17-31 October 2013


CA – Comparing Manitoba’s Privacy Law With Alberta’s

Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states. [Full Story]


WW – Website, Researcher Rate Sites on Practices

A fledgling site is using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—has been thrust into overdrive since the NSA revelations. [Forbes]

US – Study: Consumers Enjoy Personalized Experience

A recent study indicates consumers want to be understood by the businesses with which they interact. In the SAS Institute survey, 71% of respondents said they are in fact concerned about recent news on government surveillance, but 60% said they expect businesses to know their preferences and understand their needs, the report states. In a post for The Wall Street Journal, University of Miami Associate Prof. Robert Plant discusses how consumers can make money off of their own data. Meanwhile, IBM’s Jeff Jonas writes that if a company is going to profit from consumer data, it must at least be transparent about it. [eWeek]

Electronic Records

WW – Researchers Push for More Patient Data Sharing

Two papers published in the New England Journal of Medicine back an international push to get drug companies to share patient-level data from clinical trials. Pharmaceutical industry reformers have been calling on drug companies to release patient data in order to ensure the safety and effectiveness of new drugs. Blowback from the release of certain pharmaceuticals, including Vioxx and Avandia, has revealed the dangers of concealed clinical drug trials, the report states. A group of academics advocating for such transparency said, “The question is not whether, but how these data should be broadly shared.” A Europe-based group of researchers said, “A managed-release environment that allows sharing of patient-level data while ensuring patient privacy would create a level playing field for all stakeholders.” [Milwaukee-Wisconsin Journal Sentinel]

US – Health Privacy Startup May Have Privacy Problem

Forbes reports on medical records startup Practice Fusion—which recently received $134 million in venture capital—and its potential privacy problem. The company offers free patient management services. It also has 75 million records of patients’ health conditions and prescriptions. The data is allegedly de-identified and then becomes available for analysts, pharma companies and market research. It launched a doctor review site in April filled with 30,000 doctor profiles and more than 2 million patient reviews. In some cases, neither the doctors nor patients knew the reviews would be available publicly. Meanwhile, Sen. Edward Markey (D-MA) has called on Walgreens to answer the privacy impact of its new “Well experience” pharmacy model. [Forbes]

US – Working the Kinks Out of the US’s Health Insurance Online Marketplace

President Barack Obama is launching a “tech surge” to address glitches in HealthCare.gov, the online marketplace designed to help people find health insurance under the Affordable Care Act. Improvements that have been implemented since the site’s launch include increasing server capacity to deal with high levels of traffic and allowing people to preview plans without having to fill out a form. [NextGov] [ArsTechnica] [LA Times]


US – Ruling Threatens Internet Privacy, Brief Says

The Electronic Frontier Foundation (EFF) filed a brief arguing that a court order requiring secure e-mail provider Lavabit to hand over its master encryption key undermines the security and privacy of the Internet. Filed in the U.S. Court of Appeals for the Fourth Circuit, the brief contends the order would have allowed the U.S. government to access the personal information of all of Lavabit’s 400,000 users. “This is like trying to hit a nail with a wrecking ball,” the EFF brief stated. Meanwhile, LinkedIn’s Intro service is raising privacy and security concerns. [IDG News Service]

WW – Anonymous VPN Service Shuts Down, Cites Gov’t Intrusion

CryptoSeal Privacy, a service providing anonymous virtual private networks, has shut down the consumer service portion of its business rather than risk U.S. government intervention. The move follows a similar business decision by former e-mail service provider Lavabit. A legal filing in Lavabit’s case has been seen as troubling for CryptoSeal, the report states. CryptoSeal wrote, “Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner … The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service.” [Ars Technica]

WW – E-mail Encryptors Form Dark Mail Alliance

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.” [Forbes]

WW – Windows 8.1 Comes with Automatic Disk Encryption

Microsoft Windows 8.1 ships with automatic device encryption enabled by default, but the feature’s hardware requirements mean that it works only on newer systems. [ArsTechnica] [ArsTechnica] [CNN]

