Privacy News Highlights
01–09 April 2009
Contents:
WW – UKBA to Exchange Fingerprints with US
WW – Fingerprints Replaces PIN-codes and Passwords at Corporations
US – U.S. Banks Sign Up for Biometric Project
CA – Trash Search Doesn’t Violate Privacy Rights, Says Top Court
CA – Identity Theft Bill Introduced
CA – New Brunswick Will Not Develop Enhanced Driver’s Licences
CA – Alberta ParkPlus Privacy Implications Probed
CA – BC MP Private Member’s Bill Targets Cyberbullying
CA – Ontario Privacy Commissioner Issues Paper on Wireless Healthcare Privacy
UK – Privacy Groups Oppose Advert Targeting
UK – Poll Measures Privacy Trust
US – U.S. Senators Opposed to Fusion Centers
CA – Five-Country Study Finds Little Protection for Anonymity
CA – Organization Promotes Opting Out of B.C. eHealth System
US – World Privacy Forum Issues How-To Guide to Keeping Medical Records Private
AU – Surveillance Questions in Victoria Raise Issues for All
WW – Facebook Hit by New Security Concerns Over Privacy Settings
UK – ISPs Now Required to Retain Internet Communications Data
EU – Online Advertisers Face Tighter EU Privacy Laws
EU – Q&A on Overseas Data Transfer
WW – Spam Overwhelms E-Mail Messages
CA – Senate Anti-Spam Bill Passes Second Reading
CA – Canadian Private Member’s Bill Targets Cyberbullying
AU – Australian Consumers Lose Court Privacy Bid
WW – G20 Bosses Bash Banking Secrecy
WW – U.S. Consumers Snub Mobile Banking On Security Fears
CA – Ontario Court Documents Will Be More Open to the Media
CA – Federal Court Raises Bar for Crown in Seizing DNA from Juveniles
CA – More Abandoned Medical Records in Alberta
FBI – Thousands of PR Children Victims of ID Theft
US – 18,000 Nashville Students’ Personal Data Put Online
US – Univ. of Washington Notifies 6,000 of Data Breach
CA – B.C. Taking Applications for Enhanced Driver’s Licence
US – Michigan Lawmaker Urges Governor to Rethink RFID in Licenses
EU – French MPs Reject Controversial Plan to Crack Down on Illegal Downloaders
EU – Swedish Anti-Piracy Law Cuts Internet Traffic
EU – Consent for Cookies Proposed
CA – Essays on Deep Packet Inspection and Privacy
UK – Information Commissioner Starts Drop-In Sessions on Social Networking Site
US – Online Safety and Technology Working Group Members Appointed
US – New Senate Bill Proposes Mandatory Security Standards and Certifications
MY – Malaysia Privacy Act to be Introduced
WW – An “Extraordinarily Anonymous Process”
WW – Study Challenges BT Claims of ‘Anonymous’ Data
WW – Google using IP addresses to localise search
UK – Human Chain Foils Photography Efforts, Temporarily
US – Privacy a Priority for Senate Subcommittee
US – FTC Publishes Red Flags Web site
US – Judge to Decide if Hannaford Breach Liability Case Will Go to Trial
US – ACLU: Good Privacy = Good Business
US – Sued for Seeking a ZIP Code?
US – Microsoft: Dramatic Rise in ‘Scareware’ Infections
US – Obama Administration Expands Bush’s Legal Defense of Wiretapping Program
UK – Phorm Eyes Launch After Hard Year
US – Cable’s Answer to Online’s Ad Success: Targeting
US – NJ Supreme Court Rules on Banking Privacy
US – US Takes Steps to Create Infrastructure Against Cyber Attacks
US – Bill to Ban Database of Bad Student Behavior
AU – Facebook Discipline May Be Illegal: Expert
Biometrics
The UK Border Agency plans to start exchanging fingerprint data with the US, Canada and Australia in the near future. The organisation, which gained full executive agency status on 1 April 2009, says in a business plan issued on the same day that it plans to work with the USA, Canada and Australia to “introduce a system of appropriate data protection arrangements for fingerprint checks and data sharing”. This is intended to help identify and bar foreign criminals from entering the country, and is planned for “early 2009”. The agency said that by December 2008 it had enrolled more than 3.6m sets of fingerprints from visa applicants, finding more than 5,200 cases of identity swaps. All visa applicants now have fingerprints taken, and since June 2008 these have been checked against the police’s Ident1 national fingerprint database. Of the 800,000 checks on Ident1, there were 4,000 positive matches, some of which have found visa applicants who are wanted by the police. The agency, which introduced identity cards for foreigners in 2008, says in the business plan that it will extend biometric identity cards for foreign nationals “to other high risk categories” during 2009. By 2011 all new applicants coming to the UK for more than six months, or extending their stay, will have to have a card. There are also plans to open its National Border Targeting Centre in December, checking 60% of all international passenger movements, although the UKBA aims to have the centre ready for use in November. It expects to check 95% of movements by the end of 2010. It also expects to have automated gates, which allow European passport holders through border controls if a computerised system matches their face to the image in their passport, in 10 terminals by August 2009. Such gates are already in use at two terminals. [Source]
Gemalto and Precise Biometrics today introduce Gemalto .NET Bio. This innovative solution enables organizations to enhance network security and protect online identities by replacing weak, static passwords with strong authentication. The Precise Match-on-Card™ technology stores and verifies users’ fingerprint information directly on a smart card, in this case a Gemalto .NET card. The fingerprint information never leaves the card and is never stored in a database, thus protecting their digital identities and privacy. Organizations employ Gemalto smart cards and tokens for strong user authentication to their networks, as well as for data encryption and digital signature services. [Source]
The US-based Financial Services Technology Consortium has launched a project to investigate the use of biometrics for verifying customer IDs. The FSTC says over 20 banks have expressed an interest in the project, including the American Bankers Association, which has signed on as a sponsor. Dan Schutzer, executive director of the FSTC, says the programme will endeavour to develop a methodology for banks to better select, specify, evaluate and deploy biometric applications with greater customer acceptance. The initiative grew out of a panel discussion at a joint FSTC/Bits summit in early March. A follow-up meeting is planned for later this month at Wells Fargo Bank in San Francisco. [Source]
