Privacy News Highlights

01–31 August 2009


Contents:

UK – UK to Share Fingerprint Data with Other Countries
CA – Fingerprint-Sharing Plan Raises Privacy Concerns
US – Judge: Defunct Airport Fast Pass Company Can’t Sell Customer Data
IS – Israel Poised to Pass National I.D. Biometrics Database Law
CA – OPC Outlines Facebook Changes
CA – Facebook to Comply With Canadian Privacy Recommendations
US – Facebook Knows Too Much, ACLU Says In Warning of Quizzes
CA – How Facebook Addressed the Privacy Commissioner’s Concerns
CA – Jury Vetting Practice Used in Nine Ontario Trials
CA – Privacy and Personal Photos at Heart Of Supreme Court Case
WW – In 2020, Users Select Mobile Ads
US – Missouri Woman First to be Charged Under New Cyber Bullying Law
US – White House Disables e-Tip Box
UK – Nurseries Protest Over ‘Intrusive’ Early Years Qualifications Database
US – Researchers Use Return-Oriented Programming to Manipulate eVoting Machine
US – US Marines Bans Social Networking Sites on its Networks
UK – UK Defence Department Allowing Use of Social Networking Media
US – Cookie Comment Period Ends, Commentary Continues
US – ACLU Concerned About Proposed Increase of Cookie Use on Government Sites
AU – Researchers, Gov’t Agencies Granted Data Access
UK – Info Commissioner Reminds Doctors of Data Protection Obligations
US – Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches
UK – UK Convicts Two for Refusing to Surrender Encryption Keys
EU – EDPS Recommends Security and Confidentiality in Human Organ Transplants
EU – Hustinx Wants Enhanced Patient Privacy
EU – Privacy Body to Investigate Passport Copying Practice of Hotels
EU – CNIL Announces Legal Discovery Standards
EU – Opt-in Requirement Not a “Death Knell”
WW – Facebook Tightens Ad Guidelines
WW – Employers Blocking Social Networking Sites More Often
WW – IE8 Has Blocked 80 Million Instances of Malware
AU – 69% Had Breach; 65% Kept it Quiet: Ponemon Study
CN – China Will Not Enforce Green Dam Mandate
CA – Feds Probe Mortgage Brokerages
CA – Financial Client Info Transfer Raises Concerns
WW – Familiar, Not Necessarily Compliant with PCI DSS
UK – Taxman Wins Right to See Details of 500,000 Offshore Bank Accounts
UK – EDPS Warns EU Bank on Data Processing: Clarification of Terms Needed
CA – Nova Scotia Information Requests Will Cost Less
US – Removal of Records Concerns Banks
UK – DNA Evidence Can Be Fabricated, Scientists Show
EU – Quarter-Million Welsh Added to DNA Database Since 2001
US – Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities
US – HIPAA Security Rule Enforcement Transferred to OCR
US – Pfizer Will Make Clinical Trial Networking Site
BR – Brazilian e-Cards Inform Partners of Possible STD
AU – Secret Report Reveals e-Health ID Findings
AU – No Escape from Identity Scheme for Medicare
UK – Lost USB Stick Contains Nearly Three Times as Many Records as First Reported
US – Stolen Laptop Holds Army National Guard Data
US – Radisson Hotel Announces Data Breach
US – Prison Sentence for Personal Data Theft Through LimeWire
US – Data Security Breach Compromised PII of 27,000 US Commerce Dept. Employees
US – UMass Discloses Breach 11 Months Later
CA – Cavoukian: Smart Grid Privacy a “Sleeper” Issue
US – Federal Eye: Personal Data Mishandled at Commerce Dept
UK – Workers Illegally Accessed Identity Database Details
CA – ID-Scanning to Comply With Privacy Laws
CA – Authors, Groups Want Privacy Guarantees
UK – Internet Cut-Off Threat for Illegal UK Downloaders
UK – Proposal Would Require UK ISPs to Suspend Internet Connections
US – Webhost and Mobile Carrier Drop Mitnick Due to Attacks on His Accounts
UK – One Crime Solved Per 1,000 London CCTV Cameras: Study
CA – Prosecutor: Officer’s Misuse of Police Databases ‘Unprecedented,’ Hearing Told
US – EFF: Build Privacy into Location-Based Services
WW – Tweets Will Soon Come With a Dateline
UK – U.K. Launches Privacy Initiative: Business Case for Privacy Investment
US – Google Ordered to Disclose Blogger’s Identity
WW – Google Opt-Out Village Offers “Total Privacy”
EU – ISP Gives Same Default Password to All Subscribers
CH – Swiss Official Demands Shutdown of Google Street View
WW – Social Networks Leak Personal Information: Study
WW – Facebook Rolls Out Real-Time Search
US – Few Consumers Care About Web Privacy: Study
WW – Popularity Outweighs Facebook Privacy Fears
WW – Secret, Stubborn Cookies
WW – Quantcast Casts Out Flash Cookies in Wake of Report
UK – Office of Fair Trading to Investigate Targeted Ads and Pricing Online
SA – South Africa Privacy Law Gets Cabinet Nod
HK – Public Consult Open on Privacy Law Review
HK – Commissioner Weighs in on Consent
US – Airlines to Require More Passenger Data
US – PhD in Privacy
US – Florida to Shell Out $1.5 Million
US – Parent Group Challenges Privacy Policy
US – Suit Alleges Facebook Violates California Privacy Laws
US – How You Can Self-Destruct Your Messages
WW – Squash Web Bugs with Ghostery
CA – Big Honour for Canadian Privacy Researcher
WW – RFID Mail Tracking Expands to 21 Countries
US – Employees, Especially Temps, Cause Breaches
WW – More Insider Security Incidents Are Accidental Than Deliberate: Study
US – NIST Releases Security Standards for Federal Systems
NZ – iPods, USB Drives are ‘Security Risks’
US – Hackers Turned Doorknob, Walked in
US – Some D.C. Residents Criticize New Identity Cards
UK – A Request to Snoop On Public Every 60 Secs
CA – Alberta Court Rules Marijuana Grow-Op Detector Violates Privacy
CA – Activists Turn Tables on Watchers
CA – Commissioner Concerned About License Plate Readers
NZ – Intelligence Service May Be Spying on Academics
US – Balloon Surveillance Backlash at Border
US – FTC Rules Outlawing Those Annoying Robocalls Hit Sept. 1
WW – Palm Criticised Over Pre Privacy
US – ACLU Seeks Records About Laptop Searches at the Border
US – Gov’t Tightens Oversight of Laptop Border Searches
US – Mass. ID Theft Rules Amended, Deadline Extended
US – New Bill Could Limit Searches on Property Tax Information Online
US – New Florida License Requirements Nettle ACLU
US – Maine Enacts Comprehensive New Law Restricting Marketing to Minors
US – Employers Using Social Networking Sites to Vet Candidates
US – Failed to Give Notices to Fired Workers and Rejected Applicants; Pay FTC Fines
US – CA Supreme Court Rules on Workers’ Privacy
CA – Background Check Data to Stay in Canada