US – US Government Sites Using Expired SSL Certificates

More than 200 US government websites appear to be using expired SSL certificates, putting site visitors at risk of having personal information stolen through man-in-the-middle attacks. Some of the expired certificates may be due, in part, to the government shutdown. According to a study from the University of California, users are likely to click through messages warning of expired certificates. [IT News] [NextGov] [Study of Browser Security Warning Effectiveness]

EU Developments

EU – LIBE Adopts Compromise Amendments; Sends Draft To Council

The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.” [Privacy Advisor] See also: [Has the LIBE Committee Torpedoed the Safe Harbor?]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

EU – Two Years Later, LIBE to Vote on Reg

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strasbourg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.” [Full Story]

UK – Gov’t to Consult on Jail Time for Breaches

The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), Out-Law.com reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states. [Full Story]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [Full Story]

UK – ICO: We Do Not Discriminate

Computing reports on the insistence of the Information Commissioner’s Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion “nobody has been ‘let off’ fines” since the ICO received the power to levy fines up to 500,000 GBP three years ago. “I think there’s certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a pay day loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.” [Full Story]

EU – ECHR Anonymous Posting Decision Sparks Concern

The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, “This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals’ rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states. [Full Story]

EU – France Backs Fines for Sharing with U.S. Gov’t

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens’ trust,” said European Commission President José Manuel Barroso. [The Telegraph]


UK – UK ISPs Ordered to Block More Sites in Bid to Quell Piracy

A UK court has ordered Internet service providers (ISPs) there to block 21 additional websites suspected of encouraging illegal music filesharing. The blocks must be in place by Wednesday, October 30. Earlier orders have called on UK ISPs to block eight other sites, including The Pirate Bay. [BBC]


EU – Parliament To Vote on Suspending SWIFT

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding. [EU Parliament]

US – Are Banks Regularly Violating the GLBA?

Forbes reports on the selling of personal information by the financial industry and new research by Carnegie Mellon University Prof. Lorrie Faith Cranor. She, along with her students, analyzed 3,422 financial institutions to better understand their data-sharing practices and to see whether they comply with the Gramm-Leach-Bliley Act (GLBA). Her research found that practices varied widely—including 27 organizations that violated GLBA regulations altogether, the report states. “There is really no way for a consumer to find the good banks,” Cranor said, “because you would never think to check all the privacy policies.” JP Morgan Chase Director of Public Affairs Steve O’Halloran said, “We post our consumer privacy notice on Chase.com. On this page, you’ll notice that customers can limit information that is shared with affiliates and non-affiliates.” [Forbes]

Health / Medical

US – Tiger Team Uncovers Skepticism of HIPAA Disclosure Rule

As the U.S. Department of Health and Human Services’ Office of Civil Rights prepares to finalize rules for accounting disclosures as part of the HITECH Act, the Privacy and Security Tiger Team (part of the Office of the National Coordinator’s Health IT Policy Committee) is surveying stakeholders, and the stakeholders aren’t thrilled. The disclosure rule allowing patients to ask for a report detailing all internal access to their records is “misguided,” says the American Hospital Association. The Confidentiality Coalition fears “frivolous lawsuits.” The National Association of Chain Drug Stores says there will be “enormous new burdens.” Comments are open through Oct. 25 if you want to chime in. [Government Health IT]

US – Healthcare Breach Case a Boon for Encryption?

A California appeals court ruled that the Board of Regents at the University of California can’t be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. The decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion “introduces risks to beneficiaries’ personal information.” [mHealth News]

Horror Stories

US – Laptop Thefts Result in Medical Breaches

Two laptops containing the personal health information of 729,000 patients were stolen in a breach at California’s AMHC Healthcare. According to medical breach data kept by the U.S. Department of Health & Human Services, the breach is the second largest this year. [FierceHealthIT] Seton Healthcare Family in Texas has also announced a breach involving a laptop theft.

