Privacy News Highlights

16–30 September 2008

 

Contents:

US – Anxiety-Detecting Machines Could Spot Terrorists

BC – British Columbia Enacts e-Health Legislation

AB – Privacy Watchdog Cautions Real Estate Council

CA – Tories Engaging in Citizen Profiling

WW – Privacy Innovation Awards Announced

UK – Web 2.0 Crime Mash-up Exposes Personal Information

CA – Toronto Councillors Advocate Outing Tax Shirkers

CA – Spam Legislation Promised by Harper

US – Overturned Anti-Spam Ruling Considered

US – Hackers Access Palin’s Personal E-Mail, Post Some Online

US – Hospital Workers Fired for Taking, Posting Photos of Patients

IN – Indian Government Cracks BlackBerry Code

EU – EU Data Protection Supervisor Weighs In On Criminal Records Exchange System

UK – ICO Urges Consumers to Take Control of Their Data

EU – EU / US Exchange of Travellers’ Information

ICO: Liberal Democrats Violated Privacy Rules

EU – Plea for Robust Privacy Laws In Ireland

EU – Breach Disclosure Legislation on the Horizon

UK – Don’t Hide Behind “Privacy” Excuses - ICO’s Response

UK – Phorm Given the Green Light by UK Government

CA – Credit Card Companies Deploying RFID-enabled Cards in Canada

US – EPIC Publishes Open Government Litigation Manual

IS – DNA to be Used In Israeli Dog Mess Fight

US – GAO: Progress on Privacy Falls Short

US – EMR Health Care Bill with Privacy Provisions Introduced

CA – Trend to Privacy Seen as Hurting Canadian Medical Research

US – Hospital Bracelets Face Hurdles as They Fix Hazard

EU – Norway Sends Entire Citizenry’s ID Info to Media

UK – Banking Details of 1 Million Exposed

US – Forever 21 Acknowledges Payment Card Breach

UK – Missing Disks Hold Unencrypted NHS Employee Data

UK – Memory Stick Found in Street Contains NHS Mental Health Patient Data

US – Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping

UK – Government Reveals First Identity Cards

WW – Underage Kids Flock to Social Networks

EU – ‘Uncloneable’ Biometric Passports Pass the Test

CA – New Brunswick Gets High-Security Birth Certificates

WW – Chrome Concerns - Google Internet Browser

EU – Google’s IP ‘Anonymization’ Inadequate, Says EU Watchdog

EU – European Parliament to Postpone IP Privacy Issue

EU – Data Protection Watchdogs to Hold Hearings With Google

US – Profiles Help Grad School Admissions Officers

KR – Korean Users May Delete Their Info at Suspicious Web Sites

US – Supreme Court Hears Argument in Police Database Errors Case

US – EFF Sues Bush Over Warrantless Surveillance

US – Group Tells FTC More RFID Security Guidance Is Needed

US – Review of Counterterrorism Programs for Effectiveness, Privacy Impacts

US – Opinion: “Pendulum Has Swung” on Storing Customer Stats

US – IT People Most Worried About Corporate IT Fraud Worries, Not C-Suite

EU – Special Statewatch Report: The Shape of Things to Come

EU – France Scales Back Database Plans After Outcry

US – Big ISPs Opt for Opt-Ins

UK – UK: Fears Over Privacy As Police Expand Surveillance Project

UK – Councils Ordered to Stop Snooping on Residents

AU – Eligibility Requirements for Registration on the Do Not Call Register

US – Expanded Powers to Search Travelers at Border Detailed

US – Proposed Bill to Limit Border Searches

US – Stronger Identity Theft Act Awaits Presidential Signature

US – Nevada Data Encryption Law Takes Effect October 1

US – Massachusetts Adopts Tougher Data Protection Rules

US – Connecticut Data Security / SSN Law in Effect Soon

US – Texas Launches Electronic Notification System to Combat Identity Theft

CA – TTC Gives Green Light to Drug Tests For Key Staff

US – Anxiety-Detecting Machines Could Spot Terrorists

The Homeland Security Department last week showed off an early version of physiological screeners that could spot terrorists. The department’s research division is years from using the machines in an airport or an office building — if they even work at all. But officials believe the idea could transform security by doing a bio scan to spot dangerous people. Critics doubt such a system can work. The idea, they say, subjects innocent travelers to the intrusion of a medical exam. The futuristic machinery works on the same theory as a polygraph, looking for sharp swings in body temperature, pulse and breathing that signal the kind of anxiety exuded by a would-be terrorist or criminal. Unlike a lie-detector test that wires subjects to sensors as they answer questions, the “Future Attribute Screening Technology” (FAST) scans people as they walk by a set of cameras. [Source] See also: [India’s use of brain scans in courts dismays critics]

 

BC – British Columbia Enacts e-Health Legislation

British Columbia recently enacted the e-Health (Personal Health Information Access and Protection of Privacy) Act (e-Health Act), which facilitates the creation of consolidated databases of electronic personal health information (Health Information Banks) and is intended to provide patients with “faster, safer, and better health care” by providing health-care professionals with secure access to patients’ information in a timely and effective manner. Features of the e-Health Act include the following:

• creating a framework for the creation of Health Information Banks;

• allowing individuals to exercise control over disclosure of their personal health information, through the issuance of “disclosure directives” by which the individual may request that access to his or her personal health information be blocked;

• creating a Data Stewardship Committee, whose members are appointed from the healthcare sector, to evaluate requests for information in Health Information Banks for research purposes;

• providing that information obtained from Health Information Banks may not be disclosed for market research purposes;

• providing whistle-blower protection to ensure timely reporting of any breaches of the legislation; and

• providing for a maximum fine of $200,000 for breaches of the legislation, including for breach of the privacy protection provisions.

In addition to amending the Health Act, the e-Health Act amends legislation regulating pharmacies and PharmaNet, the current database system used by pharmacists to record and monitor all prescriptions filled in the province. An important aspect of the e-Health Act is the ability for researchers to access electronic personal health information for research purposes. Researchers’ requests are subject to approval by the Data Stewardship Committee, which may impose additional security and confidentiality requirements on disclosure. For planning and general research, upon approval by the committee, the information requested will be disclosed only after the administrator and the requesting party have entered into an information-sharing agreement. For health-related research, the requests are approved on the condition that the information cannot be used for contacting an individual to participate in health research. If a researcher wishes to directly contact the individual whose information has been disclosed, the researcher must receive approval from the Information and Privacy Commissioner for B.C. [Source]

 

AB – Privacy Watchdog Cautions Real Estate Council

Alberta’s privacy watchdog has ordered the Real Estate Council of Alberta to stop collecting and keeping some personal information from real estate agents. A real estate agent complained to the Office of Information and Privacy Commissioner that she was required to provide a copy of her birth certificate as a condition of renewing her real estate licence, the commissioner’s office said today. Copies were kept for the council’s files, she said in her complaint. “The Real Estate Council indicated that it had been collecting the information to prevent mortgage and identity fraud,” the commissioner’s office said in a release. The council has changed its procedures and was no longer collecting that information and was already taking steps to destroy information on file, it said. “The adjudicator determined that it was reasonable to confirm identity, it was unreasonable to collect and retain the information.” The adjudicator ordered the council to cease the practice and destroy any documents it still has. [Source]