Biometrics

 

UK – UK to Share Fingerprint Data with Other Countries

The UK is to share fingerprint information with Canada and Australia, with the US and New Zealand to follow soon, the Home Office has said. The collaboration is intended to make it easier to detect people with criminal histories in other countries, speed up deportations and establish previously unknown identities, the Home Office said. The new data-sharing agreement is aimed at fighting identity fraud, the Home Office said in a statement. It is a product of the Five Country Conference on immigration and border control. It said the US will be joining shortly and New Zealand is to consider legislation to join in the near future. For the first year each country will be able to share and check 3,000 sets of fingerprints with partner countries. This will let them explore the feasibility of routine information sharing, the Home Office said. Measures to protect privacy include:

· Ensuring all fingerprints are anonymous and cannot be linked to an individual unless a match is detected between countries.

· Destroying fingerprints once a match is made, with no fingerprint database being compiled.

· Using encryption and other security tools to protect shared files.

The UK Border Agency published a privacy impact assessment that sets out how the arrangement will operate. [Source]

 

CA – Fingerprint-Sharing Plan Raises Privacy Concerns

Calling asylum seekers a “vulnerable group,” Canada’s privacy commissioner expressed concern Friday about a new government plan to share fingerprint information with Britain and Australia to combat immigration fraud. The three-country agreement was announced with little fanfare, with Canada and the two countries providing assurances that no one’s privacy would be violated and that no database for the prints would be created. The Immigration Department also said it had done a privacy assessment. But a spokeswoman for Privacy Commissioner Jennifer Stoddart said it asked the department on July 20 to give more details. The privacy commissioner also asked for a further explanation of how the government plans to use biometric information in the future and what weight it plans to attach to the data when making an assessment of a particular application, Hayden said. [Source]

 

US – Judge: Defunct Airport Fast Pass Company Can’t Sell Customer Data

A federal judge in New York has issued an order banning the operator of a now-defunct registered air traveler program from selling, transferring or disclosing any of the highly personal data it collected on thousands of people who signed up for the program. The order enjoins Verified Identity Pass Inc. (VIP) of New York from selling, transferring or disclosing to any third party the data it collected while operating the Clear service, which was designed to help air travelers get through airport security checks faster. The service was one of seven approved by the TSA and had been available at 21 major airports. VIP shut the program down abruptly with no notice on June 22 for financial reasons. The move left about 260,000 customers wondering about the fate of data collected about them, including full names, SSNs and biometric identifiers such as fingerprints and iris scans. In a note on the company’s Web site, VIP informed customers that their data would be protected in compliance with TSA’s privacy and security standards. At the same time, it left open the possibility that it would sell the data to a third party if it were to be used specifically for a registered flyer program. Yesterday’s decision prohibits VIP from doing that. The judge noted that the Clear program’s membership agreement expressly forbade VIP from selling the information to third parties. As a result, the court found an immediate need for “preliminary injunctive relief” preventing the transfer or disclosure of the information. The ruling noted the circumstances under which the program closed and said there was a risk of the data being disclosed because of a lack of accountability and oversight over how the data is stored. [Source] [Source] [Source]

 