Canada
The Supreme Court of Canada has dismissed an appeal from a convicted ecstasy trafficker who argued police violated his privacy rights by searching through his trash. In a 7-0 ruling issued Thursday, the court said Russell Stephen Patrick had abandoned his privacy rights when he put the garbage bags out for collection on the edge of his property “to which any passing member of the public had ready access.” The court did say police must have a “reasonable suspicion” that a criminal offence has happened or will happen before doing such a search. [Source]
Officials have re-introduced legislation targeting identity theft. “This legislation will provide police with the tools they need to protect Canada’s families, seniors, and businesses from the numerous harms of identity crime,” said the Honourable Rob Nicholson, Minister of Justice and Attorney General of Canada. The law would create new offences for: obtaining and possessing identity information; trafficking in identity information; and unlawfully possessing or trafficking in government-issued documents that contain personal information. The law would also create offences for redirecting mail, possessing a counterfeit mail key, and possessing instruments for gaining debit and credit card information. “This legislation helps combat the complex and growing problem of identity theft...,” said Minister Nicholson. [Source]
New Brunswick will not develop enhanced driver’s licences for border crossings into the U.S., Premier Shawn Graham announced last week. Beginning June 1, crossing the Canada-U.S. border will require a passport or other acceptable document. “We found that the cost to residents would be almost as much as a passport, which will still be required,” said Graham in a release from the provincial government. Graham advised New Brunswickers to act now to secure an alternate border crossing document such as a passport, a NEXUS card, or a FAST card. [Source]
The city of Calgary’s ParkPlus system has come into question. The pay-for-parking system snaps photos of all parked vehicles, which, a lawyer for law firm Miller Thompson says, violates provincial privacy laws. “All vehicles are photographed, not only those vehicles where no valid payment has been made,” says a Miller Thompson report on the system. A portfolio officer for Alberta’s privacy authority reviewed the system in December, deeming it okay. But a spokesperson for that office says that opinion is not binding. “It is open to challenge,” said Wayne Wood from the commissioner’s office in Edmonton, “someone can still file a complaint.” [Source]
A Vancouver MP wants to amend the Criminal Code to target children and teenagers who use mobile phones and the internet to bully others. Currently, the code makes harassment, libel and spreading false messages criminal offences. However, “it isn’t explicit that it applies to electronic messaging,” Liberal MP Hedy Fry said, following a news conference in Ottawa. The day before, Fry had introduced a private member’s bill to specify that harassment, libel and spreading false messages by electronic means are also criminal offences. Fry said that clarification is important because the internet is now the biggest mode of communication that people have. At her news conference, she cited a 2009 University of Toronto survey of more than 2000 students that found 50 per cent had been bullied online. [Source]
Wireless handheld technologies offer a practical and affordable solution to the ongoing problem of keeping a large, mobile and dispersed workforce connected with each other and, more importantly, connected with one’s clients. The benefits of wireless communications are many, but there are also privacy risks. Unauthorized access or disclosure of personal data can occur through loss or theft of a mobile computing device or through unauthorized interception during the wireless transmission of personal data. Without appropriate safeguards, storing personal data on a mobile computing device and transmitting it wirelessly can be like using an open filing cabinet in a waiting room. This paper provides guidance on privacy best practices for home care organizations when integrating wireless handheld technologies to enhance the efficiency and effectiveness of home care services. It also includes an example of an initiative by We Care and its technology partners, Healthanywhere and Medshare, both Blackberry Alliance Members with Research in Motion (RIM). [Source] [Paper]
Consumer
A survey of 1,000 British consumers has revealed that 45% are open to targeted advertising as long as they have the choice to opt-out. Online analytics firm Coremetrics commissioned the study, which also found that 35% of consumers feel the delivery of tailored adverts helps them discover new products. Regulators and advocacy groups worldwide are examining the potential privacy implications of behavioural targeting. Some UK opponents feel the method is illegal under the Regulation of Investigatory Powers Act. [Source]
A BBC World News American/Harris poll last month asked adults how much they trust various entities to handle their personal information in a secure manner. The responses indicate that healthcare providers are the most trusted entities, while social networking sites are least trusted among those polled. Twenty percent said they have “a great deal of trust” in doctors’ and hospitals’ handling of their personal information, while five percent indicated “a great deal of trust” with social networking sites. The study measured respondents’ trust levels with search and portal sites, the federal government, banks and brokerages and e-mail providers, as well. [Adweek]
E-Government
On the topic of Department of Homeland Security (DHS) fusion centers, two former U.S. Reps. accustomed to disagreeing have found common ground. Former Georgia members of Congress Bob Barr and Cynthia McKinney are concerned about fusion centers’ infringement on Americans’ privacy rights. There are 70 fusion centers nationwide. They were implemented to align counter-terrorism efforts across the nation. Barr and McKinney were quoted in an American Civil Liberties Union (ACLU) request on Wednesday for the DHS to investigate fusion centers’ privacy impacts--citing five examples of alleged abuse. The ACLU request came on the same day that House Homeland Security Subcommittee members met to discuss fusion centers. [Source]
