Privacy News Highlights

30 May–10 June 2008

 

Contents:

US – Bush Pushes Biometrics for National Security

CA – Canadian Privacy Commissioner Halts Collection of Fingerprints by LSAC

CA – Privacy Commissioners Issue Joint Resolution on Child Privacy Online

CA – BC OIPC Says 41 Days Too Long for Breach Notification

CA – New Brunswick Government to Amend Its Information and Privacy Legislation

CA – Transparency Needed on ACTA: Advocates

WW – Slower Internet Growth Due to Privacy, Security Concerns: Study

CA – Ticketmaster Revises its Privacy Practices in Canada

WW – OECD Wants You on YouTube

UK – Council Snoopers Access 900 Phone Bills

US – Proposal to Strengthen Health Information Technology Released

US – Instant Rx Access Considered

UK – Password Sharing Leaves NHS Audit Trail In Tatters

EU – Electronic Identity Project Aims for Seamless Movement Between EU Countries

UK – Public Demands Data Breach Legislation: Survey

EU – Hungary Scores Highly for Data Protection

EU – E-mail, Phone Monitoring to be Voted on by Swedish Government

CA – Event: Youth Privacy Online: Take Control, Make It Your Choice!

US – Three Major ISPs Agree To Block Child Pornography

US – New PCI Compliance Deadlines Loom

US – CDT Supports Transparency Act Improvements

EU – DNA Database Under Threat From European Court, Warns Police Chief

US – CDT Testimony Supports Draft Health Information Legislation

US – Students’ Tax Returns Filed Fraudulently; United Healthcare is Source of Data Leak

US – Stolen AT&T Laptop Holds Unencrypted Management Compensation Data

US – Stanford: Stolen Laptop May Affect 72,000

CA – Stolen Computer Holds Canadian Farmers’ Data

US – U.S. to Make Foreign Visitors Register Online

CA – Enhanced Drivers’ Licences Under Scrutiny

CA – Ontario Introduces Enhanced Driver’s Licence and Photo ID Cards

CA – Electronic Identity Project Aims for Seamless Movement Between EU Countries

UK – Committee Warns ID Cards ‘could threaten privacy’

WW – Microsoft Disputes CardSpace Can Be Hacked

US – CDT Releases “Internet in Transition”; Launches Companion Web Site

US – CFP08 Videos Up On the Conference Web Site

US – Potential Government Interception Worries Lawyers

WW – Commissioner Questions Cloud Computing

CA – Univ. Of Ottawa Clinic Launches Privacy Complaint Against Facebook

CA – Ontario Privacy Commissioner Releases Facebook Privacy Video

WW – MySpace Privacy Flaw Exposes Paris Hilton, Lindsay Lohan Pics

UK – ICO Issues New Guidance on Transfer of Employee Information

HK – Hong Kong Immigration to Tighten Data Handling Measures

US – Man Accused of Causing Suicide, Stealing Identity

US – Study Shows Notification Laws Don’t Reduce ID Thefts

US – Government Sought Customer Book Purchasing Records from Amazon.com

US – Congressional Investigation of ISP Data Collection Scheme Urged

CH – Microchipped Olympic Tickets Cause Privacy Concerns

UK – Password Sharing Leaves NHS Audit Trail in Tatters

AU – Service Launched to Warn of E-Crimes

US – Retracing Your Public Transit Steps

US – Study Secretly Tracks Cellphone Users

US – NY Split Panel Affirms Warrantless Use of GPS Device

UK – Police Did Not Breach Rights When Photographing Protester

EU – Study: Surveillance Changes Behavior

EU – Germany Considers Surveillance Legislation

UK – BT’s Secret Phorm Trial Caused Some Browsers to Crash

UK – Study Tracked People by Cell Phone for Six Months

CH – China’s Golden Shield Surveillance Society

CA – Bell Canada Sued For Throttling Internet Speeds

US – FTC: Pretexting Decreases Privacy

US – TSA Bans ID-Less Flight

US – California Patient Rx Bill One Step Closer to Passing

UK – ICO Issues New Guidance on Transfer of Employee Information

IS – Israel: Histadrut, Employers Draft Agreement Over Employee Computer Privacy

AU – Email Leaks Lead to Increase In Sackings

US – Bush Pushes Biometrics for National Security

A presidential directive issued last week requires federal agencies to collaborate on methods used to collect, store and share biometric data--such as fingerprints, face and iris recognition data and behavioral characteristics--of people thought to be a threat to national security. The directive aims to ensure biometric compatibility and interoperability among departments. Under the directive, agencies must share biometric information on those whom authorities have an “articulable and reasonable suspicion that they pose a threat to national security,” says the report. [Source]

 

CA – Canadian Privacy Commissioner Halts Collection of Fingerprints by LSAC

A complainant objected to the requirement that students enrolled at Canadian universities be fingerprinted in order to write the Law School Admission Test (LSAT). The test’s creator, the Law School Admission Council (LSAC), stated that its purposes for collecting thumbprints were to assure the authenticity of test scores and to protect the integrity of the testing process. It acknowledged, however, that its primary purpose was one of deterrence – to prevent another individual from taking the test on behalf of the registered test-taker. The Assistant Commissioner was of the view that fingerprinting did not effectively meet the stated purpose, nor were the prints ever actually used for their intended purpose. This had the effect of making the loss of privacy greater than the benefit gained. In short, it was clear to her that this purpose could be appropriately met by authenticating candidates when they arrive to take the test. She therefore determined that the collection of fingerprints is beyond that required to fulfil the stated purpose, and is not limited to that which is necessary for this purpose. The Assistant Commissioner recommended that the company cease collecting fingerprints from students in Canada. The company responded that it would do so; however, it would collect photographic evidence instead. Moreover, it reserved the right to reinstate its fingerprint policy at any time. The Assistant Commissioner found that the collection of photographs was substantially less problematic than the collection of thumbprints, and that the organization had not simply substituted one unacceptable collection and retention practice for another. [Source] [Report]