IS – Israel Poised to Pass National I.D. Biometrics Database Law

Israel’s Knesset will vote on a bill this fall that would establish identity cards and an accompanying database containing the biometric information of all citizens. Proponents say the plan will increase national security, while opponents say it runs counter to security. Should the database be compromised, said Eli Biham of the Technion-Israel Institute of Technology, “they will be able to identify any Israeli anywhere...” The ID cards would be embedded with facial contour renderings and fingerprints. Last week, members of the Public Council of the Protection of Privacy urged Prime Minister Benjamin Netanyahu to seek alternatives to the plan, citing costs and privacy concerns. [Source]

 

Canada

 

CA – OPC Outlines Facebook Changes

The Office of the Privacy Commissioner of Canada (OPC) held a press conference to discuss how Facebook will comply with privacy concerns raised in a report published last month. Commissioner Jennifer Stoddart said the company has agreed to make several changes to address issues identified in the report, which was the result of an extensive investigation of the company’s privacy practices. Stoddart said that, once the changes are implemented, Facebook users “will have a better idea of how their information is shared, and will have more control over what information is shared and with whom.” Assistant Commissioner Elizabeth Denham provided an overview of some of the specific changes. [Source]

 

CA – Facebook to Comply With Canadian Privacy Recommendations

After a year-long investigation followed by 30 days of negotiations, Canadian Privacy Commissioner Jennifer Stoddart on Thursday announced Facebook will add “significant new privacy safeguards” to bring the California company into compliance with Canada’s private-sector privacy law. The biggest change, to be implemented across the entire Facebook network over the next 12 months, will curtail the access outside software developers have to the personal information of users. [Canwest]

 

US – Facebook Knows Too Much, ACLU Says In Warning of Quizzes

The ACLU of Northern California is employing a cautionary Facebook quiz to illustrate how quizzes that may seem “perfectly harmless” can release an array of data to the wider world, including users’ “sexual orientation, photos, events, notes, wall posts, and groups.” The app, titled “What Do Facebook Quizzes Know About You?”, delivers its answer by opening a window that scrolls biographical data, attributed comments, and photos. [SiliconValley.com]

 

CA – How Facebook Addressed the Privacy Commissioner’s Concerns

Third party developers: The commissioner’s office was concerned about the sharing of users’ personal information with third party developers creating games and quizzes that run inside Facebook, saying the site lacked adequate safeguards to restrict these companies from accessing personal information from users and their online friends.

Resolution: Facebook has agreed to alter the technology used by third party developers so that users know specifically what personal information they will be giving out when they download games or quizzes to their profile. Users will now have more control over what information they give out, while developers will be required to inform users how that information will be used.

Deactivation of accounts: According to the commissioner’s report, Facebook was providing users with incomplete and confusing information about how to deactivate or delete an account. When an account is deactivated, a user’s personal information remains on Facebook’s servers, whereas when an account is deleted, the information is purged from the system.

Resolution: Facebook will make the distinction between deleting or deactivating an account clearer for users and will now tell users about the delete option if they decide to deactivate their account.

Protecting the privacy of non-users: The commissioner’s report said Facebook needed to go to greater lengths to protect the personal information and email addresses of non-users who were invited to join the site.

Resolution: Facebook agreed to include additional information about the site and its privacy policies in its terms of use statement. Facebook also confirmed it does not use or store e-mail addresses in order to track the effectiveness of its invitation technology.

Accounts of deceased users: The report stated Facebook should give users a meaningful chance to consent to their profile becoming a memorial page where their friends can post comments in the event of their death.

Resolution: Facebook agreed to change the wording in its privacy policy to make it easier for users to understand what happens to their account if they die. [Source] [Facebook agrees to better protect privacy]

 

CA – Jury Vetting Practice Used in Nine Ontario Trials

The number of Ontario trials where prosecutors used police information to vet prospective jurors is substantially higher than the government has disclosed to date. Attorney General Chris Bentley’s department has informed nine defence lawyers in Simcoe County that Crown attorneys used the practice in past trials during which they represented defendants, a survey by the Criminal Lawyers’ Association found. Those cases are likely in addition to two trials in Barrie that were disrupted upon disclosure that prosecutors had secretly obtained police information to screen jurors in murder cases. One was declared a mistrial; the jury in the other case was dismissed. The nine new disclosures of improper jury vetting are also likely over and above a third murder trial in Kingston that was also suspended earlier this summer as a mistrial. Defence lawyers in that case also learned Crown attorneys had improperly obtained information on juror backgrounds from police sources, without informing defence counsel or the court. [Source]

 

CA – Privacy and Personal Photos at Heart of Supreme Court Case

A decision released by the Supreme Court of Canada last month raises the interesting question of how much privacy an individual may expect with respect to personal photographs taken inside his or her own home. The story began in June 2001. Agnieska Wojtanowska (Agnes) lived with Douglas Weil in a house in the Regional Municipality of Halton. On June 1, 2001 she delivered some photographs taken inside their residence to Black’s Photography to be developed. The photographs showed marijuana plants growing in the house. They also included “personal” photographs. Employees of Black’s turned copies of the developed photographs over to officers of the Peel Police Service before they gave the original photos to Wojtanowska. The Peel police then delivered the photographs to the Halton Regional Police Service. A few days later, the Halton police executed a search warrant of the couple’s house and seized the marijuana plants they found there. Wojtanowska and Weil were charged with possession of marijuana, possession of marijuana for the purpose of trafficking, and production of marijuana.