Laws in Canada and around the world are reinforcing technology’s ability to undermine the anonymity of citizens, according to a new study by leading scholars from Canada, U.S., U.K., Netherlands and Italy. The study, to be unveiled on April 8th in Ottawa, reveals scant protection of anonymity, a preference for laws requiring people to be identified and an increasing encroachment of the law into areas where there were previously no rules prohibiting anonymity. These and other research findings are outlined in the recently published book, Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society. Professor Ian Kerr, Research Chair in Ethics, Law and Technology at the University of Ottawa, was the principal investigator of On the Identity Trail, which studied the impact of technology on privacy, identity and anonymity. The book’s co-editor is Valerie Steeves, Assistant Professor at the University of Ottawa’s Department of Criminology and Faculty of Law. Professors Kerr and Steeves will discuss their research findings at an event organized by the Office of the Privacy Commissioner this week. [Source] [ID Trail website] [Geist blog]
Electronic Records
A consortium of organizations concerned about patient privacy has created a campaign to inform citizens of their right to opt out of the eHealth system. The eHealth system will put patient data into a centralized database that will be available to healthcare sector concerns, the Ministry of Health and other government players. The BC Civil Liberties Association, the Freedom of Information and Privacy Association and others created the campaign, “BC’s Big Opt-Out”, to let the public know about potential risks associated with this storage of and access to their medical data. The BC campaign is based on TheBigOptOut.org, a UK initiative for the same purpose. [Source]
A study of 4,000 U.S. adults’ attitudes towards health information technology (HIT) has found that many are interested in using HIT, but have concerns about the privacy of their personal medical information. Conducted by the Deloitte Center for Health Solutions, the study found that 42% of respondents are interested in moving their records online, while 55% want more online communications with their physicians and 57% want to be able to schedule appointments, purchase prescriptions and conduct transactions online. 38% of respondents said they are very concerned about privacy and security. [Source]
The World Privacy Forum has released a plain-spoken online guide that can help people regain some control and a measure of privacy over their health records. The guide, a year in the making, takes on the less-than-fun challenge of dissecting complicated privacy rules created by HIPAA, a 1996 federal statute that set data-privacy and security rules for key players in the American health care system. The new guide explains patient rights and provides practical advice about how to defend those rights using the law as well as basic social skills and common sense. [Source] [Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy]
Encryption
The Victorian Law Reform Commission has released a Discussion Paper on Surveillance in Public Places. Chairperson of the commission, Neil Rees, said “surveillance affects all Victorians whether we are shopping, catching public transport, driving on major roads, or attending a sporting event”. The paper proposes possible reforms that could better regulate surveillance in Victoria including a new role for an independent regulator, new best practice standards, mandatory codes to govern surveillance in public places with sanctions for non-compliance including civil and criminal penalties, a licensing system for some particularly privacy invasive practices and a new statutory obligation to refrain from committing a serious invasion of privacy, modelled on the statutory cause of action proposed recently by the ALRC. [Source]
Users of Facebook could be giving away their personal information due to the way the website’s privacy settings work. A team from the University of Cambridge’s computer laboratory has shown how Facebook public profiles could be used to find out personal information despite appearing to contain only a few details. In the paper, titled ‘Eight Friends Are Enough’, the team pointed out that it was possible to reconstruct a user’s friends list in a way that could allow marketers, governments and even criminals to understand the private relationships between different people. It claimed that a search for a specific Facebook user will display every user’s name, photo and eight friendship links. Affiliations with organisations, causes, or products are also listed. The paper’s author, Joseph Bonneau, said: “This is quite a bit of information given away by a feature many active Facebook users are unaware of. Indeed, it’s more information than the Facebook’s own privacy policy indicates is given away. “When the feature was launched in 2007, every over-18 user was automatically opted-in, as have been new users since then. You can opt out, but few people do - out of more than 500 friends of mine, only three had taken the time to opt out. It doesn’t help that most users are unaware of the feature, since registered users don’t encounter it.” The paper further claimed that the public listings are designed to be indexed by search engines. In the team’s own experiments, it was able to download over 250,000 public listings per day using a desktop PC and a fairly crude Python script. [Source]
EU Developments