WW – Adobe Breach Affected At Least 38 Million Users

The estimated number of registered Adobe product users affected by a recent breach of that company’s systems has been increased to more than 38 million. The breach was initially disclosed at the beginning of October. At that time, Adobe said that the attackers stole encrypted credit card information of three million customers. In addition to increasing the number of affected users, Adobe also said that the breach appears to have compromised source code for Photoshop. [KrebsOnSecurity]

WW – Breach Roundup…

Meanwhile, the Department of Energy says the number of people affected by a breach resulting in stolen data in July 2013 is more than double the number it initially estimated. A new survey indicates two-thirds of U.S. adults wouldn’t return to a business if their personal data was stolen.

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action. [Bank Info Security]

Hackers broke into database service MongoHQ using the compromised username and password of an administrator. The hackers made off with the data of a “limited number” of users. [eWeek]

In Missouri, Boone Hospital Center has begun notifying 125 patients that an employee working with an affiliated clinic may have accessed their personal information, including birthdates, Social Security numbers and medical diagnoses. [eSecurity Planet]

In Minnesota, Allina Health has started to notify patients that their personal health information was improperly viewed by a certified medical assistant. More than 3,000 patients were affected, though it is not believed the information has been used nefariously. The medical assistant has since been fired.

Insurance company Fidelity Life says a USB stick with sensitive data on about 1,200 clients was stolen from an employee’s car. The data included personal bank account numbers on people who had investments with a recent acquisition, Tower Health and Life.

In South Carolina, about 33,000 residents have enrolled in the state’s new identity theft protection service. Those eligible for protection had their data exposed in last year’s hacking of the state Revenue Department. A new study indicates that of 16 million victims of payment card information breaches in 2012, more than 25 percent were also victims of identity theft. The report found that retailers are the prime targets for payment card breaches, and that’s a trend that doesn’t look to be changing soon.

A recent data breach at Adobe impacted at least 38 million users, the company says. The stolen data was posted last weekend to AnonNews.org. Adobe has been contacting those whose encrypted password information was stolen and urging them to reset their passwords. [KrebsOnSecurity]

Supermarket chain Schnuck Markets has recently agreed to a proposed class-action settlement following a breach involving 2.4 million credit and debit cards earlier this year. The chain will pay each affected customer up to $10 for each card hit with a fraudulent charge and $10 an hour for “up to three hours of documented time spent dealing with the breach.” [eSecurity Planet]

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. Attorneys say the settlement is “groundbreaking” and will likely “serve as a template for other plaintiffs in class actions over data breaches,” the report states. [Law360]

The U.S. Attorney’s Office has charged an alleged hacker in the UK with breaching thousands of computer systems in the U.S. and elsewhere. [Dark Reading]

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said.

Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in California. An employee in the hospital’s records department illegally obtained a patient’s medical file. The employee was subsequently fired. In the same state, the Legal Aid Society of San Mateo County is alerting patients of the burglary of 10 laptops containing personal data. The laptops were used by attorneys helping patients with healthcare services, and the data compromised may have contained medical data and Social Security numbers, HealthITSecurity reports.

In Florida, Broward Health is warning 960 patients about a data breach after a former employee stole their personal information. Wisconsin’s Memorial Hospital of Lafayette County has posted a notice on its website that it mailed 8,000 data breach notification letters after its third-party billing vendor accidentally sent their financial statements to the wrong people. In Virginia, two former nurse’s aides improperly accessed about 3,700 patients’ personal information in an identity theft scam, netting more than $116,000, The Virginian-Pilot reports.

An investigation by the Pittsburgh Tribune-Review has found employees or contractors committed more than 14,000 HIPAA privacy breaches since 2010, iHealthBeat reports. The breaches affected more than 100,000 veterans and more than 500 VA employees.

California’s Monterey County Department of Social Services has recently begun notifying residents that their personal data may have been exposed following access to the department’s computer by unauthorized users overseas.

An IT security vulnerability was found on News Corp’s major metropolitan websites in Australia, The Sydney Morning Herald reports. The details exposed include birthdate, e-mail address, number of children and household income.

PR Newswire is “conducting an extensive investigation” and has notified law enforcement over a breach earlier this year in which hackers broke into its networks, stealing usernames and encrypted passwords. The stolen data was recently found on the same Internet servers housing data stolen in an Adobe Systems breach, Krebs on Security reports, indicating the same party may be responsible for both breaches.