 

CA – Privacy Commissioners Issue Joint Resolution on Child Privacy Online

To kick off their annual meeting in Regina, Canada’s privacy commissioners and ombudsmen issued a joint resolution on improving online privacy for children and young people. “As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs,” said the Manitoba ombudsman. The commissioners launched an interactive Web site, www.youthprivacy.ca, to aid their effort. The site includes advice and tools to become privacy-savvy, and a blog where young people can discuss how new technologies are affecting their privacy. At the meeting, the commissioners also launched the “My Privacy and Me” national video competition. [Source]

 

CA – BC OIPC Says 41 Days Too Long for Breach Notification

On May 7th, the British Columbia OIPC issued an investigation report in which it held that the Ministry of Health breached the security measures provision of the BC Freedom of Information and Protection of Privacy Act in circumstances involving the loss of unencrypted magnetic tapes that contained the personal information of B.C. residents who received health care in New Brunswick. The OIPC held that the Ministry breached the Act in light of the following actions:

  • sending data on unencrypted magnetic tapes (even though the data on the tapes would not be highly accessible given the near-obsolescence of the medium)
  • not requiring the sender to give notification of when the package would be received and not requiring the sender to use a courier with a tracking service (which contributed to the delay in discovering the package had been lost)
  • not instructing the sender to refrain from sending another unencrypted tape while the incident was still under investigation
  • taking 41 days to notify individuals of the breach

The OIPC also held that the Ministry did not follow best practice by only notifying the OIPC shortly before it gave notice to the affected individuals. It expressed a desire to help public bodies develop effective strategies to mitigate the risk of harm flowing from data breaches. [Source] [Investigation Report F08-02]

 

CA – New Brunswick Government to Amend Its Information and Privacy Legislation

The New Brunswick government has tabled a long-awaited bill to update the province’s Access to Information Act. Supply and Services Minister Jack Keir says a new Access to Information and Privacy Commissioner will be appointed, separating those duties from the already busy Ombudsman’s office. Keir says the Act has been broadened to include government, regional health authorities, school districts, universities, municipalities, municipal organizations, as well as provincial agencies, boards and commissions. While people would be able to appeal a decision not to release information, the new Bill doesn’t give the commissioner the power to order it released. [Source] [Source] [New information legislation a ‘significant improvement’]

 

CA – Transparency Needed on ACTA: Advocates

Last week, Canadian negotiators met with representatives from the U.S., Europe and Japan at the U.S. Mission in Geneva to negotiate the Anti-Counterfeiting Trade Agreement (ACTA). The ACTA, shrouded in secrecy until a leaked summary of the agreement appeared on the Internet last month, has sparked widespread opposition as Canadians worry about the prospect of a trade deal that could lead to invasive searches of personal computers and increased surveillance of online activities. Public disclosure of the draft documents might put an end to fears about iPod-searching border guards by clarifying the true intent of the treaty. Moreover, it could focus attention on other key concerns, including greater Internet service provider filtering of content, heightened liability for websites that link to allegedly infringing content and diminished privacy for Internet users. Greater transparency would also lead to a more inclusive process. To date, the ACTA negotiations have excluded both civil society groups as well as developing countries. In fact, reports suggest that trade negotiators have been required to sign non-disclosure agreements for fear of word of the treaty’s provisions leaking to the public. [Source]

 

WW – Slower Internet Growth Due to Privacy, Security Concerns: Study

Financial services research organization Stanford Group forecasts possible slowed growth in Internet advertising due to widespread discomfort among consumers and governmental officials about behavioral targeting – the method online advertisers use to track consumers’ online behavior so they may tailor ads to individuals. Stanford Group cites action in state legislatures and the FTC’s call for industry self-regulation as some of the signs that the model may face future regulation. In a statement, Stanford said: “We think the growing government scrutiny is likely to make it easier for consumers to opt out of behavioral tracking, which in turn will reduce the number of Web surfers that can be reached through behavioral advertising.” [Full Story]

 

CA – Ticketmaster Revises its Privacy Practices in Canada

In April 2008, the Privacy Commissioner of Canada recommended that a major U.S.-based online ticket vendor change its practices in order to satisfy Canada’s privacy laws. The move came in response to a complaint by a private citizen alleging that the policies and practices of Ticketmaster Canada Limited with regard to the collection, use and disclosure of customers’ personal information violated PIPEDA. [Source]

 

WW – OECD Wants You on YouTube

The Organization for Economic Cooperation and Development (OECD) is asking for your input. Later this month, the OECD will host a high-level meeting of worldwide government officials in Seoul. At “The Future of the Internet Economy,” leaders will create and promote policies to enhance online confidence, technological convergence and creativity. OECD wants input from government attendees, industry, civil society groups and the general public, and has set up a YouTube channel for soliciting questions and comments. While the OECD does not generate binding treaties, its studies and recommended practices have proved influential. For example, the organization’s 1980 Privacy Guidelines became the framework of later national laws. [Source]

 