 

CA – Tories Engaging in Citizen Profiling

The Conservative Party’s campaign computers hold the most detailed electoral data on Canadians ever assembled by a political party, the product of highly sophisticated technology and a four-year mission to make personal contact with every voter in the country’s key contested ridings. Political strategists say it is enabling the Tories to run the most micro-targeted campaign the country has ever experienced, aimed at favoured ethnic and cultural groups - Chinese, South Asians, Jews - economically beleaguered “battlers” and a broad spectrum of “aspirational voters” wanting more material gains for themselves and their children and feeling ripped off by the state, the elites and big business. The Conservatives have enlisted neighbourhood leaders - sports team coaches, community activists - to report information on voters to the party’s data collectors and introduce potential supporters to party campaigners, a technique known by its acronym of FRAN: Friends, Relatives, Acquaintances and Neighbours. The party spent time, money and effort to learn information such as the number of children voters have (three and they’ll be inclined to vote Tory) and whether they graduated from university or college (community college and they’re more likely to be Tories). They have assembled their voter data through geo-demographic and psycho-demographic surveys, huge-sample polling and personal contacts made with voters through direct mail, e-mail, telephone calls and FRAN contacts. [Source]

 

WW – Privacy Innovation Awards Announced

The sixth annual Privacy Innovation Awards were presented yesterday at the IAPP’s Privacy Academy in Orlando. The awards, sponsored by HP and the International Association of Privacy Professionals, recognize significant innovations in privacy-enhancing initiatives. The U.S. Federal Trade Commission, the Victorian Department of Justice in Australia, and the Privacy and Identity Management for Europe (PRIME) project received this year’s awards. “On behalf of privacy professionals worldwide, we congratulate the winning innovators for their leadership,” said IAPP Board President Sandra Hughes, CIPP. “This year’s results show how public sector initiatives can set a high bar for our field and underscore how cooperation between the public and private sectors is critical.” [Source]

 

UK – Web 2.0 Crime Mash-up Exposes Personal Information

The Met’s new crime mapping site is the latest in a line of services to raise disquiet in the Information Commissioner’s Office - which is charged with safeguarding privacy. The ICO’s particular concern is that by learning the exact whereabouts of a crime, an observer may then - by deduction and a little further research - ascertain the identity of the victim of that crime. For instance, if I knew the street - or indeed street address - of a burglary, I could - with some searching in the electoral roll and door-knocking - find out the name of the victim. [Source]

 

CA – Toronto Councillors Advocate Outing Tax Shirkers

If a corporation owes the City of Toronto more than $500,000 in property tax arrears, the details are spelled out in a regular report to city council. But if an individual falls that far behind on taxes, the details are kept under wraps. That’s to protect people’s privacy, councillors on the government management committee have been told. But some think the threat of public exposure might encourage people to pay up, and they plan to pursue the point with city lawyers at their meeting next month. Ontario’s information and privacy commissioner hasn’t specifically addressed the situation in Toronto, said spokesperson Bob Spence. The office would become involved only if someone put in a freedom of information request for details on arrears and was rebuffed. “Then the individual or group would have the right to appeal to us,” Spence said. “We have not received an appeal.” [Source]

 

CA – Spam Legislation Promised by Harper

Canada is the only major G8 country with no Internet anti-spam law and Conservative leader Stephen Harper wants to change that, reports City News. In Victoria, Harper said he will introduce legislation to prohibit companies from sending spam and would like to see violators pay $1 million in fines. Critics are guarded on the promise of such laws since most spam derives from areas where Canadian officials have no jurisdiction. [Source] [Source] Earlier this month the Supreme Court of Virginia struck down that state’s anti-spam legislation as unconstitutional, because it was ‘over-broad’. Its rules prohibiting misuse or misrepresentation of IP addresses applied not only to commercial messages but to all messages, including political or religious ones. This was an impermissible infringement on free speech, said the court. As a result, the commercial spammer who had been convicted at trial, and whose conviction had been upheld at the first level of appeal, was acquitted. [Jaynes v Virginia decision] Steptoe and Johnson, the DC law firm, said “the court essentially held that people have a constitutional right to falsify an IP address or domain name, since that is effectively “the only way” to send anonymous email.” (E-Commerce Week # 535, September 20, 2008)

 

US – Overturned Anti-Spam Ruling Considered

Legal experts are divided about last week’s Virginia Supreme Court ruling that a law to prevent email spam was unconstitutional. The decision, which found that the 2003 law violated the First Amendment right to free speech and was one of a string of recent losses in the Virginia court, is viewed by some as happenstance, and others as the result of the General Assembly’s more aggressive approach to legislating. “Internet service providers in Virginia were getting swamped by spam,” said former Republican attorney general Jerry Kilgore. “We were creative in drafting that legislation. Our legislative body has been very active in trying to be cutting edge.” [Source]

 

US – Hackers Access Palin’s Personal E-Mail, Post Some Online

A group of computer hackers said yesterday that they had accessed a Yahoo e-mail account of Alaska Gov. Sarah Palin, the Republican vice presidential nominee, publishing some of her private communications to expose what appeared to be her use of a personal account for government business. The hackers posted what they said were personal photos, the contents of several messages, the subject lines of dozens of e-mails and Palin’s e-mail contact list on a site called Wikileaks.org. That site said it received the electronic files from a group identifying itself only as “Anonymous.” [Source] see also [DOJ View on Email Privacy May Hamper Prosecution of Palin Hackers] [Palin Should Not Have Used Unsecure eMail for State Business Communication]

                                                                             

US – Hospital Workers Fired for Taking, Posting Photos of Patients

Two University of New Mexico Hospital employees have been fired for using their cell phone cameras to take photos of patients receiving treatment and then posting the images to a social networking Web site. Director of Public Affairs said the photos – mainly close-ups of injuries being treated in the Albuquerque hospital’s emergency room over the past few months – were posted on an employee’s private MySpace page. A few other hospital employees were disciplined and the investigation is ongoing, he said. The photos were discovered after a hospital supervisor received an anonymous tip about them and launched an investigation. The use of cell phone cameras in hospitals has caused breaches of patient privacy or concern about such violations in California, Arizona and South Dakota in recent years. [Source] See also: [Princess Diana photographer fined for invasion of privacy]

 

IN – Indian Government Cracks BlackBerry Code

The Indian government has decrypted the data on Research In Motion’s (RIM) BlackBerry networks. The department of telecommunication (DoT), Intelligence Bureau and security agency National Technical Research Organisation (NTRO) have done tests on service providers’ networks for interception of Internet messages from BlackBerry to non-BlackBerry devices. The DoT had earlier asked RIM to provide the master key to allow access to contents transferred over their handsets. RIM had, however, said that it could not hand over the message encryption key to the government as its security structure does not allow any third party or even the company to read the information transferred over its network. [Source]

