Privacy News Highlights
11 June – 07 July 2008
Contents:
WW – Plan to Fingerprint Foreigners Exiting U.S. Is Opposed
NZ – New Zealand Labour Dept Plans to Collect Biometric Data from Immigrants
IN – E-Vote: Bangladesh Biometric Voter Identification Project Nearing Completion
CA – LSAC allowed to Substitute Submission of Photos for Fingerprints.
CA – Mandatory Body-Fluid Samples Loom for Drivers Suspected of Being High
CA – Saskatchewan Commissioner Says Privacy Law Must Change
CA – Newfoundland Freedom of Information Office Takes Government to Court
CA – BC Privacy Concerns Quashes ‘Chronic Offender’ Program
CA – Commissioner Awards $407,923 for Privacy Research and Public Awareness
CA – Realtors Required to Collect More Personal Data
CA – Consumers Wary of Personal Information Requests: Survey
US – Consumers Punish Organizations That Expose Their Data, But Can Be Mollified
US – Survey: Advertisers Should Acknowledge Targeted Ad Concerns
WW – Social Banners: A New Beacon for Advertisers? Facebook
EU – European Commission Scrutinizes Online Advertising
US – Cyber Crime Feared More Than Burglary, Study Suggests
CA – Toronto to Deploy Second-Largest 311 Contact Center in North America
US – White House May Keep Documents in E-Mail Flap Private: Judge
AU – Consultation on the Draft Principles for Australia’s Health System
US – AAHC: HIPAA Hampers Biomedical Research
WW – Diversinet Puts Personal Records In Your Wallet
WW – Google Health Teams with Insurer for Online Records
IN – India Sees No Security Threat from BlackBerry
EU – EU Tries to Ease Fears on Data-Sharing Talks with U.S.
EU – Public Wants Breach Notification Law; IT Managers...Not So Much
UK – Proposed Changes May Foreshadow UK Notification Law
UK – Information Commissioner Will Serve Enforcement Notices on HMRC and MoD
UK – Mandatory Data Training for Civil Servants
CH – Switzerland Data Watchdog Warns Citizens’ Privacy Under Threat
EU – Swedish Data Inspection Protects Messy Apartment Dwellers
EU – Sweden Rejects Fat Child Data Registry
EU – Italian Privacy Advocates and Jurists Launch New Privacy Institute
EU – Swedes Protest Sweeping E-Mail Eavesdropping Law
US – ID Theft Red Flags Rule: Only Half of Institutions Will Beat Deadline
US – Credit Card Firm Cut Limits After Massage Parlor Visits, FTC Alleges
CA – Ministers’ Offices Not Subject To Access Law, Court Rules
CA – Public Should See Alberta Government Credit Card Bills: Privacy Commissioner
US – Regulators Take Aim at Nascent DNA-Testing Industry
US – Electronic Health-Record Standards Agreed
US – Proposed Rx Database Raises Privacy Concerns
US – Boston Medical Pays for Privacy Violations
US – Breach Reports Up in First Half of 2008
US – Utah Hospital Billing Records from Over 2 Million Patients Stolen
WW – Health and Business Data Being Auctioned Online
UK – UK Health Agency Loses 31,000 Patients Records
WW – Heavy Hitters to Collaborate on Promoting Digital-ID Tech
US – ID Card Serves Students, Rec Centers, Libraries in D.C.
US – Medical ID Theft on the Radar
US – U.S. Contradicts Itself Over Its Own ID Protection Advice
US – FTC to Conduct ID Theft Victim Study
CA – Public Forum on Ontario Proposed Enhanced Driver’s Licence
CA – Survey Finds Opposition to Canadian Copyright Bill
WW – Google Adds Privacy Policy Link on Homepage
CA – CIRA’s WHOIS Policy: A Stunning Setback for Privacy?
WW – System Estimates Geographic Location of Photos
CA – Canadian Air Passengers to Undergo ‘Virtual Strip Search’ at Kelowna
WW – Firefox Dumps Privacy Browsing Button
WW – Advertisers Should Answer Concerns: TRUSTe
NZ – Commissioner Calls for Privacy Act Amendments
EU – Greece Authorities Empowered To Name And Shame
AU – Media Release: Privacy Commissioner Publishes Case Notes for 2008
AU – Backflip Over OneSchool Online Student Database
US – More Government Employee Snooping Discovered
US – FTC Wants Strong Civil Penalties For Spyware Distributors
EU – Dutch Government Wants to Halt Publication of Mifare Flaw Paper
EU – Item-Level RFID Prevents Meat Spoilage for METRO
US – School District to Begin Microchipping Students
WW – Survey: Data Privacy Low on Priority List
WW – Data-Breach Study Released
US – Study: More Than 630,000 Laptops Lost at Airports Each Year
US – Data Breaches Are Up 69% This Year, Says Nonprofit
CA – Data Breaches Double in Canada
US – Laptop Searches in Airports Draw Fire at Senate Hearing
US – Privacy Officers and Marketing Depts Have Different Ideas About Data Security
WW – Microsoft Security Fix Clobbers 2 Million Password Stealers
UK – Hackers Crack London Tube’s Ticketing System
CA – Public Information Forum Planned for Ontario Licence Enhancements
AU – Industry Will Deploy Access Card, Says Australian Government
US – University Teams Share DOD Grant
US – ISP backs off of Behavioral Ad Plan
UK – British Phone Taps Breached Privacy Law
WW – The Eyes and Ears of the Neighborhood: CCTV surveillance
US – Senate Debates Rewrite of ‘78 Law That Created Secret Intelligence Court
UK – Insurer Scraps GPS Vehicle-Tracking Policy
US – Groups Sue U.S. for Data on Tracking by Cellphone
US – Judge Orders Release of Google YouTube User Data
US – Former Customers Off Limits to Verizon
US – Report: Privacy Leaders Need Full Oversight
US – Want Some Torture With Your Passenger ID Bracelet?
US – Connecticut Governor Signs Bill to Safeguard Personal Data
US – ACLU Files Lawsuit on Behalf Of Virginia Privacy Advocate
US – GAO: Privacy Law Outdated
The airline industry and embassies of 34 countries, including E.U. members, are
urging the U.S. government to withdraw a plan that would require airlines and
cruise lines to collect digital fingerprints of all foreigners before they
depart the U.S., starting in August 2009. Airlines said the change would cost
the industry $12.3 billion over 10 years, not $3.5 billion as the Department of
Homeland Security estimated in unveiling the proposal in April. Representatives
of the nations affected said it is the duty of the U.S. government, not private
companies, to enforce immigration and border security laws, and they raised
privacy concerns about companies collecting fingerprints. The plan to track
exiting foreign visitors is part of a program known as US-VISIT. For security
reasons, U.S. officials have put a priority on identifying incoming visitors.
Setting up systems to record exits is much more costly but still can help
enforce immigration laws and track security risks. [Source]
The New Zealand Department of Labour’s planned “Single Client View” redevelopment
of its immigration ICT system will collect biometric data from immigrants and
integrate with other government identity management projects, according to a
proposal for a privacy impact assessment. “The collection of, and ability to
check, biometric data on all applicants is critical for immigration risk
management in the future,” the tender document says. “If approved, this project
will dove-tail into the whole-of-government work on identity management …
Obtaining biometric data on prospective citizens at the point they first
interact with a New Zealand Government agency dramatically reduces the risks of
identity fraud, especially given that they may not apply for citizenship for
many years after arriving in New Zealand.” The current technology has data
distributed across multiple systems and the department wants to replace that
with a system that delivers a single view of the client data. “This would make
all information available in one place and at one time for immigration decision
makers and external agencies. A single view can be achieved only when systems
coverage of all data sets is complete.” Other aspects of the project include
upgrading the system’s risk profiling methodology and allowing applications to
be made online. New Zealand Trade and Enterprise and the Ministry of Foreign
Affairs and Trade, both of which make immigration decisions offshore, would
also be given access to the system. [Source]
See also: [Ontario’s privacy commissioner orchestrates voice biometrics integration]
A biometric-based credentialing solution for the Bangladesh Voter Registration
Project is scheduled to conclude at the end of this month. This exclusive
contract was implemented in 2007, in order to prepare voter lists and issue
national ID cards, in preparation for Bangladesh’s general elections to be held
in December of 2008. To date, the solution has registered and issued national
ID cards for more than 75 million people and was the basis for the creation of
local voter lists for the upcoming election. The registration process
incorporates scheduled appointment times to enrol each citizen’s biometric
information. The enrolment data includes four fingerprints, captured with
BIO-key’s fingerprint ID software and FBI-certified fingerprint readers.
BIO-key’s WEB-key development platform was utilized to detect duplicate
registrations. Additionally, the solution employed 500 ID management servers
developed by Tiger IT and over 8,000 laptop computers equipped with Tiger IT
enrolment software. The biometric enrolment process has generated more than 300
million ISO fingerprint templates, making it the largest biometric deployment
ever recorded, according to BIO-key. Beyond establishing more accurate voter
lists to help ensure a full and fair election, the ability to verify one’s
identity provides significant benefits in the course of each citizen’s daily
life. For example, the National ID card is used by citizens to access up to 22
different services managed or offered by the government. The National ID card
also includes a standard barcode encoded with ISO fingerprint templates and PKI
digital hash that can be used to quickly verify the identity of the cardholder
while ensuring the integrity and authenticity of the ID card. [Source]
The federal Privacy Commissioner’s May 29th report on the Law School Admission Council’s practice of collecting fingerprints from LSAT test takers recommended that LSAC cease the practice but allowed it to substitute a practice of collecting test takers’ photographs. Some notable findings include:
• the OPC rejected LSAC’s argument that it was engaged in educational rather than commercial activity, finding that its core activities provided a service to its member law schools;
• the OPC held that fingerprints are more sensitive than voice prints and less sensitive than one’s photographic image; and
• the OPC made another comment de-emphasizing the significance of cross-border transfers of personal information.