The UK’s Data Retention (EC Directive) Regulations 2009, which took effect on Monday, April 6, 2009, require Internet service providers (ISPs) to retain Internet communication data for 12 months. The information to be kept includes websites users visited or attempted to visit; the sender, recipient, date and time of email sent; and the caller and recipient of Internet telephone calls. The regulations also require telecommunications companies to retain information about both fixed and mobile telephone usage, including callers’ locations. The new law takes the place of the Data Retention (EC Directive) Regulations 2007. Law enforcement authorities may gain access to the stored records with a warrant. The information will be made available to police and security services, as well as public bodies and quangos. One privacy advocate said: “We are facing a co-ordinated strategy to track everyone’s communications, creating a dossier on every person’s relationships and transactions.” [Source] [Source] [Source]
At a meeting in Brussels yesterday, the European commissioner for consumer affairs said that Web users’ rights are being abused by those who seek to profit on their data. “Consumer rights must adapt to technology, not be crushed by it,” said Meglena Kuneva at the meeting of industry professionals and analysts. Kuneva urged the online advertising industry to create a code of conduct for protecting Web users’ privacy rights, and also hinted that legislation will be necessary to help prevent abuse given that existing laws fail to address behavioral advertising activities. “The current situation with regard to privacy, profiling, and targeting is not satisfactory,” she said. [Source]
The European Commission has published a Q&A on overseas data transfers. Developed by the Data Protection Unit of the EC’s Directorate-General for Justice, Freedom and Security, the guide intends to help small- and medium-sized businesses understand European Data Protection law in this regard. The EU Data Protection Directive mandates that companies may only send personal data outside the European Economic Area if the receiving jurisdiction has an adequate level of data protection or has offered adequate safeguards for privacy protections. The guidance also discusses binding corporate rules. [Source] [Guidelines]
Facts & Stats
More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft security report. The e-mails are dominated by spam adverts for drugs, and general product pitches and often have malicious attachments. The report found that the global ratio of infected machines was 8.6 for every 1,000 uninfected machines. [BBC]
Senator Yoine Goldstein’s anti-spam bill has passed second reading at the Senate and will now head to committee. Conservative Senators expressed some concerns with the bill and provided assurances that Industry Minister Tony Clement is developing legislative options to address spam. [Second Reading] [Source]
Filtering
A Vancouver MP wants to amend the Criminal Code to target children and teenagers who use mobile phones and the internet to bully others. Currently, the code makes harassment, libel and spreading false messages criminal offences. [CBC]
Finance
A group of aggrieved consumers have lost a NSW Federal Court bid to sue credit risk reporting giant Veda Advantage, prompting concern among privacy advocates. Federal Court Justice Kevin Lindgren collectively dismissed complaints lodged against Veda, formerly known as Baycorp Advantage, by nine consumers, which have been heard concurrently since November 2006. [Australian IT]
From London yesterday, G20 leaders predicted an end to banking secrecy. The group called for the immediate publication of the blacklist of countries that do not subscribe to international tax information-sharing standards. The leaders said they will take action against “non-cooperative jurisdictions, including tax havens” if need be, proclaiming: “We stand ready to deploy sanctions to protect our public finances and financial systems.” The leaders have asked the Paris-based OECD to report back to them by November. French President Nicolas Sarkozy described the results as “beyond what we could have imagined...We are all happy with the results.” [Source]
A survey of 500 U.S. consumers has revealed that the majority are uncomfortable with using mobile devices for conducting financial transactions, Reuters reports. Although 76% of respondents said they regularly use online banking services via their computers, only nine percent have tried mobile banking. Respondents cited security and privacy concerns as the reason for not using mobile banking. Accounting firm KPMG conducted the study, which also found that 95% of those surveyed said the same discomfort prevents them from using cell phones when shopping online. [Source]
FOI
Ontario will relax a rigid clamp of secrecy over cases ranging from sexual offences and extortion to criminal matters involving young offenders, Ontario Attorney-General Chris Bentley said this week. Mr. Bentley said that allowing the media access to files in these cases will enhance public awareness of information that was routinely sealed in courthouses throughout the province. He said that in criminal cases involving young offenders, the media will be able to easily learn when and where specific cases are being heard - basic information that has stood as a major impediment to reporting the cases. Mr. Bentley also said that he will look into relaxing a ministry policy that prevents prosecutors and ministry staff from responding to questions from the media. [Source]
Genetics
The DNA of Canadian youths convicted of crimes as minor as petty theft has been improperly retained by the federal DNA data bank and potentially sent to countries where the children’s biological identities could be abused. In a scathing judgment, Judge Marion Cohen of the Ontario Court said that the existing DNA seizure law violates the youths’ constitutional right to privacy, and that numerous samples that ought to have been destroyed remain in data bank files. “Under this legislation, a 12-year-old who grabs a baseball hat off a playmate and runs away with it can be found guilty of robbery and be required, pursuant to a mandatory order, to surrender his or her DNA to the state,” Judge Cohen said. “This mandatory procedure is unfair and unreasonable.” Judge Cohen said there must be a change to the threshold for seizing DNA from young offenders. However, rather than strike down the current legal regime entirely, she rewrote it to force the Crown to prove in each case why a seizure is necessary. The order will apply to 52 offences, ranging from sexual assault to murder, and is expected to dramatically reduce the number of DNA