16-30 September 2013


US – Homeland Security Testing Facial Recognition At Hockey Game

The Department of Homeland Security will test facial recognition software capabilities at a September 21 hockey game in the state of Washington. The Tri-Cities Toyota Center can seat 6,000 fans. Twenty specific faces will be sought by the technology, called the Biometric Optical Surveillance System (BOSS). A privacy impact assessment in 2012 found the technology was capable of capturing images of an individual from 50 to 100 meters away and can be set up to track an individual as he or she moves. Fans will be allowed to opt out and sit in an area without cameras; no names will be collected, and only government researchers will see the images, the report states. [Computerworld]

WW – Facedeals to Use Facial Recognition for Targeted On-Site Advertising

Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—“ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal? [MarketingLand]

US – Franken Wants Answers on Fingerprint Passwords

Sen. Al Franken (D-MN) is concerned about the Touch ID fingerprint sensor on Apple’s latest iPhone, the 5s, which lets a fingerprint stand in for the passcode. In a letter to Apple CEO Tim Cook, Franken wrote, “Passwords are secret and dynamic; fingerprints are public and permanent … If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints.” Franken asked Cook to answer questions on how fingerprint data will be protected and with which third parties it may be shared. Meanwhile, a group of hackers in Germany say they have successfully bypassed the fingerprint sensor. [Full Story]


CA – OPC Encourages Parliament To Review PIPEDA

With a new parliamentary session scheduled to begin in October, Sébastien Gariépy, spokesman for Industry Minister James Moore, has said “he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.” An Office of the Privacy Commissioner spokesman noted, “Much has changed as the years have passed, and the commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches. Our office would again encourage parliamentarians to proceed with a second review of PIPEDA.” [Bloomberg BNA] SEE ALSO: [Stoddart: PIPEDA “Really Doesn’t Do Anything”]

CA – Resurfacing of Photo Highlights Lack of Control

A photo of a deceased teen girl turned up in third-party dating ads on Facebook, highlighting “how little control anyone has over any image once it gets out into the Internet sphere,” says technology and law Prof. Robert Currie. “It really seems to me to be an unfortunate accident that is causing a lot of grief … But it’s just the kind of thing that is going to happen,” says Currie. The company posting the ad used an image scraper to get the image, according to its administrator. Facebook has banned the company, saying the ads are a “gross violation” of its policies. [The Canadian Press]

CA – Advertisers Offering Consumers Choice

The Digital Advertising Alliance of Canada (DAAC) has announced a program to allow consumers “to control whether they want to receive targeted advertising messages.” Canadians will soon begin to see an “Ad Choices” icon in this offshoot of a movement that began in the U.S. and later spread to Europe. The DAAC hopes to educate consumers about how they are targeted, while the Office of the Privacy Commissioner has said it is “pleased that the advertising industry is taking action on this issue … the use of online behavioural advertising has grown dramatically and we are concerned that Canadians’ privacy rights are not always being respected.” [The Globe and Mail]


US – Study: Consumers Favor Companies That Let Them Opt Out

A recent TRUSTe study has found that 62% of consumers will do more business with a company that gives them the option to opt out of online behavioral advertising. The study, which polled 1,171 U.S. Internet users, also found that 53% of consumers are more willing to click on an ad that gives them the option to opt out and that users feel more positive about the business behind an ad if the Digital Advertising Alliance’s AdChoices icon is displayed, indicating a growing awareness of the tool. [TRUSTe Consumer Data Report]

US – Survey Results Indicate Companies Should Compete on Privacy

A survey shows “40% of companies use customer information collected online for targeting purposes and 88.5% of chief marketing officers (CMOs) expect this practice to increase over time.” Another report suggests data hoarding can be a drag on business, presenting dangers including potential legal issues surrounding the requirements to protect the data a company possesses. The CMO study indicates marketers “have very low levels of concern about how the use of online customer data infringes upon privacy.” Considering this in the context of a Pew survey where 86% of respondents indicated taking “steps to remove or mask their digital footprints,” the report suggests companies should compete on privacy. [Forbes]

WW – The Privacy Paradox for Bank Loyalty Programs

A recent survey of 6,000 individuals belonging to loyalty card programs across the U.S. queried respondents to classify certain types of targeted marketing as “cool and exciting” or “creepy and weird.” Respondents to the Maritz Loyalty Marketing survey on average enrolled in 7.4 loyalty programs, with 1.8 connected to a credit or debit card. Card program categories included retail, grocery, hotel, airline, entertainment and financial services. Respondents over the age of 50 tended to get more “creeped out” by use of their personal data than younger individuals even when special benefits were transmitted. The marketing function that received the highest “creepy” rating stemmed from reviewing Facebook posts of friends to determine rewards eligibility. [American Banker]

US – Acxiom to Create ‘Master Profiles’ Tying Offline and Online Data

Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. [Financial Times]


US – DOE Now Says July Breach Affected 53,000 People

The US Department of Energy (DOE) has updated information about a July data breach that compromised employees’ personally identifiable information. DOE now says that the breach affects 53,000 current and former employees, contractors, and dependents. The information compromised includes names, Social Security numbers (SSNs) and birth dates. The attacker or attackers exploited a known vulnerability in an unpatched ColdFusion system called DOEInfo. The department’s investigation indicates that the theft of the personal information “might have been the primary purpose of the attack.” DOE will notify all affected individuals within the next two weeks. [InformationWeek][DOE Cyber Incident Information]


WW – Email Surveillance Could Reveal Journalists’ Sources, Expert Claims

Phil Zimmermann, creator of the email encryption software PGP, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” PGP encrypts only the message body; the sender, recipients, timestamps and subject line travel in the clear, which is what makes header collection so revealing. These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine. [Full Story]

US – App Maps Users’ Lives Via Inbox Scanning

A group of MIT researchers has built an app that visualizes users’ social lives by looking at their e-mail inboxes. Immersion never reads message bodies; it uses only timestamps and the To, From and CC fields to draw a map of the user’s social connections. It offers users a look at Big Data and the “digital exhaust they’re continually leaving behind,” said MIT’s Cesar Hidalgo, adding it’s a particularly useful perspective following revelations of NSA surveillance measures. The app does allow users to delete data upon logout. “If I am able to withdraw my money from my bank account, I should be able to withdraw my data from my e-mail provider,” Hidalgo said. [WIRED]
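To make concrete what Zimmermann’s metadata warning and the Immersion approach have in common, here is an added example (not Immersion’s code, and not part of the WIRED or Guardian reports) that rebuilds a social graph from e-mail headers alone. The mailbox, names and addresses are constructed for the demo; it reads only From, To, Cc and Date and never touches a body, which is exactly the information an encrypted-body scheme like PGP leaves exposed.

```python
"""Rebuild a user's social graph from e-mail headers alone, ignoring message bodies.

Added example, not code from MIT's Immersion. The mailbox below is constructed
for the demo; the names and addresses are made up.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
from itertools import combinations

# Constructed sample mailbox: three header-only messages separated by blank lines.
SAMPLE_MBOX = """\
From: alice@example.org
To: bob@example.org, carol@example.org
Cc: dave@example.org
Date: Mon, 16 Sep 2013 09:12:00 +0000
Subject: lunch

From: bob@example.org
To: alice@example.org
Date: Tue, 17 Sep 2013 18:40:00 +0000
Subject: re: lunch

From: carol@example.org
To: alice@example.org
Cc: bob@example.org
Date: Wed, 02 Oct 2013 07:05:00 +0000
Subject: slides
"""


def split_mbox(text):
    """Parse each blank-line-separated chunk into a Message (headers only)."""
    return [message_from_string(chunk) for chunk in text.strip().split("\n\n")]


def participants(msg):
    """Every address that saw the message: the sender plus all To/Cc recipients."""
    raw = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(raw) if addr})


def build_graph(messages):
    """Undirected edge weights: how many messages each pair of addresses shared."""
    edges = Counter()
    for msg in messages:
        for a, b in combinations(participants(msg), 2):
            edges[(a, b)] += 1
    return edges


def activity_by_month(messages):
    """Message volume per calendar month, from the Date header alone."""
    months = Counter()
    for msg in messages:
        when = parsedate_to_datetime(msg["Date"])
        months[when.strftime("%Y-%m")] += 1
    return months


def top_contacts(edges, user):
    """Rank one address's contacts by shared-message count, strongest first."""
    weights = Counter()
    for (a, b), count in edges.items():
        if a == user:
            weights[b] += count
        elif b == user:
            weights[a] += count
    return weights.most_common()


if __name__ == "__main__":
    msgs = split_mbox(SAMPLE_MBOX)
    graph = build_graph(msgs)
    for pair, weight in graph.most_common():
        print(f"{pair[0]} -- {pair[1]}: {weight}")
    print("alice's strongest ties:", top_contacts(graph, "alice@example.org"))
    print("activity by month:", dict(activity_by_month(msgs)))
```

The point of the exercise is that the strongest tie (alice and bob, three shared messages) and the timeline fall out of the envelope with no access to content; a provider, or anyone collecting headers upstream, gets the same picture.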

US – Problems Surfacing with Reassigned Yahoo Accounts

Some people who obtained reassigned Yahoo email addresses are receiving personal messages meant for the prior account holder. Some of the messages contain sensitive personal information, such as data about other accounts, emailed receipts, and appointment and travel confirmations. Earlier this year, Yahoo said it would begin reassigning email addresses and Yahoo IDs that had been inactive for more than a year. A company representative said that before reassigning the identifiers, they attempted to contact the account owners in several ways. Yahoo said they would unsubscribe the dormant accounts from newsletters and alerts and notify “merchants, ecommerce sites, financial institutions, social networks, email providers, and other online properties” that the account no longer exists before reassigning the name. [BBC] [CNET] [InformationWeek]

US – Users Sue LinkedIn Over Harvesting of E-Mail Addresses

A new lawsuit against LinkedIn has been filed by four users who claim the professional networking site accessed their e-mails without consent and used the harvested addresses of their contacts to spam non-users with invites to the service. In one claim, the suit alleges LinkedIn is “breaking into” external e-mail accounts pretending to be the user, but no details are offered. In response, LinkedIn has released a blog post refuting the claims. In separate class-action news, a Politics in Minnesota report details the mounting data protection lawsuits being filed against the government after one case resulted in more than $1 million worth of settlements from illegal government access to driver’s license records. [The New York Times ]


US – NSA Defeats Internet Encryption

According to documents leaked by Edward Snowden, the US government has spent more than US $10 billion over four years on the Consolidated Cryptologic Program. The documents also show that the NSA has used its influence to insert encryption weaknesses in currently used standards; used a variety of techniques – including hacking – to acquire cryptographic keys from various technology companies; and in some instances, broke into targeted machines to intercept messages before they were encrypted. [NYTimes] [ArsTechnica]

WW – Google Will Send All Searches Over SSL

Google is now sending all searches over secure sockets layer (SSL). Google has been using SSL to protect signed-in account holders’ searches since 2011. SSL encrypts the connection between the user’s browser and Google, so ISPs, Wi-Fi hotspots and Internet cafes cannot read the queries or results passing through them. The protection covers the content of the exchange only: the search terms and results are encrypted, but the fact that a user connected to Google remains visible to anyone watching the network, through the DNS lookup, the destination IP address and the server name that the browser sends in the clear during the TLS handshake. [SCMagazine]
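As an added example (not from the SC Magazine report) of where that boundary lies, the script below builds a minimal TLS ClientHello for a constructed hostname and parses the server_name (SNI) extension back out of it, which is the field a passive network observer reads to learn which site a client is contacting. Feeding it an application-data record, where the encrypted query actually travels, yields nothing. The ClientHello is assembled by hand here so the example runs offline; the cipher suite and the all-zero random are placeholders.

```python
"""Show what a network observer sees of an HTTPS search: the hostname in the TLS
ClientHello is readable, the query inside the encrypted record is not.

Added example; the ClientHello is constructed in build_client_hello so the
parser can be exercised without a network.
"""
import struct


def build_client_hello(hostname):
    """Construct a minimal TLS 1.0 ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name        # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x01"                                  # client_version (TLS 1.0)
        + bytes(32)                                  # client random (zeros; constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                                # compression methods: [null]
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:        # not a handshake record (0x17 = application data)
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                             # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:
                continue
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(ext_data):
                name_type = ext_data[p]
                name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext_data[p:p + name_len].decode("ascii", "replace")
                p += name_len
    except (IndexError, struct.error):
        return None                                 # truncated or malformed hello
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    print("observer sees hostname:", extract_sni(hello))
    print("application data yields:", extract_sni(b"\x17\x03\x01\x00\x05hello"))
```

Run it and the first line prints the hostname while the second prints None: the query string in the GET request lives inside application-data records and is never visible, but the hostname is, and so is the IP address the record was sent to.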

US – RSA Warns Customers Not to Use Cryptography with NSA Backdoor

RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company’s products, the BSAFE toolkit and Data Protection Manager, use the generator, known as Dual_EC_DRBG, by default. Because the weakness lies in the fixed curve points that define the generator rather than in any implementation bug, there is nothing to patch; RSA recommends that customers using the affected products select a different pseudorandom number generator (PRNG). [ArsTechnica]
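The following is an added example (not code from RSA BSAFE, nor from the SP 800-90A specification) that shows why the choice of points is the whole problem. Dual_EC_DRBG computes its next state as the x-coordinate of s·P and its output as the x-coordinate of s·Q with some top bits dropped. Whoever knows a secret d with P = d·Q can take one truncated output, guess the dropped bits, lift the x-coordinate back to a point ±s·Q, multiply by d to get ±s·P, and read the next state off it; the second output confirms the guess and every later output follows. To stay under a hundred lines the demo runs on secp256k1 rather than the NIST P-256 curve the standard uses, drops 8 bits per output instead of 16 (the attacker’s work grows as 2^dropped), uses plain affine double-and-add, and manufactures its own d; those are the assumptions.

```python
"""Toy instance of the Dual_EC_DRBG backdoor: a party holding d with P = d*Q
recovers the generator's state from two outputs and predicts the rest.

Added example, not RSA BSAFE or SP 800-90A code. Assumptions: secp256k1 instead
of P-256, 8 dropped bits instead of 16, and a trapdoor d constructed here.
"""
import hashlib

# secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over GF(p).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
INF = None  # point at infinity


def add(A, B):
    """Affine point addition on secp256k1 (a = 0)."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF
        lam = (3 * x1 * x1) * pow(2 * y1, -1, p) % p      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, A):
    """Scalar multiplication by double-and-add (not constant-time; demo only)."""
    R = INF
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def lift_x(x):
    """Decompress x to a point (x, y), or None if x is not on the curve."""
    rhs = (pow(x, 3, p) + 7) % p
    y = pow(rhs, (p + 1) // 4, p)          # valid because p = 3 (mod 4)
    return (x, y) if y * y % p == rhs else None


DROP_BITS = 8                               # SP 800-90A drops 16 for P-256
OUT_MASK = (1 << (256 - DROP_BITS)) - 1

Q = (Gx, Gy)
# The trapdoor. Constructed here for the demo; in the standard P and Q are fixed
# constants and whether anyone holds such a d is precisely the open question.
d = int.from_bytes(hashlib.sha256(b"example trapdoor").digest(), "big") % n
P = mul(d, Q)


class DualEC:
    """s <- x(s*P); r <- x(s*Q); emit r with its top DROP_BITS bits removed."""

    def __init__(self, state):
        self.s = state

    def step(self):
        self.s = mul(self.s, P)[0]
        r = mul(self.s, Q)[0]
        return r & OUT_MASK


def recover_state(out1, out2, trapdoor):
    """From two consecutive outputs, return the state that produced out2."""
    for hi in range(1 << DROP_BITS):
        r1 = (hi << (256 - DROP_BITS)) | out1        # guess the dropped bits
        if r1 >= p:
            continue
        R = lift_x(r1)                                # R = +-s1*Q if the guess is right
        if R is None:
            continue
        s2 = mul(trapdoor, R)[0]                      # d*(s1*Q) = s1*P, whose x is the next state
        if (mul(s2, Q)[0] & OUT_MASK) == out2:        # confirm against the second output
            return s2
    return None


if __name__ == "__main__":
    victim = DualEC(0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF)
    o1, o2 = victim.step(), victim.step()
    clone = DualEC(recover_state(o1, o2, d))
    print("next victim output matches prediction:", clone.step() == victim.step())
```

Two observations follow directly from the code. The sign ambiguity in lift_x does not matter, because x(d·(−R)) = x(−d·R) = x(d·R). And nothing in the attack depends on the implementation: a flawless, constant-time BSAFE build is broken just as cleanly, which is why the only remedy is the one RSA gave, switching generators.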

EU Developments

EU – Reports Call for EU Cloud, Student Data Protection

A report commissioned by the European Parliament suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance.” Meanwhile, a SafeGov.org report “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.” [Fierce Government IT]

EU – MEPS: Stop TFTP Agreement in Its Tracks

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended. The demands to halt the Terrorist Finance Tracking Program (TFTP) at a recent hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. “We have no evidence that they have actually been doing this, but they don’t deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future,” said Dutch MEP Sophie in’t Veld, adding she considers the agreement to be “effectively dead.” [PCWorld]

EU – MEPs Hear US Privacy Experts, Whistleblowers And Snowden Statement

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, “not privacy, per se.” Meanwhile, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications. [EuroParl]

EU – Lawmakers Accused of Rushing EU Data Protection Law

“Industrialists and diplomats have accused MEPs of rushing through data protection laws that they say would boost their electoral chances more than Europe’s economies.” At an event in Brussels, policymakers and industry representatives clashed over the EU draft regulation’s timeline, the report states, citing comments by the European Commission’s Paul Nemitz indicating companies that value their customers’ needs will not have issues with the new rules. “If you are operating cross-borders, your life is likely to become easier. Why? Because in the future, we’ll have one law in form of a regulation rather than 28 implementing laws based on a directive and we will have a consistency mechanism,” Nemitz said. [EurActiv]

EU – Dutch IT Trade Org Objects to Proposed Breach Notification Legislation

A trade organization representing IT companies in the Netherlands is objecting to a proposed law in that country requiring technology companies to report security breaches. Nederland ICT says that Dutch companies are already required to report breaches to several organizations and that the new legislation would just create more administrative work. The draft legislation affects select industries that are part of the country’s critical infrastructure and aims to clarify notification requirements for those companies that experience breaches. The government says the bill intends that only severe breaches must be reported, but Nederland ICT says that if the bill becomes law, companies are likely to start reporting all breaches. [ZDNet]

EU – MPs Give Data Harvesters “Green Light”

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament’s commitment to protecting consumer rights.” The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states. [Full Story]

EU – Google and Facebook Face Tougher EU Tax and Privacy Rules

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” [Financial Times]


US – NSA Program Monitors Credit Card Transactions

The U.S. National Security Agency’s (NSA) “Dishfire” program collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84% of NSA financial database Tracfin in September 2011. [Der Spiegel]

US – CFPB Guidance: Fraud Reporting Won’t Breach GLBA

The Consumer Financial Protection Bureau (CFPB) has issued new guidance informing banks it’s their responsibility to report instances of suspected fraud of senior citizens and, according to the CFPB, reporting such exploits will not contravene the Gramm-Leach-Bliley Act. Bank tellers and other financial employees “can be instrumental in reporting such fraud,” said CFPB Director Richard Cordray, because they are familiar with the customers who may be exploited, The Wall Street Journal reports. [Source]


WW – Tech Giants Ask 21 Countries to Release Surveillance Data

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same. [The Hill]

US – Microsoft Releases Data on Government Requests for Information

Microsoft’s most recent Law Enforcement Requests Report details the number of requests for information it received from governments worldwide in the first half of 2013. Based on that number – 37,196 – Microsoft looks to be on track to receive roughly the same number of requests it did in 2012, when it received just over 75,000 requests. The report breaks down the requests by country, and indicates the company’s response to the requests. Microsoft provided non-content user data for 77 percent of the requests, while it provided customer content for 817, or 2.2 percent, of requests. The US government made 7,014 requests affecting 18,809 accounts. The report does not provide information about US national security requests. [ComputerWorld] [ZDNet] [MSFT.com]


US – NIH Seeks Comments on GDS

The National Institutes of Health (NIH) is calling for comments following the publication of its draft Genomic Data Sharing (GDS) policy. The GDS, which applies to all NIH-funded research, “details the need to strip all data of names, Social Security numbers and other identifiers before uploading,” the report states, noting de-identified data is then required to be coded at random to protect privacy. “All data is subject to NIH’s desire for widespread sharing,” according to the report. [FierceBioTechIT]


EU – French Data Protection Agency May Fine Google for Privacy Violations

France’s data protection agency, CNIL, plans to fine Google for failing to comply with that country’s privacy requirements. Google was warned of the fines in June; the company was given three months to amend its privacy policy to clarify its collection and use of user data. The issue centered on Google’s decision to combine 60 services under a unified policy that allows the company to merge data from its different products, such as Gmail, YouTube, and Google+. The concern is that some users may not want their data connected in this way. Google maintains that its current privacy policy respects EU privacy laws. [WashingtonPost] [ComputerWorld] [CNET]

US – Google’s eMail Scanning May Violate Wiretap Law

A US federal judge in California has ruled that a lawsuit brought against Google for violating US wiretap law may move forward. The lawsuit alleges that Google violates the law when it scans email messages. Google maintains that it scans all emails that pass through its servers to check for spam as well as to create user profiles and provide targeted advertising. Google was seeking to have the lawsuit dismissed under a portion of the wiretap law that allows email providers to intercept messages if the action helps the message get delivered or is incidental to the efficient functioning of service. US District Judge Lucy Koh wrote in her decision, “the statutory scheme suggests that Congress did not intend to allow electronic communication service providers unlimited leeway to engage in any interception that would benefit their business models.” [Washington Post] [WIRED]

Health / Medical

US – Obama to Reinforce Privacy in Affordable Healthcare Act

The Obama administration is seeking to bolster privacy protections for Americans signing up for coverage under the Affordable Care Act. To help stem identity theft and fraud and protect personal privacy, the administration plans to launch a toll-free telephone number for reporting fraud incidents and an online verification system. Attorney General Eric Holder met with Department of Health and Human Services Secretary Kathleen Sebelius and FTC Chairwoman Edith Ramirez to discuss the privacy and security implications of the impending law. Concern has also been expressed about counselors—also called navigators—who are set to educate and help Americans enroll in the health exchanges. A House Committee report stated, “There are already reports from across the country that scam artists are attempting to impersonate navigators and assisters to steal credit card information and personally identifiable information in order to take advantage of massive confusion about Obamacare.” [Reuters]

US – Data Privacy Tests Needed, GOP Lawmakers Say

House and Senate Republicans have introduced legislation that would delay enrollment in the healthcare exchanges under the Affordable Care Act until it is confirmed that robust data protection standards are in place. Sen. Orrin Hatch (R-UT), a sponsor of the Trust But Verify Act, says the Government Accountability Office must verify that data privacy safeguards are in place. “It would simply be irresponsible to open the exchanges without adequate safeguards to protect and secure consumers’ personal information,” Hatch said, adding, “While the administration claims that these safeguards exist, there is simply no way to verify these claims absent an independent review.” [The Hill]

US – Grace Period Ends for Updated HIPAA Rule Compliance

As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules’ security and privacy measures, and new restrictions on covered entities’ marketing and sale of personal health information. [SC Magazine]

US – HHS Releases Model HIPAA Privacy Notices

The Office for Civil Rights, in collaboration with the National Coordinator for Health Information Technology, has released three model privacy notices to help providers comply with the Health Insurance Portability and Accountability Act (HIPAA), according to a U.S. Department of Health and Human Services press release. The three new notice of privacy practice models were constructed out of input from “consumers and key stakeholders” and include the recent changes in the HIPAA Omnibus Rule. The three options include notice in the form of a booklet, a layered notice and a text-only version. [HHS]

US – HHS Launches Meaningful Consent Site for Providers

The Department of Health and Human Services (HHS) has launched an online resource to help healthcare providers “effectively engage patients” in choosing how they want their electronic health information shared. The site provides strategies and tools to help educate patients. “As patients become more engaged in their healthcare, it’s vitally important that they understand more about various aspects of their choices when it relates to sharing their health in the electronic health exchange environment,” said the chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology. [HHS]

US – Omnibus Rule Kicks In, Four Compliance Steps for BAs

In light of the implementation date of the HIPAA Final Rule on Privacy and Security, there are four steps that business associates (BAs) need to take to comply with the update. For covered entities, the effects “are mostly incremental because the compliance structure remains unchanged,” but for BAs, the change “raises the risks of noncompliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities,” making them subject to government fines and civil penalties, the report states. Meanwhile, a new study reveals there is increasing confidence in cloud technology among healthcare policy decision-makers. [Government Health IT]

US – OCR’s Rodriguez Says Increased Enforcement Ahead

The Office for Civil Rights Director Leon Rodriguez said there will be increased enforcement of HIPAA regulations, highlighted the importance of appropriately protecting patient privacy and discussed the “what-not-to-dos” regarding healthcare privacy. “Today is a critical day for the Omnibus,” Rodriguez said. “On the one hand, you have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he noted, adding, “But at the same time, you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.” [Government Health IT]

US – US Food and Drug Administration to Regulate Some Medical Apps

The US Food and Drug Administration (FDA) will impose the same regulations on certain mobile medical apps as it does on medical devices. The apps affected are those that perform the same functions as medical devices, like blood pressure monitors. According to the FDA, “If a mobile app is intended for use in performing a medical device function [such as diagnosis, cure, mitigation, treatment, or prevention], it is a medical device, regardless of the platform on which it is run.” Apps that log and track trends would not be subject to regulatory oversight. [NextGov] [FDA Document on Mobile Medical Applications]

US – DEA Cites Third Party Doctrine With Prescription Data Case

The Drug Enforcement Administration (DEA) has submitted an argument in response to an American Civil Liberties Union (ACLU) lawsuit over the privacy of certain medical records. According to the DEA, citizens who share medical records with pharmacies—or any other third party—have “no expectation of privacy” regarding that data. In a blog post, ACLU Attorney Nathan Wessler wrote, “Just because we trust our doctors and pharmacists with our medical information, doesn’t mean the DEA should be able to easily access it too.” [The Verge]

US – Sensor Network to Track Seniors Launched

Lively has launched a product designed to track the activity of seniors living on their own. The system consists of various sensors strategically placed around a home that report movements—such as refrigerator or medicine cabinet doors being opened—to a base station connected to an app. The system aims to let concerned guardians know if individuals are taking their medicine and moving around the house. “This is not ‘Big Brother’ monitoring,” said one of the company’s founders, adding, “Lively’s passive sensing tracks just enough information to interpret meaningful activity that shows how you’re doing without sharing too much.” [TechCrunch]

Horror Stories

US – Underground Identity Theft Site Hacked Data Aggregators

An underground website that trades in identity theft data reportedly gathers information by breaking into computers at major US data aggregators. The site, SSNDOB, sells Social Security numbers (SSNs), birthdates, and other personal data. Network analysis showed that SSNDOB administrators were also operating a botnet that had infiltrated servers at LexisNexis, Dun & Bradstreet, and Kroll Background America. [Krebs] [The Register]

WW – Data Broker Hackers Also Compromised NW3C

Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents. [Krebs on Security]

Identity Issues

US – NIST Awards Grants for Development of Trusted Identity Systems

The US National Institute of Standards and Technology (NIST) has awarded more than US $7 million in grants to five organizations to develop systems for online identity protection and verification. The grants are part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). [Information Week]

AU – Australia Bar-Scanning Bill Raises Red Flags

An Australian bill is being considered that would require patrons of venues in Sydney’s Kings Cross to have their identity scanned and stored to monitor and enforce entrance bans on individuals who have committed serious crimes. The legislation would enforce ID scanning at 35 “high risk” venues and would collect names, dates of birth, addresses and photographs. Australia Privacy Foundation’s Roger Clarke said, “The measure doesn’t only affect the targeted individuals, it represents a serious imposition on all patrons of the venues that the government brings within its scope.” [The Guardian]

Intellectual Property

US – Copyright Attorney Suing Record Label Over Automated Takedown Notice

Harvard Law School professor Lawrence Lessig is suing an Australian record label that attempted to sue him for copyright infringement. The matter involves a lecture given by Lessig that is available on YouTube. The lecture is in fact about the need for copyright law to be adjusted for the Internet. In the lecture, Lessig uses a clip from a song to which the Australian record label holds the rights. However, the company backed down after Lessig invoked the fair use legal doctrine. Lessig then sued the company for initiating a bad-faith lawsuit. Lessig filed the suit because he believes music labels should stop depending on automated systems to detect possible infringements and send takedown notices. [NPR.org]

EU – Spain Approves More Stringent Anti-Piracy Law

Spanish legislators have approved new anti-piracy laws that punish even those who link to pirated content for either “direct or indirect profit.” People found guilty of piracy could face up to six years in prison in aggravated circumstances. [ArsTechnica]

US – MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools

The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California’s elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications firms among its board members. A draft of the program suggests that using other people’s works without permission is worse than copying someone’s answers on a test. Those helping to develop the curriculum stress that it is still in draft form. [WIRED]

US – MPAA Says Search Engines Should Do More to Prevent Piracy

The Motion Picture Association of America (MPAA) has released a report indicating that search engines need to make a more concerted effort to help fight piracy. The report comes just as the Commerce Department is considering ways to help private sector companies fight piracy. The MPAA’s report said that Google’s recent changes to its search algorithm have not had an effect on piracy. [WIRED] [LATimes] [Politico] [MPAA]

US – Netflix Monitors Piracy Sites to Determine Content to Buy

Netflix acknowledged that it tracks activity on known piracy websites to help it decide which movies and television programs to purchase for its online streaming service. Some others in the industry have noted that there can be an upside to piracy. According to the creator of “Breaking Bad,” piracy helped keep the show alive. Initial broadcasts of the show garnered few viewers, but once circulated through piracy, the show gained a following. A Time Warner executive suggested that the same is true of the “Game of Thrones” series. [BBC]

US – AT&T Issues Piracy Warning to Customers

AT&T is warning its customers that if they are found to be engaging in Internet piracy, their Internet access could be severed. The warning, which came in the form of a letter, is part of the company’s implementation of the so-called “six strikes” anti-piracy policy. The letter says the illegal activity “could result in mitigation measures including limitation of Internet access or even suspension or termination.” Several years ago, AT&T reportedly said it would terminate users’ accounts only upon receipt of a court order. [ArsTechnica]

Internet / WWW

WW – Is This the End? DAA Withdraws from W3C Process

In a letter sent to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance (DAA) announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.” Instead, the DAA says it is convening its own DNT process, beginning almost immediately, for evaluating “how browser-based signals can be used meaningfully to address consumer privacy.” That process “will be a more practical use of our resources than to continue to participate at the W3C,” wrote DAA Executive Director Lou Mastria. In this exclusive for The Privacy Advisor, we look at what’s next for the DAA, how the DNT process fell apart and whether legislators and the Federal Trade Commission are about to get involved. [Full Story]

WW – W3C Not Ready to Give Up the Ghost

The World Wide Web Consortium (W3C) has announced the appointment of two new chairs for its Tracking Protection Working Group (TPWG). Carl Cargill, a director at Adobe, and Justin Brookman, from the Center for Democracy & Technology, will join incumbent Matthias Schunter, principal at Intel. This exclusive for The Privacy Advisor explores the new priorities for the W3C’s TPWG and insight from Brookman on what’s next for the multi-stakeholder process. [Full Story]

WW – With DNT, What Next for Policymakers?

In what can be perceived as a rollercoaster week for the World Wide Web Consortium’s Do Not Track (DNT) working group, IAPP VP of Research and Education Omer Tene asks if the appointment of the Center for Democracy & Technology’s Justin Brookman and Adobe’s Carl Cargill can save the process. “Hopefully, all sides will work together to pursue an agreed-upon solution, since an implosion of the process, which seemed inevitable on Tuesday as the Digital Advertising Alliance announced its departure from the group, would cast a long shadow over the prospects for multi-stakeholder resolutions to the burning privacy problems of our time,” he writes. In this post for Privacy Perspectives, Tene explores what’s next for DNT and the policymakers working on such a resolution. [Full Story]

WW – Study: Whois System’s Privacy Controls Being Abused

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused. ICANN is recommending that the Whois system—a pseudo-directory of contact details for domain names—be replaced with one that includes authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information. [ZDNet]

Law Enforcement

CA – Police Pledge Adherence to Privacy Guidelines

Hamilton police have agreed to follow Ontario’s privacy guidelines for the use of video surveillance. The Spectator had previously revealed the police department’s video surveillance program appeared to be “violating provincial guidelines designed to protect the public’s privacy, and this had been the situation for years,” the report states. Deputy Chief Ken Leendertse announced new policies to comply with the provincial guidelines and promised an annual report reviewing the program “and its effectiveness according to the privacy commissioner’s ‘Section 4’ criteria, which deal with demonstrating an ongoing need for surveillance and proving the effectiveness of the tool,” the report states. [The Spectator]

WW – Usage-Based Car Insurance Raises Privacy Concerns

A new study out of the University of Denver reveals that pay-as-you-drive insurance plans may pose a potential privacy risk for drivers. Though insurance companies do not collect location data with these plans, the research found that driving habits, including speed, braking and acceleration, mileage and time of travel have the potential to reveal a detailed portrait of a driver’s movement within a specific time period. According to the research paper, “Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk.” [Source]

US – New Offline Tracking Methods Come to Airports

Recent reports have detailed retailer tracking of shoppers via smartphones and other mobile devices, but the practice has extended to some airports, according to Covington & Burling Partner Nigel Howard in a recent post for InsidePrivacy. The offline tracking systems aim to follow passenger patterns, detail real-time movement of travelers and track retail behavior by using a unique identifier system. Though these systems provide several benefits, Howard writes, “they also raise privacy issues that might not fit neatly into the notice-and-choice framework that—notwithstanding the FTC’s recent efforts—still is the predominant model of privacy protection in the U.S.” [InsidePrivacy]

US – Apple Wants Class-Action Status Denied

Apple says iPhone users suing the company for allegedly allowing app developers to access personal information shouldn’t be able to proceed with a class-action lawsuit. In the case, consumers claim Apple misled them by sharing their devices’ unique identifiers with app developers after promising to protect their personal information. But Apple says consumers haven’t presented “a shred of evidence that even a single app transmitted ‘personal information.’” The company is asking U.S. District Court Judge Lucy Koh to reject the plaintiffs’ request for class-action status. [MediaPost News]

Online Privacy

WW – Google May Ditch ‘Cookies’ As Online Ad Tracker

There are rumours of a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future. [USA TODAY]

US – Industry Reacts to Google Cookie Alternative

The ad industry is reacting to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. [Wall Street Journal]

US – Facebook Hires Privacy Pro as New Deputy Counsel

Facebook has hired Ashlie Beringer, a partner at California firm Gibson Dunn and co-chair of the law firm’s information technology and data privacy practice group, as the company’s new deputy counsel. Beringer will report to Facebook General Counsel Colin Stretch, “who was promoted from deputy to take the social network’s top legal job in June after long-running GC Ted Ullyot left the company.” Beringer will run Facebook’s legal department’s litigation, regulatory and product groups. She will begin at Facebook November 18. [TechCrunch]

US – Court Says Facebook “Like” Is Protected

The Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff who said he was fired for “liking” the Facebook page of a man running for his boss’s position. Chief Judge William Traxler, Jr., said in the ruling, “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the user ‘likes’ something, which is in itself a substantive statement.” However, the report cautions, “The decision may not protect social networkers who press the ‘Like’ button with abandon” as the First Amendment “primarily protects individuals from government action,” one expert notes. [MarketWatch]

US – Tumblr Inks Deal With Analytics Biz

Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.” [TechCrunch]

Other Jurisdictions

AU – New Australian Privacy Principle Guidelines Released for Comment

The second stage of Australian Privacy Principle (APP) guidelines have been released for public comment. APPs one through five were published in August, and this next set addresses “new requirements for agencies in how they use or disclose personal information, undertake direct marketing activities and send data off-shore,” according to Privacy Commissioner Timothy Pilgrim. Noting specific concerns related to APP 8, Pilgrim said, “These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas.” The Office of the Australian Information Commissioner will accept submissions until 21 October. [ComputerWorld]

AU – Commissioner To Release Mobile Guidelines

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday. [IT News Australia]

SG – New Data Protection Guidelines for Singapore

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act—introduced in January and which goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.” [Out-Law]

SA – South African President to Sign Data Protection Bill

The Protection of Personal Information Bill has recently passed in Parliament and will soon be signed into law by the president, report attorneys for Edward Nathan Sonnenbergs. The bill brings South Africa in line with international data protection laws, the report states, granting citizens the right to privacy when it comes to organizations collecting and processing their personal information by mandating compliance with eight conditions, including accountability, purpose specification and security safeguards. [Mondaq]

US – Experian Buys Fraud Detection Firm for $324 Million

Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication. [Reuters]

Privacy (US)

US – FTC Reaches Settlement With Company Over Insecure Webcams

The FTC has reached a settlement with a company whose webcams lack adequate security. Trendnet cameras contain vulnerabilities that allow anyone online to view the devices’ feeds. Under the terms of the settlement, Trendnet may not refer to the cameras as “secure” in marketing materials. Trendnet must notify customers of the security issue, provide help to make the devices more secure, and undergo third-party security audits every two years through 2033. (The incident reported last month in which a stranger hurled obscenities at a Texas couple and their toddler through the webcam they were using as a child monitor involves a device from a different company.) [CNN] [The Register] [BBC] [Washington Post]

US – FTC’s Jessica Rich Lays Out Ambitious Ad Enforcement Agenda

FTC Director of Consumer Protection Jessica Rich delivered remarks to the advertising community in New York City. “The FTC has long had a focus on national advertising,” she said. “We’re by no means finished.” Specifically, Rich noted the agency will step up enforcement in the digital arena, including mobile advertising disclosures. “This will be an area of increased law enforcement in the coming year,” she said. In addition to the “numerous privacy concerns” in the Big Data sphere, Rich said, “The NSA and Snowden incidents have done a lot to raise awareness about the collection of consumer data,” adding, “Consumers should be able to expect basic privacy and security protections.” [AdWeek]

US – FTC Files Complaint Against LabMD for Alleged Data Exposure

The US FTC has filed a complaint against a medical testing laboratory for allegedly exposing the data of more than 9,000 individuals. The complaint alleges that LabMD put the data at risk of theft in two separate incidents. In 2009, patient data were reportedly available on peer-to-peer (P2P) file sharing networks. In 2012, California police found identity thieves had documents from LabMD that contained personal information of at least 500 patients. [SCMagazine] [ArsTechnica] [FTC Press Release] [FTC Complaint Links] See also: [LabMD CEO Fights FTC Complaint, Asks for Standards]

US – GSA Offers Electronic Privacy Refresher

The General Services Administration Center for Excellence in Digital Government has released a memorandum on agencies’ use of social media and the dangers of posting content that contains personally identifiable information (PII). A specialist with the center, Tim Lowden, reminds agencies that they are required by Section 208 of the E-Government Act to conduct privacy impact assessments “when developing or before acquiring or using third-party sites or applications that collect PII.” Meanwhile, a Forbes report examines a recent high-profile case involving social media to question what the right balance is when it comes to protecting privacy while “promoting accountability” online. [FierceGovtIT]

US – Lawsuit Targets JPMorgan Chase & Co. Over Privacy Issues

JPMorgan Chase & Co. is facing a proposed class-action lawsuit accusing it of printing Social Security numbers on the outside of forms mailed to customers telling them of the bank’s efforts to protect their private data. The suit was filed last week in federal court in Chicago, IL, and alleges the bank put customers at risk for identity theft. “Chase even says on its website that providing Social Security numbers to an identity thief is ‘as good as gold,’” said the lawyer who filed the suit. It’s unknown how many customers were affected. [Reuters]

US – Survey: Orgs Lacking Comprehensive Privacy Programs

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011.” While 43% of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90% of organizations do have at least one person responsible for privacy, only 66% have a defined privacy officer role. [CIOOnline]

US – New Online Media Privacy Opinion Issued

According to a recent federal court opinion, “news organizations may be more liable in privacy lawsuits if their reporting is factually incorrect.” The opinion centers on how one gossip website used the plaintiff’s modeling pictures to allegedly publish a false story on the plaintiff, stating the model was a sister of a known celebrity. Senior District Judge Denis R. Hurley filed the opinion in Edme v Internet Brands, Inc. et al and denied a motion to dismiss in the case. Hurley noted that, although the published story “can be considered, for better or worse, a matter of public interest merely because its subject matter involved a celebrity,” the media website in the case reported an “undisputedly false” claim that the plaintiff was a sister of the celebrity, thus losing its newsworthiness. [Inside Privacy]

Privacy Enhancing Technologies (PETs)

WW – Patent-Approved Personalized TV Keeps Privacy in Mind

FourthWall Media has received the go-ahead from the U.S. Patent Office for its broadband device personalization technology. The technology analyzes consumer behaviors but addresses privacy concerns by storing viewers’ profile data only on the consumer’s own television or mobile device, the report states, where it can be used to indicate to targeted advertising technology which ad to run or what content would be preferred. [Rapid TV News]

WW – Box Aims for NSA-Resistant Cloud Security; Customers Hold the Keys

File-sharing service Box is working on a cloud storage solution that would put the encryption keys into the hands of its customers instead of the company. Box cofounder and CEO Aaron Levie said the current architecture of the company resembles that of Google or Microsoft “in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users.” Yet, with some forecasting a $180 billion loss in U.S.-based IT businesses in the wake of the NSA disclosures, the move to provide an “NSA-resistant” service is alluring. Levie said the company is “exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act. [Ars Technica]

US – US Senate Expands Data Privacy Investigation

Sen. Jay Rockefeller (D-WV) has announced he is expanding his investigation of the data broker industry after several companies refused to disclose specific details about their business practices around the collection and processing of consumers’ personal information. Expanding beyond the nine original data broker businesses, Rockefeller said he will investigate 12 additional health, personal finance and family-focused websites. To this point, the Senate investigation has found that data brokers categorize and market consumer dossiers into groups, and in some cases, the categories included names such as “Rural and Barely Making It” and “Ethnic Second City Strugglers.” Rockefeller said, “Regardless of whether such characteristics are positive, negative or erroneous, the process of determining these characterizations is not transparent to the consumer and is beyond the consumer’s control.” [Financial Times]

US – Report Says it’s Too Soon to Professionalize Cybersecurity

According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce’s skills. [NextGov]

US – Judge Says Government Must Declassify More NSA Documents

The Electronic Frontier Foundation (EFF) has announced that a federal judge has ordered the US government to declassify additional NSA-related documents by December 20, 2013. The ruling was made in a lawsuit, Jewel v. NSA, which was initiated in 2008. [ArsTechnica] [EFF.org]

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US – FISA Court Orders Patriot Act Opinions Declassified

The US Foreign Intelligence Surveillance Court (FISC) says it will release some of the legal opinions justifying the government’s wholesale collection of phone data. The FISC has ordered the US government to start declassifying some of its opinions regarding the Patriot Act. The documents will be revealed as a result of a lawsuit brought by the ACLU. [ArsTechnica] [WIRED] [ComputerWorld] [FISC Order]

US – NSA Director Defends Data Gathering Practices to Legislators

NSA Director General Keith Alexander told US legislators that the Foreign Intelligence Surveillance Court (FISC) has not placed an upper limit on the number of phone records the NSA may collect. Alexander said, “I believe it is in the nation’s best interest to put all the phone records into a lock box that we can search when the nation needs to do it.” Alexander and several other intelligence officials, along with members of the Senate Select Committee on Intelligence, were speaking at a committee hearing. At the same hearing, Alexander avoided directly answering a question posed by Senator Ron Wyden (D-Oregon) about whether the agency had used cell phone data to track callers. [ComputerWorld] [Charlotte Observer] Speaking at a cybersecurity summit earlier in the week, Alexander defended NSA data gathering. He also said he is willing to share cyberattack information with private sector organizations. [Washington Post] [ComputerWorld]

US – FISA Court Releases Rationale on Legality of Phone Metadata Collection

The Foreign Intelligence Surveillance Court (FISC) has declassified its rationale that the collection of phone call metadata under the Patriot Act is legitimate. The FISC also noted that no US telecommunication company has ever challenged court orders requiring them to provide bulk telephony metadata. [WIRED] [FISC Opinion] [FISC Rationale on Legality of Metadata Demands]

US – NSA Deploying Security Controls to Prevent More Leaks

The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help the NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to NSA systems will no longer be able to act alone. The NSA is also limiting how employees store data on removable devices. [ArsTechnica]

US – NSA Seeks Civil Liberties and Privacy Officer

The NSA is seeking a Civil Liberties and Privacy Officer to be selected from within the agency’s ranks. The new position will bring together “the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official.” The officer will help NSA “ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies.” [The Register]

US – 20% of Cybersecurity Positions at DHS Directorate Remain Unfilled

According to the US Government Accountability Office (GAO), the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate’s Office of Cybersecurity and Communications has more than a 20 percent vacancy rate for jobs. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries, and the fact that there are no clearly defined skill sets for cybersecurity positions. [GovInfoSecurity]

US – Proposed Legislation Would Amend FISA to Limit Data Collection

US legislators have introduced the Intelligence Oversight and Surveillance Reform Act, which aims to protect people’s privacy without sacrificing security. The proposed bill would amend the Foreign Intelligence Surveillance Act (FISA) by prohibiting bulk gathering of phone records and emails and prohibiting national security letters (NSLs) from being used for bulk collection of data. It would also establish the position of an independent constitutional advocate to “argue against the government when the FISC is considering significant legal and constitutional questions.” [ArsTechnica] [CNET] [SCMagazine]

Telecom / TV

US – Court: Debt Collectors’ Cell Phone Calls Exempt from TCPA

A federal judge in Pennsylvania has ruled the Telephone Consumer Protection Act (TCPA) does not apply to debt-collection calls, even those made to cellular phones. In Roy v. Dell Financial Services, the court relied on an earlier court decision that “all debt-collection circumstances are excluded from the TCPA’s coverage.” The decision conflicts with that of nearly all courts that have examined the issue, the report states. Most have found that calls made using automatic dialing systems violate the TCPA unless “prior express consent” has been given. [insideARM]

US – Vodafone Calls For New Approach to Mobile App Privacy Comms

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry. Vodafone Global Privacy Counsel Kasey Chapelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. “We need to develop short-form, consistent privacy notifications along the same lines as nutrition labeling,” Chapelle said, adding, “Mobile operators can’t play the role that we used to (in terms of protecting mobile users’ privacy) any more as people such as handset manufacturers (Apple for example) get involved (with app stores, etc.).” Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states. [Marketing Week]

US – Reddit, Civil Liberties Groups Renew Push for Email Privacy

A coalition of digital civil liberties groups is making a renewed push for a bill to reform the Electronic Communications Privacy Act. The coalition relaunched a website this week that supports the E-mail Privacy Act, a bill that would require the government to obtain a warrant any time it wants access to e-mails or documents stored in the cloud. “Internet surveillance is not going to be completely solved until we have a warrant requirement for content, until the Fourth Amendment protections apply fully to the Internet,” said Mark Stanley of the Center for Democracy and Technology, one of the groups advocating for the bill. [Mashable]

US Legislation

US – California Governor Approves Online “Eraser Button”

California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an “eraser button.” The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites’ servers. [CNET] [How California Is Shaping Privacy Law]

US – California Gov Signs Tracking Disclosures into Law

California Gov. Jerry Brown has signed into law an amendment to the California Online Privacy Protection Act (CalOPPA) that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, becoming the first state in the U.S. to impose such regulations on operators. As well as requiring operators to inform users about their handling of browser and other DNT mechanisms, the law requires them to disclose whether they allow third parties to access personal information about users’ online behavior over time and on other sites. Operators who fail to comply with CalOPPA will receive a warning and have 30 days to come into compliance “before being deemed in violation of the law and subject to an enforcement action,” the report states. [Hunton & Williams’ Privacy and Information Security Law blog]

US – California Bill Would Extend Employee Social Media Law to Public Sector

The California Senate has passed a bill that would prevent public agencies from accessing employees’ or potential employees’ personal social media accounts except under certain circumstances. While Labor Code 980 already protects the social media accounts of employees and applicants in private-sector organizations, if Gov. Jerry Brown signs this bill, 980 will be amended to include public entities. The state sheriff’s association and probation officers oppose the bill, saying they won’t be able to appropriately screen candidates. [Lexology]

US – Gov. Signs Bill Allowing Kids to Delete Online Pasts

California Gov. Jerry Brown has signed into law a bill that requires online companies and app developers to give minors the ability to remove their online content. The bill is similar to EU proposals for a right to be forgotten. “A minor with a juvenile record can petition the courts to have it expunged when he turns 18,” said an attorney specializing in Internet privacy. “This new law is akin to what’s already out there in traditional law.” While the law only applies to Californians, companies based outside of the state must comply when dealing with California residents. [610KVNU]

US – UPDATE: Minnesota Off the Hook for DPPA Violation

While an employee of the Departments of Public Safety and Natural Resources may still see charges for inappropriately accessing drivers’ data through the state database, a judge has ruled that the state is not responsible for his alleged violations of the Drivers’ Privacy Protection Act (DPPA). The judge based her ruling on the plaintiffs’ failure “to allege that any act by the state defendants violated the federal Drivers’ Privacy Protection Act—specifically, the complaint does not allege the defendants knowingly ‘obtained, disclosed or used’ any of the plaintiffs’ personal information ‘for a purpose not permitted’ by the DPPA.” [Law360]

US – Senators Address NSA Phone Program; Rival Bills Issued

At least two new bills have been introduced in the Senate addressing the National Security Agency (NSA) phone surveillance program. The Senate Intelligence Committee is looking to swiftly pass legislation that would “change but preserve” the recently revealed dragnet program. The bill, backed by Sens. Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA), would require public reports revealing the frequency of NSA access to the call log database, reduce the retention period from five to two years and require the NSA to send the data it searches to the Foreign Intelligence Surveillance Court for review. A rival bill, backed by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), would ban the collection program. [New York Times]

US – Sen. Leahy Aims to Revamp NSA Capabilities

Speaking at Georgetown University on September 24, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to aggressively pursue legislation to curb the National Security Agency’s surveillance powers. Leahy announced he is working together with USA PATRIOT Act author Rep. Jim Sensenbrenner, Jr. (R-WI) and Sen. Mike Lee (R-UT) to craft the new legislation. “I am convinced that the system set up in the 1970s to regulate the surveillance capabilities of our intelligence community is no longer working,” Leahy said, adding, “In my view—and I’ve discussed this with the White House—the Section 215 bulk collection of Americans’ phone records must end.” [The Hill]

Workplace Privacy

UK – Former Barclays Employee Fired, Fined for Accessing Customer Data

A former Barclays Bank employee has been fined GBP 3,360 (US $5,400) for accessing a customer’s data without permission. Jennifer Addo was found to have accessed the customer’s data 22 times between May and August 2011. The incident came to light when the customer noticed that a friend of Addo’s knew things about him that could only be found out by looking at information in the bank’s possession. Barclays terminated Addo’s employment shortly after the customer registered a complaint. [v3.co.uk] [Information Age] [Credit Today] See also: [I Spy With My Corporate Eye: The Employee Services Conundrum]