The report also highlights the difficulty of sustaining a collection practice based
on deterrence alone. The case for deterrence is often logically compelling, but
proving that collecting information effectively deters misconduct is hard. (For
more on this theme, see the IPC/Ontario’s recent TTC report.) LSAC had not once
used a fingerprint to identify a fraudulent test taker since it started
collecting them in the mid-1970s, so it was difficult for the LSAC to justify
its practice on any ground other than deterrence. It also claimed that it
simply wanted to assure its members that it was doing all it could to ensure
the security of the test. The OPC seemed to accept this purpose as legitimate,
but not compelling enough to justify collection of fingerprints. The LSAC
proposed collecting photographs as a step-down solution mid-way through the investigation,
and the OPC held that this alternative would achieve the appropriate balance
because images are “marginally” less sensitive. [Source] [OPC Report]
Drivers who get behind the wheel while high on drugs will face roadside testing and
they could be ordered to surrender urine, blood or saliva samples at the police
station under a controversial new law that takes effect July 2nd.
Drivers who refuse to comply will be subject to a minimum $1,000 fine – the
same penalty for refusing the breathalyzer. Police will be given their new
powers to nab drug-impaired drivers after almost five years of intense debate
in the federal Parliament. The law, passed this year after three failed
attempts, has been lauded by law enforcement and groups who say drug-induced
drivers are escaping unpunished at a time when their numbers are climbing. The
new law, however, has sparked warnings about potential court battles from
critics who contend that demanding bodily fluids is overly intrusive and
scientifically unreliable in detecting drug impairment. “This is going to be
challenged left and right,” predicted Murray Mollard, executive director of the
British Columbia Civil Liberties Association. Federal privacy commissioner
Jennifer Stoddart and the Canadian Bar Association have also raised alarm
bells. Testing is already happening in Quebec, Manitoba, and British Columbia –
but only when the driver voluntarily participates. But that hardly ever happens
because nobody “is going to consent to pee in a bottle” when they are not
legally required, said the chief executive officer of Mothers Against Drunk
Driving. [Source]
Saskatchewan’s information and privacy commissioner wants to see the province’s 16-year-old
Freedom of Information and Protection of Privacy Act (FOIP) updated. In his
annual report released last week, Gary Dickson appealed to the provincial
government to consider modernizing the law to better address today’s concerns.
Specifically, Dickson said the commissioner should have access to documents when
investigating a privacy breach and privacy protection should be extended to
employees in the private sector, says the report. Justice Minister Don Morgan
said, “I’m thinking it’s something that’s due now, and we should probably set a
timeline and get on with it.” [Source]
The information and privacy commissioner of Newfoundland and Labrador has filed
lawsuits against two provincial government departments for not following his
office’s recommendations. Commissioner Ed Ring said that he started legal
action against the Public Service Secretariat in May, and the Department of Transportation
and Works in June, for not releasing requested information his office deemed
they should.
The first of those lawsuits was filed against the premier’s office for refusing to
release public opinion polls to the Telegram newspaper. Now, the lawsuits
against the Public Service Secretariat, headed by Finance Minister Tom
Marshall, and the Department of Transportation and Works, headed by Minister
Diane Whelan, are going to court. Ring said he wants the judicial system to set
a strong precedent for any future disagreements between his office and a
government department and to determine just which office gets to make the final
decision on whether to release information requested under the act. [Source]
An aggressive police campaign designed to expose career criminals in Vancouver has
been suspended after B.C.’s Office of the Information and Privacy Commissioner
said it may violate provincial law. Among other things, the Vancouver Police
Department released photographs and brief criminal histories of three career
criminals, each of whom has more than 125 convictions for theft, break and
enter, assault and other crimes. The publicity blitz was to continue this week
with the release of more criminal profiles, part of its new “Chronic Offender
of the Week” program. That campaign has also been shelved. The B.C. Freedom
of Information and Protection of Privacy Act requires police to notify the
privacy office first before making such information public. This protocol was
not followed last week. [Source]
The Privacy Commissioner of Canada has announced that 9 organizations will be
awarded a total of $407,923 through her Office’s Contributions Program for
research into privacy issues and to encourage the advancement of privacy
rights. This year, the Office of the Privacy Commissioner of Canada invited
proposals focusing on four priority issues: national security; identity
integrity; information technology; and genetic privacy and bio-banking. For the
first time ever, the Contributions Program also solicited proposals for
innovative public education, outreach and awareness raising initiatives. The
projects that are receiving funding cover a wide range of privacy issues, from
surveillance and children online to the spread of genetic information. This
year, four of the projects will focus on building awareness of privacy issues.
[Source]
In an effort to help stop money laundering and terrorist financing, new
regulations took effect this week requiring the collection of greater amounts
of personal information during real-estate transactions. As a result of Bill
C-25, which passed in 2007, realtors now must collect the names, addresses,
dates of birth and occupations of both buyers and sellers, and both parties
must provide proof of their identities with a driver’s license or passport.
Agents must house the data collected for five years and provide it to the
Financial Transaction and Reports Analysis Centre of Canada, if requested. [Source]
Canadian consumers are concerned about releasing their personal information to
retailers. That’s based on the results of an Ipsos-Reid survey of 1,001 adults
conducted in December 2007. The study, commissioned by Canada’s privacy
commissioner, revealed that nearly half of Canadian adults surveyed do not
provide personal data to retailers when asked due to privacy concerns and fears
of identity theft. 52% reported questioning retailers about why they ask for
such information as addresses, postal codes or telephone numbers at the time of
purchase. The results will help the commissioner’s office promote understanding
of the Personal Information Protection and Electronic Documents Act (PIPEDA),
which governs the collection, use and disclosure of personal information in the
course of commercial activities. [Source] [Full Survey Report]
More than half of the data breach victims questioned in a recent Javelin Research
survey reported decreased confidence in the organization that lost their data,
says an Internet Retailer report. And 30 percent said they would never again do
business with the company. The online survey polled 400 data breach victims in
May. The survey also found that consumers respond favorably to offers of free
identity protection services in the wake of a breach; 55% of those offered such
services reported satisfaction with how the breach was handled. [Source]
Marketers ought to be aware that some consumers are suspicious about the phenomenon known
as “behavioral targeting,” a new report from eMarketer says. Called “Behavioral Targeting
Attitudes: The Privacy Issue,” the report explores the digital ad
strategy, which collects consumer information and uses it to serve up ads that
they may find interesting or relevant. The takeaway point from the report:
“Consumers want ads that are relevant to their needs, but they have mixed
feelings about how that relevancy should be determined.” [Source] [Source]
Testimonials have long been an effective method in the world of advertising, and now one
company plans to create personalized testimonials for its advertising partners.
Social Media, a marketing service provider to applications used on Facebook,
MySpace, Bebo and Hi5, will roll out social banners to clients and their users.