In South Africa, a variant of malware inserted into point-of-sale devices at South African fast-food outlets has cost local banks tens of millions, Mail & Guardian reports.

Following a probe by the UK Information Commissioner’s Office (ICO) into Panasonic UK’s data security policies, the company has agreed to strengthen its data security practices. The ICO will not serve an enforcement notice based on Panasonic’s plans.

Symantec Corp. is asking a federal court in California to toss out a proposed class action. The plaintiff in the case accuses Symantec of concealing a data breach and says the company is now raising “unavailing or scattershot arguments” in its aims to see the case dismissed.

Meanwhile, an article for CFO warns companies should do their due diligence before entering contract negotiations with cloud providers in order to avoid data-breach liability claims.

Identity Issues

US – Cali AG Releases Recommendations on ID Theft

California Attorney General Kamala Harris has released a report, “Medical Identity Theft: Recommendations for the Age of Electronic Medical Records,” that includes guidelines for the healthcare industry and insurers on preventing and remedying medical identity theft. The report focuses on the impact of identity theft on the accuracy of medical records and recommends that healthcare providers implement an identity theft response program, build awareness of the dangers and train staff appropriately, among other recommendations. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said Harris. Accompanying the report is also a guide for consumers. [Report]

US – Mobile Devices to Become Identity Verifiers Thanks to Federal Grants

HID Global and two of its partners have received cybersecurity grants through President Barack Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative. The grants will be used to develop systems that will enable mobile devices to carry credentials for identity verification to improve consumer privacy among other things, the report states. Dubbed the NSTIC Key Team, the companies will enable mobile devices “to be used like smart cards to secure applications and networks for a leading social media company, a healthcare organization and the U.S. Department of Defense.” [Dark Reading]

US – Experian Subsidiary Sold Data to Underground Identity Fraud Site

An underground website that sold data that could be used to commit identity fraud appears to have purchased a significant amount of information from the US credit bureau Experian. The site, Superget.info, sold Social Security numbers (SSNs), driver’s license numbers, and financial data. Some of the data available on the site were obtained from a company called Court Ventures, which Experian acquired in March 2012. Court Ventures “aggregates, prepackages, and distributes public record data.” The data thieves operating Superget pretended to be a US-based private investigator to gain access to the data. [KrebsOnSecurity]

US – Brill to Headline “Reclaim Your Name” Event at NYU

Now that the partial government shutdown is over, FTC Commissioner Julie Brill can focus on her next public speaking event. She will headline NYU-Poly’s third Sloan Cybersecurity Lecture, “Reclaim Your Name: Privacy in the World of Big Data,” to be held October 23, with a speech she promises will be “pretty colorful.” In this exclusive for The Privacy Advisor, Brill previews her talk by saying companies are already responding to her call for data transparency and the ability to correct and suppress. “I look at Acxiom’s AboutTheData website as a response to what I called for,” she said. “It’s not nearly full-blown Reclaim Your Name, but it’s a first step toward providing more transparency to consumers about data collection and use practices.” [Source]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law.” While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [EUObserver]

Intellectual Property

US – MPAA Publishes List of Top Filesharing Sites Around the World

The Motion Picture Association of America (MPAA) has released a report that lists major illegal filesharing sites around the world. Ironically, the MPAA has criticized Google for returning high numbers of filesharing sites in its search results, but now MPAA has provided an organized list of many of those sites. The MPAA report was created to provide the US Trade Representative with the names of “potential Internet and physical notorious markets that exist outside the US.” [WIRED] [MPAA’s Report critical of Google]; [MPAA’s Report on Filesharing Sites]

Internet / WWW

EU – Europe Aims to Lead With the Cloud

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” “Trust can be restored with more transparency and the use of high standards,” the commission said. “A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential.” [Out-Law.com]

US – U.S. Group Lobbying to Prevent Cloud Mining in Europe

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud. [ZDNet]