The couple then brought a motion in Superior Court in Milton to exclude the fruits of the search from their trial, based on an allegation that their rights to be secure against unreasonable search or seizure guaranteed by Section 8 of the Charter were violated. Their motion was granted and a few days later, all the charges were dismissed for lack of evidence. The judge hearing the motion also ordered that the evidence seized under the warrant be returned. Apparently, not all the photos were returned, so the couple brought another motion demanding return of the photographs in the possession of the police. The presiding judge ordered that these photographs be returned to the plaintiffs immediately. She stated, “It is understandable that the applicants are dismayed about the missing photos ... as they contain personal images of the wife of a sensitive nature.” By June 2008, Weil and Wojtanowska had secured the return of all of the photographs.

Understandably somewhat miffed, they sued Black’s Photography, the employees who dealt with the photographs, the Peel and Halton police, and the officers who were involved in the investigation. They claimed that the defendants had violated their Charter rights and breached their copyright interest in the photographs. The total claim exceeded $1.4 million. Weil did not want to introduce the photos in evidence at the trial against Black’s and the police, and asked the court for an order excluding them from evidence. The judge dismissed the motion by Weil and ruled that he had to produce the photographs, which could be used as evidence in the trial. Weil and Wojtanowska then applied to the court for permission to appeal that order. Justice Peter Hambly turned them down. In his decision, he wrote, “The plaintiffs, having sued on the basis of the use of the photographs by the defendants, cannot now refuse to produce them to the defendants. The defendants can only properly assess the case against them by viewing the photographs. ... The plaintiffs are clearly very sensitive about others viewing the photographs. I can understand this. ... However, they cannot both sue on the photos and refuse to produce them.” Weil and Wojtanowska appealed again. The case reached the Supreme Court of Canada on July 9. In a short 42-word decision, a three-judge panel dismissed their application for permission to appeal.

Several lessons emerge from this case. With respect to criminal charges, citizens do have some expectation that personal photographs may be shielded from the prying eyes of law enforcement authorities. Suing on the basis of seizure of personal photographs is problematic: the photos have to be entered into evidence and may receive wider distribution than they would without a lawsuit. Taking “personal” photos “of a sensitive nature” to a commercial photo lab for processing or printing is not a wise idea, especially if they contain evidence of what might be a criminal activity. [Source]

 

Consumer

 

WW – In 2020, Users Select Mobile Ads

A new OgilvyOne report predicts that by the year 2020, mobile device users will choose the types of targeted ads they receive, and an opt-in model for receiving mobile ads will be standard. “Pushing messages out to unwilling consumers is replaced with producing ideas and content that individuals will seek out and incorporate into their own world,” says the report, which was co-published by Acision. “It is the individual who will be the pivotal player in the mobile advertising domain of the future and the mobile device will be a technological representation of them,” the report states. [Source]

 

US – Missouri Woman First to be Charged Under New Cyber Bullying Law

A 40-year-old Missouri woman has been charged with felony cyber bullying for allegedly posting photographs and personal information of a teenager to the Casual Encounters section of Craigslist. Elizabeth A. Thrasher is the first person to be charged under a new law that was enacted after a cyber bullying incident several years ago that ended with the suicide of a 13-year-old girl. Missouri at that time had no law under which to charge the cyber bully. The new law took effect last year. [Source]

 

E-Government

 

US – White House Disables e-Tip Box

Following a furor over how the data would be used, the White House has shut down an electronic tip box, flag@whitehouse.gov, that was set up to receive information on “fishy” claims about President Barack Obama’s health plan. E-mails to that address now bounce back with the message: “The e-mail address you just sent a message to is no longer in service. We are now accepting your feedback about health insurance reform via http://www.whitehouse.gov/realitycheck.” The “flag” service was introduced Aug. 4, with a White House blog post saying: “There is a lot of disinformation about health insurance reform out there, spanning from control of personal finances to end of life care. These rumors often travel just below the surface via chain emails or through casual conversation. Since we can’t keep track of all of them here at the White House, we’re asking for your help. If you get an email or see something on the web about health insurance reform that seems fishy, send it to flag@whitehouse.gov.” White House press secretary Robert Gibbs said at a briefing shortly after the service launched: “We’re not collecting names from those e-mails. All we’re asking people to do is if they’re confused about what health care reform is going to mean to them, we’re happy to help clear that up for you. Nobody is keeping anybody’s names.” [Source]

 

UK – Nurseries Protest Over ‘Intrusive’ Early Years Qualifications Database

UK Nurseries and early years organisations have questioned the role of a new nationwide electronic database - which will share nursery staff details and qualifications with local authorities - after one local authority threatened to pull nursery education grant funding if the information was not provided. There is no legal requirement for early years settings to submit details, but local authorities can set local requirements to do so. The Early Years Workforce Qualifications Audit Tool, which went live on the Children’s Workforce Development Council (CWDC) website last week, will share data with local authorities, the DCSF and other government agencies. But nursery owners claim it will duplicate information they already give to local authorities and question what the personal details of workers will be used for. Chair of the Childcare Corporation, Alan Bentley, said, ‘I find some of the questions asked, especially regarding ethnicity and disability, not only unwarranted but beyond an acceptable limit. It makes me wonder what the purpose of the form is.’ [Source]

 