The banners allow advertisers to include the name and/or photo of social
networking site users within ads intended for a user’s “friends.” The company
says it wants to “facilitate real conversation and interaction around certain
products and brands,” and has promised to give users the ability to choose to
share their information with the company, says a report on mashable.com. [Source]
At a roundtable event in central London, the European Commission invited leading
industry figures to discuss issues of consumer protection and privacy in
relation to online advertising in Europe. Many present doubted the online ad industry
can be trusted to adequately guard consumers’ data. The meeting, titled “Consumer
Policy in the Digital World,” was called by the European Commissioner for
Consumer Protection, Meglena Kuneva, and centered on the themes of targeting
and profiling, and misleading commercial practices online. Attendees included
representatives from major U.K. and European consumer organizations,
legislative bodies, trade bodies, and key industry players including agencies
and technology companies. Key questions on the meeting agenda were whether
current legislation is sufficient to cover new and emerging online practices,
whether the self-regulatory and enforcement regimes were able to cope with
them, and what level of user awareness and consent is needed to allow fair data
collection and user tracking. In her opening
remarks, Commissioner Kuneva stated that data collection intended to
increase the value of advertising was “out of control,” and expressed concern
at the volume of data being collected without the consent or knowledge of the
consumer. “Current European legislation requires that users give their consent
for such data to be collected, but is this consent fair, and do consumers know
what they are consenting to?” she asked. “Now is the time to strike a balance
between effective use of data, and consumers’ privacy. Trust is the currency of
the online world,” she continued. [Source]
AVG Technologies has released the results of its own research study that showed
U.S. citizens are more concerned about being the victims of cyber crime than
burglary or assault. Of the 1,000 PC users surveyed in March 2008, 57% felt that
they will most likely be the victims of cyber crime with only 21% believing
they will be victims of burglary. [Source]
The city of Toronto signed a contract with BearingPoint LP to deploy a unified 311
non-emergency contact center computer system. The multi-million dollar contract
calls for an overall implementation period of up to 22 months for the new
system. The new 311 Contact Center in Toronto will be the catalyst for
consolidation and reorganization of a number of city call centers, resulting in
more efficient service for the city’s 2.6 million residents and millions of
tourists and visitors each year. The 311 system will provide a single contact
phone number for access to city information and to place and track service
requests. The new system will also provide additional contact options for the
public including e-mail, fax, Internet, or in-person information requests at
counters. The Contact Center will be available 24 hours a day. When fully
implemented, the new 311 system in Toronto will allow users to obtain information
on all city services including committee and Council schedules, water and
wastewater information, road maintenance, social support programs (such as
children’s services and homes for the aged), property taxes, libraries and
more. In addition, the system will allow the public to submit and track a
request for city services such as pothole repair, large appliance pick-up, or
waterline inspection. The new system will allow 311 staff to provide
information on when the city will respond to a request and what steps will be
taken. The system is targeted to allow the city to answer at least 70% of
information inquiries at the first point of contact. [Source]
The White House does not have to make public internal documents examining the
potential disappearance of e-mails sent during some of the Bush
administration’s biggest controversies, a U.S. district judge has ruled. In a
39-page opinion, Colleen Kollar-Kotelly said that the White House’s Office of
Administration is not subject to the Freedom of Information Act (FOIA),
even though its top officials had complied with the public records law for more
than two decades. [Source]
The reform agenda for the health system is being developed at the same time as the
Australian Law Reform Commission is finalising its inquiry into privacy laws in
Australia. The Office of the Privacy Commissioner notes that each agenda shares
the common concern of examining the importance of national consistency. This
submission highlights the essential place for nationally consistent health privacy
regulation in an effective and efficient health system. [Source]
A report of the Association of Academic Health Centers (AAHC) finds that the
Health Insurance Portability and Accountability Act (HIPAA) privacy rule has a
negative impact on the advance of biomedical research. The AAHC is a national
health-related nonprofit. The report, HIPAA Creating Barriers to Research and
Discovery, cites patient confusion, misinterpretation by research participants
and burdensome administrative procedures as some of the consequences the rule
has had on research and discovery of new treatments. “We now know that the
privacy rule is having a serious and detrimental impact on research and
ultimately patients,” said AAHC President Dr. Steven Wartman. The AAHC
recommends revision of the HIPAA Privacy Rule. [Source]
Toronto-based Diversinet Corp. has announced new versions of its MobiSecure Wallet and Vault
applications for secure mobile access to medical and personal information. The
software Wallet creates a one-time password for access to the vault, with the
smart phone or PDA itself serving as the second factor in a two-factor
authentication system, according to Stuart Vaeth, the company’s chief security
officer. Files are stored in the server-side Vault application and can be
downloaded to the wallet on the phone. “The safety deposit box is a good
analogy,” Vaeth said. Not only does the Vault application validate the phone
accessing the account, “the phone actually validates the server based on a
shared key” known only to the server and the device. “Data at rest is always
encrypted,” and data in transit is encrypted by the password, Vaeth said. The
information is stored as data cards, wrapped in an XML document to allow
presentation on the phone. The information can be viewed, e-mailed or faxed to
another device. There can be multiple wallets for a single vault, and users can
temporarily delegate access to the vault to another device, for example, if a
user goes to a new medical clinic that’s not equipped with the software. A
potential market for the MobiSecure offering is any industry that handles
sensitive data that must be delivered to strongly authenticated parties. Aside
from health care, the legal profession and e-government are likely markets,
though “as a practical matter I think government moves too slowly for there to
be any chance of major adoption of a MobiSecure-type solution anytime soon,” he
said. [Source]
Blue Cross and Blue Shield of Massachusetts has partnered with Google Health to
offer patients an online tool for managing and transporting their medical
records. It is the first health insurer to sign on to the service, which
debuted last month. A Blue Cross-Blue Shield vice president said the tool gives
patients voluntary access to detailed treatment records, pharmacy records and
laboratory results, among other data. Although some patient and privacy
advocates remain reluctant to embrace electronic health record initiatives due
to the potential for information breaches, Blue Cross-Blue Shield assures that
patient data will be secure and will not be shared without patient consent. [Source]
India’s telecoms ministry does not see any security risk from Research In Motion’s
popular BlackBerry e-mail service and has no plans to shut the service, a top
government official said. Indian security agencies have said the BlackBerry
e-mail device could be used by militants to send e-mails that could not be
traced or intercepted, and the government wanted RIM to install servers in
India to help monitor traffic. “There is no threat from BlackBerry services,”
Telecoms Secretary Siddhartha Behura told reporters at an industry summit,
adding operators did not need the ministry’s approval to offer such services. [Source]
The European Commission is seeking to ease fears that details about the medical
conditions and sexual preferences of EU citizens could be abused by the
American authorities under a trans-Atlantic system allowing law enforcement and
security agencies to obtain private information of travelers. Talks between
officials in the United States and Europe on the issue have been under way for
18 months and are reportedly close to an agreement, with a final deal possible
by the end of 2009. A key sticking point is ensuring that EU citizens can bring
complaints in U.S. courts when information transmitted to the United States is
incorrect or mishandled. The matter is complicated because the EU gives every
individual the right to bring a case in court about information held about them
regardless of nationality or residence, whereas the United States limits the
protection of its Privacy Act to U.S. citizens and legal permanent residents.
The EU is requesting that its citizens be allowed to use the Privacy Act in the
same way that U.S. citizens can. [Source] [U.S. and Europe Near Agreement on Private Data]
UPDATE: [European Lawmaker to Sue U.S. Over Data]
As the European Union mulls the possibility of a data breach notification law, new
research by Symantec and Ipsos Mori indicates that 96% of citizens want to know
if their private information has been lost or stolen, says a VNUnet.com report.
“This adds weight to the current debate for the introduction of an appropriate
law on notification,” said Symantec’s Richard Archdeacon. In contrast, a
Clearswift study of UK IT managers indicates that most do not think the public
should be notified when a data breach occurs, and many don’t even think the
police should be notified. [Source]
The UK’s privacy watchdog says a revision to the European Union’s (EU) ePrivacy
Directive could bring the UK closer to getting a data breach notification law
on the books. The revision includes proposals to require electronic service
providers to let users know if a data breach occurs. The amendments will come
to a vote later this year. UK Deputy Information Commissioner David Smith said,
“It looks as if breach notification may come out of the review of the ePrivacy
Directive, it could be a catalyst for a law to cover all types of
communications.” [Source]
Following the release of a verdict from the Independent Police Complaints Commission, a
report from Pricewaterhouse Coopers chairman Kieran Poynter regarding the HMRC
data loss incident, and a report from Sir Edward Burton regarding the incidents
at MoD, UK Information Commissioner Richard Thomas says his office will serve
enforcement notices on HM Revenue & Customs (HMRC) and the Ministry of
Defence (MoD) for “deplorable failures” at both departments that led to
violations of the Data Protection Act. Last year, HMRC acknowledged the loss of
computer disks containing personally identifiable information of 25 million
families; MoD acknowledged that it lost a number of laptops, one of which
contained sensitive data of 600,000 recruits. Compliance with the enforcement
notices will include implementing all recommendations made. The departments
will be required to submit annual progress reports for the next three years. [Source] [Source] [Source] [Source] [Source] [Poynter report]
Civil servants who deal with personal data are to undergo mandatory annual training
following the recent spate of data losses and thefts, including the loss of
personal details of 25m Child Benefit claimants. The move, described as a
change in culture, comes as one of the changes announced in UK Cabinet
secretary Sir Gus O’Donnell’s review of information security in government.
Action already taken to improve data security includes 90,000 HMRC employees
being given additional security training. Other changes include privacy impact
assessments, encryption and compulsory testing, stronger accountability with
clear lines of responsibility, scrutiny by the National Audit Office and spot
checks by the Information Commission. [Source]
The privacy of Swiss citizens online is more and more under threat, according to
the Federal Data Protection and Information Commissioner. In his annual report
released last month, Hanspeter Thür warned that new technology made it easier
for criminals to illegally secure online data. He also said there had to be a
sharper focus on anonymous online reviews of professionals such as doctors or
lawyers. They could be subject to defamation, Thür added, through what he
called “internet mobbing”. The country’s data watchdog also announced that
access to official documents of the federal administration in Switzerland had
become easier since 2006 and the introduction of a transparency principle.
Access to official data can still be restricted or denied when national
security is deemed at risk. [Source] [Source]
The Swedish housing corporation is not allowed to use log files collected from its
electronic key system to keep track of who has made a mess in the common
washing machine room, according to the local Data Inspection Board. Wash rooms
(similar to laundromats) shared among residents are commonplace in Sweden, in
both rental buildings and condominiums, and are almost always a source for
arguments, with neighbors communicating using only angry Post-it notes. But
Eslövs Bostads AB took it too far when the company started using entry-key
logs, which are saved for two weeks, to keep track of washing machine room
activities. The Swedish Data Inspection Board has sent an injunction telling it
to stop. “Electronic keys should be used to open and lock doors. Our
fundamental attitude is that you should be restrictive in how you use logs,”
said Göran Gräslund, director general at the board. He also is not pleased that
the housing corporation did not inform residents on how it planned to use
information from the logs. [Source]
A nationwide obesity register planned by Sweden’s National Board of Health and
Welfare (Socialstyrelsen) has been rejected by the Data Inspection Board due to
privacy concerns. The health board wanted to use the register to keep closer
tabs on Sweden’s overweight children. The register was to include information
about the height and weight of every citizen under 18 years of age. But the
Data Inspection Board nixed the idea, pointing out that details about one’s
height and weight constitute very sensitive information, especially for those
who view their weight as a problem. Therefore, collecting such information,
without consent from every child or parent, is seen as a violation of privacy.