samples taken from young offenders. Still, it was Judge Cohen’s findings about the integrity of the DNA data bank that have created shockwaves. She said that, even when the data bank destroys DNA profiles from young offenders, it keeps a portion of the original biological material that was seized. “The remaining bodily substances – which contain the entire genetic makeup of the sample providers – are not destroyed,” she said. “They are maintained indefinitely in the National DNA Data Bank, in the same manner as the bodily substances and DNA profiles of adults – which are retained indefinitely.” Toronto lawyer Ricardo Federico, a leading expert on DNA, said the ruling “is a serious, serious finding by a court. The constitutionality of the DNA data bank should be of utmost concern to everybody. This raises questions about the integrity of the entire DNA data bank.” Mr. Federico noted that the data bank sends DNA samples to scores of countries upon request as part of a little-known Interpol exchange agreement. Mr. Federico said Parliament should consider imposing a moratorium on all DNA seizures until the matter can be investigated. [Source]
Health / Medical
The revelation last week that a Didsbury-area doctors’ clinic abandoned 3,000 patients’ files when it closed has cast a spotlight on what Alberta’s Information and Privacy Commissioner feels is an all too common problem. “People’s records shouldn’t be floating around,” said Commissioner Frank Work. “They should be accounted for and secured.” Work hopes that new provincial legislation, the Health Professions Amendment Act, will help prevent such instances in the future. Under the act, medical regulatory bodies would establish standards requiring members to maintain formal plans for records storage. “We want to start consultations with pharmacists, doctors, psychologists on this and we want to do it soon,” Work said. [Source] See also: [Who Owns Abandoned Medical Records?]
Horror Stories
An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen - and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. “A kid is going to have a perfect credit history,” Diaz said. “They reach 18, 20 years of age. They go buy a car and their credit is damaged.” [Source]
The personal information of more than 18,000 Tennessee students was inadvertently posted online and remained there for three months, reports the Tennessean.com. The names, SSNs, dates of birth and some parents’ names of Metro Nashville students were posted to an insecure directory during testing by the school’s data collection provider, the Public Consulting Group Inc. The group discovered the file and removed it on March 5, but the information had already been indexed by Google’s search engine. A parent searching her daughter’s name on Google discovered the information on March 31. Google has since removed the information at the group’s request. [Source]
The University of Washington has notified more than 6000 employees that their personal information was compromised in a data security breach late last year. Perpetrators managed to gain access to two University Transportation Department servers containing the employees’ names and Social Security numbers (SSNs). The attacks began in early December 2008; the servers were taken offline on December 30 after a review revealed “obvious signs of compromise.” The university stopped using SSNs as unique identifiers in 2002, but the Transportation Department continued to use the numbers to process transactions. [Source] [Source]
Identity Issues
British Columbians can now apply for an enhanced driver’s licence (EDL) for use in crossing into the U.S. by land or sea. The province’s new EDL is designed to make the licence a legitimate alternative to a passport at land and water ports of entry into the U.S. For those who don’t drive and young adults over the age of 12, B.C. is also offering a new enhanced identification card. The EDL program has been in the works for months but was not officially launched to applicants until Monday. The Insurance Corporation of B.C. (ICBC) is accepting appointment bookings for those interested in applying for an EDL. The appointments will begin on May 1. [Source] [ICBC’s EDL info site]
Michigan State Rep. Paul Opsommer wants the governor to rethink the state’s use of enhanced drivers licenses (EDLs). At issue, says Opsommer, is the fact that EDLs contain radio frequency identification (RFID) technology. “Michigan entering into a federal agreement to put unencrypted, long-range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit,” Opsommer said in a statement. The Department of Homeland Security says the cards do not pose a privacy risk. The EDLs aim to help satisfy stricter border crossing requirements resulting from the Western Hemisphere Travel Initiative. They can be used in place of passports at the Canadian and Mexican borders. [Source]
Intellectual Property
French politicians have unexpectedly rejected a bill that would have cut off the internet connections of anyone found to be repeatedly downloading music or videos without paying for them. The legislation would also have led to the creation of the world’s first state surveillance system on web pirates. The fiercely contested bill was rejected in a sparsely attended vote in the National Assembly. Under the proposed legislation, new powers would have been granted to music and film companies to enable them to monitor internet users and report illegal downloads to a new copyright protection agency. Anyone found to have broken the law would have been traced via their IP address and handed up to three warnings before their connection was severed for up to a year. Offenders would have had to keep paying for their internet connection despite it having been cut off. Despite the approval of the French recording industry and prominent musicians, including Johnny Hallyday, some attacked the measure. Civil liberties campaigners and members of the Socialist party said the new surveillance powers were tantamount to “the criminalisation of an entire generation”. [Source] [Source]