 

EU – EU Data Protection Supervisor Weighs In On Criminal Records Exchange System

Last May, the European Commission began establishing an electronic European Criminal Records Information System (ECRIS) to help EU Member States share criminal records and exchange information on past criminal convictions. Last week, the European Data Protection Supervisor (EDPS) voiced support of ECRIS, provided that additional data protection guarantees be established to compensate for the current lack of a comprehensive legal framework on data protection in the field of cooperation between police and judicial authorities. EDPS emphasized the need for effective coordination in the data protection supervision of the system, which involves authorities of the EU member states and the Commission as provider of the common communication infrastructure. “The processing of personal data relating to criminal convictions is of a sensitive nature,” said Supervisor Peter Hustinx, “and the confidentiality and integrity of criminal records data sent to other member states must be guaranteed. It is therefore paramount that high standards of data protection be applied to the functioning of the system, which should ensure a solid technical infrastructure, a high quality of information and an effective supervision.” The EDPS opinion also includes the following recommendations:

• A reference to a high level of data protection should be made in the decision as a precondition for the implementing measures to be adopted

• The responsibility of the commission for the common infrastructure of the system, as well as the applicability of Regulation 45/2001, should be clarified to better ensure legal certainty

• The Commission should also be responsible for the interconnection software of ECRIS -- and not member states as provided in the proposal -- in order to improve the effectiveness of the exchange and to allow better supervision of the system

• The use of automatic translations should be clearly defined and circumscribed, so as to favor mutual understanding of criminal offences without affecting the quality of the information transmitted.

[Source]

 

UK – ICO Urges Consumers to Take Control of Their Data

The Information Commissioner’s Office (ICO) has called on consumers to use their legal rights to manage their personal information - because organisations aren’t doing such a great job. An ICO-sponsored survey of over 2,000 UK adults found the level of awareness around the importance of personal data had grown – 95% considered it ‘quite’ or ‘very’ valuable – and more than 70% claimed to routinely shred personal documents. But it revealed 44% of those questioned by the poll had never considered contacting an organisation to find out what information it holds about them. More alarmingly, 40% admitted they would hand over their details to a company without knowing whether it was trustworthy. [Source]

 

EU – EU / US Exchange of Travellers’ Information

An EU-USA exchange of letters shows that the USA wants an agreement with the EU signed in December 2008 on the US ESTA (Electronic System of Travel Authorisation) system while the US side fails to answer detailed questions on privacy and protection. EU Commissioner Barrot wrote to Michael Chertoff, Head of US Homeland Security on 8 September 2008: [Full-text of letter to Chertoff]. This says that the EU wrote to the US on 4 August but that the reply of 29 August “fails to answer any of the specific questions we asked”. The reply from Chertoff, on 15 September 2008: [Full text of Chertoff reply] says that while they are “committed” to privacy: “the data we gather under US law from those seeking to enter the United States is not subject to negotiation.” The Chertoff response then refers to the EU-US “High Level Contact Group” on data protection and exchange as providing the solution and the matter should be resolved “in time for our signing an agreement when you come to Washington in December”. According to Tony Bunyan, Statewatch editor, “This is typical of the EU-US relationship. The US lays down the law and expects the EU to comply and if it does not then - as on visas - the US simply negotiates behind its back with individual Member States. The idea that the High Level Contact Group report could provide privacy and data protection to EU citizens is simply nonsense as the ACLU has observed.” [Source]

 

ICO: Liberal Democrats Violated Privacy Rules

The Information Commissioner’s Office (ICO) has deemed the Liberal Democrats broke privacy rules by sending automated telephone calls to 250,000 citizens last week, and has ordered the party to refrain from further telephone campaigns or face prosecution. The ICO determined that the recorded message from party leader Nick Clegg was direct marketing which, under privacy and electronic communication regulations, is not permissible without the consent of those called. An investigation ensued after the Scottish National Party filed a complaint with the ICO. [Source] [Source]

 

EU – Plea for Robust Privacy Laws In Ireland

The Government was urged to introduce meaningful and robust privacy protections in line with international human rights obligations. Rights watchdog the Irish Council for Civil Liberties (ICCL) presented a letter to the Department of Justice signed by more than 3,000 people at the Electric Picnic musical festival. The body said Ireland’s privacy rules were lax and in need of immediate reform. Mark Kelly, ICCL Director, said: “The ICCL calls on Minister (Dermot) Ahern and the Department of Justice to heed the voices of these 3,000 signatories and act to introduce meaningful and robust privacy protections in Ireland, in line with international human rights obligations.” [Source]

 

EU – Breach Disclosure Legislation on the Horizon

The EU is considering a directive that would force European companies to notify customers in the event of the loss or theft of their data, reports PCPro. “It will be mandatory for service providers to disclose to customers if their personal data has been breached,” said MEP Malcolm Harbour. The measure is part of the ePrivacy Directive and is expected to be approved. “The [European] Commission said that this will now become a requirement,” said Harbour. Despite Parliament’s early reluctance towards the legislation, “the general view now is that it’s a practical and workable proposal,” he added. The mandate would apply to any public web service. [Source]

 

UK – Don’t Hide Behind “Privacy” Excuses - ICO’s Response

The UK Information Commissioner’s Office recently issued a short press release entitled “Don’t Use Data Protection as a Duck Out, ICO Urges Organisations” [Source]

 

UK – Phorm Given the Green Light by UK Government

The Government has agreed to allow the controversial web monitoring company Phorm to continue its service. Phorm has developed a system called Webwise that tracks users’ browsing habits and categorises them so that advertising can be targeted more effectively. The service caused controversy after it was found companies had conducted trials of the technology with BT customers. BT had not sought consent from customers. Following a two-month investigation, the Department for Business Enterprise and Regulatory Reform (BERR) said Phorm could operate but only “with the knowledge and agreement of the customer.” BERR ruled that Phorm could continue to market its services providing it followed data protection guidelines that make it easier for UK web users to opt out of the ad-targeting system. This will be done by presenting users with a statement about the product, which will then ask them if they want to be involved. It has also asked Phorm to give people easy-to-access information on how to change their mind at any point and provide an opt-out facility. To protect users’ privacy, BERR also recommended that Phorm base its searches on a unique ID allocated at random, which means that there is no need to know the identity of the individual users. [Source]

 