Law Enforcement

US – City To Tighten Plate-Scanning Retention Limits

In response to an open records request, the Pittsburgh Parking Authority (PPA) will tighten its license plate scanning policy and regularly delete scanned photos from its database. Over the last eight years, the authority has taken millions of photos of parked vehicles and stored the data for up to 30 days in a database that potentially can be used to track a vehicle’s movement around the city, the report states. In a letter, PPA Executive Director David Onorato wrote, “This type of information will no longer be accessible, except with respect to vehicles that have outstanding parking tickets.” The Pennsylvania chapter of the American Civil Liberties Union applauded the move, with one representative saying, “It is really creepy when you can say, ‘You were at the Giant Eagle at such and such a time.’” [Pittsburgh Post-Gazette]

US – Aaron’s Settles FTC Charges That it Enabled Computer Spying

The Federal Trade Commission (FTC) announced that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement. [FTC]


WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, the tracking capabilities of Apple’s new iOS7—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Mozilla Developing GeoLocation Public Data Service

Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” “The data would be provided by cell towers, WiFi and IP addresses,” the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia. [PCWorld]

US – Federal Appeals Court Says Warrant Required for GPS Tracking

The Third US Circuit Court of Appeals has ruled that law enforcement officers must obtain a probable cause warrant before affixing GPS trackers to a suspect’s vehicle. This is the first appeals court ruling since the January 2012 US Supreme Court ruling in United States v. Jones that affixing a GPS device to a suspect’s vehicle constitutes a search under the Fourth Amendment. The justices did not rule on whether the search was unreasonable and thus required a warrant. This recent case, United States v. Katzin, involved a GPS device attached to the vehicle of a suspect in a series of pharmacy robberies. [ComputerWorld] [WIRED]


BA – Bahrain Cabinet Approves Draft Privacy Law

Gulf Daily News reports that during the cabinet’s weekly session, it gave its initial approval to draft legislation that “aims to provide legal protection of personal privacy, which is a fundamental constitutional right.” According to Minister of State for Information Affairs and official government spokeswoman Sameera Rajab, the bill “includes the protection of digital data,” in order to “enhance public confidence in electronic transactions through the preservation and protection of personal data.” The cabinet has referred the bill to the ministerial committee for legal affairs and, according to the report, more details about it will be available after it is discussed in the National Assembly.

Online Privacy

WW – Privacy Advocates, Online Ad Groups Still Doubt Do Not Track Talks

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end. But the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.” [The Hill]

US – DMA Calls for New Privacy Laws; Marketing Questions Persist

The Direct Marketing Association (DMA) is asking Congress “to overhaul privacy laws in order to protect companies’ ability to use data for marketing purposes.” The DMA’s requests include asking Congress “to invalidate state laws ‘that endanger the value of data’ and to prohibit consumers from bringing privacy class-action lawsuits,” the report states. On the subject of direct marketing, a Forbes report entitled “Kroger Knows Your Shopping Patterns Better Than You Do” looks at one of the nation’s leading grocery store chains’ ad campaigns. Meanwhile, in a separate incident, a DMA e-mail campaign this weekend “reportedly hit more than 100 spam traps and e-mail boxes of some of the world’s most prominent anti-spammers.” [MediaPost]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [FB Announcement]

WW – Facebook Tests Software to Track Your Cursor on Screen

New software is being tested by Facebook to increase the site’s ability to collect great amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. [The Wall Street Journal]

WW – New Open-Sourced Browser Blocks Ads by Default

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward. [InformationWeek]

US – Sen. Schumer Backs Offline Do-Not-Track

We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.” [Source]

WW – The Economics and Future of Cookies

As the IAPP reported, cookies may be reaching the end of the road—but not with a whimper. Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” [Wall Street Journal]

Other Jurisdictions

US – Senator Wants Answers on Student Data Outsourcing

Sen. Ed Markey (D-MA) wants to know how student information is being protected when it comes to data collection and analysis within the education-technology industry. Markey sent a letter to Secretary of Education Arne Duncan asking how K-12 schools are outsourcing the management and assessment of student data to technology vendors. “By collecting detailed personal information about students’ test results and learning abilities, educators may find better ways to educate their students,” Markey wrote. “However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children.” [New York Times]