The National Board of Health and Welfare wants to add the information to an
existing medical birth registry, but the Data Inspection Board objects to the
idea because doing so would give the registry a completely different purpose
than that for which it was created. [Source]
A group of prominent Italian privacy advocates and jurists have launched the
Italian Institute for Privacy (www.istitutoitalianoprivacy.it/en/), a public
policy think tank focused on improving privacy protection in the digital age.
This broad-based coalition of prominent Italians will focus its efforts on the
protection of personal privacy online for citizens in Italy and throughout
Europe. Protection of personal privacy and data online is a growing problem
that will challenge European policy-makers. Implementation of an appropriate
legislative and regulatory framework that is pro-consumer, transparent and
allows for customer control is an important first step in the protection of
privacy. [Source]
A public outcry against Sweden’s eavesdropping law reached new heights with
protesters sending more than 1 million e-mails to lawmakers. The law, narrowly
passed by legislators two weeks ago, will let officials eavesdrop on all
cross-border e-mail and telephone traffic, in what technology companies have
called the most far-reaching communications monitoring plan in Europe. [Source]
[Sweden Says ‘Yes’ to Surveillance Law]
[EFF Commentary]
Only half of U.S. banking institutions say they will beat the Nov. 1 deadline for
compliance with the Identity Theft Red Flags Rule. This is the key finding of a
new survey aimed at gauging the success of institutions’ efforts to meet the
terms of the new regulatory mandate. The survey, administered in June by
Information Security Media Group, publisher of BankInfoSecurity.com and
CUinfoSecurity.com, drew 300 responses from financial institutions of all
sizes. With roughly four months to go before the Identity Theft Red Flags
deadline, an even 50% of institutions surveyed say they are close to compliance
and will beat the Nov. 1 date. A combined 47% say they either will barely meet
the deadline, won’t make it or don’t know. Only 3% of respondents say they are
already completely compliant. Full survey results will be previewed in the
upcoming webinar, ID Theft Red Flags Roundtable - Tips from Regulators and
Practitioners on How to Meet Nov. 1 Compliance, set to debut on July 9. [Source]
See also: [UK: FSA fines stockbroker over weak data security], [The biggest legal
risks around mobile payments] and [ID Theft Hits $1 Billion Down Under]
Government regulators are suing a sub-prime credit card issuing firm, alleging that the
company secretly profiled its customers’ transactions and reduced the credit
limits of those who used the cards at bars, marriage counselors and tire
retread stores. The Federal Trade Commission filed the complaint against
CompuScore in a federal court in Atlanta on June 10, alleging the Visa-card
marketing service routinely abused debt collection law, failed to disclose
hidden fees, and withheld the credit limits it promised to subprime borrowers.
Most intriguingly, however, the complaint alleges that CompuScore kept track of
the kinds of purchases its card holders made, without adequately explaining
they were doing so or what kinds of purchases would lead to lower limits.
CompuCredit has based these credit line reductions on an undisclosed
“behavioral” scoring model that penalized consumers for using their cards for
certain types of transactions, including transactions touted in their
solicitation materials such as cash advances and transactions with the
following types of merchants: Direct marketing merchants; Marriage counsellors;
Personal counsellors; Automobile tire retreading and repair shops; Bars and
night clubs; Pool and billiard establishments; Pawn shops; and Massage parlors.
[Source] [Business Week Article] [Complaint]
Canada’s access-to-information law does not apply to the offices of the prime minister
or cabinet ministers, Canada’s Federal Court has ruled. In a decision in an
omnibus test case that some fear will dramatically reduce the scope of
citizens’ rights to obtain government documents, the court said some records
created by ministers’ aides could be disclosed when they are “controlled” by
the bureaucracy, but are off limits in a minister’s office or the PMO. “If
Parliament wants such documents open to the public, then Parliament must amend
the Access Act,” Mr. Justice Michael Kelen wrote. Stephen Harper’s Conservatives
had promised to change the law to make it clear that it applied to ministers’
offices and the PMO. But they flip-flopped after taking power. [Source]
Alberta’s privacy commissioner has ordered the release of details of how a former
provincial employee used his government credit card. Frank Work issued the
order after the Alberta government repeatedly denied requests by the CBC for
access to the credit card bills of former government employee Sasha Angus.
Angus, who was the executive assistant to Mark Norris, the former minister of
economic development, racked up $29,000 on his government credit card,
including for expenses related to a trip to Las Vegas, according to a 2004 memo
leaked to CBC News. In January 2007, Alberta Finance confirmed Angus, who left
the Alberta legislature four years ago, paid the entire amount back to the
government. The privacy commissioner says Angus’s bills should have been made
public. The decision sets a significant precedent, Wood said, because the
privacy commissioner has never ruled on the issue of access to records of
government credit card spending. [Source]
California’s public health department appears determined to shut down one of the most
promising areas of the biotech field – genetic testing. Last month, the state’s
laboratory field services group issued 13 cease-and-desist letters to genetic
testing companies. And the tough talk in a recent teleconference among
regulatory officials confirms the seriousness of the department’s intent. “We
[are] no longer tolerating direct-to-consumer genetic testing in California,”
Karen Nickles, Chief of Laboratory Field Services at the health department,
told members of the Clinical Laboratories Advisory Committee on June 13.
Targeted companies include personal genomics startups 23andMe and Navigenics.
These services are seen as the leading edge of a new type of health care in
which consumers can use their genetic profile to tailor their medical and
lifestyle choices. The established medical community, however, is wary of the
technology, arguing that the medical utility of some tests is unproven. [Source]
U.S. consumer groups, insurers and privacy advocates together with Google Inc and
Microsoft Corp said last week they have agreed to standards intended to speed
adoption of personal electronic health records. The electronic medical record
field remains in its infancy. While U.S. privacy laws govern actions by medical
providers like doctors, there is little in the way of other established
privacy, security and data usage standards despite decades of industry effort.
Backers, which also include some doctors and employer groups, said they hope to
break a stalemate in moving medical records online, sparked by consumer fears
that their personal information will be abused, or held against them.
Principles for personal health records include an audit trail to track use of
the data, a dispute resolution process for consumers who believe their personal
information has been misused and a ban on using data to discriminate in
employment. Also signing on to the principles are WebMD; Consumers Union, which
publishes Consumer Reports; AARP, the seniors’ lobbying group, and America’s
Health Insurance Plans, which represents major insurers such as Aetna Inc.
Microsoft earlier this month announced that Kaiser Permanente, the biggest U.S.
health maintenance organization, will use Microsoft’s HealthVault platform
to link Kaiser employees who volunteer to have their records transferred.
Google sells Google Health, a U.S. health data service that combines the
leading Web company’s search services with a user’s personal health records
online. [Source] See also: [U.S.
House Pushes For National E-Health Records] and [Privacy provisions threaten
health IT bill]
Drug abuse deaths have surpassed traffic accident deaths for the past two years, and
New Hampshire Attorney General Kelly Ayotte wants to help curb this growing
problem by creating a centralized database to track commonly abused
prescription drugs, says an Associated Press report. The database would allow
doctors and pharmacists to check patients’ prescription histories to better
prevent abusers from seeing several doctors for prescriptions. But New
Hampshire lawmakers have rejected such a bill in the past, citing privacy
concerns. “How many New Hampshire people are going to end up with their names
on a secret database?” asked Rep. Joel Winters. “We don’t know.” [Source]
The Boston Medical Center’s health insurance plan will pay the state of
Massachusetts $562,000 to settle a case about the improper use of patient
information. The hospital sent 2,600 patients with health insurance letters
promoting the hospital’s medical insurance. This was a fundamental violation of
privacy rules that limit use of personal information only to the purpose for
which it was collected. In this case insurance information was for the purpose
of paying medical bills. [Source]
Reports of data breaches are on the increase compared to 2007 figures. The Identity
Theft Resource Center (ITRC) analyzed 342 data breach reports between January 1
and June 27 of this year,
finding a 69% increase in the number of breaches reported compared to the same
time frame in 2007. Reports of breaches within businesses, health care
providers and banks rose, while reports from educational institutions, the
government and military declined. More than 20% of the data breach cases
studied were attributed to lost or stolen laptops or digital storage media,
according to the report. The number of breaches attributed to insider theft
increased from six to 16%. 44 states and Washington, D.C. now have data breach
notification laws. [Source]
See also: [Data “Dysprotection:” breaches
reported last week]
The billing records of 2.2 million University of Utah Hospital patients have been
stolen. The records were contained on backup tapes in a gray metal box and were
stolen from the vehicle of a courier who failed to deliver the box to a storage
center immediately after picking it up from the hospital on June 1. At least
1.3 million records contained patients’ Social Security numbers. The hospital
is notifying patients by mail, at an estimated cost of $500,000 for postage and
envelopes alone. The courier was fired from Perpetual Storage Inc., where he
had worked for 18 years. [Source]
More than 500 megabytes of premium health- and business-related data, along with
stolen social security numbers, have been found being offered to the highest
bidder on crimeware servers in Argentina and Malaysia. Security firm Finjan
discovered the illicit data market and issued a report about its findings.