CA – Credit Card Companies Deploying RFID-enabled Cards in Canada

Credit card companies are driving into retail outlets that were closed to them before. They’re using new technology that makes it faster to pay with credit cards than with cash or debit cards at parking lots, movie theatres, variety and convenience stores. No need to hand over the card to a cashier. No signature required. No personal identification number to punch in. Customers get a special card with a radio frequency antenna inside it. They wave it at a point-of-sale payment terminal that transmits data wirelessly to complete the transaction. MasterCard Canada was first to offer contactless payment several years ago. Its PayPass cards are accepted at Loblaws and Joe Fresh stores, Tim Hortons, Petro-Canada and soon at McDonald’s restaurants. The newer Visa payWave cards can be used at A&W, Burger King and Quizno’s fast food outlets. The average transaction takes eight seconds. There are other advantages for customers. You get a paper trail for small purchases, such as coffee, that often are not recorded when using cash. And you can collect reward points for more of your daily spending. But how secure is radio frequency identification (RFID)? Could hackers stand next to you with a gadget in a briefcase, listen in on the radio broadcast coming out of your wallet and steal your identity? There are no reported incidents, but much speculation of what could happen as thieves become more sophisticated. Manahan notes that RFID cards don’t transmit data constantly. They must come within inches of the card reader to send wireless signals. Also, the cards have a computer chip embedded in them. They can dynamically generate a secure code each time, which can also be encrypted, so it’s useless for fraudsters. “There’s never been a case in the world where a chip card with secure keys and encryption has been successfully copied,” says Mike Bradley, Visa Canada’s vice-president of products. [Source]

 

US – EPIC Publishes Open Government Litigation Manual

Today, EPIC published the 2008 edition of “Litigation Under the Federal Open Government Laws.” It is the most comprehensive, authoritative discussion of the federal open access laws. The 24th edition of this standard reference work features updated content and a foreword by Senator Patrick Leahy, co-sponsor of the OPEN Government Act of 2007. The book contains the texts of the US open government laws, including the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. Today’s publication date celebrates International Right to Know Day, which was established to raise awareness of every individual’s right of access to government-held information. For more, see EPIC’s 2008 FOIA Litigation Manual. [Source]

 

IS – DNA to be Used In Israeli Dog Mess Fight

Officials in an Israeli city have come up with an innovative way of tracking dog owners who allow their pets to foul the streets - DNA analysis. Authorities in Petah Tikva, near Tel Aviv, are setting up a special DNA database of local dogs. They will use the data to match dogs’ droppings to owners - and punish those who do not clean up after their pets. While those who keep the streets clear will be rewarded, owners who fail to scoop the poop could face fines. Owners were reacting positively to the six-month trial programme, she told the agency, because they wanted their streets to be clean. At the moment providing a DNA sample was up to individual dog owners, but the city was considering making it compulsory, she added. [Source and video]

 

US – GAO: Progress on Privacy Falls Short

A Government Accountability Office (GAO) report reveals that there is room for improvement in Health and Human Services Department efforts to protect patients’ health information in a national network environment. The report was part of a follow up examination on the department’s practices after a January 2007 GAO recommendation that HHS implement a privacy mechanism for the forthcoming network. Citing areas of progress, GAO auditors ultimately determined that improvements to date “fall short of fully implementing our recommendation.” [Source]

 

US – EMR Health Care Bill with Privacy Provisions Introduced

The chair of the House Ways and Means Health Subcommittee has introduced a bill to develop a national system of electronic medical records and incentives for using the system. Rep. Pete Stark’s (D-CA) Health-e Information Technology Act of 2008 includes privacy provisions that prohibit the sale of personal information and require consent before using a patient’s data for marketing purposes. The bill also calls for civil monetary penalties for those who violate patient privacy and mandates that patients be notified within 60 days in the event their records are exposed in a data security incident. [Source]

 

CA – Trend to Privacy Seen as Hurting Canadian Medical Research

As Canadians place more and more emphasis on safeguarding personal privacy, the trend is taking an inadvertent toll on medical research, often impeding access to intimate but crucial health information, scientists are warning. Privacy laws not only make public-health studies more time-consuming and costly, they can also significantly skew research results, argue University of B.C. epidemiologists in a recent paper in the Canadian Journal of Public Health that suggests that medical research be exempted in some way from privacy rules. Ms. Harris’s paper focused on studies where researchers want to interview a group of randomly selected patients, perhaps with cancer, and compare them with a control group of healthy individuals, often to try to explore possible triggers for a disease. The link between lung cancer and smoking was identified largely through such research. Ann Cavoukian, Ontario’s privacy commissioner, stressed that her province does allow agencies such as ICES to gain access to anonymous health records, putting it on the cutting edge in Canada of dealing with the issue. But she said she would not support allowing researchers to directly contact patients unless authorities or the patients’ own doctors had first asked for their permission. “I don’t want a cold call from a researcher who got my name and number from my neurosurgeon,” said Ms. Cavoukian, “You need to give notice to people first.” [Source]

 

US – Hospital Bracelets Face Hurdles as They Fix Hazard

New York’s 11 public hospitals are at the forefront of a national movement to standardize color coding of hospital wristbands to designate patient conditions, in which purple — the color of amethyst — means “Do Not Resuscitate.” Red, or ruby, indicates allergies, while yellow — call it amber — marks someone at risk for falling. The goal is to prevent potentially dangerous mistakes, like giving the wrong food to an allergic child, or allowing a patient with balance problems to walk unescorted down a freshly waxed hallway. While the new color-coding has been quickly embraced by at least 20 states and endorsed by the American Hospital Association, the purple bands, typically embossed with the letters D.N.R. to reinforce the message, are meeting with some resistance. The nation’s leading hospital-accreditation agency, known as the Joint Commission, has expressed caution about the new system, citing concerns about branding patients by their end-of-life choices, or inadvertently broadcasting those choices to family and friends who have not been consulted. The commission also said that children who do not understand the system had been prone to trade the wristbands like baseball cards. “You need to strike a balance between the need for patient safety and accuracy and the whole privacy concern and sensitivity and compassion for the patient,” said the executive vice president of the Continuing Care Leadership Coalition, a group of long-term-care providers in New York. [Source]

 

EU – Norway Sends Entire Citizenry’s ID Info to Media

Norway’s national tax office erroneously sent CD-ROMs crammed with the 2006 tax returns of nearly four million people living in Norway to national newspapers, radio and TV stations, news agency AFP reports. Although tax statements have been open to public scrutiny in Norway since 1863, the social security number of each citizen remains highly confidential. In 2002 the national tax office in Norway also shocked the nation when the financial details of all Norwegian taxpayers were published on the internet. Until then it was only possible to see other people’s figures by applying in person at a tax office. The head of the Norwegian data protection authority immediately asked for the practice to be stopped. However, it took almost a full year before the government, led by then-prime minister Kjell Magne Bondevik, passed a law restricting online access to a maximum of three weeks from the day of publication. The latest tax blooper happened on the eve of a historic transatlantic pact between Norway and the US to share data about the private lives of their citizens. Travel plans, email addresses, mobile telephone numbers and even surfing habits will be made available to American security services in an effort to combat terrorism. [Source] [Source] [Source] [Source]

 