AU – Australian Prof: Privacy Tort Can’t Do Everything

The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything–even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” [Full Story]

HK – Hong Kong PCPD Orders Company To Stop Supplying Data

“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. [Full Story]

Privacy (US)

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]  

US – Warrantless Surveillance Law May Face Test in Criminal Case

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

US – Tips on Complying With COPPA While Still Making Money

Sara Hanlon, the CEO of a website targeted to kids and their grandparents, offers tips on how to meet the challenges of the newly revised COPPA while continuing to bring in revenue through your website. “While there are expenses associated with compliance, the complexity of the law and the thought of overhauling an entire business model are bigger issues,” Hanlon writes, noting that for some, “the law has created opportunities to innovate in order to continue to profit.” Tips offered by Hanlon include: Read and understand COPPA, don’t “assume your lawyer, developer or anyone else is handling this for you;” create a “parents area” on your site, and join an FTC-endorsed Safe Harbor Program, among others. [AdAge]

US – FTC: Ignore Privacy Principles at Your Own Peril

U.S. Federal Trade Commissioner Julie Brill warns the data broker industry that it must protect consumer data or face the consequences. Companies that ignore “basic privacy principles do so at their own peril,” she writes, but urges the industry to join a collective creation of consumer-friendly online services, an initiative she called Reclaim Your Name. Meanwhile, the FTC is mulling potential regulation of the emerging Internet of Things (IoT) market. Referencing a recent settlement with TRENDnet, Hogan Lovells writes that the agency may be taking a broader view of “sensitive data.” The FTC will host a roundtable on IoT next month. An earlier Privacy Perspectives post looked at some of the comments provided to the FTC by industry and advocacy. [AdAge]

US – SCOTUS Won’t Hear Privacy Lawsuit

The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward. [Reuters]

US – Expose of Experian Sparks New Questions About Data Brokers

Recent revelations that a company acquired by Experian may have sold personal data to a group of identity thieves have prompted an investigation by Sen. Jay Rockefeller (D-WV). The Experian report comes as Rockefeller and the FTC are both already investigating the data broker industry. In a letter to Experian, Rockefeller wrote, “if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data.” On Wednesday, FTC Commissioner Julie Brill called on Congress to enact legislation to regulate the data broker industry. [MediaPost]

US – TSA To Screen Passengers Before They Arrive at Airports

The Transportation Security Administration (TSA) is expanding passenger screenings by searching government and private databases for data on passengers—including car registrations and employment information—before they get to the airport. The TSA says the practice, which was revealed in documents released by the TSA under government regulations on data use and collection, aims to streamline the security-check process for travelers who don’t pose a threat. “I think the best way to look at it is as a pre-crime assessment every time you fly,” said a spokesman from The Identity Project. [The New York Times]

WW – IAPP Hits 14k Members, Expands Into New Space

The IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices. [Source]

Privacy Enhancing Technologies (PETs)

WW – Business Rx: Data Privacy Firm Wants to Sell to Consumers

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. ManageURiD, formed last year, is intended to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” [The Washington Post]


US – Former US VP Disabled Wireless Capability of Implanted Defibrillator

Former US vice-president Dick Cheney acknowledges that he had modifications made to his implanted defibrillator to prevent the device from being hacked. In 2007, Cheney had the device’s wireless feature disabled. [BBC] [The Register] [ArsTechnica]


US – NIST Releases Preliminary Cybersecurity Framework

After a short delay caused by the partial U.S. government shutdown, the National Institute of Standards and Technology’s Information Technology Laboratory has released the Preliminary Cybersecurity Framework required under President Barack Obama’s executive order, “Improving Critical Infrastructure Cybersecurity,” of February 2013. NIST will shortly open a 45-day comment period on the preliminary framework, which will be posted here. Comments can be submitted at csfcomments@nist.gov in Word or Excel format. The feedback is vital, and at the top of the document NIST outlines the types of questions it would like answered, including issues of cost-effective implementation and existing best practices. The practices described in the document are voluntary. Some are critical of voluntary standards because they in turn become the de facto industry standards, which means companies that suffer breaches could be found liable if they have not implemented the practices. Private companies operate most elements of the country’s critical infrastructure. The final version of the document is scheduled to be released in February 2014. [GovInfoSecurity] [CNET] [Bloomberg] [SC Magazine] [Draft Framework] [NIST]