UK – Council Snoopers Access 900 Phone Bills

UK councils have used laws designed to combat terrorism to access more than 900 people’s private phone and email records in the latest example of Britain’s growing surveillance state. Town hall spies found out who residents were phoning and emailing as they investigated such misdemeanours as dog quarantine breaches and unlicensed storage of petrol. The news prompted fresh calls from civil rights groups for a reform of the Regulation of Investigatory Powers Act (RIPA). [Source]

 

US – Proposal to Strengthen Health Information Technology Released

Members of the House Committee on Energy and Commerce have released draft legislation designed to strengthen the quality of health care and reduce medical errors and costs by encouraging the adoption of Health Information Technology (HIT). The discussion draft provides a roadmap for effectively promoting HIT and strengthening privacy protections for patients. “Although shifting from paper to electronic health records would greatly benefit patients and health care providers, we currently lack the infrastructure to make this much-needed transition work,” said the Committee Chairman. “The provisions included in this proposal will encourage faster adoption of health information technology while also ensuring that patients’ health information is protected.” [Source] [draft legislation]

US – Instant Rx Access Considered

California Attorney General Jerry Brown wants to update the state’s prescription monitoring system in order to more effectively fight prescription drug abuse. The proposed update involves revamping the Controlled Substance Utilization Review and Evaluation System so that doctors and pharmacists could obtain patient prescription drug histories almost instantly online. The database contains 86 million entries for prescription drugs dispensed in California. Beth Given of San Diego’s Privacy Rights Clearinghouse said the online access has upsides and downsides. “Obviously there is a good reason for it, but there could be significant privacy abuses that could end up harming individuals.” [Source]

 

UK – Password Sharing Leaves NHS Audit Trail In Tatters

Investigators have been unable to trace a doctor involved in a medical blunder that ended in a patient’s death because staff in a Devon hospital had been sharing computer passwords. The case shows the incompatibility between the way doctors work in practice and the high security needed to protect large databases of confidential patient information under the £12.7bn National Programme for IT (NPfIT). Password sharing is said to be endemic in the NHS, partly because space for computer screens in wards is limited, as is time for clinicians to log in and out. Officials at NHS Connecting for Health who help run the NPfIT have said many times that national systems are more secure than paper records, in part because audit trails show who has viewed what patient records. [Source]

 

EU – Electronic Identity Project Aims for Seamless Movement Between EU Countries

This week, the European Commission unveiled a pilot project to ensure cross-border recognition of national electronic identity (eID) systems and enable easy access to public services in 13 member states. Throughout the EU, some 30 million national eID cards are used by citizens to access a variety of public services such as claiming social security and unemployment benefits or filing tax returns. The Commission’s project will enable EU citizens to prove their identity and use national electronic identity systems (passwords, ID cards, PIN codes and others) throughout the EU, not just in their home country. The plan is to align and link these systems without replacing existing ones. The project will run for three years and receive €10 million funding from the European Commission and an equal contribution from the participating partners. [Source] See also: [Cyber-democracy: Congress urges authorities to use E-tools for better interaction between elected representatives and citizens]

 

UK – Public Demands Data Breach Legislation: Survey

Public demand for EU or UK legislation mandating the disclosure of data breaches is growing, according to recent research by Symantec and Ipsos Mori. The results showed that 96% of the general public would want to be notified in the event of their personal details being lost or stolen. The loss of bank account details topped the list for notification at 85%, followed by passport number at 52%. However, research by content security firm Clearswift suggests that nine out of 10 UK IT managers believe that the general public should not be informed if a data breach occurs, and 61% do not even think that the police should be informed. Surprisingly, 60% of the UK respondents to the poll were unaware of the possible introduction of data breach notification legislation. When informed, half were in favour of such legislation being implemented. [Source] and also [Industry wary of data breach legislation]

 

EU – Hungary Scores Highly for Data Protection

An EU survey has found that Hungarians are more aware of data protection issues than the average EU citizen. While Greece ranked first, Hungarians are more knowledgeable of the organizations responsible for keeping their personal data from the wrong hands. Hungarians scored among the top three countries in half of the questions asked in the survey. While 28% of EU citizens know that a data protection ombudsman exists, this figure is 46% in Hungary. While 48% of Europeans feel that their personal data are adequately protected, this rate is 54% among Hungarians. Regarding their understanding of stricter regulations for handling sensitive information, such as health data and party affiliation, Hungarians finished in second place. This year’s survey concluded that in the older democracies of Europe, the quality of data protection is declining, while in the younger ones it is improving. The study is concerned about the rapidly increasing quantity of databases held on citizens and the proliferation of identification and fingerprint scanning equipment used without regard for citizens’ personal rights. [Original Story (in Hungarian)] [Source]

 

EU – E-mail, Phone Monitoring to be Voted on by Swedish Government

A bill that will allow local authorities to monitor all types of wired traffic, including e-mails, fax messages and telephone calls, is about to be voted on by the Swedish government. This week, the Swedish Parliamentary Committee on Defence approved the bill, which was published last year. The Committee also said more safeguards are needed, including additional details on when the data can be used, how it should be destroyed and who can access it. “We are about to give up an important right, not to be monitored by the state unless there are suspicions of serious crimes,” said the head of Swedish think tank Timbro. “One problem is that the lawmakers assume people in charge always have good intentions, and history has shown that is simply not the case.” The bill will let the Swedish Defence Radio Establishment listen in on wired traffic that passes Swedish borders, to protect against foreign threats. Authorities can turn to the Defence Radio Establishment when they need information. The bill also regulates wireless monitoring already conducted by the Defence Radio Establishment. [Source]

 

CA – Event: Youth Privacy Online: Take Control, Make It Your Choice!

Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, is inviting professionals with an interest in privacy and the safety of youth online to a one-day conference on September 4, 2008, at the Toronto Eaton Centre Marriott. Learn how children and youth can protect their privacy while continuing to extensively use the Internet - positive sum, not zero-sum. Other speakers include Parry Aftab, Esq., lawyer and advocate for the cyber-safety of children; Chris Kelly, Chief Privacy Officer of Facebook; and Alejandro (Alex) R. Jadad, MD, DPhil, FRCPC, FCAHS, UHN e-health innovation. Let’s put more knowledge about privacy into the hands of children and youth. For more information, please visit www.youthprivacyonline.ca. [Source]

 

US – Three Major ISPs Agree To Block Child Pornography

Verizon, Sprint and Time Warner Cable have agreed to block access to Internet bulletin boards and Web sites nationwide that disseminate child pornography. The move is part of a groundbreaking agreement with the New York attorney general, Andrew M. Cuomo, that will be formally announced on Tuesday as a significant step by leading companies to curtail access to child pornography. [NY Times]

 

US – New PCI Compliance Deadlines Loom

The deadline for compliance with Requirement 6.6 of the Payment Card Industry’s Data Security Standard (PCI-DSS) is June 30. This requirement describes security steps that are intended to address threats to web applications. According to Bob Russo, general manager for the PCI Security Standards Council, forensic analyses of cardholder data compromises show that web applications are frequently an initial point of attack upon cardholder data. The Council crafted Requirement 6.6 to ensure web applications exposed to the public Internet are protected against the most common types of malicious input. [Source]

 

US – CDT Supports Transparency Act Improvements

CDT wrote today to sponsors of the Strengthening Transparency and Accountability in Federal Spending Act, a bill improving the Transparency Act introduced today by Senators Barack Obama (D-IL) and Tom Coburn (R-OK). CDT wrote to the sponsors of the bill in support of the goals of the legislation, including improved data quality on USASpending.gov and greater availability of information about recipients of federal money. [CDT letter of support, June 03, 2008]

 

EU – DNA Database Under Threat From European Court, Warns Police Chief

Murder, rape and child abuse investigations will be hampered if a European court rules that more than 500,000 DNA samples should be removed from Britain’s National DNA Database, a senior police chief said. The case is being heard by the Grand Chamber of the European Court of Human Rights, the rulings of which are binding and impossible to challenge. The case was brought by two men from Sheffield who were arrested in 2001 and had their fingerprints and DNA samples taken. They argue that, because they were not convicted of any crime, the samples should now be destroyed. Their case has been rejected in the British courts but was heard by the European Court of Human Rights in February. A judgment is expected later this year. More than 8,000 people who were on the database because they had been arrested, but not convicted, have been found guilty of subsequent offences after their DNA was recovered from crime scenes. The cases have involved about 14,000 offences, including 114 murders, 55 attempted murders and 116 rapes. The database holds 4.5 million samples and is by far the largest in Europe. About 60,000 personal samples are added to it every month. [Source]

 

US – CDT Testimony Supports Draft Health Information Legislation

CDT today testified before the House Health Subcommittee in support of draft legislation regarding health information technology and privacy legislation. CDT supports the draft language because it takes critical steps toward the goal of a comprehensive privacy and security framework, and targets many of the key issues raised by the new e-health environment. CDT urged the Subcommittee to develop this framework by building on the HIPAA Privacy and Security Rules. CDT also recommended including strong protections for health information held, or managed on behalf of consumers, by employers and companies not part of the traditional health care system. [CDT Testimony before House Health Subcommittee [PDF], June 04, 2008]

 

US – Students’ Tax Returns Filed Fraudulently; United Healthcare is Source of Data Leak

United Healthcare has been pinpointed as the source of the data leak that exposed personally identifiable information of 1,132 University of California Irvine (UCI) graduate students. The breach affects UCI graduate students who used the UCI Graduate Student Health Insurance program. The breach came to light in February, 2008 when a number of students attempted to file their tax returns electronically only to be informed by the IRS that their returns had already been filed and their refunds collected. All 155 people who experienced the problem used the aforementioned healthcare program; the breach affects students enrolled in the program for the 2006-2007 academic year. [Source] [Source]

 

US – Stolen AT&T Laptop Holds Unencrypted Management Compensation Data

A laptop stolen on May 15 from an AT&T employee’s car contains unencrypted “AT&T management compensation information, including names, SSNs, and [some] salary and bonus information.” Affected employees were notified eight days after the theft. The breach affects people throughout the US. [Source]

 

US – Stanford: Stolen Laptop May Affect 72,000

Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way. The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage, and notifying the media. Officials estimate that the problem could extend to as many as 72,000 people currently or previously employed by Stanford. [Source] and also [ETSU says stolen computer could lead to identity theft] and [S. Carolina - Stolen USC computer may affect 7000]

 

CA – Stolen Computer Holds Canadian Farmers’ Data

A laptop stolen from a programmer working for the Canadian Canola Growers Association contains PII of approximately 32,000 Canadian farmers. The compromised data include bank account numbers and social insurance numbers of farmers who have applied for Agriculture Canada’s advance payment programs. Those affected by the breach have been notified by letter. Security measures on the stolen laptop include strong password protection and a biometric fingerprint reader. [Source]

 