UK – Banking Details of 1 Million Exposed

The Information Commissioner’s Office (ICO) is investigating a data loss event that exposed the banking information of more than one million Royal Bank of Scotland (RBS) customers. The information was contained on a Graphic Data server. Graphic Data, now MailSource UK, was the archiving provider for RBS. A former employee of Graphic Data recently sold the server on eBay, without first wiping the internal hard drive. On discovering the account numbers, passwords, mobile phone numbers and signatures, the purchaser notified authorities. “We are now investigating... and will be seeking an urgent explanation from Graphic Data...,” the ICO said in a statement. [Source] See also: [Second hacker in TJX case pleads guilty]

 

US – Forever 21 Acknowledges Payment Card Breach

Forever 21, a US retail clothing store, has acknowledged that as many as 99,000 payment cards used by its customers over a four-year period may have been compromised by the same group that stole payment card data from TJX. In a statement on its website released on Friday, September 12, Forever 21 said it was informed of the data theft a month ago. The breaches occurred on nine specific dates; the compromised information includes card numbers, expiration dates “and other card data,” but not names or addresses. Forever 21 says its systems have been in compliance with Payment Card Industry Data Security Standards since 2007. The company says it adopted additional security measures after learning of the breaches, but did not provide details. [Source] [Source] [Source]

 

UK – Missing Disks Hold Unencrypted NHS Employee Data

The Whittington Hospital NHS Trust in London has acknowledged that four CDs containing staff data have been lost. The disks were placed in a mail room out tray for recorded delivery instead of being sent by courier in accordance with trust policy. A staff member has been suspended in connection with the incident. The data on the disks include names, dates of birth, national insurance numbers and employment information of nearly 18,000 staff members. The disks did not contain bank account information. The disks were password protected, but not encrypted. [Source] [Source] [Source]

 

UK – Memory Stick Found in Street Contains NHS Mental Health Patient Data

A memory stick found on a street in Teesdale, England contains personally identifiable information of about 200 NHS mental health patients. An investigation determined that a technician who had been upgrading PCs did not delete the data from the device; the investigation also revealed that other trust staffers placed sensitive data on their hard drives in violation of an established security policy. The trust has contacted people affected by the breach, which occurred at the Tees, Esk and Wear Valleys Trust. [Source]

 

US – Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping

A former US State Department intelligence analyst has pleaded guilty to unauthorized access to a State Department computer for snooping on passport records of well-known people. Lawrence Yontz could face up to a year in prison for accessing the files, which include those of major players in the current presidential race. A recent audit found “a general lack of policies, procedures, guidance and training” at the State Department’s passport bureau. Yontz admitted to having perused the files of approximately 200 well-known individuals and their families; he will cooperate with the government’s continuing investigation. [Source] [Source]

 

UK – Government Reveals First Identity Cards

The home secretary, Jacqui Smith, unveiled the first identity cards to be issued as part of the government’s controversial national scheme. The biometric card will be issued from November, initially to non-EU students and marriage visa holders. The credit-card-sized document will show the holder’s photograph, name, date of birth, nationality and immigration status. A secure electronic chip will also hold their biometric details, including fingerprints and a digital facial image. Compulsory identity cards for foreign nationals will kick-start the national identity scheme, with the first applicants having to apply for cards from November 25. Within three years all foreign nationals applying for leave to enter or remain in the UK will be required to have a card, with around nine in ten foreign nationals in Britain covered by the scheme by 2014-15, Smith said. The UK Border Agency will begin issuing the biometric cards to the two categories of foreign nationals who officials say are most at risk of abusing immigration rules - students and those on a marriage or civil partnership visa. The Conservatives say they support modern biometric cards for immigrants - but they say a national identity register remains unworkable. Phil Booth, head of the national No2ID campaign group, attacked the roll-out of the cards as a “softening-up exercise”. The government will start to issue cards to British and foreign nationals within the European economic area who work in sensitive roles or locations from next year, starting with airport workers. From 2010, the government will target young people to get an identity card on a voluntary basis “to assist them in proving their identity as they start their independent life in society”, with full roll-out to all British citizens starting from 2011. The Conservatives have vowed to scrap the ID scheme if they form the next government. The shadow home secretary, Dominic Grieve, said that ID cards were an “expensive white elephant”. [Source]

[Nick Clegg criticism]

 

WW – Underage Kids Flock to Social Networks

Despite age requirements for use, hundreds of thousands of children between the ages of eight and 12 have created profiles on social networking sites using assumed dates of birth or other false methods, reports The Globe and Mail. “This is a huge issue,” said Canada’s Privacy Commissioner Jennifer Stoddart. It’s one that various stakeholders are working to address, including the U.S. and Canadian governments, and the social networking sites, themselves. “There’s no perfect way to verify age,” said Chris Webster of Nexopia, a social networking firm that has two dozen employees working to identify underage users. “They keep signing up and we keep chasing them.” [Source] [Santa Adds Facebook to Naughty List Over Friend Limit]

 

EU – ‘Uncloneable’ Biometric Passports Pass the Test

Europe has moved closer to the rollout of full biometric passports after key systems were shown to work. The UK was one of 27 countries that took part in the tests of RFID chips and passport readers for second generation ePassports. The tests demonstrated that it was possible for different EU countries to produce the ePassports to the same standard and that the ePassports could be recognised by passport authentication systems in multiple countries. Of the 27 countries, 12 completed the first round of tests and demonstrated their second generation ePassports could be recognised by authentication systems in more than one country. The second generation ePassports, due to be introduced in the UK in 2011/12, will be fitted with an RFID chip containing fingerprint scans and personal details, which will feature security measures to guard the data against cloning or tampering. First generation ePassports, introduced in the UK in 2006, typically hold only facial photo scans and ID information from the paper passport on an RFID chip. Second generation ePassport chips feature increased protection by requiring the passport reader to authenticate itself, reducing the chance of ‘skimming’ - the practice of an unauthorised reader extracting personal information from the chip. Chip readers will have to be authorised by the ePassport issuer up to one month beforehand to gain access to the ePassport chip. The communication between the chip and the reader is more strongly encrypted on second generation ePassports compared to the encryption on first generation ones. A spokeswoman for the Home Office said that additional protection on second generation chips would “prevent the chip data from being cloned”. The tests were run by digital security company Entrust. [Source]

 

CA – New Brunswick Gets High-Security Birth Certificates

New Brunswick has unveiled a state-of-the-art birth certificate that includes 20 new security features. The high-tech, passport-size document, made of a polymer material, is not a required upgrade for New Brunswickers with the old paper documents. The new birth certificates will be issued automatically to anyone born in the province from now on. And other New Brunswickers who would like a more secure certificate can buy one for prices starting at $20, based on size. But the document is not meant as a form of identification that could replace passports at border crossings, Byrne said. “It is really a foundation document to obtain other documents, such as a social security card.” [Source]

 