US – Workarounds Put Brands at Risk

User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52% of healthcare workers globally use risky workarounds that are out of compliance with policy, and 66% find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. [The Privacy Advisor David Houlding]

UK – 66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills

Twenty-four out of 25 UK firms report not having the adequate security measures to battle cyber attacks and two-thirds report that the lack of staff with advanced technical skills is the cause. [Telegraph]

WW – Mobile Firefox OS Exploits at Conference In India Next Month

A teenager who has discovered a way to infect the Mozilla Firefox mobile operating system with malware says he will remain silent about the exploit until a November summit in New Delhi, India. Shantanu Gawde developed malware that allows attackers to gain remote access to devices’ SD cards, transfer contacts, track locations, control radio functions, and upload and download pictures, music, and video. [SC Magazine]

Smart Cards

US – Loyalty Cardholders Concerned About Privacy

Privacy is a factor for consumers considering whether to join loyalty card programs. A Mintel survey has found 32% of consumers believe “privacy is an important attribute of any loyalty program,” the report states. The study also found that 13% of respondents were frustrated “with too much personal information being requested during enrollment” and 10% cited concerns about “a lack of control over the privacy of their information,” according to the report. Mintel’s Ika Erwina said, “Reassurance of privacy is undoubtedly a key strategic tool in loyalty program engagement, but there is a paradox at play here between personalization and privacy.” [Supermarket News]


US – NSA Admits Snooping on World Leaders’ Calls

The NSA has acknowledged that it snooped on phone calls of 35 world leaders, including German Chancellor Angela Merkel. The White House was unaware of the program until this summer; once it learned about the snooping, it was stopped. The WSJ story says that the surveillance decision was made at NSA and did not require approval from the president. According to other sources, US intelligence officials say that the State Department and the White House both signed off on the surveillance program. While it is possible that the president was not briefed on specific NSA operations targeting foreign leaders’ communications, the National Security Council and senior members of the intelligence community would be aware of the activity, according to an unnamed former US intelligence official. [The Wall Street Journal] [CBS News] [CNET] [Washington Post] [LA Times]

WW – Spying Fallout Continues; Countries Draft UN Resolution

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance. [The Guardian]

US – Report Says NSA Intercepted ISPs’ Data

Google and Yahoo are upset with a report that the NSA has secretly intercepted “large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers.” “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryptions across more and more Google services and links, especially the links in the slide,” said Google’s chief legal officer. Meanwhile, the American Civil Liberties Union says an FBI program that collects reports about suspicious activity lacks privacy safeguards. [The Guardian]

WW – After NSA Disclosure, Tech Giants Look to Increase Defenses

Days after the latest National Security Agency leak showing the agency had tapped the data centers of Yahoo and Google—allegedly without either company’s knowledge—many large tech companies, including Facebook and Twitter, have been spending time and resources bolstering internal networks to protect their consumers’ data. “What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital data,” the report states. ACLU Senior Analyst Chris Soghoian said some companies are taking steps to ensure “surveillance without their consent is difficult,” but added, “what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.” [The New York Times]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Dianne Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

WW – Schools Grapple With Cyberbullying and Privacy

Emerging social network monitoring systems designed to survey students’ publicly available posts are raising corresponding issues around free speech and children’s privacy. Now that students’ cries for help and instances of bullying and threats can be found online, several companies are offering software to help schools detect such outbursts, but do schools have the legal right to do so? Several cyberbullying cases have made their way to federal courts. American Association of School Administrators Executive Director Daniel A. Domenech said of the issue, “It is a concern and, in some cases, a major problem for school districts,” adding that the line between school and student rights can be confusing. One school administrator is wary of such online technology, saying, “The safety and well-being of our students is our top priority, but we also need for them to have the time and space to grow without feeling like we are watching their every move.” [New York Times]