US – U.S. to Make Foreign Visitors Register Online

Residents of 27 friendly nations who can travel to the United States without a visa will be required to register online with the U.S. government at least 72 hours before departure starting in January, Homeland Security Secretary Michael Chertoff said last week. The Electronic System for Travel Authorization continues a trend after Sept. 11, 2001, of tightened security for residents of countries in the Visa Waiver Program, which includes 22 European nations, Japan, Australia, New Zealand, Singapore and Brunei. European officials have chafed at stepped-up U.S. demands even as the U.S. holds talks with former Eastern Bloc countries and others seeking to join the club. [Source]

 

CA – Enhanced Drivers’ Licences Under Scrutiny

While Quebec’s privacy commission is being kept in the dark on a proposed enhanced driver’s licence, or Permis de conduire plus, Ontario’s Information and Privacy Commissioner, who has been part of the EDL process in that province since 2006, is calling a public forum on the issue for July 16. In addition to Ontario and Quebec, British Columbia and Manitoba are also developing EDLs as an alternative to passports for crossing the U.S. border. Officials from the Ontario and federal governments, as well as privacy and human rights experts, are invited to the forum. [Source] [Quebec man proposes Wikipedia of body parts] and [Canadian Industry Minister Buffing Wikipedia Entry]

 

CA – Ontario Introduces Enhanced Driver’s Licence and Photo ID Cards

The Ontario government today introduced legislation that, if passed, will allow Ontarians to use an enhanced driver’s licence as an alternative to a passport when crossing Canada-U.S. borders by land and sea. Also proposed is a photo card for people who do not drive, which has long been advocated by youth, people with disabilities and senior communities. Holders of the proposed photo card who are Canadian citizens will also have the option of enhancing this card for use as a passport alternative. [Source] [CBSA website] See also: [New York to Issue Enhanced Drivers Licenses]

 

CA – Electronic Identity Project Aims for Seamless Movement Between EU Countries

The European Commission unveiled a pilot project to ensure cross-border recognition of national electronic identity (eID) systems and enable easy access to public services in 13 member states. Throughout the EU, some 30 million national eID cards are used by citizens to access a variety of public services such as claiming social security and unemployment benefits or filing tax returns. The Commission’s project will enable EU citizens to prove their identity and use national electronic identity systems (passwords, ID cards, PIN codes and others) throughout the EU, not just in their home country. The plan is to align and link these systems without replacing existing ones. The project will run for three years and receive funding from the European Commission and an equal contribution from the participating partners. The European Commission, 13 of the 27 EU member states (Austria, Belgium, Estonia, France, Germany, Italy, Luxembourg, Netherlands, Portugal, Slovenia, Spain, Sweden and the United Kingdom) and Iceland (party to the European Economic Area agreement with the EU) will work together to enable different national Electronic Identity schemes to be recognised across national borders. “Electronic Identities do not yet do enough for mobile EU citizens,” said Viviane Reding, commissioner for Information Society and Media. “By taking advantage of the development in national eID systems and promoting mutual recognition of electronic identities between member states, this project moves us a step closer to seamless movement between EU countries that Europeans expect from a borderless Single European Market.” [Source]

 

UK – Committee Warns ID Cards ‘could threaten privacy’

The Home Affairs Select Committee wants to make sure that proper safeguards are in place for the National Identity Scheme--the project to create national ID cards for every British resident over the age of 16, set to roll out later this year. “It should collect only what is essential, to be stored only for as long as is necessary,” the committee said in a report, adding concerns about a forthcoming surveillance society. The committee wants the government’s assurance that any attempts to broaden the scope of the project will first be run by the information commissioner and that the scheme will not be expanded without MPs’ approval, citing the potential for “disastrous consequences” for mishandled data. [Source]

 

WW – Microsoft Disputes CardSpace Can Be Hacked

A Microsoft executive has disputed that the company’s CardSpace authentication-management technology can be hacked. The proof-of-concept attack recently outlined by a research paper isn’t a reflection of a real life situation, according to Kim Cameron, Microsoft’s chief identity architect. Microsoft is hoping CardSpace will become widely adopted for identity management. [Source]

 

US – CDT Releases “Internet in Transition”; Launches Companion Web Site

CDT has released “Internet in Transition: A Platform to Keep the Internet Open, Innovative and Free,” a 1.0 version of the organization’s policy recommendations on Internet and technology policy for the next administration and Congress. CDT also launched a companion Web site that, among other things, encourages Internet users to review and comment on the draft. Those comments will inform the final version of the transition document that will be presented to the new political leadership. [Press release, June 05, 2008] [Internet in Transition Web site, June 05, 2008]

 

US – CFP08 Videos Up On the Conference Web Site

Videos of the opening plenary session, Breaking the Silence, and Clay Shirky’s closing keynote are up on the conference web site. There’s also an audio-only track of the opening session. Thanks to Brian Pauze of Yale Law School for the assistance -- and with luck, more AV will be coming over the next few weeks. [Source] [Links for Video - see CFP2008 Program]

 

US – Potential Government Interception Worries Lawyers

A Bethesda law firm has filed suit to prevent the outsourcing of legal work to overseas providers until it can be determined that communications between firms and providers are not being monitored by government agencies. The practice of outsourcing legal work to foreign firms continues to grow--third parties earned more than $100 million last year. But Joseph Hennessey of Newman, McIntosh & Hennessey said that there has been “very little discussion about what rights are waived” when the legal work is outsourced, and cited the government’s multibillion-dollar infrastructure for intercepting foreign intelligence as a potential problem. [Source]

 