WW – Chrome Concerns - Google Internet Browser

It’s said to be speedy and robust, but Google’s new Chrome Internet browser worries some privacy advocates, reports the San Jose Mercury News. The unease stems from the ways Chrome can track users’ online behaviour. “It sounds like they developed a state-of-the-art surveillance program,” said Jeffrey Chester of the Center for Digital Democracy. Some developers have written programs to disable the Chrome identifier responsible for the tracking. But Chrome product manager Brian Rakowski asserts that all users have the choice on whether to opt-in to the tracking, adding that “there’s a tremendous amount of confusion about this.” [Source]

 

EU – Google’s IP ‘Anonymization’ Inadequate, Says EU Watchdog

An influential group of European privacy experts said this week that it will lead hearings with Google over the search giant’s claim that EU data protection laws do not apply to it. The Article 29 Working Party said that Google is refusing to submit to Europe’s data protection regime and that “strong disagreements” remain. It said in a statement that Google “considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe.” It also said that Google “wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification.” Alex Türk, chairman of the Working Party, also criticised Google for failing to improve its anonymisation mechanisms, which he called “insufficient”. He said that Google considers that IP addresses are confidential data but not personal data, “which prevents granting certain rights to its users”. Türk also accused Google of failing to “express the willingness to improve and clarify the methods that are used to gather the consent of its users.” [Source]

 

EU – European Parliament to Postpone IP Privacy Issue

European parliamentarians say more information is necessary before deciding whether IP addresses should be considered private data. Instead of voting on the matter this week during a review of changes to telecommunications laws, MEPs will ask the European Commission to produce a report on the matter. “First we need to know exactly what an IP address is,” said MEP Malcolm Harbour. MEPs will vote this week on cookies. Parliament will tighten provisions of an existing law that requires users’ consent before cookies can be placed on their systems. [Source]

 

EU – Data Protection Watchdogs to Hold Hearings With Google

The Article 29 Working Party will lead hearings with Google on its data retention and anonymization practices. Earlier this year, the party determined that search engine providers need not retain users’ personal data for more than six months. Although Google has announced that it will reduce its retention period from 18 to nine months, the company may still be in violation of European data protection law. Google’s Global Privacy Counsel Peter Fleischer said the company is “committed to engaging in a constructive dialogue with the Article 29 Working Party and other leading privacy stakeholders around the world.” [Source]

 

US – Profiles Help Grad School Admissions Officers

A recent Kaplan Test Prep survey found that an increasing number of graduate school admissions officers are using social networking profiles to help evaluate candidates, reports the Daily Princetonian. The research included data from admissions officers at 472 schools. Law schools, in particular, rely on such profiles. 52% of respondents reported that their visits to social networking sites have diminished an applicant’s chances for acceptance. “What you put on a social networking site ... [is] not very likely to get you into law school,” said Kaplan’s Glen Stohr. “But it could keep you out.” [Source]

 

KR – Korean Users May Delete Their Info at Suspicious Web Sites

Internet users will be allowed to erase data about themselves at Web sites that they believe are abusing their personal information, the Korea Communications Commission (KCC) said. The state-run Korea Information Security Agency (KISA) will provide a section in its Web page (http://p-clean.kisa.or.kr) that will provide users with a list of Internet sites they have subscribed to and allow them to pick sites they want their personal information deleted from. KISA will later provide an update on the termination process and confirmation after about four weeks. The service will be provided for a month, and will require users to submit their I-PIN numbers, a personal verification system for online users, pushed by the government as an alternative for resident registration numbers, a 13-digit code that identifies birth date, sex and registration site. The country has been rocked by a slew of data theft cases in recent months. In the most recent scandal, employees of GS Caltex were arrested for downloading the personal information of more than 11 million customers onto CDs and attempting to sell them on the black market. There has been criticism that poor control of private information is inevitable when companies are requiring subscribers to provide them with an extensive amount of data. [Source] See also: [Korea: (Editorial) Gov’t Negligence in Privacy Protection]

 

US – Supreme Court Hears Argument in Police Database Errors Case

The U.S. Supreme Court heard arguments in Herring v. United States. The case will determine whether an arrest based on inaccurate information in a criminal justice database should be upheld. EPIC filed a “friend of the court” brief in the case, urging the Justices to ensure the accuracy of police databases. The EPIC brief was filed on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. EPIC explained how government databases are becoming increasingly unreliable, according to the government’s own studies and urged the Court to “ensure an accuracy obligation on law enforcement agents who rely on criminal justice information systems.” The amici warned that, “to permit a good faith reliance on data that is inaccurate, incomplete, or out of date will actually exacerbate the problem and increase the likelihood of unfair treatment in the criminal justice system.” Transcript. For more, see EPIC’s Herring v. U.S. page.

 

US – EFF Sues Bush Over Warrantless Surveillance

The Electronic Frontier Foundation has sued President Bush, the National Security Agency, and nine other public officials to stop what the civil liberties group characterizes as far-reaching and illegal surveillance on ordinary US citizens. The complaint, filed in federal district court in San Francisco, comes in response to a law Congress passed this summer granting retroactive immunity to telecommunications companies that participated in the NSA’s warrantless surveillance program. The legislation has stalled a previous lawsuit the EFF filed against AT&T, as EFF attorneys challenge the constitutionality of the law. As in the previous suit, the EFF is targeting AT&T’s practice of funneling internet traffic to a secret room in a San Francisco central office operated by the telecommunications company. “This case challenges an illegal and unconstitutional program of dragnet communications surveillance conducted by the National Security Agency...and other Defendants in concert with major telecommunications companies,” the complaint alleges. Using devices installed on AT&T’s network, “Defendants have acquired and continue to acquire the content of a significant portion of the phone calls, emails, instant messages, text messages, web communications and other communications, both international and domestic, of practically every American who uses the phone system or the Internet, including Plaintiffs and class members, in an unprecedented suspicion-less general search through the nation’s communications networks.” The surveillance program has been in effect since shortly after the terrorist attacks of 2001, but it only came to light in 2005. One part of the program involves the interception of communications and phone and internet bills of millions of ordinary Americans, the EFF contends. The five plaintiffs are AT&T customers. They seek an order barring the government from continuing its “unlawful acquisition of the communications and records of Plaintiffs and class members.” They also want the government to destroy materials they’ve already collected under the program and to pay damages. The complaint also names Vice President Dick Cheney, his chief of staff, David Addington, former Attorney General, and White House Counsel Alberto Gonzales - among others. [Complaint] [Source]

 

US – Group Tells FTC More RFID Security Guidance Is Needed

The FTC heard from stakeholders on the use of radio frequency identification (RFID) at the commission’s “Transatlantic RFID Workshop on Consumer Privacy and Data Security.” One group urged the commission to tighten regulations on the use of RFID technology. The Electronic Privacy Information Center (EPIC) offered a number of proposals for protecting citizens’ privacy, including improving the visibility of tags and readers and not allowing tags to collect personal information. “We think the FTC has a role to play in safeguarding consumer privacy,” said Marc Rotenberg of EPIC. The FTC will accept public comments about RFID technology until October 23. [Source] See also: [FTC to study RFID as use becomes more widespread] [EPIC 2004 Guidelines] [FTC Workshop] and [Global Research Report: The Implanted RFID Chip: “Smart Cards” in a Surveillance Society] see also [Busting MythBusters’ RFID conspiracy tale]