Finjan says the findings demonstrate how the market for illegally obtained data
functions and underscore the seriousness of computer compromises. Such success
has actually been problematic for cybercriminals. As more and more information
thieves succeed in their crimes, more and more stolen data floods the market. “Not
too long ago, credit card numbers and bank accounts with PINs were selling for
$100 or more each, on Web sites offering this type of stolen information,” the
report says. “Nowadays, prices have dropped to $10 or $20 per item.” A recent
analysis of four years’ worth of data breach investigations by Verizon Business
Security Solutions found that 87% of data breaches could have been prevented
with reasonable security precautions. [Source]
Unencrypted laptops containing 31,000 patient records have been lost by two NHS trusts. A
laptop containing 11,000 patient records was stolen from a GP’s home in
Wolverhampton. And St George’s Hospital in London has admitted that six laptops
were stolen from its filing cabinets at the start of the month, containing the
records of 20,000 patients. Both data breaches break Department of Health
policy that states NHS mobile devices must be protected by encryption. Neither
trust has offered an explanation as to why the data was unencrypted. [Source]
The Information Card Foundation (ICF), a nonprofit group, was formally launched
last week by a group of industry heavyweights, including Microsoft, Oracle,
Google and PayPal. The group will focus on bridging the communication and
technology gaps that exist between the various vendor and industry group
offerings in the information card space. The group will also work to create a
more unified and consistent message to consumers and businesses about the
security and ease-of-use benefits of information cards. Information cards are
essentially the digital equivalent to physical credentials such as driver’s
licenses and state-issued ID cards. The digital version allows the holder of
the card to authenticate his identity without needing to enter a username or
password when entering a site or conducting an online transaction. Over the
short term, ICF will try to get everyone in this space to agree to the use of
standard Web site icons that will indicate the site accepts digital information
cards, he said. Over time, ICF will work on promoting interoperability via its
own recommendations as well as by organizing interoperability events and
seminars. The group will also provide informational support for projects
involving the build-out of information card infrastructure for newer platforms,
including mobile devices. ICF also hopes to get involved in developing
policies, identity rights agreements and auditing standards to ensure that such
digital cards meet legal requirements. [Source]
See also: [Identification and Privacy:
Zero-Knowledge is not Enough | Paper]
The District is rolling out an ambitious identification program this summer in what
it calls a first-of-its-kind effort by a major U.S. city to unify services on
one ID card. With the One Card, library accounts, public school attendance,
recreation-center use and other services will be tracked on a single piece of
plastic. Metro riders can have a SmarTrip chip implanted in the card. “The
eventual goal is that you’d need only one card across the entire District
government,” said the city’s chief technology officer. Over the next three
months, public libraries will begin issuing the One Card. In the fall, public
school students and D.C. government employees will receive the cards as IDs. By
2010, the Department of Parks and Recreation, which has begun issuing the
cards, will require the ID for using park facilities. Other services, including
DC Healthcare Alliance, plan to use the card. The card will be mandatory for
D.C. students and government workers, but other residents can choose not to
apply for the card. [Source]
Although far less common than more traditional types of identity theft, medical identity
theft is increasingly coming onto the radar of healthcare and governmental
officials, says a Wall Street Journal report. Stealing someone’s medical
identity entitles thieves to a buffet of opportunities, such as financial
reimbursements for false claims or the execution of major and minor surgeries.
But unlike traditional identity theft, tampering with one’s medical identity
can bring about life-threatening consequences. Some insurers have implemented
authentication practices to help prevent the practice; others are using other
means to prevent the crime. Last month the U.S. Health and Human Services
Department commissioned a study on the issue. [Source]
When it comes to the risks of identity theft, the U.S. government is not taking its
own advice. The nation’s Medicare agency and the Pentagon compel at least 52
million Americans to carry their Social Security numbers in their wallets,
contrary to warnings by the FTC that people should avoid doing so. The IRS
still tells taxpayers to write their SSN on checks used to make payments, a
potential problem for those using the mail rather than filing electronically. [SiliconValley.com]
The FTC is looking for victims of identity theft for a study on the crime. The
commission wants input from victims who contacted the FTC between January 1 and
May 30, 2008, in order to gauge their experiences while exercising their rights
under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The
FACT Act lets consumers take a variety of actions to protect their identity if
they are or feel they may become a victim of identity theft. Identity theft
ranked highest on the FTC’s list of top consumer fraud complaints for 2007. [Source]
If Canadians want to enter the United States by air, they are currently required
to present a Canadian passport. As of June 1, 2009, they will be required to
have that passport - or an alternate identification device that the U.S. has
deemed to be secure - to enter at land or sea entry points. Ontario is one of
several provinces that have announced their intention to implement an enhanced
drivers’ licence (EDL) as an alternative to a passport. Ontario’s Information
and Privacy Commissioner, Dr. Ann Cavoukian, has noted privacy issues to be
addressed in such an EDL proposal. On Wednesday, July 16, the
Commissioner, together with Professor Andrew Clement, is sponsoring a public
information forum at the University of Toronto to provide clarification about
Ontario’s proposed EDL. “We want to facilitate the provision of clear factual
information on the voluntary EDL initiative proposed in Ontario,” said
Commissioner Cavoukian. “The focus of this public forum is to help the public
understand the facts of the EDL proposal.” [Source]
See also: [Manitoba, U.S. look at
‘enhanced’ drivers licences]
A poll from Angus Reid shows Canadians are clearly divided over the government’s
proposed copyright reform legislation, with male, younger and more educated
respondents particularly opposed to the bill. Demographically, respondents
between the ages of 18 and 34 were far more opposed to the bill than their
older counterparts, with 58 per cent saying they want their MP to vote against
the bill after it receives its second reading in the House of Commons, likely
this fall. [CBC]
Google has added a link to its privacy policy on its homepage, stifling the argument
that the company might have been violating California’s online privacy
protection act by not displaying the link in a prominent enough location. On its
corporate blog, Google said “We added this link both to our homepage and to our
results page to make it easier for users to find information about our privacy
principles.” [Source]
Two months ago, Michael Geist wrote a glowing review of the Canadian Internet
Registration Authority’s new “whois” policy that was supposed to better protect
the privacy of hundreds of thousands of Canadians. The column argued that the
policy, which governs access to personal information of dot-ca domain name
registrants, would serve as a model for other domain name registries around the
world. While dot-ca registrants across the country were being advised of the
new policy, special interests representing law enforcement and trademark
holders were quietly pressuring CIRA to create a back door that will enable
these two groups to have special access to registrant information. Just days
before the new policy took effect, CIRA caved to the behind-the-scenes pressure
and took a major step backward in the implementation of its policy. CIRA has
defended the changes by arguing that the policy will be reviewed in 12 months.
Yet CIRA could just as easily have retained the no-exception policy and reviewed
its effect one year later. [Source] [Rebuttal from CIRA President and CEO]
Researchers at Carnegie Mellon University have devised the first computerized method that
can analyze a single photograph and determine where in the world the image
likely was taken. It’s a feat made possible by searching through millions of
GPS-tagged images in the Flickr online photo collection. The IM2GPS algorithm
developed by computer science graduate student James Hays and Alexei A. Efros,
assistant professor of computer science and robotics, doesn’t attempt to scan a
photo for location clues, such as types of clothing, the language on street
signs, or specific types of vegetation, as a person might do. Rather, it
analyzes the composition of the photo, notes how textures and colors are
distributed and records the number and orientation of lines in the photo. It
then searches Flickr for photos that are similar in appearance. “We’re not
asking the computer to tell us what is depicted in the photo but to find other
photos that look like it,” Efros said. “It was surprising to us how effective
this approach proved to be.” Hays and Efros found they could accurately
geolocate the images within 200 kilometers for 16% of more than 200 photos in
their test set – up to 30 times better than chance. And even if their algorithm
failed to identify the specific location, they often found that it could narrow
the possibilities, such as by identifying the locale as a beach or a desert. [Source]
Tax forms sent to 140,000 Britons included their National Insurance numbers,
visible on the mailing envelope alongside their names and mailing addresses.
The sender, HM Revenue and Customs (HMRC), blamed a wrongly calibrated machine
for the error and has agreed to flag the tax records of those affected in order
to fend off the increased threat of identity fraud. HMRC came under fire last
week on the release of a report about another breach at the department--one
that exposed the personal information of 25 million children. The report blamed
“serious institutional deficiencies” and an inadequate culture as causes of
that breach. [Source]
[HMRC & MOD data security breaches:
Tough action from Information Commissioner]
Starting next week, passengers travelling through the Kelowna International Airport will
be asked if they’re willing to be scanned by technology that allows an officer
to “see” through their clothing in search of weapons or explosives. Airport
and security officials say this technology will make air travel safer and
security lines shorter. However, one civil rights group is calling the
technology “an abomination” and a “virtual strip search.” The seven-day pilot
project was announced Thursday by the Canadian Air Transport Security Authority,
a federal government corporation that provides air security services. A
spokeswoman for the Kelowna airport said it’s the first airport in Canada to
use the technology, and the first airport in North America to pair the
full-body screening with a metal detector check. The B.C. Civil Liberties
Association said the images are so detailed they will reveal whether
passengers have had vasectomies, penile implants, mastectomies or have a
catheter inserted. Similar pilot projects are taking place at a number of U.S.
airports, including Los Angeles International, New York’s JFK airport and
Phoenix Sky Harbor airports. Moscow, Osaka and Amsterdam airports are also
using the technology. [Source] Update:
[Commissioners’
Office Refutes CATSA Statement]
A privacy feature set to be included in Firefox 3 has been dumped due to
technological concerns. Private Browsing is the feature allowing users to, in
the stroke of a key, disable all caching, cookie downloads, history records and
form data while online, says the report, meaning that you could surf without footprints.