US – Researchers Use Return-Oriented Programming to Manipulate eVoting Machine

Researchers from the University of Michigan, the University of California, San Diego, and Princeton University have discovered that the Sequoia AVC Advantage electronic voting machine is vulnerable to an attack that can alter voting tallies. The attack circumvents established security measures aimed at preventing unauthorized code execution. The technique is known as return-oriented programming. The machines were designed to run code only if it is stored on read-only memory chips. The researchers figured out how to get around that protection by “reassembl[ing] programming expressions already found in the targeted software in a way that gives [them] the ability to take complete control over the machine.” The machines are widely used in New Jersey, and are also used in parts of Louisiana, Pennsylvania, Wisconsin, Colorado, and Virginia; the voting machine that the researchers used was acquired legally over the Internet. [Source] [Source] [Source]

 

US – US Marines Bans Social Networking Sites on its Networks

An August 3 order bans US Marines from accessing social networking tools, including Facebook and Twitter, due to security concerns. The order states that the sites “are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries.” Marines are banned from accessing the sites via the Marine Corps Enterprise Network, the Non-Secure Internet Protocol Router Network or virtual private network connections. Personnel may, however, access Defense Department-sponsored social networking sites that are hosted on internal networks. Personnel are also permitted to access the sites from their personal computers while they are not working. [Source] [Source] [Source]

 

UK – UK Defence Department Allowing Use of Social Networking Media

In contrast to recent news that the US military is considering restricting or even banning social networking media altogether, the UK’s Defense Ministry is encouraging its troops to make use of Twitter, Facebook, YouTube and other similar services. Troops and civilian employees may post to the sites without authorization as long as they follow guidelines to “maintain personal information and operational security and be careful about the information they share online.” [Source]

 

US – Cookie Comment Period Ends, Commentary Continues

The White House wants to partially lift a longtime ban on federal agencies’ use of Internet cookies--bits of code that let sites track users’ movements. The public comment period on the Office of Management and Budget’s proposal ended yesterday. The Obama administration believes the proposed change would help fulfill its ‘government transparency’ aims but some privacy advocates have expressed concerns. The ACLU filed a comment saying: “The implications of allowing the government to collect and store such information are staggering.” [Source] [Source]

 

US – ACLU Concerned About Proposed Increase of Cookie Use on Government Sites

The American Civil Liberties Union (ACLU) is concerned about a proposal from the White House Office of Management and Budget (OMB) to allow broader use of cookies on government web sites. A policy established in 2000 allows limited use of cookies on government sites, in cases of “compelling need.” In a blog entry posted late last month, US Federal CIO Vivek Kundra and the OMB proposed a new cookie policy to “create a more open and innovative government.” The ACLU has posted comments to the suggestion, saying that “the implications of allowing the government to collect and store such information are staggering.” [Source] [Source] [NYT overview of response to Federal Government cookie use]

 

AU – Researchers, Gov’t Agencies Granted Data Access

As a result of many individual laws, 190 third-party organizations--including government agencies and medical research organizations--are now free to gather and share information on Australian citizens. Australian civil libertarians are leading an effort to curb access to the data, which includes medical records, banking and financial information, criminal records and demographic data, citing privacy concerns. “Data-matching has significant potential benefits in many varied contexts,” Victorian Privacy Commissioner Helen Versey said. “Depending on how it is conducted, data matching also poses privacy risks, including concerns about legitimacy and community expectations, secondary use, function creep, data quality, automated decision-making, constructive identification and profiling.” [Source]

 

Electronic Records

 

UK – Info Commissioner Reminds Doctors of Data Protection Obligations

Doctors who treat patients privately are being urged by the UK Information Commissioner’s Office (ICO) to make sure they are complying with the Data Protection Act. The privacy watchdog is launching a new initiative to ensure doctors operating privately notify the ICO that they are handling people’s personal information. [Source]

 

US – Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches

A federal appeals court has ruled that the so-called “plain view doctrine,” under which evidence may be seized if it is within plain view during a legitimate search, does not apply to electronic searches. At issue are records pertaining to a government investigation of a company suspected of providing illegal steroids to professional baseball players. Investigators had obtained a warrant to search computers at Comprehensive Drug Testing, Inc. for records of 10 specific players. Instead, the investigators seized and examined records of hundreds of other players and other individuals. In the opinion, Chief Judge Alex Kozinski observed that the government ignored caveats in the warrant and should not be permitted to “benefit from its own wrongdoing.” Judge Kozinski also said that if the government’s argument prevailed, its prosecutors would be impelled to seize more information than they need. “The process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect.” [Source] [Source]

 

Encryption

 

UK – UK Convicts Two for Refusing to Surrender Encryption Keys

In the UK, two people have been convicted for refusing to surrender encryption keys. The details of the crimes have not been released. In October 2007, Part Three of the Regulation of Investigatory Powers Act of 2000 took effect; section 49 gives law enforcement authorities in the UK the power to demand decryption keys. According to information from the Annual Report of the Chief Surveillance Commissioner to the Prime Minister and Scottish Ministers, between April 1, 2008 and March 31, 2009 there were 26 applications to serve a notice under section 49. Of those, 17 were granted, 15 were served and two people were convicted. [Source] [Source] [Source]

 

EU Developments

 

EU – EDPS Recommends Security and Confidentiality in Human Organ Transplants

The implementation of the proposed organ donation and transplantation scheme requires the authorised organisations and healthcare professionals to process personal data relating to the health of organ donors and recipients. In his report, published August 21st 2009, the EDPS sets out recommendations to ensure the confidentiality and security of this processing:

· Adoption of an information security policy to ensure confidentiality, integrity, accountability and availability of the donors’ and recipients’ personal data.