An anti-piracy law in Sweden called the Intellectual Property Rights Enforcement Directive (IPRED) that took effect on April 1 appears to be responsible for a significant drop-off in web traffic in that country; the decline has been estimated at between 33 and 40 percent. The new law requires Internet service providers (ISPs) to divulge customer names associated with IP addresses believed to be used to download files illegally. [Source] [Source] [Source]
Internet / WWW
Members of the European Parliament (MEPs) are considering an ePrivacy Directive amendment aimed at giving Internet users more control over firms’ tracking of their online activities. Amendment 84 would require Internet firms and non-commercial Web sites to get user consent before a cookie could be dropped on their system, the report states. Firms use cookies to, among other things, deliver targeted advertisements and content. MEP Alexander Alvaro supports the amendment and legislators are expected to vote on the measure by June. Europe’s Internet Advertising Bureau is urging legislators to reject the amendment. [Source] See also: [Behavioral Targeting] [FCC Readying for Interactive TV Debate]
The Office of the Privacy Commissioner of Canada invited a series of essays on deep packet inspection and the interplay between privacy, data protection and modern network technologies. They have now published the essays online (French). The site allows readers to comment, excerpt and even vote on essays that interest or frustrate them. Contributors include Harry Abelson, Ralf Bendrath, Roger Clarke, Richard Clayton, Susan P. Crawford, Ronald Deibert, Brooks Dobbs, Bert-Jaap Koops, Danielle Keats Citron, Stéphane Leman-Langlois, Paul Ohm, Christopher Soghoian, Anil Somayaji, and Maxim Weinstein; the collection also includes a review of the Internet traffic management practices of Internet service providers written by the Office of the Privacy Commissioner of Canada. [Source] [website]
The Information Commissioner’s Office (ICO) is entering the digital world of social networking site Habbo to launch ‘WTMI - Way Too Much Information’ - a new teen-friendly campaign to raise awareness of the risks that come with putting too much personal information online. The virtual hotel allows its residents, known as Habbos, to develop their own personal world, make new friends and interact with each other. The ICO has joined the site’s popular InfoBus - a virtual forum for counselling and advice - to host a series of special drop-in sessions to offer advice on protecting your personal information online. [Source]
CDT’s John Morris has been appointed to the “Online Safety and Technology Working Group,” run by the National Telecommunications and Information Administration. The working group was created under the “Protecting Children in the 21st Century Act.” The 30-member working group will report on industry initiatives to promote online safety through educational efforts, as well as study the effectiveness of various safety tools and practices. The group will issue a report to the Commerce Department within a year of its first meeting. Morris was a member of the Internet Safety Technical Task Force in 2008 that convened at Harvard, following an agreement between state Attorneys General and MySpace. That Task Force also looked at online child safety issues. [Federal Register Notice on Working Group]
Law Enforcement
A new bill, sponsored by Senators John D. Rockefeller IV and Olympia J. Snowe, would see the introduction of a new cyber security czar, the National Cybersecurity Advisor, who would report directly to the White House. Included in the bill is the granting of authority to the National Cybersecurity Advisor to isolate computer networks that are part of the critical network infrastructure, including those in the private sector, should there be a cyber attack. The bill would also see the introduction of mandatory security standards, developed by the National Institute of Standards and Technology, applied to both private and public sector organizations that control parts of the critical network infrastructure. Included in the bill is the proposal that a licensing and certification program be introduced for cyber security professionals. Critics point out that the new cybersecurity bill would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. [Source] [Source] [Source] [Source] [Source] See also: [EU Calls For Development of Strategy to Protect European Cyber Space]
Offshore
A personal privacy protection act will be promulgated to provide necessary checks against crimes and the intrusion of privacy, said Malaysian Home Minister Datuk Seri Syed Hamid Albar. “The matter has been discussed in the Cabinet. I believe when the new Cabinet is formed, it will delve into the act which will provide protection to individuals against the risks to privacy and the risks of falling victims to crimes,” he said. At present there is no specific law which provides protection against personal interference. However, offenders are liable under Section 509 of the Penal Code, which provides criminal penalties for denigrating any person or intruding upon the privacy of any person. If convicted, the offender can be jailed for up to five years, fined, or both. [Source]
Online Privacy
According to a Ponemon Institute study, American consumers rank Facebook among the top 20 most trusted companies for privacy. In an interview with CIO, Facebook Chief Privacy Officer Chris Kelly discusses the philosophy and methods behind his company’s privacy offerings. “Overall, we think privacy is fundamentally about user control of information...,” Kelly says, and admits that the company would like to see a greater number of users take advantage of the privacy settings. Kelly also describes Facebook’s approach to targeting advertising, asserting that its method doesn’t compromise users’ privacy interests. “It’s an extraordinarily anonymous process,” Kelly says. The interview is one part of a CIO special feature on social networks and privacy. [Source] [Source]