WW – Commissioner Questions Cloud Computing

Ontario Information and Privacy Commissioner Ann Cavoukian earlier this week released a white paper concerning the use of cloud computing technology. At the First International Workshop on Identity in the Information Society in Italy, Cavoukian asked companies to implement responsible identity management before it creates problems, says a Web Host Industry Review report. She also outlined the technological foundation she says is needed to increase online security of data, such as identity management software based on open standards, audit tools, policies and others. The paper states that: “User-centric private identity management in the cloud is possible, even when users are no longer in direct possession of their personal data...” [Source] [Source] [News Release] [Paper] [Presentation]

 

CA – Univ. Of Ottawa Clinic Launches Privacy Complaint Against Facebook

Facebook has been hit with a new complaint about privacy intrusions in Canada. Facebook maintains it upgraded its privacy controls while learning from past mistakes, including its much-criticized Beacon advertising program. The new allegations were made by the Canadian Internet Policy and Public Interest Clinic, which is based at the University of Ottawa. The group’s filing described what it considered 22 violations of Canadian privacy law. [CBC] [Press Release] [Complaint] [CIPPIC page] [Coverage]

 

CA – Ontario Privacy Commissioner Releases Facebook Privacy Video

Ontario’s Privacy Commissioner’s Office and Facebook are collaborating on a video designed to educate young people about protecting their privacy on Facebook. The video will be available on Facebook and the Ontario Privacy Commissioner’s Web site. “We thought it would be useful to produce a video featuring the commissioner and the chief privacy officer at Facebook,” said Ken Anderson, Ontario’s assistant director for privacy. An estimated one in five Canadians use the Facebook site. The partners will launch the video on September 4 at the “Youth Privacy Online: Take Control--Make it Your Choice” conference in Toronto. The conference is for privacy experts, online companies and educators across the province. [Source] [Education pamphlet] [Audio interview with Ken Anderson] [Ontario Privacy Commissioner on Facebook’s Friends Lists]

 

WW – MySpace Privacy Flaw Exposes Paris Hilton, Lindsay Lohan Pics

MySpace and Yahoo have disabled data availability between the two services until a privacy flaw can be corrected. MySpace’s Data Availability initiative allows users to share profile information with other sites, such as Yahoo. A recent integration issue with the service caused a privacy breach that exposed private images of Paris Hilton and Lindsay Lohan, says a Channel Wire blog. “MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible,” Yahoo said in a statement. “Recently, MySpace and Yahoo were alerted to a vulnerability within the MySpace widget on the Yahoo mobile platform. The functionality of the widget has currently been disabled as we work to rollout an immediate fix.” [Source] [How safe is instant messaging? A security and privacy survey]

 

UK – ICO Issues New Guidance on Transfer of Employee Information

The Information Commissioner’s Office is helping organizations comply with the Data Protection Act when providing information about employees during a business transfer, says an OUT-LAW.com report. It has published the Transfer of Undertakings (Protection of Employment) Regulations, or TUPE, which are designed to preserve employees’ information when a business or undertaking is transferred to a new employer. Details on salaries, hours, disciplinary actions or grievances must be provided to the new employer before the transfer occurs. ICO Assistant Commissioner Phil Jones said businesses should “consider their data protection obligations early in the transfer process and only transfer the information required by the new employer,” adding that employees should be told that their information will be passed on, when possible. [Source]

 

HK – Hong Kong Immigration to Tighten Data Handling Measures

Hong Kong’s Immigration Department has signed a joint agreement with the Privacy Commission to better protect personal data, says a report in The Standard. The agreement prohibits immigration officers from taking documents containing personal information out of the office, and provides other privacy-assurance measures, such as erasing identifying data from all documents; categorizing paper and electronic files with personal data; and prohibiting the use of portable electronic devices for transporting sensitive documents, says the report. Privacy Commissioner Roderick Woo Bun lauded the move, saying that he would encourage other departments to adopt these measures. [Source]

 

US – Man Accused of Causing Suicide, Stealing Identity

An appeals court says a Wisconsin man accused of driving his boss to suicide can be charged with identity theft for sending e-mails under his name. Christopher Baron was accused of hacking into the work e-mail of Mark Fisher, who was director of Jefferson’s Emergency Medical Service program. Baron forwarded to about 10 people e-mails that Fisher wrote to a female employee, suggesting the two were having an affair. Fisher committed suicide the next day. Baron was charged with six criminal counts, including identity theft. A judge threw out that charge, saying it was unconstitutional because Baron had a right to defame a public official with true information. [Source]

 

US – Study Shows Notification Laws Don’t Reduce ID Thefts

Researchers at Carnegie Mellon University examined whether the adoption of a breach notification law reduced the number of identity thefts reported in states. Since 2003, 43 U.S. states have adopted data breach notification laws. Using data from the FTC, the Carnegie team looked at identity theft complaints over a four-year period and found that, “There doesn’t seem to be any evidence that the laws actually reduce identity theft,” said Sasha Romanosky, a PhD student and co-author on the study. Researchers attribute the findings to consumer disregard of breach notification letters, elementary security practices at businesses and organizations and the fact that identity thieves are becoming better at what they do. Researchers acknowledge that their data sample is incomplete and based on a self-selecting population. [Source] [Source] [Source] [Study]

 

US – Government Sought Customer Book Purchasing Records from Amazon.com

Recently unsealed court records shed more light on the federal government’s attempts to secure the online book purchase records of 24,000 Amazon.com customers. “The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their knowledge or permission,” said a U.S. Magistrate Judge in his ruling. “It is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else.” The Magistrate also expressed concerns that allowing the government to pry into people’s reading habits could function as intimidation, thereby depriving them of their right to read what they wish. “The chilling effect on expressive e-commerce would frost keyboards across America,” he wrote. [Source]