· Definition of a specific confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing.

· Addressing security mechanisms in the national databases, based on the principle of ‘privacy by design’.

· Establishing procedures to safeguard the data protection rights of the donors and recipients, especially the rights of access and rectification and the right to information, paying special attention to the cases of donors who wish to withdraw their consent or are not accepted as donors.

· Provision of measures to guarantee integrity and uninterrupted availability of the data.

· Ensuring regular monitoring and independent audits of the security policies in place.

The EDPS also made a series of recommendations on the cross-border exchange of organs for transplantation between Member States and certain third countries, to ensure that the transfer of data to and from third countries is performed safely, but also quickly and efficiently. [Source] [Source]

 

EU – Hustinx Wants Enhanced Patient Privacy

The European Data Protection Supervisor (EDPS) is recommending amendments to the data protection provisions in the organ donation and transplantation directive. EDPS Peter Hustinx says that the existing provisions are too vague. In a report to be issued this week, Hustinx will recommend enhancements to help ensure the protection of patients’ data, such as the adoption of information security policies, implementation of regular monitoring and audits and the addition of security mechanisms to national databases, the report states. Hustinx will also recommend provisions for the cross-border exchange of patient data.

 

EU – Privacy Body to Investigate Passport Copying Practice of Hotels

The Dutch privacy authority will launch an investigation into hotels’ practice of photocopying guests’ passports. The practice is against the law, but a Dutch newspaper reported yesterday that some hotels still do it, sometimes at the request of police. Dutch Data Protection Authority Chairman Jacob Kohnstamm said that hotels should only be recording certain details from the travel documents, such as names and arrival and departure dates. One privacy expert said the photocopying practice opens people up to identity fraud. “Most people wrongly assume their details will be looked after properly,” said Jos Meekel of Hoffmann Bedrijfsrecherche. [Source]

 

EU – CNIL Announces Legal Discovery Standards

In guidelines published this month, the French data protection authority (CNIL) opined on the proper handling of global data transfers in discovery activities related to litigation. Companies that participate in the U.S. Safe Harbor or binding corporate rules may find transfers to be a bit easier than others under these guidelines. However, the CNIL has also warned that the document collection process should include measures to anonymize data. [Source]

 

EU – Opt-in Requirement Not a “Death Knell”

A new law set to take effect on September 1 will require brands to get customer consent before sharing their addresses with third parties for marketing purposes unless there is an existing relationship or the source of the third-party communication is clearly stated on the direct-mail envelope. The new rules “do not mark the death knell for the list broking industry,” said Susan Singleton of Singletons Solicitors, “but clearly will make it much harder to engage in direct mail in Germany.” Violators will face fines of up to 300,000 Euros. [Source]

 

WW – Facebook Tightens Ad Guidelines

Facebook moved to enhance user privacy this week by curtailing the potential for behavioral ad targeting. The company updated its guidelines for advertisers to prohibit third-party information sharing and the inclusion of users’ data in ads, among other specifications. Facebook’s Nick Gianos said in a blog post that the changes are designed to “protect user experience and better guide developers and ad networks” and that “all ads within applications...must comply with the Advertising Guidelines.” “When we see ads that undermine trust, abuse users or otherwise violate policy,” Gianos wrote, “we take action to stop them.” [Source]

 

Facts & Stats

 

WW – Employers Blocking Social Networking Sites More Often

According to research from ScanSafe, companies are increasingly blocking social networking sites. 76% of the company’s customers block sites like Facebook, a 20% increase over the last six months. 58% block access to webmail, 52% block access to shopping sites, and 51% block access to sports sites. Social networking sites can expose companies to malware and can also drain employees’ productivity. [Source] [Source]

 

WW – IE8 Has Blocked 80 Million Instances of Malware

According to one test, Microsoft’s Internet Explorer 8 (IE8) browser blocked 81% of malware-infected websites. Other statistics indicate that IE8’s SmartScreen Filter has delivered more than 70 million malware blocks over the past four months. When the totals are combined with the pre-release version of IE8, the figure rises to 80 million - an average of one block a week for every 40 users. Approximately one of every 200 downloads was blocked as potentially malicious. The Phishing Filter in IE7 and IE8 has delivered 125 phishing attack blocks. [Source] [Source]

 

AU – 69% Had Breach; 65% Kept it Quiet: Ponemon Study

A Ponemon Institute survey released this week reveals that two in three Australian organisations experienced a “serious data breach” in the last 12 months. The study, commissioned by a data encryption firm, polled nearly 500 Australian IT security professionals. Of the 69% that admitted to a breach, 65% did not disclose the incident, the report states. The study’s authors speculate that this figure will “add to the demand for Australia to adopt data breach notification laws similar to those in the U.S.” Mandatory breach notification is something the Australian Law Reform Commission and federal Privacy Commissioner have recommended. [Source]