University of Cambridge researchers this week unveiled the results of a project showing how Facebook public profiles could be used to find personal information, opening users to potential misuse by marketers or fraudsters. The results come on the heels of a University of Texas at Austin study highlighting the de-anonymization possibilities on social networks. These results potentially debunk social networks’ claims that data shared with behavioral targeting companies is “anonymous.” The findings come as no surprise to some. “When you leave a data trail behind you, there is always some potential that with some level of work, somebody can tie that to your real identity,” said Jules Polonetsky of the Future of Privacy Forum. [Source] [Source] [Facebook Giving A Bit Too Much Away] [paper: Eight Friends are Enough: Social Graph Approximation via Public Listings]
Google will refine its search results using information gleaned from users’ IP addresses. In the past, there has been debate about whether IP addresses constitute personal information. Data deemed personal is protected under the EU Data Protection Directive. One privacy law consultant says that Google’s use of IP addresses for this purpose does not necessarily qualify it as personal data. “If all it uses is ‘Barnsley’ or ‘Glasgow’ it’s not personal data,” said Chris Pounder of Amberhawk Consulting. “If a particular person searches for a particular topic at a particular time from a particular remote geographical area it might identify them, but this should be seen on a case-by-case basis.” [Source]
Neighbors in a Cambridgeshire village formed a human chain around a Google Street View car, prompting the driver’s hasty retreat and a fresh round of debate about the company’s online mapping service. Residents in Broughton, on seeing the car’s approach, surrounded it to prevent what they view as an invasion of privacy. Google Street View offers online, 360-degree views of streets and buildings in nine countries, so far. The Broughton incident prompted some Street View proponents to send Tweets encouraging other enthusiasts to descend on the village and take pictures of their own. [Source] See [Privacy Commissioners’ Fact Sheet: Captured on Camera – Street-level imaging technology, the Internet and you] [PDF version] See also: [Toronto’s Google Street View goes live within ‘weeks’]
Privacy (US)
Online privacy is a priority for the Senate Communications, Technology & Internet Subcommittee. Senator John Kerry (D-MA) discussed the committee’s main concerns at the National Cable & Telecommunications Association’s convention in Washington earlier this week. The senator said privacy is “looming as a larger and larger issue,” and that the committee would hold at least one hearing to better understand this issue that has “grown under the radar...” “A lot of data is being collected in ways that people are completely unaware of,” Kerry said, adding that even the opt-in model has come into question as a sufficient protection. [Source]
The FTC has launched a Web site to help creditors and financial institutions come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. They went into effect last November. The site offers articles and guides for helping create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. [Source] [FTC Press Release] [FTC October 2008 Enforcement Delay] See also: [Doctors Want Red Flags Suspension] And also: [FTC Releases Annual Report]
A federal judge will soon decide if Hannaford Bros. can be held liable for damages stemming from a data security breach in late 2007 and early 2008. The attackers stole details of more than 4 million credit and debit cards. Attorneys for Hannaford have asked that the lawsuit be dismissed, while attorneys for the plaintiff want the judge to certify the case as a class-action lawsuit and allow it to go to trial. The plaintiff’s legal team maintains that Hannaford knew of the breach for at least three weeks before disclosing it last March. Hannaford’s lead attorney said that none of the plaintiffs suffered any actual damages; those whose cards were used to make unauthorized transactions were reimbursed by their issuing banks, and the inconvenience of the time the affected customers spent cancelling compromised cards and obtaining new ones does not merit a lawsuit. [Source]
Good privacy is good for the bottom line. That’s according to the COO of a mobile startup and an American Civil Liberties Union (ACLU) policy director who has created a primer on the subject. The benefits to having a progressive privacy policy and sticking to it, says Nicole Ozer of the ACLU of Northern California, range from good PR and customer loyalty to avoiding costly privacy “firestorms.” Ozer predicts that companies will begin to compete on privacy. The former chief privacy officer and now COO of Loopt says his company’s focus on privacy protections has “been a real business advantage...” and recommends that companies take privacy seriously early on in the development process. [Source] [ACLU website] [44-page primer guide for businesses]
Californians have started many national trends, from surfing to solar energy, but we should be ashamed of the newest fad: class-action lawsuits against retailers asking for ZIP codes. Like other states, California has passed laws prohibiting businesses from requesting or requiring “personal identification information” while accepting a credit-card payment. Some attorneys are filing class actions against retailers alleging that retailers can’t ask customers for any information at the time of a credit-card transaction - even ZIP codes - without breaking the law. A class-action lawsuit was filed against Old Navy challenging this very practice. Even when customers can’t prove they were harmed, the California statute requires merchants to pay penalties of $250 for the first violation and up to $1,000 for later ones. [Source]
Security
“Scareware,” or programs that masquerade as legitimate security and anti-virus software and then frighten and bully users into paying for them, have emerged as the most prolific and fastest-growing threats facing PC users, according to a biannual security report released this week by Microsoft Corp. “Some of these sites and products look really professional and well-done, with trademarks and copyrighted material,” Stathakopoulos said. “If you’re in a situation where you don’t already have security software and you have not yet figured out the state of the machine, you will look for a solution, and these are solutions that come to you.” Microsoft found that in the second half of last year, seven of the top 25 malicious software families removed from Windows computers were scareware titles such as Antivirus2008, XPAntivirus, SpywareSecure, and Winfixer. The data was compiled by tracking Microsoft’s “malicious software removal tool” (MSRT), which ships detection updates along with security patches on the second Tuesday of each month to Windows users. [Source]