But Mozilla’s Jonathan Nightingale said that the feature needed to be dropped
because it was likely to adversely interact with Web sites and mashups. [Source]
A report released last week shows that consumers have mixed feelings about the
use of behavioral marketing strategies used to serve them targeted ads. The
report, “Behavioral Targeting Attitudes: The Privacy Issue,” which used metrics
from a TRUSTe study, found that of the 70% of Internet users who are aware that
their browsing activities could be used by third parties to serve tailored ads,
only about 23% said they were “OK” with the method. The study also suggested
that consumers might warm up to the method if given the option to opt in to
receiving targeted ads. “One way to ensure that consumers welcome rather than
reject behaviorally targeted ads is to ask them to give their consent to
receive them,” the report said. [Source] [Press Release]
In her report on the Privacy Act, New Zealand privacy commissioner Marie
Shroff recommended the government implement a mandatory data breach
notification law. Shroff also recommended measures to better protect data
transferred in and out of the country. The government has since introduced an
amendment bill on this issue, which Shroff identified as a priority. Shroff
also recommended the establishment of a national do-not-call database. “People
are constantly raising this with me and there is widespread concern about the
intrusion of cold-calling. Other countries have moved to address it and we can
draw on their experience, so we are bringing it to the attention of the
minister and the Law Commission by suggesting they look at it quite hard.” [Source]
A Greek Supreme Court prosecutor gave police the green light to publish the
names, and even photographs, of people arrested in connection with certain
crimes including child pornography and drug dealing, even if they have yet to
be tried. As long as a prosecutor’s permission is granted, police can reveal
the identity of alleged perpetrators of “crimes against life, sex crimes, violations
of personal freedom or property, drug-related violations and crimes against
minors.” The Supreme Court prosecutor, who was responding to questions
submitted to the court by police, said officers could identify such individuals
even during the initial detention period. The point of revealing suspects’
identities, he said, is “to protect society as a whole, particularly minors and
more vulnerable members of society, and to support the State in its efforts to
punish the aforementioned crimes.” The prosecutor noted that the behavior of
individuals suspected of such crimes “is not covered by the notion of personal
data protection.” [Source] See also: [Misconfigured, virus-laden laptop nearly ruins
a life]
Australian Privacy Commissioner Karen Curtis has released 11 new case notes of finalised
complaints that are considered to be of interest to the general public. Cases
chosen involve interpretation of the Privacy Act or associated legislation in
new circumstances, illustrate systemic issues or illustrate the application of
the law to a particular industry or subject area. The case notes are intended to
offer a synopsis only and not to be a comprehensive account. It is a function
of the Commissioner to endeavour to resolve complaints by conciliation where
appropriate. As a result, the outcome in any particular case will be affected
by a number of factors, including the applicable law, the facts of the matter
and the approach to the conciliation process taken by both the complainant and
respondent. [Complaint Case Notes,
Summaries and Determinations page] [Source]
The controversial OneSchool online student database is being watered down after a
public backlash against its instigator, Education Queensland. School principals
are leading the erosion, with one primary school principal writing to parents
advising them that photos of students do not need to be posted on their
profiles. The photos were to be posted along with students’ academic
performance, career aspirations and extra curricular activities. The move
follows Education Minister Rod Welford’s defence of OneSchool when he dismissed
the idea that hackers would target the database of nearly half-a-million
students as “ridiculous, extreme and hypothetical”. [Source]
In a New York Times “Bits” blog, Brad Stone discusses the privacy paradox: the
phenomenon where “normally sane people have inconsistent and contradictory
impulses and opinions when it comes to their safeguarding their own private
information.” Stone reports that soon-to-be-released research on the topic
suggests that the less people are reminded about privacy, the more likely they
are to divulge private information. In a talk at the Security and Human
Behavior Workshop in Boston earlier this week, behavioral economist George
Loewenstein said of the research: “The cues that we rely on through culture and
evolution to tell us there is a privacy issue are not present on the Internet.”
Meanwhile, “the same technology magnifies the risk.” [Source]
A State Department audit has revealed that government workers snooped inside the
electronic passport records of celebrities. Athletes, entertainers and other
notorious Americans were among those whose records were breached. No names have
been released. One person’s data was accessed 356 times by dozens of employees.
The State Department report cited a “widespread lack of controls” on the
personal data of passport holders, according to the Post. “This is
unacceptable,” said Senator Joseph Biden (D-DE). “The report makes it clear
that the private information of over 100 million Americans is vulnerable to
unauthorized access.” More than 20,000 government workers and contractors have
access to the system that maintains the passport records. [Source]
The Federal Trade Commission today told the Senate Committee on Commerce, Science,
and Transportation that “a civil penalty may be the most appropriate remedy and
serve as a strong deterrent” to spyware distributors. Civil penalties would be
enacted when other enforcement options - seeking consumer redress or making the
operators give up their ill-gotten gains - are not appropriate or sufficient
remedies to deter spyware distributors. A Senate bill, S. 1625 Counter Spy Act,
which is still in the Commerce, Science, and Transportation committee, would give the
FTC such power. S. 1625 would protect against the unauthorized installation of
computer software, require clear disclosure to computer users of certain
computer software features that may pose a threat to user privacy, and serve
other purposes. The FTC has established a federal-state spyware law enforcement
task force to discuss issues and trends in spyware law enforcement. The task
force consists of representatives from agencies such as the Department of
Justice and state attorneys general. Federal criminal and state law enforcement
actions are a critical complement to the FTC’s law enforcement actions. In
addition to the FTC’s spyware law enforcement initiatives, the agency has made
consumer education a priority. [Source]
Dutch government officials have called on researchers at Radboud University to not
publish a paper detailing security flaws in the Mifare RFID chip used in the
UK’s Oyster prepaid public transportation smartcard. The chip was also being
used in a Dutch travel system card; that project has been postponed. One of the
researchers said that the content of the paper is not attack code, but
acknowledged that other groups may have begun developing exploit code. “Killing
the messenger does not solve the problem,” said researcher Bart Jacobs. “This
paper serves the interest of our society.” [Source]
An RFID system developed to ensure meat safety and freshness is one of the
technology highlights at the new Future Store that German retailer METRO Group
opened two weeks ago. The new store in Toenisvorst, Germany, is METRO Group’s
second Future Store, where the retailer showcases new technology and processes
in an actual retail store, and the first for its real,- hypermarket brand. Each
individual package of fresh meat at the store is labeled with a passive Gen2
RFID tag that keys applications to prevent the sale of outdated product and
provide inventory information to drive replenishment and meat cutting
operations. [Source]
See also: [Chaos Computer Club Hacker Group
Sounds Alarm on Germany’s Data Privacy]
A Rhode Island school district has announced a pilot program to monitor student
movements by means of radio frequency identification (RFID) chips implanted in
their schoolbags. Each chip would be programmed with a student identification
number, and would be read by an external device installed in one of two school
buses. The buses would also be fitted with global positioning system (GPS)
devices. Parents or school officials could log onto a school web site to see
whether and when specific children had entered or exited which bus, and to look
up the bus’s current location as provided by the GPS device. The American Civil
Liberties Union (ACLU) has criticized the plan as an invasion of children’s
privacy and a potential risk to their safety. [Source]
The results of an Ernst & Young survey show that IT fraud and data privacy rank
low on the list of concerns of CIOs and internal audit chiefs, says a Director
of Finance Online report. Internal audit chiefs ranked corporate breaches and
data privacy sixth on their list of top ten IT risks for their organization,
and CIOs surveyed ranked the areas ninth. Overall, 65% of both groups do not
feel that data privacy and IT fraud are a serious threat to their
organisations. Ernst & Young’s Erol Mustafa said that making data privacy
part of an organisation’s overall risk management and compliance strategy will
help them address privacy risks more effectively. [Source]
See also: [UK: Mobile warriors leaking
company secrets]
Nearly nine in 10 data breaches could have been prevented had reasonable security
measures been in place, according to a comprehensive report issued by Verizon
Business. The study also provides key recommendations to help organizations
protect themselves and urges them to be proactive. The “2008
Data Breach Investigations Report” spans four years and more than 500
forensic investigations involving 230 million records, and analyzes hundreds of
corporate breaches including three of the five largest ones ever reported. This
study also found that 73% of breaches resulted from external sources versus 18%
from insider threats, and most breaches resulted from a combination of events
rather than a single hack or intrusion. Some of the findings may be contrary to
widely held beliefs, such as the idea that insiders are responsible for most
breaches. Key findings include:
· Most data breaches investigated were caused by external sources. 39% of
breaches were attributed to business partners, a number that rose five-fold
during the course of the period studied.
· Most breaches resulted from a combination of events rather than a single
action. 62% of breaches were attributed to significant internal errors that
either directly or indirectly contributed to a breach. For breaches that were
deliberate, 59% were the result of hacking and intrusions.
· Of breaches caused by hacking, 39% were aimed at the application or software
layer. Attacks to the application, software and services layer were much more
commonplace than operating system platform exploits, which made up 23 percent.
Fewer than 25% of attacks took advantage of a known or unknown vulnerability.
Significantly, 90% of known vulnerabilities exploited had patches available for
at least six months prior to the breach.
· Nine of 10 breaches involved some type of “unknown” including unknown
systems, data, network connections and/or account user privileges.
Additionally, 75% of breaches are discovered by a third party rather than the
victimized organization and go undetected for a lengthy period.
· In the modern organization, data is everywhere and keeping track of it is an
extremely complex challenge. The fundamental principle, however, is quite
simple - if you don’t know where data is, you certainly can’t protect it.