 

Filtering

 

CN – China Will Not Enforce Green Dam Mandate

China has backed off from a mandate issued in May requiring that Internet filtering software known as Green Dam-Youth Escort be installed on or accompany all PCs sold in or shipped to that country. Green Dam was designed to prevent children from accessing inappropriate content on the Internet, but the software was also found to block sites the Chinese government might view as politically inflammatory, such as Falun Gong. In addition, California software company Solid Oak plans to take legal action over the filtering software because it maintains Green Dam contains stolen code. [Source] [Source] See also: [Malaysian Government Plans for “internet filter” subject of considerable debate]

 

Finance

 

CA – Feds Probe Mortgage Brokerages

The federal privacy commissioner is auditing a number of mortgage brokerages because of concerns about the security of borrowers’ personal financial information. The audit, which industry sources say began this month, is looking into the potential misuse of consumers’ information to carry out fraud such as identity theft. While slightly more than half of all mortgages in Canada are sold by staff of the big banks, the broker channel, made up of about 16,000 brokers, is responsible for about 30% of mortgage activity, according to the Canadian Association of Accredited Mortgage Professionals (CAAMP). In the year up to March, total mortgaging activity in the country (including renewals) was about $235-billion. “There is tremendous fraud going on in the broker industry,” said the chief executive of Mortgagebrokers.com, a Toronto-area mortgage broker. The privacy commissioner’s probe is “much needed,” he added. [Source]

 

CA – Financial Client Info Transfer Raises Concerns

A securities industry trade association is drafting a proposal that would allow departing brokers of signatory firms to take certain client information with them when they go, reports the Wall Street Journal, but some say such an agreement comes with privacy concerns. At issue, they say, is the need for a secure transfer of such information in order to avoid violating the Personal Information Protection and Electronic Documents Act (PIPEDA). Representatives from the Investment Industry Association of Canada (the organization drafting the proposal) will meet with the Office of the Privacy Commissioner of Canada next week to discuss the concerns. [Source]

 

WW – Familiar, Not Necessarily Compliant with PCI DSS

The results of a National Retail Federation (NRF) poll reveal that while small businesses are largely aware of the Payment Card Industry Data Security Standard (PCI DSS), many can’t demonstrate their compliance with the standard. Surveyors polled 220 small retailers. David Hogan of the NRF says the fact that 86% of respondents are familiar with the standard but 55% could not demonstrate compliance means that the PCI Security Standards Council needs to help small merchants understand the requirements. Council spokesperson Troy Leach said they are already working on that and will roll out additional resources by year’s end. [Source]

 

UK – Taxman Wins Right to See Details of 500,000 Offshore Bank Accounts

The names and bank details of up to 500,000 wealthy Britons holding money in offshore savings accounts will be passed to HM Revenue and Customs (HMRC) after the tax authority won an important court ruling last month. The Special Commissioners, the UK’s top tax court, ordered more than 300 UK and foreign banks to hand over details of an estimated 500,000 British taxpayers with accounts in the Channel Islands, British Virgin Islands and other tax havens. The ruling is an important boost for HMRC, which believes the details will allow it to recover £500 million over four years. [Source]

 

UK – EDPS Warns EU Bank on Data Processing: Clarification of Terms Needed

The European Data Protection Supervisor (EDPS) has issued an opinion on proposed changes to an EU Regulation on European Central Bank (ECB) data transfer activities. The central bank requested EDPS feedback on the changes, which would permit the ECB to share statistical data with the European Statistical System “provided that it is necessary for the efficient development, production or dissemination of European statistics.” EDPS Peter Hustinx said that while “the EDPS welcomes that the proposed amendments contain a specific reference to the data protection legal framework,” they need to also clarify the scope of the expression “statistical information.” [Source] [Opinion]

 

FOI

 

CA – Nova Scotia Information Requests Will Cost Less

The Nova Scotia government has lowered its fee for an application under the Freedom of Information and Protection of Privacy Act to $5 from $25. “We’re quite happy about the decision,” said Darce Fardy, president of the Right to Know Coalition of Nova Scotia, whose group lobbied political parties during this spring’s election campaign to reduce the fee. Now Mr. Fardy wants the government to move on his organization’s other request: dropping the $15 per half-hour processing fee to $5. His group also wants wait times for the information to be shortened. “To get through the application and appeal process can be more than a year, and costly to boot,” Mr. Fardy said Friday. [Source]

 

US – Removal of records concerns banks

Iowa Secretary of State Michael Mauro says he might ask the state legislature to appropriate funds for redacting Social Security numbers from online records. Last week Mauro removed hundreds of documents from the Web after discovering the SSNs of corporate officials were available. The take-down has slowed the loan-approval process. An Iowa Bankers Association spokesperson said bankers are working with the Secretary of State to find a quick resolution. “There are two sides to this thing,” said Mauro. “Certainly we don’t want to slow down commerce, but...everyone is concerned about protecting their privacy, too.” [Source]

 

Genetics

 

