executive] [FierceGovernment]

US – Coalition of AGs Protest Navigator Program

New hires under the Affordable Care Act could threaten the private information of health insurance candidates, says Florida Attorney General Pam Bondi. Joined by a dozen other Republican state AGs, Bondi wrote a letter to Department of Health and Human Services (DHHS) Secretary Kathleen Sebelius arguing that DHHS’s forthcoming “navigator” program—designed to help Americans navigate paperwork of the new healthcare system—puts patients at risk. Bondi said those hired as navigators will not undergo background checks, meaning individuals’ personal information could fall into the wrong hands. “What if they’ve been convicted of committing identity theft or grand theft before?” Bondi said. “They could potentially still become a navigator.” [The Hill]

US – Judge Says Changing IP Address and Using Proxies May Violate CFAA

A federal judge in California has ruled that changing IP (Internet protocol) addresses or using a proxy server to access a public website from which a user has been banned may constitute a violation of the Computer Fraud and Abuse Act (CFAA). The case involves a company that aggregated and republished advertisements from Craigslist. The company, 3taps, received a cease-and-desist letter from Craigslist, and Craigslist blocked IP addresses associated with 3taps. The company used alternate IP addresses and proxy servers to get around the blocks. [Ars Technica]

US – Opinion: Final FIPP Is Crucial for Federal Privacy Programs

As federal agencies as diverse as the National Security Agency and the Drug Enforcement Administration come under scrutiny for their privacy practices, Mary Ellen Callahan, former CPO at the Department of Homeland Security, says federal agencies of all kinds can avoid privacy disasters by adhering to the most crucial of the Fair Information Practice Principles: auditing and accountability. In her latest post for Privacy Perspectives, Callahan lays out in detail how privacy worked at DHS under her watch and why CPOs need “holistic investigatory authority.” [Source]

US – Opinion: Who’s the Most Active Enforcer? FTC or OCR?

Robert Gellman discusses recent FTC enforcement activities, writing, “I want to put FTC privacy activities into a perspective by comparing the FTC with the Office for Civil Rights (OCR), Department of Health and Human Services.” Gellman cites statistics, writing the FTC reported 153 cases from 1997 through February of this year, while the “OCR investigated 19,726 complaints that revealed a violation during the 10-year period ending in April 2013.” Gellman opines, “It seems to me that it is difficult to look at the numbers and still think that the FTC’s record justifies grand claims about the role of the FTC as a general enforcer of privacy standards in the commercial sector.” [Concurring Opinions]

US – Opinion: Should Smith v. Maryland Be Revisited?

With more focus on the recent dragnet collection of phone metadata by the National Security Agency, NPR explores whether the legal precedent—the 1979 case, Smith v. Maryland—needs to be revisited. Smith v. Maryland is at least one case that supports the third-party doctrine—when information is shared with a third party, a person’s expectation of privacy is diminished. Stanford University Prof. Jennifer Granick said, “Nothing in Smith v. Maryland authorized mass surveillance, and the information that was collected (in that case) is a much narrower category than the information that the government’s currently getting.” Since so much data is now shared with third parties—including location information from smartphones—individuals are constantly revealing their location, which “is not information that you voluntarily disclose to anybody,” Granick added. [NPR]

Privacy Enhancing Technologies (PETs)

WW – Support for Anti-Tracking Wear on the Rise

When the developers of “OFF Pocket,” a sleeve for smartphones that blocks incoming phone signals, WiFi, GPS and Internet connections, launched their Kickstarter campaign looking for $35,000, they ended up raising $56,447. NPR blogger Robert Krulwich offers his views on why the campaign was so successful. At some point, news of the U.S. government’s warrantless data collection combined with a proliferation of surveillance devices will “make us wonder… ‘Who’s watching me?’” he writes, adding, “once we start wondering, it’s only natural to think about protecting ourselves—and that’s the change, I suspect, that has just begun.” After its Kickstarter success, OFF Pocket may go commercial, but concerns about use by terrorists have caused designers of other surveillance-blocking attire to hold back their technologies. [Source] See also: [Female football fans crying foul over ban on purses at all NFL stadiums]

WW – Companies Enhancing Ways to Go Incognito

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail. Consumer e-mail programs require login credentials that are then stored in a database, whereas for the smartphone-based services, the companies say, encryption happens on the device, so the messages cannot be decrypted remotely. That claim holds only as long as the keys never leave the device; a provider that holds or can derive the message key can still read the traffic. Secure messaging services for both Apple and Android devices say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. [The Wall Street Journal]
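To make the distinction above concrete, here is an added, stdlib-only Python sketch, written for this page and not any vendor's code, of the design the messaging companies describe: a relay that authenticates users and stores ciphertext but never holds a message key, because the key is agreed between the two devices and the credentials it keeps are only login verifiers. The user names, passwords and message are constructed for the demo; the Diffie-Hellman group (p = 2^127 - 1, g = 5) is a toy standing in for X25519 or a standard 2048-bit group, and the HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real AEAD. The class and function names are ours.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demo: p = 2^127 - 1 (a Mersenne prime), g = 5.
# Far too small for real use; a real service would use X25519 or a 2048-bit+ MODP group.
P = (1 << 127) - 1
G = 5
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _subkeys(key):
    # Separate encryption and MAC keys derived from the shared key (encrypt-then-MAC).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """The service side: verifies login credentials and stores blobs, nothing else."""
    def __init__(self):
        self.credentials = {}  # user -> (salt, PBKDF2 verifier); no message keys here
        self.mailbox = {}      # recipient -> [(sender, ciphertext blob)]
    def _verifier(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, self._verifier(password, salt))
    def login(self, user, password):
        salt, verifier = self.credentials[user]
        return hmac.compare_digest(self._verifier(password, salt), verifier)
    def deliver(self, sender, password, recipient, blob):
        if not self.login(sender, password):
            raise PermissionError("bad credentials")
        self.mailbox.setdefault(recipient, []).append((sender, blob))


class Device:
    """A phone: the DH private key and derived message keys never leave this object."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)  # safe to publish via the relay
        self._keys = {}
    def pair(self, peer_user, peer_pub):
        shared = pow(peer_pub, self._priv, P).to_bytes(16, "big")
        self._keys[peer_user] = hmac.new(b"e2e-demo-kdf", shared, hashlib.sha256).digest()
    def send(self, relay, peer_user, plaintext):
        relay.deliver(self.user, self.password, peer_user, encrypt(self._keys[peer_user], plaintext))
    def read(self, relay):
        return [decrypt(self._keys[sender], blob) for sender, blob in relay.mailbox.pop(self.user, [])]


def run_demo():
    """Alice texts Bob through the relay; the relay then tries to read it with what it stores."""
    relay = Relay()
    alice, bob = Device("alice", "correct horse"), Device("bob", "battery staple")  # constructed
    for d in (alice, bob):
        relay.register(d.user, d.password)
    alice.pair("bob", bob.pub)
    bob.pair("alice", alice.pub)
    alice.send(relay, "bob", b"meet at 9")
    blob = relay.mailbox["bob"][0][1]
    # The relay's best effort: every key it can derive from stored material fails the MAC.
    relay_can_read = False
    for _salt, verifier in relay.credentials.values():
        try:
            decrypt(verifier, blob)
            relay_can_read = True
        except ValueError:
            pass
    return {"received": bob.read(relay), "relay_can_read": relay_can_read}


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is in `Relay`: it can check a password against a salted verifier and route blobs, but the only secret that decrypts a message is derived from DH private values that were generated on the two phones. Move key agreement or key storage onto the server and the "cannot decrypt remotely" property disappears, whatever the client-side encryption looks like.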


US – FDA Publishes Security Guidance for Wireless Medical Devices

The US Food and Drug Administration (FDA) has published radio frequency guidance for wireless medical devices. The guidance includes information about authentication and encryption to prevent hackers from gaining control of the devices. [Health IT Security] [FDA.gov]

WW – RFID Identifies Drunk Individuals Before They Drive

A radio frequency identification system tested for two weeks in April 2013 at Singapore night club Zouk may have prevented alcohol-related traffic accidents, by warning parking attendants not to hand over car keys to inebriated patrons. The solution, known as the Pee Analyser, was developed by DDB Group Singapore, an advertising and marketing agency, at Zouk’s request. The technology was designed to make it easy to ascertain an inebriated individual’s blood-alcohol level before he begins driving. The trial’s focus was only on men, the company reports, since they account for 90% of drunk-driving arrests in Singapore. At Zouk Singapore, two urinals were equipped with devices that measure the blood-alcohol content of an individual’s urine. A ThingMagic Astra ultrahigh-frequency (UHF) RFID reader was installed near the urinal. During the pilot, as a male patron arrived at the club, he was provided with a valet ticket containing an embedded passive UHF RFID transponder. As that customer used the urinal throughout the evening, the sensors in the toilet determined the amount of alcohol in his urine. If that number exceeded the legal limit, the sensor transmitted a prompt via a wired connection to a computer, also wired to the ThingMagic reader—which, in turn, wrote that information to the patron’s ticket. The sensor then instantly reset, thereby allowing consecutive readings. For those possibly unfit to drive, the system displayed an alert on a video monitor above the urinal, stating: “You may have had one too many to drive. Call a cab, or use our drive home service.” An additional interrogator was mounted at the parking area in front of the nightclub. This device read every male patron’s card, and a screen displayed any warnings of high blood-alcohol levels, enabling the valet staff to determine whether or not to turn over each individual’s car keys. [Source]

NZ – Bar’s Toilet Cameras Spark Outrage

A Christchurch bar has sparked outrage after it installed cameras in its toilets in a bid to catch vandals and increase security. Popular music venue Dux Live says it was forced to introduce the in-toilet security system after a rising vandalism problem last year. The cameras have been approved by police and are even admissible as evidence in criminal courts, bar management says. This week, the Lincoln Rd bar posted footage from the cameras on its Facebook page to try to catch some people it alleges damaged the toilets. General manager Ross Herrick says he wants to “name and shame” bar-goers who were trying to steal framed pictures of famous musicians from the toilet walls. He denies it’s a breach of privacy, saying: “If you’re not doing anything wrong, you’ve got nothing to worry about.” Sensitive areas of the footage are blacked out, and the footage is only reviewed if there has been an issue, Mr Herrick says. “Only the guilty need be worried and only the perverted mind would think it possible that the cameras were to be used in an indecent way,” he said. [Source] SEE ALSO: [Paris suburb to fight dog droppings with CCTV cameras]


US – Cybersecurity Policy Developments Roundup

In February, President Obama signed an Executive Order that put into motion a number of initiatives aimed at improving the cybersecurity posture of the “critical infrastructure” of the United States. Among the Order’s most significant provisions is Section 7, which directs the Commerce Department via its National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework for reducing cyber risks to critical infrastructure. The Framework must be technology neutral and include “standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk.”

NIST is already well on its way to developing the Framework, which is expected to be widely influential. On July 1, NIST published a draft outline of the Framework, and NIST aims to publish a Draft Preliminary Cybersecurity Framework for stakeholder review and input in late August. In September, NIST will hold its fourth and final Framework workshop, which will focus on the August draft and other topics to be announced. NIST expects to publish the Preliminary Framework for formal public comment on October 10. Under the Executive Order, the Final Framework must be published by February 2014.

On July 30, the Senate Committee on Commerce, Science and Transportation unanimously approved the Cybersecurity Act of 2013, which would codify NIST’s role in developing the Cybersecurity Framework. The bill’s directives to NIST largely track the language contained in the Executive Order, and the bill further emphasizes that NIST should “coordinate closely and continuously” with the private sector in developing the Framework.

The Cybersecurity Act of 2013 has bipartisan support, having been written by Senators Rockefeller (D-WV) and Thune (R-SD), and it has received support from business associations. The U.S. Chamber of Commerce, which has opposed cybersecurity legislation establishing regulatory-based cybersecurity standards (including the Cybersecurity Act of 2012, also introduced by Sen. Rockefeller), has endorsed the Commerce Committee’s bill. The Chamber wrote that the “bill takes smart and practical steps” in authorizing NIST to collaborate with industry in developing the Framework. “[P]ublic-private collaboration is essential to successfully countering highly adaptive cybersecurity threats,” noted the Chamber, which welcomed the bill’s narrowly tailored industry focus. The Software & Information Industry Association has also endorsed the legislation.

The bill does not include measures relating to information-sharing programs, which have been generally viewed by industry and key policy makers as important elements of cybersecurity legislation. Recent revelations regarding the National Security Agency’s data-gathering operations will make it more challenging to draft acceptable privacy and civil liberties protections into such information-sharing legislation. Nor does the bill include measures relating to new Securities and Exchange Commission disclosure requirements, despite significant attention to these topics by Sen. Rockefeller. In response to Sen. Rockefeller’s request earlier this year, however, SEC Chair Mary Jo White noted that her staff is conducting an internal review of whether additional or new cybersecurity disclosure guidance is needed.

Meanwhile, the White House is working on ways to incentivize industry to adopt the Framework. On August 6, the White House released “Incentives to Support Adoption of the Cybersecurity Framework,” which summarizes eight incentive areas identified by the Departments of Homeland Security, Commerce and Treasury:

  • Cybersecurity Insurance: Collaborate with the insurance industry to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”
  • Grants: Adoption of the Framework should be a condition or weighted criterion for receiving federal critical infrastructure grants.
  • Process Preference: Prioritize delivering technical assistance to operators of critical infrastructure based in part on whether those operators have adopted the Framework. Adoption of the Framework would not, however, factor into the prioritization of assistance delivered in incident response situations.
  • Liability Limitation: Agencies will consider whether reduced tort liability, limited indemnity, higher burdens of proof or the creation of a federal legal privilege preempting state disclosure requirements will encourage industry to adopt the Framework.
  • Streamline Regulations: Agencies will work to streamline compliance obligations by, among other things, eliminating overlaps between the Framework and existing laws and regulations and allowing for equivalent adoption of the Framework across regulatory structures.
  • Public Recognition: Consider whether giving the option to those who adopt the Framework to receive public recognition would incentivize participation.
  • Rate Recovery for Price Regulated Industries: Consider whether the regulatory agencies that set utility rates should allow utilities to recover cybersecurity investments related to Framework adoption.
  • Cybersecurity Research: Agencies recommend identifying where new solutions are needed to implement the Framework and supporting research and development to fill those gaps.

Because the Cybersecurity Act of 2013 codifies what the White House and agencies are already working to implement and because the bill has bipartisan support and the endorsement of business groups, the legislation has a reasonable chance of becoming law. With the draft Framework coming in a little more than a month, now is a good time for organizations of all types to consider the implications of these new cybersecurity standards. [Source]

US – NIST Releases Cybersecurity Draft Framework

The US National Institute of Standards and Technology has released a preliminary cybersecurity draft framework outlining standards and guidelines to support President Obama’s “Improving Critical Infrastructure Cybersecurity” executive order issued in February of this year. The NIST document states “The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk.” A spokesperson for NIST said the document is a discussion draft ahead of NIST’s upcoming meeting in September where officials will meet with industry to discuss cybersecurity and help shape the forthcoming framework. [FCW] [Federal Times] [PCWorld] [NIST.gov]

US – Documents Reveal U.S. Launched 231 Offensive Cyber Operations in 2011

Classified budget documents released by Edward Snowden to the Washington Post reveal that the U.S. government launched 231 offensive cyber operations in 2011. The documents provide details of a budget aimed at breaking into foreign networks so that they can be put under the control of the U.S. The top countries targeted are China, Russia, Iran and North Korea. The documents outline that the NSA develops most of its software, but that it has devoted US$25.2 million for the “additional covert purchases of software vulnerabilities” from private research companies. According to an emailed statement from the NSA to the Washington Post, “The Department of Defense does engage” in computer network exploitation but “The department does not engage in economic espionage in any domain, including cyber.” [Washington Post] [Atlantic Council] [Net-Security] [WIRED]

WW – Survey Confirms Woeful State of Application Security

In its “Current State of Application Security Report” the Ponemon Institute confirms that most organizations surveyed have very lax application security. The survey reveals that 90% of all security vulnerabilities are at the application layer, yet only 20% of IT security spending is directed at this layer. The bulk of the security budget, the remaining 80%, focuses on networks and endpoint systems. The survey also reveals a serious disconnect between what senior management believes to be in place in relation to application security and what technical staff say is actually in place. Of the senior executives interviewed for the report, 71% believed that application security training is available and up to date. When asked the same question, only 20% of technical staff agreed. Speaking about the results, Larry Ponemon, founder of the Ponemon Institute, said “Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications”. [InfoSecurity] [Net-Security]

US – FBI and DHS Concerned About Android Vulnerabilities

According to an unclassified US government document, the FBI and the Department of Homeland Security (DHS) are concerned about security flaws in the Android operating system. Specifically, the document outlines concerns about threats faced by law enforcement officers and officials who are using devices running older versions of the operating system. The document says, “Android is the world’s most widely used mobile operating system and continues to be a primary target for malware attacks due to its open source architecture.” It also offers mitigation advice for certain types of threats. [CNET] [PublicIntelligence]

US – How Did Snowden Access All That Data?

The US government is having difficulty figuring out exactly what data Edward Snowden took while working as a contractor at the NSA, because Snowden was careful to hide his digital footprints by deleting or bypassing electronic logs. That an administrator could erase or sidestep the audit trail so easily points to a structural weakness in the data systems: logs that the people being monitored can alter provide no reliable record of what they did. It also appears to refute assurances from the government that NSA surveillance programs are not subject to abuse because they are so tightly protected. [NBC] [ZDNet]
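The weakness described above is that the audit trail lived where the insider could reach it. The usual countermeasure is a tamper-evident log: each entry carries a hash that also covers the previous entry, and the latest head hash is shipped somewhere the administrator cannot write (a separate collector or a second team). The block below is an added example, not anything from the article or from the NSA’s systems; the access events are constructed. It shows that deleting an entry, rewriting one, or truncating the tail is caught by a verifier holding only the head hash. The caveat: this detects tampering after the fact; it does nothing if logging was bypassed entirely, which the article says also happened.

```python
"""Tamper-evident (hash-chained) audit log. Added example with constructed data.

Each entry's hash covers its sequence number, its record and the previous entry's hash,
so deleting, editing or truncating entries is detectable by anyone who holds the
latest head hash, provided that hash is stored out of the insider's reach.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, seq, record):
    # Canonical JSON so that the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "record": record, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, record):
    """Append record to log (a list of entries) and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "prev": prev,
             "hash": _digest(prev, seq, record)}
    log.append(entry)
    return entry["hash"]


def verify(log, expected_head):
    """Return (True, None) if the chain is intact and ends at expected_head,
    otherwise (False, position) where position is the first bad index
    (len(log) means the chain is valid but shorter than expected)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or _digest(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != expected_head:
        return False, len(log)
    return True, None


def demo():
    """Build a small log, then try the three things an insider might do to it."""
    log = []
    events = [  # constructed access events, not real data
        {"user": "analyst1", "action": "query", "target": "db-7"},
        {"user": "contractor9", "action": "export", "target": "share-3"},
        {"user": "analyst2", "action": "query", "target": "db-7"},
    ]
    head = None
    for ev in events:
        head = append(log, ev)  # in practice: ship `head` to a write-once collector

    deleted = [e for e in log if e["record"]["user"] != "contractor9"]  # removes own row
    truncated = log[:2]                                                   # drops the tail
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "query"                               # rewrites history

    return {
        "intact": verify(log, head),
        "deleted": verify(deleted, head),
        "truncated": verify(truncated, head),
        "edited": verify(edited, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The verifier only needs `head`; everything else it recomputes. Anyone who can both rewrite the log and replace the stored head can still cover their tracks, so the head hash belongs on a system with a different administrator.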

Smart Cards

US – Retailers’ Top Concerns are Compliance and Security Vulnerabilities

A report assessing computer security for retailers and retail processing systems has identified compliance with PCI DSS as a major concern. Many of those surveyed stated that the amount and variety of store systems they employ makes it increasingly difficult to manage vulnerabilities across all those platforms. While many of those surveyed showed a clear understanding of PCI compliance, they highlighted that the challenge is ensuring all these systems comply with PCI. On average only 22% of those surveyed said they trusted the manufacturers of these systems to provide security. [Yahoo] [Net-Security]


US – Skepticism Over NSA Review Board; Massive “Black” Budget Revealed

Opinion is streaming in surrounding U.S. President Barack Obama’s creation of an independent board to investigate the NSA’s surveillance operations, and much of it is highly critical. Focus is generally on Obama’s promise that the experts on the panel would be “outsiders” and commenters’ view that the members of the panel are anything but—save Peter Swire. Also, The Washington Post has major revelations derived from a leaked copy of the U.S. intelligence community’s “black budget.” Some revelations:
  • The CIA’s budget, at $14.7 billion, is 50% larger than the NSA’s.
  • The intelligence community was already worried about employees of contractors having too much access and had plans to reinvestigate at least 4,000 people with high-level security clearances this year.
  • The CIA and NSA already are hacking into foreign computer networks to steal information and sabotage enemy states.
  • Counterterrorism plans account for one third of the entire intelligence spend.
[The Privacy Advisor]

US – Leaked NSA Audit Reveals Thousands of Privacy Violations

The National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. This roundup for The Privacy Advisor brings together thoughts from former DHS CPO Mary Ellen Callahan, the leaked documents, government responses—including from the NSA and Sen. Dianne Feinstein (D-CA)—as well as reported comments from Reggie B. Walton, chief judge of the FISA court, who said the court is limited in its government oversight. Additionally, in a letter to the EU’s justice commissioner, the Article 29 Working Party’s head explores investigating whether EU data protection law has been violated. [The Washington Post]

US – Talks on Surveillance Transparency Break Down

In June of this year both Microsoft and Google filed lawsuits against the U.S. government to allow them to publish more details about the surveillance requests they receive from U.S. government agencies.

However, negotiations between the two companies and U.S. government representatives broke down leading to Microsoft and Google moving forward with their lawsuits. In a blog post on Microsoft’s website, Microsoft’s General Counsel Brad Smith said “We both remain concerned with the Government’s continued unwillingness to permit us to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders. We believe we have a clear right under the U.S. Constitution to share more information with the public.” [Computer Weekly] [CIO.com] [TechNet]

US – School District to Monitor Students’ Social Media Posts

A California school district has hired a company to monitor and analyze students’ public social media posts. Aiming to intervene when students are in danger related to cyberbullying, substance abuse or despair, among other risks, the school will receive a daily report of student posts on sites such as Facebook, Instagram, YouTube and Twitter from company Geo Listening. The school district’s superintendent said the program means another opportunity to keep kids safe at all times, but some parents have concerns that the program is “big brother-ish.” [Los Angeles Times] [Privacy Advisor] See also: [Toronto schools won’t send ‘fat letters’ home]

US – State Board of Education Adds Student Data Privacy Provision

The Idaho State Board of Education Aug. 15 approved an addition to existing policy to further protect student identifiable data and ensure the privacy of all data is held to the highest standard, said Marilyn Whitney, spokesperson for the board. The Idaho Data Management Council, established in 2011 and overseen by the board, makes recommendations on the oversight and development of Idaho’s Statewide Longitudinal Data System (SLDS) and oversees the creation, maintenance and use of that system. The intent of the SLDS is to provide more and better information to Idaho education leaders, policymakers, students, parents and taxpayers to help inform decision making. The SLDS is an important tool for gathering, analyzing, and reporting progress toward the state’s education goals. The action added to the current policy regarding data protection by stipulating “the privacy of all student level data that is collected by the SLDS will be protected. A list of all data fields (but not the data within the fields) collected by the SLDS will be publicly available. Only student identifiable data that is required by law will be shared with the federal government,” Soltman said. [Source]

Telecom / TV

US – Telecoms Want FTC as Regulator

The biggest U.S. cable and telecommunications companies are lobbying for a relaxation of privacy rules to allow them to sell data on customers’ telephone use. The companies want to be regulated more like private companies such as Google and Facebook rather than public utilities, arguing the regulatory landscape hasn’t kept pace with technological advances. The change, which would require new legislation, would transfer oversight of the companies from the Federal Communications Commission to the FTC. FTC Privacy and Identity Protection Associate Director Maneesha Mithal supports the shift, saying current law seems “gerrymandered to have a carve-out on mobile.” Not everyone agrees. [Financial Times]

US – Gov’t Wants Court to OK Warrantless Cellphone Searches

The Obama administration has asked the Supreme Court to rule that police are free to search the contents of an arrested individual’s cellphone without a warrant. A First Circuit Court kept intact a ruling that searches are unconstitutional, but the administration wants the decision overturned, arguing that “police have long had the authority, without a warrant, to search items that are found on a person whom they arrest” and that creating exceptions on an “item-by-item” basis would complicate police enforcement. [SCOTUSblog]

US Government Programs

US – NSA Gathered E-mails Prior to FISA Court-Ordered Revision

A newly declassified Foreign Intelligence Surveillance Court (FISC) opinion from 2011 details the NSA’s collection of domestic communications before the court ordered changes to the program. The 85-page opinion, released by U.S. intelligence officials, states that the NSA estimated the agency had collected as many as 56,000 “wholly domestic” communications per year. In the opinion, FISC Chief Judge John D. Bates wrote, “For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court has been led to believe,” adding in a footnote, “The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” [The Washington Post]

US – NSA Paid Millions for Tech Companies’ Compliance with PRISM

Although major US technology companies have denied their knowing participation in the NSA’s surveillance program known as PRISM, recently disclosed documents show that the NSA footed the bill for the companies’ compliance to the tune of millions of dollars. [ZDNet]

US – NSA Allegedly Spied on UN offices and EU Embassies

The latest revelations from Edward Snowden, which were published in the German magazine Der Spiegel, claim the NSA spied on the offices of the UN and also EU embassies. The article claims the NSA not only breached the security of the EU embassies in Washington and New York but also the VPN between them. The article also outlines that while in the networks of the EU embassies, the NSA detected attacks allegedly originating from China and were able to hack back into the Chinese systems. The revelations have caused further outrage amongst EU countries, especially in light of the recent trade negotiations between the US and the EU. [Spiegel] [InfoSecurity]

US – PCLOB to U.S. Intelligence: Update Data-Gathering Guidelines Now

News that NSA analysts knowingly violated surveillance authority over the past decade, and were in fact disciplined for it, is just the latest information drawing attention to U.S. intelligence data-gathering activities. That scrutiny now looks to be leading to active changes. In its first major missive since its resurrection earlier this year, the Privacy and Civil Liberties Oversight Board has sent a letter to U.S. Attorney General Eric Holder and Director of National Intelligence James Clapper telling them the board believes that “key policies and procedures addressing privacy and civil liberties should be kept up to date to take into account new developments including technological advancements.” We roundup this news, a new agreement Germany would like to iron out with the Obama Administration and why the NSA might be a topic at enormous music and tech festival SXSW. [Privacy Advisor]

US – Drug Agents Grab More Data than NSA; ‘Profound Privacy Concerns’

When it comes to subpoenaing telephone records, U.S. drug agents may take the trophy from the National

New information revealed by The New York Times on a counterdrug program called The Hemisphere Project shows the federal government has been paying the telecommunications company AT&T to task workers on missions for the Drug Enforcement Administration and for detectives who work at local law enforcement levels. The phone workers’ job: to give law enforcement telephone records and related data that dates back to 1987. The NSA, meanwhile, only stores telephone data for five years, and that data is confined to the telephone numbers, the time of call and the duration of call. The Hemisphere Project sweeps in every call that travels through an AT&T switch point — not just every call placed by an AT&T customer. The program falls under the purview of the White House Office of National Drug Control Policy, The Times said. The Obama administration said not to worry — that the telephone data is stored only by AT&T, not the government, Fox News said. The government can only access the information via “administrative subpoenas” from the DEA, the White House said. The American Civil Liberties Union, meanwhile, is outraged. The Hemisphere Project raises “profound privacy concerns,” said Jameel Jaffer, deputy director of the ACLU. “I’d speculate that one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts,” he said, Fox News reported. [Source]

US – DOC’s Cameron Kerry Tries to Reassure Europe Over NSA Spying

As he prepares to leave the Department of Commerce, General Counsel Cameron Kerry gave a speech Wednesday at the German Marshall Fund of the United States aimed to reassure European officials that the NSA is not violating their privacy rights. Kerry said it would be a sad outcome if the NSA disclosures led to “Internet policy-making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located.” [The Hill]

US – Facebook Releases First Transparency Report

In its first ever transparency report, Facebook revealed that for the first six months of 2013 it received 25,000 requests from governments about Facebook users. Up to half of the requests came from US government agencies. Colin Stretch, Facebook’s general counsel, revealed that many of the requests related to criminal cases. The information requested in most cases related to basic subscriber information, such as name and length of membership. In other cases the requests looked for additional information such as IP addresses or account content. Facebook also revealed that it did not respond to every request saying that it responded to 79% of the requests from the US government. [ComputerWorld] [InfoSecurity] [Facebook]

US Legislation

US – Gov. Signs Bill to Regulate Law Enforcement Drone Use

Illinois Gov. Pat Quinn has signed a bill that will regulate law enforcement’s use of drones. State Sen. Daniel Biss (D-Ninth District) sponsored the bill and said it helps to maintain a reasonable expectation of privacy, the report states. The American Civil Liberties Union supports the bill, calling it reasonable. The bill includes exceptions for when the Department of Homeland Security decides surveillance is necessary to prevent a terrorist attack. [The Republic]

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago) means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and prospective employees, making the state the 12th to pass such a law. The terms provide exceptions for certain law enforcement-related agencies and allow employers to implement and enforce policies on company-issued devices, accounts or services; conduct investigations; and comply with requirements of the law. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – Advocacy Groups Oppose $8.5M Settlement

Advocacy groups including the Electronic Privacy Information Center, Consumer Watchdog, Center for Digital Democracy, Patient Privacy Rights and Privacy Rights Clearinghouse are opposing Google’s settlement in a privacy lawsuit, writing to U.S. District Court Judge Edward Davila that the donation of $8.5 million to nonprofit groups and schools should be rejected. While the groups cite several reasons, “the most significant is that the deal allows Google to continue engaging in the same activity that led to the lawsuit—leaking the names of people who use its search engine,” the report states, noting, “The only difference for Google is that the deal requires it to revise a section of its privacy policy.” [Media Post Blogs]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register, slated to take effect by October 1. [GovInfoSecurity]

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a third-party audit every two years for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [FTC press release]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [Wired]

US – State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing. [Stateline]

Workplace Privacy

CA – Privacy Watchdog Says Companies Allowed to Track Employees with GPS

Do you like the idea of your employer being able to track your every movement via GPS? Probably not. But an adjudicator with the Office of the Information and Privacy Commissioner says that, under certain circumstances, it’s reasonable for a company to monitor employees using GPS technology. Members of the International Union of Elevator Constructors complained that ThyssenKrupp Elevator Ltd. and Kone Inc. were tracking employees via GPS, which they argued was an illegal intrusion into their personal privacy. But BC’s privacy watchdog says it’s reasonable for companies to use GPS technology to ensure workers are where they say they are, to manage staff, and/or to confirm billing. ThyssenKrupp attaches GPS devices to work vehicles, while Kone goes so far as issuing employees GPS-enabled smartphones. The only concern the Office of the Information and Privacy Commissioner had was that ThyssenKrupp did not provide adequate notice to workers regarding GPS tracking. The company has been ordered to stop using GPS on employees until it informs its staff properly. [Source] See also: [How Surveillance Changes Behavior: A Restaurant Workers Case Study]

US – Web Privacy Bill Moving Forward In Wisconsin

A proposal that would make it illegal for Wisconsin employers to ask workers or job applicants to turn over their passwords to social media accounts such as Facebook is moving forward in the Legislature. A Senate committee has scheduled a hearing on the bill, after an Assembly committee heard the measure in May. The bill has broad bipartisan support and it could be taken up by the full Legislature as early as next month. The movement to pass such laws is gaining steam across the country as employers have asked for employees’ user names and passwords to personal accounts. Some employers argue they need that access to protect proprietary information or trade secrets or to comply with federal financial regulations. But others see it as a blatant invasion of employee privacy. “It’s not something that’s happened a lot,” said Sen. Glenn Grothman, sponsor of the bill and chairman of the Senate Judiciary Committee that is holding Tuesday’s hearing. He said the measure was designed to prevent “a busybody boss or busybody college administrator, or landlord for that matter, from looking at your private account.” [Source]

AU – AAMI Customers Use Privacy Breach in Their Favour

The blind carbon copy (BCC) button on emails exists for a very good reason. Unfortunately one of AAMI’s managers failed to use it the day she sent a message to 110 private addresses. Even worse than releasing private emails, the message went to all the people with ongoing disputes against AAMI with the Financial Ombudsman Service. Now the email has accidentally united a group of people, already very unhappy with one of Australia’s largest insurers, who are now exploring the possibility of launching a class action. AAMI spokesman Reuben Aitchison said the email from a customer relations manager was a “simple but unfortunate human error involving a small number of customers. Email addresses were inadvertently placed in the ‘To’ field of the email, rather than in the ‘BCC’ field. As soon as we realised our error, we contacted each affected customer to apologise, explain what happened and assure them that no other personal information was revealed.” Mr Aitchison said AAMI, owned by Suncorp, has provided further training to the staff member and used it as a reminder for the rest of the company about email protocols. [Source]
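Training is the weakest control for this failure mode; a mail gateway or send-hook that refuses to let many unrelated external addresses leave in To/Cc is cheaper and does not depend on anyone remembering. The block below is an added example, not AAMI’s or Suncorp’s code: it inspects an outbound message, and when the visible external recipients exceed a threshold it moves them to Bcc and addresses the visible copy to the sender. The internal domain `example-insurer.test`, the threshold `MAX_VISIBLE_EXTERNAL` and the sample addresses are assumptions constructed for the example.

```python
"""Outbound-mail guard against the mass To/Cc disclosure described above.

Added example with constructed data. A message that exposes more than
MAX_VISIBLE_EXTERNAL external addresses in To/Cc is rewritten: external
recipients move to Bcc and the visible To becomes the sender. The domain
and threshold are assumptions, not any real organisation's policy.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example-insurer.test"}  # assumption: the organisation's own domains
MAX_VISIBLE_EXTERNAL = 1                     # assumption: one outside party may be visible


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _visible_pairs(msg):
    # To and Cc are seen by every recipient; Bcc is not.
    return getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def visible_external_recipients(msg):
    """External addresses that every recipient of msg would see."""
    return [addr.lower() for _, addr in _visible_pairs(msg)
            if addr and _domain(addr) not in INTERNAL_DOMAINS]


def enforce_bcc(msg):
    """Return ("pass", msg) or ("rewritten", fixed_copy); never mutates msg."""
    external = visible_external_recipients(msg)
    if len(external) <= MAX_VISIBLE_EXTERNAL:
        return "pass", msg

    # Work on a parsed copy so the caller's object is untouched.
    fixed = message_from_string(msg.as_string(), policy=default)
    internal_visible = [addr for _, addr in _visible_pairs(msg)
                        if addr and _domain(addr) in INTERNAL_DOMAINS]
    del fixed["To"]
    del fixed["Cc"]
    fixed["To"] = str(msg["From"])           # sender gets the visible copy
    if internal_visible:
        fixed["Cc"] = ", ".join(internal_visible)
    fixed["Bcc"] = ", ".join(external)
    # Fail closed: the rewrite must itself satisfy the policy.
    assert not visible_external_recipients(fixed)
    return "rewritten", fixed


def build_message(sender, to, cc=(), subject="Your dispute"):
    """Helper to construct a test message."""
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content("Constructed body.")
    return msg


def demo():
    sender = "relations@example-insurer.test"
    customers = [f"customer{i:03d}@example.net" for i in range(1, 6)]  # constructed
    mass = build_message(sender, customers)                             # the AAMI mistake
    one = build_message(sender, [customers[0]],
                        cc=["colleague@example-insurer.test"])          # legitimate mail
    action_mass, fixed = enforce_bcc(mass)
    action_one, _ = enforce_bcc(one)
    return {
        "mass_action": action_mass,
        "mass_visible_external": visible_external_recipients(fixed),
        "mass_bcc": sorted(a for _, a in getaddresses(fixed.get_all("Bcc", []))),
        "one_action": action_one,
        "original_untouched": visible_external_recipients(mass),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Whether to rewrite silently or bounce the message back to the sender is a policy choice; bouncing is safer when the recipients were meant to see each other, rewriting is safer when the sender was about to disclose a list of disputants.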