 

US – Review of Counterterrorism Programs for Effectiveness, Privacy Impacts

According to a new report from the National Research Council, all U.S. agencies with counterterrorism programs that collect or “mine” personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs’ effectiveness, lawfulness, and impacts on privacy. The report -- “Protecting Individual Privacy in the Struggle Against Terrorism: A Framework for Program Assessment” -- sets out a program checklist agencies should follow, and urges Congress to establish new restrictions on how agencies can collect and use personal data. Press Release. EPIC has written extensively on the problems with data mining and opposed the establishment of Total Information Awareness. [Source]

 

US – Opinion: “Pendulum Has Swung” on Storing Customer Stats

Writing for the Wall Street Journal, Ben Worthen describes a shifting mindset in the business community, where organizations are weighing the benefits of storing customer data for future market research purposes versus the risks they acquire when housing the data. Although the best practices set by the payment-card industry ensure the protection of customer information, the industry mantra has become “if you don’t need it, don’t store it,” according to Troy Leach of the PCI Security Standards Council. “There’s a light going off saying that we’re creating additional risk without a lot of additional value by saving data,” said Leach. [Source]

 

US – IT People Most Worried About Corporate IT Fraud, Not C-Suite

The results of a recent Kroll Global Fraud report show that 72 percent of senior executives feel their companies are highly or moderately vulnerable to information theft, loss or attack. The survey polled 890 executives worldwide, also finding big increases in fraud-related losses over the past 12 months. The results also showed that employees working outside the C-suite and in their organization’s technological trenches were more likely to view their companies as being highly vulnerable to IT fraud. [Source]

 

EU – Special Statewatch Report: The Shape of Things to Come

The EU is currently developing a new five-year strategy for justice and home affairs and security policy for 2009-2014. The proposals set out by the shadowy “Future Group” set up by the Council of the European Union include a range of highly controversial measures including new technologies of surveillance, enhanced cooperation with the United States and harnessing the “digital tsunami”. In the words of the EU Council presidency: “Every object the individual uses, every transaction they make and almost everywhere they go will create a detailed digital record. This will generate a wealth of information for public security organisations, and create huge opportunities for more effective and productive public security efforts.” Seven years on from 11 September 2001 and the launch of the “war on terrorism” this major new report The Shape of Things to Come (60 pages) examines the proposals of the Future Group and their effect on civil liberties. It shows how European governments and EU policy-makers are pursuing unfettered powers to access and gather masses of personal data on the everyday life of everyone - on the grounds that we can all be safe and secure from perceived “threats”. The Statewatch report calls for a “meaningful and wide-ranging debate” before it is “too late” for privacy and civil liberties. The report also contains four Case Studies: 1) the “digital tsunami” and the surveillance state; 2) The “convergence principle”; 3) Privacy and data protection; 4) EU-US area of cooperation. [Press release] [Source] [8-page conclusions]

 

EU – France Scales Back Database Plans After Outcry

The French government will scrap a decree that would have allowed the police to store private information on politicians and unionists, the prime minister’s office said after the text caused an outcry. The Edvige electronic database will still go ahead, but the government will come up with a new decree that significantly tightens the rules so that only people considered a security threat can be included. “The decree will explicitly rule out the collection of any data on people’s sexual orientation or health,” the prime minister’s office said in a statement. The first decree had made it possible to store such data, drawing widespread criticism. The statement also noted that the new decree will no longer allow the police to collect data on politicians, union activists or religious figures simply because of their activities. However, the new text will still allow the police to store data on minors as young as 13 if they are considered a threat to public safety. The main labor unions said in a joint statement that they were not satisfied. They reiterated that it was unacceptable for the database to include minors and called for stronger guarantees that citizens’ rights and freedoms would be respected. Opponents to the Edvige database have called for a day of demonstrations on Oct. 16. The first decree drew criticism from civil rights groups, workers’ unions, gay rights organizations and even from within the government, with one minister publicly voicing concerns. [Source] [From Edvige to EDVIRSP, a capital change, 21.09.2008] [Edvige:”insufficient rebound” (SM) 20.09.2008] [EDVIGE file becomes EDVIRSP 20.09.2008] [Edvige file : the opponents stay vigilant 19.09.2008] [RAS - Petition in order to obtain the abandoning of EDVIGE file] [France drops plan for political database after row 18.09.2008] [EDRi-gram: ENDitorial: Massive mobilization against EDVIGE, the new French database]

 

US – Big ISPs Opt for Opt-Ins

Before a Senate committee, three of the four largest U.S. Internet service providers (ISPs) said they will adopt a customer opt-in policy before tracking their online activities. At the Senate Commerce, Science and Transportation Committee hearing, representatives from AT&T, Time Warner Cable and Verizon said they will ask for customers’ permission if, at some point in the future, they decide to begin behavioral advertising programs. The companies are also interested in creating industry best-practices for information collection, and have established a group that will develop draft guidelines by year’s end. [New York Times]

 

UK – Fears Over Privacy As Police Expand Surveillance Project

The police are to expand a car surveillance operation that will allow them to record and store details of millions of daily journeys for up to five years, the Guardian has learned. A national network of roadside cameras will be able to “read” 50m licence plates a day, enabling officers to reconstruct the journeys of motorists. Police have been encouraged to “fully and strategically exploit” the database, which is already recording the whereabouts of 10 million drivers a day, during investigations ranging from counter-terrorism to low-level crime. But it has raised concerns from civil rights campaigners, who question whether the details should be kept for so long, and want clearer guidance on who might have access to the material. The project relies on automatic number plate recognition (ANPR) cameras to pinpoint the precise time and location of all vehicles on the road. Senior officers had promised the data would be stored for two years. But responding to inquiries under the Freedom of Information Act, the Home Office has admitted the data is now being kept for five years. The police ANPR database is a system that was never sanctioned or debated in parliament and which threatens the freedom of movement, assembly and protest. Presented simply as a tool to fight crime and terror by the police, it will become one of the cornerstones of the surveillance state, and will give the police far too much power to track, in real time, the movement of people who may be bound for legitimate demonstrations and protest rallies. Linked with the government’s proposals to seize all our communications data to be announced in the Queen’s speech this autumn, this move signifies a profound change in our society and an irreversible transfer of power from free individuals to the state. [Source] [Source]

 