 

US – Congressional Investigation of ISP Data Collection Scheme Urged

Fifteen of the nation’s leading privacy and public interest groups today released a letter urging Congress to hold hearings on the growing practice of Internet Service Providers targeting ads to subscribers based on their personal Web activities. The letter urges the House Telecommunications Subcommittee leadership to investigate Charter Communications’ plan to capture all of the messages and activities of its Internet subscribers and share that data with a third-party firm that plans to use it to target those consumers with specific ads. The plan raises serious privacy and legal issues, the letter says. [Letter to House Telecom Subcommittee [PDF], June 06, 2008] [Group Press Release, June 06, 2008] [Coverage]

 

CH – Microchipped Olympic Tickets Cause Privacy Concerns

China has ratcheted up surveillance and security in every phase of the Beijing Olympics -- even the tickets. In a move unprecedented for the Olympics, tickets for the opening and closing ceremonies are embedded with a microchip containing the bearer’s photograph, passport details, addresses, e-mail and telephone numbers. [Source]

 

UK – Password Sharing Leaves NHS Audit Trail in Tatters

Investigators have been unable to trace a doctor involved in a medical blunder that ended in a patient’s death because staff in a Devon hospital had been sharing computer passwords. The case shows the incompatibility between the way doctors work in practice and the high security needed to protect large databases of confidential patient information under the £12.7bn National Programme for IT (NPfIT). Password sharing is said to be endemic in the NHS, partly because space for computer screens in wards is limited, as is time for clinicians to log in and out. [Source] see also: [CompTIA: Mobile security threats a greater concern]

 

AU – Service Launched to Warn of E-Crimes

The Australian government is launching a no-cost, no-jargon Internet service that alerts computer users to cyber threats. It is the first time ordinary computer users have been offered access to information about local and global threats through a government agency. [Australian IT]

 

US – Retracing Your Public Transit Steps

Police access to customer transit card information continues to provoke debate, says a Wired blog network report. In Chicago recently, police apprehended a kidnapping suspect by tracking his movement through the L system using security cameras and his 7-day pass data. Counter-terrorism programs in London want access to the data from all customers in order to identify potential terrorists via travel patterns. And a new transport card in Paris requires personal information and a passport size photo. [Source]

 

US – Study Secretly Tracks Cellphone Users

Northeastern University researchers observed the travel patterns of 100,000 cell phone users without their consent for a physics study published yesterday, says an Associated Press report. The study tracked individuals by noting which cell phone towers picked up their signals when they made or received calls or text messages over a period of six months. Co-author of the study Cesar Hidalgo said that knowing people’s travel patterns can benefit society in terms of designing better transportation systems and fighting diseases. But some say this type of nonconsensual tracking is troubling. “There is plenty going on here that sets off ethical alarm bells about privacy and trustworthiness,” said Arthur Caplan of the University of Pennsylvania. [Source] [Nature article]

 

US – NY Split Panel Affirms Warrantless Use of GPS Device

The warrantless use of a global positioning device on a vehicle by police does not violate a driver’s right to privacy under either the U.S. Constitution or the N.Y. state Constitution, an upstate appeals panel has decided. The panel determined that the privacy expectations of individuals under both the federal and state constitutions are lower when they are in their automobiles than when they are in their homes. As to the 4th Amendment of the U.S. Constitution, the panel found that nothing prevents the use of technology, such as the satellite-aided positioning devices, to “surveil that which is already public.” [Source]

 

UK – Police Did Not Breach Rights When Photographing Protester

Police-ordered photography of an anti-arms trade protester did not breach the protester’s privacy rights, the High Court has ruled. It is one of the few times that such alleged intrusion by the state rather than the media has been the subject of a UK ruling. Andrew Wood, a media co-ordinator for the Campaign Against Arms Trade (CAAT), claimed that the taking and storage of police photos was a violation of his privacy, but because they were taken in the public street and retained only for a specific purpose, the High Court rejected the claims. [Source]

 

EU – Study: Surveillance Changes Behavior

A study of 1,002 Germans found that the nation’s data retention law is changing the communications habits of its citizens. The Forsa Institute conducted the survey May 27 and 28, finding that 73% of respondents know about the retention requirements mandating that communication providers store customer data for six months. 11% said they had already abstained from using phone, cell phone or e-mail on certain occasions and 52% said they probably would not use telecommunication for communicating with sensitive contacts such as a drug counselor or psychotherapist. “The deterring effects of this law are life threatening,” said the privacy activist group that co-commissioned the study. [Source]

 

EU – Germany Considers Surveillance Legislation

In an effort to help protect against terrorist attacks, Chancellor Angela Merkel’s government earlier this week agreed to give Germany’s police forces enhanced powers to monitor homes, telephones and private computers, says an International Herald Tribune report. The proposed legislation would allow for surveillance of private apartments, computer searches and phone monitoring, and has many Germans voicing opposition about what they view as a “Stasi”-style system of keeping tabs on citizens. “We don’t want a spy state,” said a Social Democrat. “We want a state that works with tweezers instead of a sledgehammer in cases where we indeed have to protect the state’s security concerns.” [Source]

 