The study shows that there is a growing worldwide black market for stolen data. The
breaches investigated represent a broad spectrum of industries. The retail and
food and beverage industries account for more than half of all cases
investigated. By contrast, financial services – an industry with great monetary
assets that are also typically well-protected, especially when compared to
other sectors – accounted for 14% of breaches studied. The report offers a
number of recommendations for enterprises. [Source]
A Ponemon Institute survey of 106 airports in 46 states found that as many as
637,000 laptops are reported lost each year. Overall, more than 12,000 laptops
are reported lost at the airports every week, and 67% are never recovered. The
36 largest US airports account for more than 10,000 lost laptops each week. The
laptops are most commonly lost at security checkpoints and departure gates. The
survey also included feedback from 864 business travelers: 53% said their
laptops held confidential data; 42% said their data was not backed up; 16% said
they would do nothing if they lost a laptop while traveling on business; 77%
said the chance of recovering a lost laptop was less than ten percent. The
study was commissioned by Dell, which has just released “a suite of data
protection and asset protection services,” including laptop tracking and remote
data deletion. [Source] [Study] [Source] [Source]
See also: [Increase in Stolen Laptops Endangers Data Security]
Businesses, governments and universities reported a 69% increase in data breaches in the
first half of 2008 compared with a similar period in 2007, according to a study
by a nonprofit group that works to prevent fraud. The Identity Theft Resource
Center in San Diego tracked 342 data breach reports from Jan. 1 to June 27.
More than one-third of the reports came from businesses, a 27% increase over
2007. The center found that data breaches among health-care providers and banks
also increased. They now account for 15% and 10% of the breaches, respectively.
Breaches from educational institutions, government entities and the military
declined for the third year in a row, the center found. Yet Linda Foley, the
center’s co-founder, said it is difficult to say whether the numbers show an
increase in breaches, an increase in reporting, or both. She said better state
laws on data breach notification also might be encouraging more companies to
audit their own security measures. Hacking was the least-cited cause of data
breaches in the first six months of this year. Instead, lost or stolen laptops
and other digital storage media remain the most frequently cited cause of data
breaches, accounting for more than 20% of all reported cases, the center found.
The inadvertent posting of personal and financial data online prompted roughly
15%. Although the share of breaches from laptops and other mobile media fell
nearly 8 percentage points from last year, breaches caused by information
stolen by someone inside the company increased from 6% in all of 2007 to nearly
16% so far this year. An additional 13.5% of breaches came from subcontractors who
lost or stole their clients’ customer data. The breaches studied this year
involved almost 17 million consumer records. Foley said the true number of
records jeopardized by those breaches is probably far higher. In nearly 40% of
the breaches, the companies have not disclosed how many consumer records were
lost or stolen. Some 44 states and the District now have laws requiring
companies and organizations that experience a data loss or breach to alert
affected consumers. But Foley said that just three states -- Maryland, New
Hampshire and Wisconsin -- require reporting to state officials and routinely
publish that information online. [Source]
New survey results from CA Canada reveal that incidents of confidential data loss
have doubled over the past two years, says an itbusiness.ca report. The survey
polled 200 IT security executives nationwide, finding that more than 20% of
Canadian enterprises experienced a loss of private data, says the report.
One-third of respondents feel that internal security breaches are the biggest
threat to their enterprise. A CA Canada spokesperson said that, while most
organizations have the tools to combat viruses and network attacks, “the
internal breaches need to be tackled.” [Source]
Advocacy groups and some legal experts told Congress last week that it was unreasonable
for federal officials to search the laptops of U.S. citizens when they re-enter
the country from traveling abroad. Civil rights groups have said certain ethnic
groups have been selectively profiled in the searches by Border Patrol agents
and customs officials who have the authority to inspect all luggage and cargo
brought into the country without obtaining warrants or having probable cause.
Companies whose employees travel overseas have also criticized the inspections,
saying that the search of electronic devices could hurt their businesses. The
federal government says the searches are necessary for national security and
for legal action against people who bring illegal material into the country. [Source] [Source] [Source]
[Case story] [Case story] [Case story] [Case story] [Case story]
A study from the Ponemon Institute reveals a disconnect between what privacy and
security officers believe about the level of protection afforded customer data
and what the marketing department is actually doing with the data. Eighty
percent of respondents from marketing departments said their companies share
customer email addresses with third parties, while just 47 percent of security
and privacy officers said they shared email addresses. Twenty-nine percent of
marketing respondents said they believe their companies share Social Security
numbers, while just seven percent of privacy professionals said their companies
shared that information. There is no reason to believe that conflicting
responses came from within the same company, but the general trend is
worrisome. The study was funded by Strongmail. [Source]
Microsoft’s June security updates were bad news for online criminals who make their living
stealing password information from online gamers. The company’s Malicious
Software Removal Tool -- a program that detects and removes viruses and other
bad programs from Windows machines -- removed game password-stealing software
from more than 2 million PCs in the first week after it was updated to detect
these programs on June 10. One password stealer, called Taterf, was detected on
700,000 computers in the first day after the update. “These are ridiculous
numbers of infections my friends, absolutely mind-boggling,” wrote Matt
McCormack, a spokesman with Microsoft’s Malware Response Center, in a Friday
blog posting. Between June 10 and June 17, Microsoft removed Taterf from about
1.3 million machines, he said. [Source]
Dutch security researchers rode the London Underground free for a day after easily
using an ordinary laptop to clone the “smartcards” commuters use to pay fares,
a hack that highlights a serious security flaw because similar cards provide
access to thousands of government offices, hospitals and schools. There are
more than 17 million of the transit cards, called Oyster Cards, in circulation.
Transport for London says the breach poses no threat to passengers and “the
most anyone could gain from a rogue card is one day’s travel.” But this is
about more than stealing a free fare or even cribbing any personal information
that might be on the cards. Oyster Cards feature the same Mifare chip used in
security cards that provide access to thousands of secure locations. Security
experts say the breach poses a threat to public safety and the cards should be
replaced. “The cryptography is simply not fit for purpose,” said security
consultant Adam Laurie. “It’s very vulnerable and we can expect the bad guys to
hack into it soon if they haven’t already.” The Dutch government has taken the
breach seriously and says it is upgrading the smartcard system that secures its
buildings. “It’s a national security issue,” a spokesman for the Dutch Interior
Ministry told reporters. “We’re in the process of replacing the cards of all
120,000 civil servants at central government level.” [Source]
Ontario has planned a public information forum in July to address privacy issues for an
enhanced drivers’ license (EDL) that can be used as an alternative to a
passport when entering the U.S. by air. The U.S. will require a passport, or an
alternate identification device deemed to be secure by that country, to enter
at land or sea entry points as of June 1, 2009. Ontario is one of several
provinces that have announced an intention to implement an EDL. The public
information forum will be held July 16 at the Faculty of Information Studies,
University of Toronto from 8:30 a.m. to 12:00 p.m. “We want to facilitate the
provision of clear factual information on the voluntary EDL initiative proposed
in Ontario,” said Dr. Ann Cavoukian, Ontario’s Information and Privacy
Commissioner. “The focus of this public forum is to help the public understand
the facts of the EDL proposal.” [Source]
See also: [Vermont ‘enhanced licenses’
available in January]
Deployment of a national access card will be a job for private industry, not government,
according to the federal Human Services Minister, Joe Ludwig. The government
launched scathing criticism at the Howard government’s plans for a national
identity card, but has remained open to the philosophy behind the initiative.
Speaking at the 2008 Australian Smart Cards Summit in Sydney Wednesday, Ludwig
said the government does not reject the idea of a national identity card, but
will not deploy it without private investment. Ludwig said further
collaboration is required between government and non-governmental agencies to bolster
the framework and delivery of national smart card initiatives, including the
income management card. [Source]
Six universities will share a $7.5 million Defense Department (DOD) grant to
help agencies find ways to share sensitive information while also ensuring
privacy and security of that information, says a Government Computer News
report. A lack of information sharing among intelligence and law enforcement was
cited by the 9/11 commission as one of the problems leading to the terrorist
attacks. Purdue University, University of Michigan, University of Texas at
Dallas, University of Texas at San Antonio, University of Maryland-Baltimore
County and University of Illinois at Urbana-Champaign will form
multidisciplinary teams to study several privacy-related issues including
digital rights management and data mining. The grant comes from the DOD’s Multi
University Research Initiative program. [Source]
Charter Communications, one of the largest providers of cable-based broadband service
in the U.S., has backed off of a plan to insert advertisements onto Web pages based
on its users’ Web-surfing habits after privacy advocates called the program an
“attack on users.” Charter said it has suspended a pilot program to use NebuAd,
a behavioral advertising vendor, to track its users’ Web-surfing habits and
deliver advertising based on that information. Charter’s decision comes less
than a week after two digital rights groups, Public Knowledge and Free Press,
accused NebuAd and participating broadband service providers of using security
exploits to spy on users. Charter’s original focus groups on the targeted
advertising suggested most customers would “look upon this service favorably,”
Charter said in a statement. However, since then, customers have raised
questions and suggested improvements to the program, the company said. [Source] [Source] [Source]
See also: [Wiki NebuAd entry]
[Digital rights groups hit ISP ad firm for
spying on users]
The European Court of Human Rights has ruled Britain breached international
conventions by monitoring emails and phone calls between Ireland and the UK.