Telecom / TV

US – New TCPA Rules in Effect October 16

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. [Full Story]

US Government Programs

US – Top U.S. Intel Officials Testify; Relations Fray Further

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Administration Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU. [Source]

US – The Feds: Data Brokers’ Next Big Customer

CNN reports on one commercial data broker “that tracks and stores the employment and salary information of millions of Americans” and its “big, new customer—the federal government.” The U.S. government is now using The Work Number, a database owned by Equifax that includes “54 million active salary and employment records and more than 175 million historical records,” in a pilot program aimed at determining eligibility for such benefits as food stamps, a World Privacy Forum report has found. The World Privacy Forum is pointing out privacy concerns, including that commercial databases such as this “do not have to meet the same strict privacy and accuracy standards that government-operated databases do,” the report states. [CNN Money]

US – Fordham Law Releases Privacy Curriculum for Middle Schoolers

Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93% of 12 to 17 year olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish an open-sourced curriculum for middle school kids. More than a dozen U.S. law schools have signed on to the program. [Source]

US – US Defense Secretary Wants DOD to Step Up Data Protection

In a memo earlier this month, US Defense Secretary Chuck Hagel ordered the Defense Department to implement measures to protect unclassified controlled data from being accessed by hackers. He has ordered DOD’s chief information officer and the undersecretaries of defense for acquisition, technology, and linguistics; policy; and intelligence to assess unclassified DOD networks to evaluate their vulnerability to attacks and develop a strategy to mitigate those risks. Hagel also called for DOD, the NSA, and DISA to develop means to assess loss of technical data and the consequences of those losses; identify critical acquisition and tech programs that need stronger protection; and make sure they are being adequately protected. [Federal Times] [NextGov]

US Legislation

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – Lawmakers to Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Common Sense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland (R-District 92) said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – California Governor Vetoes Privacy Bill Again

California Governor Jerry Brown has once again vetoed legislation that would have required law enforcement authorities to obtain warrants before searching suspects’ electronic communications. Governor Brown said the bill would impede investigations and would impose requirements beyond those in existing federal laws. This is the third time he has vetoed the legislation. [ComputerWorld] [Governor Brown’s Memo Explaining Veto]

US – Are Class-Actions Becoming Too Big To Settle?

The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. [Full Story]

US – Does the U.S. Have a De Facto National DPA?

Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Systems. Or any of the dozens of other companies that have been pursued by the U.S. FTC over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC. [Full Story]

US – Amendment Would Require EU Permission for U.S. Law Access

Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups has written to the European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” [Full Story]

US – PA House Passes 911 Privacy Bill

Patch.com reports that the Pennsylvania House has passed HB 1041, providing an exemption to the state’s Right-To-Know law for information that could identify a 911 caller. The bill is sponsored by Joe Hackett (R-Delaware), who noted, “the identity of the caller must be kept confidential to prevent cases of retribution against informants and to ensure the public has a sense of safety and privacy when reporting a crime or other emergency.” The bill now heads to the Senate.

US – Texas AG Seeks to Stop Dating Service’s Database Sale

Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved. True.com filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for True.com and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said. [KFYO]

US – Is DoJ Setting Up New SCOTUS Wiretapping Test?

The U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” [New York Times]

US – A Model Bill to Put CPOs in State DoEs

Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations.” [Privacy Tracker]

Workplace Privacy

US – State Medical Board Releases Social Media Guidelines

The Rhode Island Board of Medical Licensure and Discipline has released a set of guidelines for physicians’ use of social media to help establish acceptable patient privacy interaction, Health IT Security reports. The board’s Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice sets standards for protecting patients’ privacy, avoiding online requests for medical advice, acting with professionalism and being transparent about one’s credentials and aware that posts could be publicly available. In a Privacy Perspectives post earlier this year, Indiana University Health Chief Privacy Officer Valita Fredland wrote about why healthcare providers should utilize social media. [HealthIT Security]