UK – BT’s Secret Phorm Trial Caused Some Browsers to Crash

A recently leaked report from British Telecom (BT) says that a secret trial run of technology used by online advertising company Phorm caused problems for some unsuspecting customers. In September and October 2006, BT allowed Phorm to deploy technology on its network that placed JavaScript code into every web page downloaded by the 18,000 users in the trial. The script sent data back to Phorm, allowing the company to develop a user profile and then send that user targeted advertisements. Some users experienced flickering problems when the script was sending the data to Phorm, and some experienced browser crashes. In some cases, the JavaScript appeared in the users’ posts in web forums. A US ISP is scheduled to test a similar technology, but legislators have called for its postponement due to a possible violation of privacy laws. [Source]

 

UK – Study Tracked People by Cell Phone for Six Months

A study of 100,000 people’s movements based on cell phone use found that nearly 75 percent stayed within a 10-mile radius of home over the course of six months. The study was conducted by Northeastern University in Boston without participants’ knowledge in an unnamed European country; in the US, such a study would be illegal. The locations were noted whenever the people sent or received a phone call or text message. Precise locations were not known; locations were tracked through the nearest cell phone tower. The information gathered about people’s travel patterns could be used to help design transportation systems or predict the spread of disease. [Source] [Source] Details and related material: [Source] [Source]

 

CH – China’s Golden Shield Surveillance Society

China is using people tracking technology developed in the US in its “Golden Shield” high tech surveillance and censorship program, creating a culture in which the government can track every move people make with closed circuit TV cameras and high level facial recognition technology. There are questions about whether or not the export of those technologies violates a law passed shortly after Tiananmen Square that forbids US companies to sell products in China that enable “crime control or detection.” The technologies are also used to manipulate difficult situations, like the March protests in Tibet, so those opposing governmental positions look bad, while the government appears benign. [Source]

 

CA – Bell Canada Sued For Throttling Internet Speeds

Bell Canada is facing another challenge to its internet throttling practices as Quebec’s consumer watchdog, L’Union des consommateurs, has filed a class-action lawsuit against the company. The lawsuit alleges that by deliberately slowing internet speeds, Bell has misrepresented its service and raised concerns over privacy. [CBC]

 

US – FTC: Pretexting Decreases Privacy

The Federal Trade Commission (FTC) has put a stop to one company’s use of pretexting--a technique by which individuals use false pretenses to obtain consumers’ private information, says an SC Magazine report. Citing an invasion of privacy, the FTC has permanently barred Action Research Group and its affiliates from “obtaining, marketing or selling customer phone records or consumers’ personal information derived from those records,” and also banned them from “pretexting or using others to pretext to obtain consumers’ information.” In a separate action, a U.S. judge ordered the companies to relinquish $600,000 in profits. [Source]

 

US – TSA Bans ID-Less Flight

In a major change of policy, the Transportation Security Administration has announced that passengers refusing to show ID will no longer be able to fly. The policy change, announced last week, will go into force on June 21, and will only affect passengers who refuse to produce ID. Passengers who claim to have lost or forgotten their proof of identity will still be able to fly. [Source]

 

US – California Patient Rx Bill One Step Closer to Passing

The California Senate last week approved a bill to allow pharmacies to share patient prescription information with third parties, says a San Francisco Chronicle report. This means that pharmaceutical companies could send direct mailings to patients via a third-party mailing firm, which would in turn pay fees to pharmacies. According to the spokesperson for the author of the bill, the legislation intends to give pharmaceutical companies a way to urge patients to take the medicine as prescribed and to refill prescriptions, when applicable. Patients could opt out of the mailings at their pharmacy. But critics say the legislation violates patient privacy rights and opens the door for medical identity theft, according to the report. The bill now moves to the state Assembly. [Source]

 

UK – ICO Issues New Guidance on Transfer of Employee Information

The Information Commissioner’s Office has published new guidance to help organisations comply with the Data Protection Act when providing information about their employees under TUPE, the law that protects staff when a business is transferred. The Transfer of Undertakings (Protection of Employment) Regulations, better known as TUPE, ensures that employees’ terms and conditions of employment are preserved when a business or undertaking is transferred to a new employer. To achieve this, TUPE requires that certain information is provided to the new employer before the transfer takes place. This will include details of pay, contracted hours, holiday entitlement and any details of disciplinary or grievance action relating to that employee. The Data Protection Act does not prevent the transfer of this information as it is a requirement by law. However, both parties must comply with the Act when handling the information, for example ensuring it is accurate, up-to-date and secure. [ICO’s Guidance] [Source]

 

IS – Israel: Histadrut, Employers Draft Agreement Over Employee Computer Privacy

The Histadrut labor federation and employers’ organizations have formulated an agreement regarding how much privacy employees may have on their workplace computer, and what access should be permitted to their employer. They have adopted a form of the European model, which gives employees a great deal of privacy, even when the computer and the server belong to the boss. The American model, in contrast, tends to consider the boss’s right to enter an employee’s computer as a property right. A draft of the agreement is now being approved by the employers’ organization, a member group of the Coordinating Bureau of Economic Organizations. The Histadrut and the Coordinating Bureau are to report to the National Labor Court this morning on this collective agreement, one of the first of its kind in the world. They will request that it be expanded to include all workplaces. [Source] See also: [Mind reading by MRI scan raises ‘mental privacy’ issue]

 

AU – Email Leaks Lead to Increase In Sackings

More Australian workers are being fired for leaking company secrets via e-mail, with a local survey showing one in five businesses terminated an employee for e-mail breaches in the past year. Outbound e-mail is now a common avenue for data leakage, with 23 per cent of Australian respondents to a Proofpoint/Forrester survey saying their business had been harmed by exposure of sensitive or embarrassing data in the past year. [Australian IT]

 

--------