Three organisations recently won their case against the British government for
the monitoring of communications between Ireland and the UK. The Irish Council
for Civil Liberties, Liberty and British-Irish Rights Watch won their claim
that the surveillance violated privacy law. The monitoring of emails and
telephone calls occurred over a seven year period in the 1990s. The European
Court of Human Rights ruled that the surveillance violated the right to privacy
laid out in the European Charter of Human Rights. [Source]
[Source] See also: [British lawmaker quits in protest at planned
terror laws]
Newly designed artificial intelligence software gives closed-circuit television
cameras (CCTV) the eyes and ears of the neighborhood. Researchers at the
University of Portsmouth have developed the software, which will allow CCTVs to
recognize noteworthy sounds and swivel their lenses toward the noise to record. For
example, the cameras would be attracted by sounds such as windows smashing or
crowd noise, and could even recognize specific words. But, said researcher
David Brown of the university’s Institute of Industrial Research, “We are only
listening for specific words associated with violence, not full conversations.”
According to the report, the goal is to use the software to better capture
criminal acts on camera and improve response times. [Source]
The Senate, clearing a key parliamentary hurdle, has voted to begin debating a
broad revision of U.S. intelligence laws that includes a controversial plan to
grant immunity to telecommunications companies that assisted in the Bush
administration’s warrantless wiretapping program. On a vote of 80 to 15, the
Senate officially began debate on a sweeping rewrite of the Foreign
Intelligence Surveillance Act of 1978, with an eye toward final passage of
the bill as early as this week. The large margin demonstrated that the bill’s
opponents – the ACLU and other privacy rights organizations – do not have
enough support to derail the measure through a filibuster, which Sens. Russell
Feingold (D-Wis.) and Christopher J. Dodd (D-Conn.) had threatened. The bill
would require that the secret FISA court approve procedures for intercepting
foreign nationals’ e-mails and telephone calls. Spying on U.S. citizens,
including those overseas, would require individual warrants from the same
court. It also would establish the FISA law, and the secret court it created,
as the final legal authority on government spying. House Speaker Nancy Pelosi
(D-Calif.) and Sen. Barack Obama (D-Ill.), the party’s presumptive presidential
nominee, have cited the exclusivity provision as the main reason they supported
the bill. They said it is a rejection of President Bush’s stance that his wartime
powers gave him authority to approve the defunct warrantless wiretapping
program. The telecom immunity provision continues to be the bill’s source of
conflict. “This bill will effectively and unjustifiably grant immunity to
companies that allegedly participated in an illegal wiretapping program,”
Feingold said. Under the bill, the nation’s largest telecom companies could
have the more than 40 lawsuits they face dismissed by a U.S. district judge if
they prove they received written assurance from the Bush administration that
the spying was legal. Supporters and opponents of the legislation consider the
court review a formality. Rockefeller’s committee has released a report showing
that the companies received such letters earlier this decade. In yesterday’s
preliminary vote, 31 Democrats and one independent voted to debate the bill. [Source] See also [NYT: Congress Strikes Deal to Overhaul Wiretap
Law]
One of the U.K.’s largest insurance companies has scrapped a high-tech vehicle
insurance plan that tracked drivers using GPS (Global Positioning System),
watching where they drove, their speed and at what time of day. The “Pay as you
drive” plan from Norwich Union was intended to give drivers a more flexible
option for covering their vehicles based on the actual circumstances under
which they were driving. Cheaper rates were offered for off-peak driving. But
after two years, a slower-than-expected installation of in-car GPS devices by
vehicle manufacturers put the insurer at an endless red light. The insurance
plan has been “paused” for now, said Norwich Union. However, “we have every
belief that telematics-based insurance is going to be a main driver in the
insurance industry,” Nelson said. [Source]
Two civil liberties groups filed a lawsuit against the U.S. government this week,
seeking records related to the government’s use of cellphones as tracking
devices. The ACLU and the Electronic Frontier Foundation sued the government in
federal court in Washington under the Freedom
of Information Act. Last November, the ACLU had filed a FOIA request with
the Justice Department for documents, memos and guides regarding the policies
for tracking people through the use of their cellphones. The groups also want
to know how many times the government sought location information without first
establishing probable cause that a crime was taking place. The ACLU’s FOIA
request was made after an article in The Washington Post last fall revealed
that federal officials were routinely asking courts to order cellphone
companies to furnish real-time tracking data on individuals and that courts
sometimes have ordered the data released without first requiring a showing of
probable cause. [Source]
Viacom wants the records of all Internet users who have watched videos on YouTube
since its 2005 inception, and a federal judge has ordered YouTube owner Google
to turn over the information. The data will be used by lawyers in Viacom’s $1
billion copyright suit against the company. The order requires Google to turn
over the login name and IP address of every user who has watched every video on
the site, a number in the hundreds of millions. The companies are reportedly
looking for ways to protect the resulting information, but have yet to come to
consensus on how to do that. [Source]
update: [Viacom-YouTube Ruling Triggers
Far-Reaching Privacy Concerns]
The federal government, speaking on behalf of former Verizon phone service
customers, has sent the communications company a stern message: Stop trying to
woo back those consumers who have opted for a new provider. They’ve moved on.
No more letters. No more presents. No more anything. Verizon had been using its
proprietary data to contact former customers and try to persuade them to give
the company another try. But a majority of members of the Federal
Communications Commission said such practices are illegal and infringe a
consumer’s privacy. [Source]
A recent Government Accountability Office (GAO) report says that agencies should
give their senior privacy leaders full oversight over all key privacy
functions, says a Federal Computer Week report. After reviewing 12 government
agencies, the GAO concluded that in order for agencies to ensure consistent
implementation of privacy protections and effectively protect the personal data
collected by the government, privacy officials must have more oversight.
Currently, six out of the 12 agencies reviewed give their senior privacy
officials such leverage. In its report, the GAO recommended the other six
revise their policies to follow suit. [Source]
A senior government official with the U.S. Department of Homeland Security (DHS)
has expressed great interest in a so-called safety bracelet that would serve as
a stun device, similar to that of a police Taser. According to a promotional
video found at the Lamperd Less Lethal website, the bracelet would be worn by
all airline passengers. This bracelet would:
The Electronic ID Bracelet, as it is called, would be worn by every traveler
“until they disembark the flight at their destination.” Every airline passenger
would be tracked by a government-funded GPS device, the bracelet would contain
personal, private and confidential information, and it would shock the customer
worse than an electronic dog collar if he or she got out of line. [Source]
Conn. Governor M. Jodi Rell signed into law legislation to help safeguard personal
information such as Social Security numbers, driver’s license numbers and
insurance, bank and credit card account numbers. Governor Rell said, “This bill
protects not just Social Security numbers, but any personal information. The
law requires anyone possessing such information to safeguard it, along with the
computer files and documents containing it, and specifically mandates that
businesses that collect Social Security numbers develop a privacy protection
policy. Those who violate the law will be subject to civil penalties of $500,
up to a maximum of $500,000 per instance.” [Source]
The American Civil Liberties Union has filed a federal lawsuit on behalf of privacy
advocate Betty “BJ” Ostergren, whose failed quest to stop Virginia state and
county offices from posting public records containing Social Security numbers
on their Web sites instead resulted in a law prohibiting others from reposting
publicly-available sensitive information. Virginia recently amended its
Personal Information Act to prohibit individuals from disseminating public
records containing SSNs, even if they are publicly available on county
government Web sites. ACLU Virginia’s legal director Rebecca Glenburg says that
“Under the First Amendment, people have the right to publish truthful
information that is publicly available.” [Source]
[ACLU lawsuit] [ACLU Statement]
The Government Accountability Office (GAO) says that Congress should update the
Privacy Act of 1974 in order to ensure that citizens’ data is protected, says a
USA Today report. The results of a new GAO report showing that the government
is not doing enough to secure the data it collects on citizens will be shared
in today’s hearing by the Senate Homeland Security Committee. “It is essential
for the government to collect and use personal information,” said Committee
Chairman Joe Lieberman, adding that the government must “properly balance our
many policy goals against potential incursions on privacy.” [Source]
Other US Legislative News: [New
Indiana law aimed at identity theft victims] [Missouri
Gov. signs identity theft bill]
One in three information technology professionals abuses administrative passwords
to access confidential data such as colleagues’ salary details, personal
e-mails or board-meeting minutes, according to a survey. U.S. information
security company Cyber-Ark surveyed 300 senior IT professionals, and found that
one-third admitted to secretly snooping, while 47% said they had accessed
information that was not relevant to their role. “For most people,
administrative passwords are a seemingly innocuous tool used by the IT department
to update or amend systems. To those ‘in the know’ they are the keys to the
kingdom,” he added. Cyber-Ark said privileged passwords get changed far less
frequently than user passwords, with 30% being changed every quarter and 9%
never changed at all, meaning that IT staff who have left an organization could
still gain access. It added that seven out of 10 companies rely on outdated and
insecure methods to exchange sensitive data, with 35% choosing email and 35%
using couriers, while 4% still relied on the postal system. [Source]
The Ninth U.S. Circuit Court of Appeals in San Francisco ruled that users of text
messaging services have a reasonable expectation of privacy under the Fourth
Amendment, even if the employer is paying for the service, says a CNET report.
The opinion stemmed from a city police department’s internal affairs
investigation during which investigators retrieved text messages from the SMS
provider to find out whether they were work related or personal. The court also
ruled that the SMS provider in this case violated the Stored Communications
Act, which prohibits the release of electronic communications without the
consent of the sender or recipient. [Source]
[Source]
--------