Surveillance
In a stunning defense of President George W. Bush’s warrantless wiretapping program, President Barack Obama has broadened the government’s legal argument for immunizing his Administration and government agencies from lawsuits surrounding the National Security Agency’s eavesdropping efforts. In fact, a close read of a government filing last Friday reveals that the Obama Administration has gone beyond any previous legal claims put forth by former President Bush. Responding to a lawsuit filed by a civil liberties group, the Justice Department argued that the government was protected by “sovereign immunity” from lawsuits because of a little-noticed clause in the Patriot Act. The government’s legal filing can be read here. For the first time, the Obama Administration’s brief contends that government agencies cannot be sued for wiretapping American citizens even if there was intentional violation of US law. They maintain that the government can only be sued if the wiretaps involve “willful disclosure” – a higher legal bar. [Source]
Telecom / TV
Phorm says it will move ahead with plans to launch its online advertising service. The company provides ISPs with information about users’ online activities so they may deliver more targeted ads. Phorm has been at the center of controversy since it emerged last year that the company conducted trials of its technology with BT without customer consent. Regulatory inquiries followed that news, including one ongoing EU investigation of the broader behavioral advertising practice. “We have been supported or endorsed by all of the leading stakeholders,” said Phorm CEO Kent Ertugrul, adding that the company is talking to ISPs across the globe and is also exploring the mobile space. [BBC News]
A consortium of the nation’s six largest cable companies--Canoe Ventures--will begin delivering targeted advertisements to television viewers nationwide beginning this summer. Initially, the companies will tailor ads using community demographics, but down the road will target ads to individual households. The companies hope to be able to charge more for advertising on their stations due to the increased effectiveness and measurability of the ads. “This is the future for measurement on television,” said Mike Eason, Canoe’s chief data officer. World Privacy Forum Director Pam Dixon says: “You’ve got to tell people you’re doing it and you’ve got to give people a way to say no...” [Source]
US Legislation
Two U.S. Senators have introduced a bill to curb mobile spam. The m-SPAM Act, introduced by Senators Olympia Snowe (R-ME) and Bill Nelson (D-FL), would prohibit sending commercial text messages to wireless numbers listed on the Do Not Call registry, the report states. “Mobile spam invades both a consumer’s cell phone and monthly bill,” said Snowe, who added that viruses, spyware and phishing attacks via mobile spam are “significant and looming” threats. Although the 2003 CAN-SPAM Act prohibits the sending of unsolicited e-mail messages to wireless devices, SMS messages are not included in its provisions. [Source]
New Jersey’s Supreme Court has ruled that banks may not release a customer’s account information without a court order. The ruling upholds the decision of a lower court, which found that Bank of America erred in releasing an accountholder’s details to her ex-husband after being presented with his lawyer’s subpoena. A Bank of America spokesperson said: “We respectfully disagree with the rulings.” The plaintiff’s lawyer said the decision “goes a long way to help the privacy rights of account holders.” [Source]
Two U.S. Senators will introduce legislation to shore up the government’s defenses against cyberattacks. Senate Commerce Committee Chairman John D. Rockefeller IV (D-WV) and Senator Olympia J. Snowe (R-ME) drafted the legislation, which would broaden the government’s jurisdiction on cybersecurity to include private systems. The bill also calls for the creation of an Office of the National Cybersecurity Adviser and a White House cybersecurity “czar” to head it. On the proposed centralized approach, National Intelligence Director Dennis C. Blair said that the program should be designed so that Americans will feel confident that it is “not being used to gather private information.” [Source] [Source]
Maine students, parents and educators yesterday urged lawmakers to consider banning the Department of Education (DOE) practice of collecting and storing students’ disciplinary histories in a database. “The DOE has a data collection concern that it has chosen to solve at the expense of student privacy instead of protecting that privacy,” said one supporter of the ban. But the state’s DOE Commissioner Susan Gendron said that the data collected is tied to federal education funds, which could be pulled if the state does not furnish certain information. An attorney representing the Maine Civil Liberties Union disagreed. [Source]
Workplace Privacy
Firms who discipline or sack staff for comments made on Facebook and Twitter could be acting illegally, says a veteran lawyer. Stories about NSW Department of Corrective Services threatening to sack prison officers over Facebook posts and Telstra disciplining employee Leslie Nassar for Twitter comments have provoked a series of other examples. They include a reader who says he was fired from his job at a “large corporate bank” for using the word “recession” in his Facebook profile. A teacher also complained she was disciplined over comments she made about being bullied. But Steven Penning, a partner with Turner Freeman with two decades of experience in workplace law, says employers may be acting unlawfully. He said employment contracts are unlikely to cover staff use of social networking sites. “If an employer hasn’t told people in advance what the rules are, what the conditions are, then that greatly increases the likelihood that an employee can say well, I can’t be terminated for this because I wasn’t aware that this is something I was not to do.” [Source]