UK – Councils Ordered to Stop Snooping on Residents

Councils will be ordered to stop spying on local residents amid Government concerns over the continuing creep of the surveillance state. Ministers from the Department of Communities and the Home Office have undertaken a thorough review of official surveillance powers, some of which are open to public bodies such as local authorities, the NHS and even the Coastguard. The review was triggered by ministers’ concerns that incidents where council staff were found putting microchips into residents’ dustbins and tailing parents to school had eroded public support for the entire enforcement system. Two-thirds of councils have taken up the snooping powers open to them under the Regulation of Investigatory Powers Act since its introduction in 2000. Ministers plan to issue guidance and set strict new limits to ensure that in future the RIPA powers are not used to tackle minor infringements of the law or local regulations. John Healey, Local Government Minister, said: “These are heavy duty powers and they are needed to detect heavy duty crimes in cases where evidence cannot be gathered in any other way.” [Source]

 

AU – Eligibility Requirements for Registration on the Do Not Call Register

The Office supports measures that allow individuals control over how their personal information is handled. The establishment of a national Do Not Call Register (DNCR) has been an important mechanism in helping individuals exercise this control. The Office recognises that the risks of direct marketing calls interfering with the privacy of individuals are likely to be most pronounced with private or domestic phone numbers, which are already covered by the DNCR. However, the Office submits that similar risks may apply to other numbers and that the protections of the DNCR should be extended to these numbers. Therefore, in response to the questions posed in the Discussion Paper, the Office believes that:

• the DNCR should be extended to the phone numbers of small businesses, particularly where those numbers are also used for private or domestic purposes.

• the DNCR should include faxes in its scope, particularly for private and domestic faxes.

[Full report] [Article from London Review of Books on how cell phone location records and use records can categorize the users - for marketing, for finding terrorists (or people who may be terrorists ...) ]

 

US – Expanded Powers to Search Travelers at Border Detailed

The U.S. government has quietly recast policies that affect the way information is gathered from U.S. citizens and others crossing the border and what is done with it, including relaxing a two-decade-old policy that placed a high bar on federal agents copying travelers’ personal material, according to newly released documents. The policy changes, civil liberties advocates say, also raise concerns about the guidelines under which border officers may share data copied from laptop computers and cellphones with other agencies and the types of questions they are allowed to ask American citizens. In July, the Department of Homeland Security disclosed policies that showed that federal agents may copy books, documents, and the data on laptops and other electronic devices without suspecting a traveler of wrongdoing. But what DHS did not disclose was that since 1986 and until last year, the government generally required a higher standard: Federal agents needed probable cause that a law was being broken before they could copy material a traveler was bringing into the country. The changes are part of a broader trend across the government to harness technology in the fight against terrorism. But they are taking place largely without public input or review, critics said, raising concerns that federal border agents are acting without proper guidelines or oversight and that policies are being adopted that do not adequately protect travelers’ civil liberties when they are being questioned or their belongings searched. [Source] See also: [Leaked DHS Memo Highlights Data Protection Practices] and [DHS Fact Sheet: U.S. Department of Homeland Security 9/11 Anniversary Progress and Priorities]

 

US – Proposed Bill to Limit Border Searches

A California lawmaker has proposed a bill to limit U.S. Customs and Border Protection searches of electronic equipment at border crossings. Democrat Loretta Sanchez filed the Border Search Accountability Act of 2008, which would place conditions on searching electronic devices. The act would require that the owners of searched devices be present during the search and would place restrictions on how long border officials could keep the devices. In addition, business secrets, lawyer-client communications and other confidential information would have special protection. [Source] [Source] [Bill]

 

US – Stronger Identity Theft Act Awaits Presidential Signature

The Identity Theft Enforcement and Restitution Act of 2008 has been approved by both houses of the US legislature and now goes before the president to be signed into law. The bill clarifies what constitutes identity and information theft and increases the penalties for those found guilty. The act does away with the minimum level of damages required for charges to be filed against information thieves. In addition, victims of identity theft would have the right to sue the culprits for restitution. [Source] [Source]

 

US – Nevada Data Encryption Law Takes Effect October 1

A Nevada law requiring that businesses encrypt all transmissions of personal, identifiable information over the Internet becomes enforceable as of October 1, 2008. An attorney who has been keeping a close eye on the issue has expressed concern that the statute is overly broad in its definition of what constitutes encryption, does not address industry standards, and is not clear about how those who violate the law will be penalized. [Source]

 

US – Massachusetts Adopts Tougher Data Protection Rules

The Massachusetts Office of Consumer Affairs and Business Regulation has released rules designed to help protect consumers’ personal information. The regulations, which go into effect January 1, mandate data encryption and checks on employee access to sensitive data such as Social Security and credit card numbers. The rules are intended to protect residents from identity theft. “This is necessary because of the growing concern among consumers about the large number of breaches of data containing their personal information,” said the undersecretary of Consumer Affairs and Business Regulation. [Source]

 

US – Connecticut Data Security / SSN Law in Effect Soon

A law to safeguard the personal information of Connecticut residents goes into effect October 1. In a Mondaq report, Andrew Serwin outlines the legislation, which mandates that those who possess the personal information of another person protect that information from misuse and dispose of such data properly. The law also requires businesses that collect Social Security numbers to create and post a privacy protection policy outlining their principles for protecting that information. [Source]

 

US – Texas Launches Electronic Notification System to Combat Identity Theft

The Texas Department of Banking has launched a system expected to minimize the extent of identity theft, reports Identity Theft Daily. The Closed Account Notification System (CANS) informs major check verification companies, by the second business day, when a bank account has been closed due to fraudulent activity. Getting the verification companies involved in the process is expected to reduce the number of fraudulent checks accepted by merchants after an account has been closed. “Thieves are stopped in their tracks,” said Rep. Giddings (D-Dallas), author of the legislation. “No longer will identity thieves be able to profit from their crimes by passing bad checks for weeks.” [Source]

 

CA – TTC Gives Green Light to Drug Tests For Key Staff

The TTC has approved a limited drug-testing policy that will subject job applicants and workers most at risk of being impaired at work to saliva tests – if they’re in roles where safety is crucial. The move by commissioners somewhat defused opposition from human rights advocates and union leader Bob Kinnear, who had refused to rule out a strike or legal action if workers were forced to submit to the most controversial part of the proposed policy: random testing. Under a fitness-for-duty policy to be implemented within a year, TTC workers in safety-sensitive jobs will be tested if there is reasonable suspicion they have been using banned substances on the job, or following an incident in which drug or alcohol use is suspected as a factor. Those caught using drugs and alcohol at work, or who are returning to work after attending a substance-treatment program, will also be monitored through testing, though it’s not clear what form that testing will take. TTC chief general manager Gary Webster had argued for random testing of all employees as a deterrent. He suggested it was necessary to decrease the chances of a catastrophe, though proven cases of impairment have been relatively rare. Random testing would have made the TTC’s policy among the most radical in Canada – where, unlike in the United States, courts and human rights commissions have generally deemed random tests an invasion of personal privacy. Civil liberties experts and union officials argued that random tests would indeed violate workers’ dignity and privacy rights. [Source]