UK – DNA Evidence Can Be Fabricated, Scientists Show

Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases. The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person. “You can just engineer a crime scene,” said the lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. “Any biology undergraduate could perform this.” The planting of fabricated DNA evidence at a crime scene is only one implication of the findings. A potential invasion of personal privacy is another. Using some of the same techniques, it may be possible to scavenge anyone’s DNA from a discarded drinking cup or cigarette butt and turn it into a saliva sample that could be submitted to a genetic testing company that measures ancestry or the risk of getting various diseases. Celebrities might have to fear “genetic paparazzi,” said the Genetics and Public Policy Center at Johns Hopkins University. [NYT Source]

 

EU – Quarter-Million Welsh Added to DNA Database Since 2001

Recent figures released by the Liberal Democrats show that Welsh authorities have uploaded more than 250,000 DNA records, including those of more than 58,000 children, into a national genetic database. Supporters of the database say it helps curb crime in the country of three million, but opponents claim statistics don’t support that notion. “Our DNA database is the largest in Europe yet our crime rates are remarkably similar,” said Liberty Policy Officer Anita Coles. South Wales West AM Peter Black said: “Many people whose information has been stored were never even charged, let alone convicted of a crime. What is more concerning is how many young adults and children are on the database.” [Source]

 

Health / Medical

 

US – Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities

The US Federal Trade Commission has issued a final rule on health care breach notification. The rule will require web-based businesses that store or manage health care information to notify customers in the event of a data security breach. Such entities are often not bound by the requirements of the Health Insurance Portability and Accountability Act (HIPAA); this rule addresses that discrepancy. [Source]

 

US – HIPAA Security Rule Enforcement Transferred to OCR

Health and Human Services Secretary Kathleen Sebelius has transferred to the Department of Health and Human Services’ Office for Civil Rights (OCR) the authority to interpret and enforce the Health Insurance Portability and Accountability Act security standards. The authority previously rested in the Office of E-Health Standards and Services within HHS’ Centers for Medicare & Medicaid Services. The transfer of enforcement authority means that OCR will be responsible for enforcement of both the HIPAA privacy and security rules. According to HHS, OCR will now determine when the HIPAA security standards do not preempt contrary state law provisions; issue subpoenas requiring witness testimony and production of evidence for investigations or reviews related to failure to comply with the HIPAA security standards; and impose civil money penalties for violations by covered entities. According to HHS, the transfer of authority to OCR should be seamless since OCR frequently worked with the Office of E-Health Standards in resolving issues where HIPAA privacy and security concerns overlapped. [Source] [Notice]

 

US – Pfizer Will Make Clinical Trial Networking Site

Pfizer said it will team with information technology company Private Access to create a Web site where patients can find out about clinical trials of new drugs, and where physicians, researchers and drug companies can look for test subjects. The New York drugmaker said patients will be able to post personal health information at the site and, using privacy options, make the information visible only to researchers who are focused on conditions that interest them. Pfizer said that will make it easier for patients to find out about relevant trials, and for researchers and doctors to find the patients they need. Private Access CEO Robert Shelton described the site as a “privacy-enhanced search engine for personal health information.” The phased roll-out of the site will start later this year. The companies will bring in additional partners, including trial sponsors, patient advocacy groups, and technology providers. They said the site will encourage social networking about the trials. [Source]

 

BR – Brazilian e-Cards Inform Partners of Possible STD

You’ve got mail – and possibly an STD. The Brazilian Health Ministry has created a website to let people inform partners they’ve got a sexually transmitted disease via an emailed virtual postcard. The official in charge of the ministry’s STD and AIDS programs notes that many people have a hard time telling partners they’re infected. Mariangela Simao said in a statement this week that the emails may help people “to tackle these diseases directly and with minimum exposure.” One of the cards shows a young man reclining in his underwear. It reads: “Hi! I don’t know if this is the best way to tell you, but I’ve learned that I have an STD.” The card suggests the recipient see a doctor. [Source]

 

AU – Secret Report Reveals e-Health ID Findings

A Privacy Impact Assessment (PIA) conducted by the firm Galexia in 2006 warned government officials that Australians would view individual healthcare identifiers (IHIs) as a national identity “product.” The firm also noted “significant privacy compliance hurdles” associated with using the Medicare Consumer Directory Management System as a source for individual numbers, the report states. The Australian obtained the unpublished PIA after controversy erupted over National E-Health Transition Authority plans to roll out IHIs sooner than planned. Members of the newly formed Consumer Centred E-Health Coalition say the public needs to know the government’s E-Health data protection and governance plans before assigning IHIs. The privacy commissioner disagrees. [Source]

 

AU – No Escape from Identity Scheme for Medicare

Australians may not be able to opt out of the planned national healthcare identity scheme despite assurances that those who do will still have access to treatment under Medicare. Federal Privacy Commissioner Karen Curtis says “it is not clear how an individual will be able to exercise that option” under proposals on the national health ministers’ agenda. [Australian IT]

 

Horror Stories

 

UK – Lost USB Stick Contains Nearly Three Times as Many Records as First Reported

The UK Home Office has acknowledged that a lost USB stick held more data than was previously declared. The memory device, lost by PA Consulting, held 377,000 records, nearly three times the number reported earlier. The additional 250,000 records hold information about the Drug Intervention Programme. The remaining records contain information about prisoners and those with criminal offences. The device has not been found. [Source] [Source]

 

US – Stolen Laptop Holds Army National Guard Data

A laptop computer belonging to an Army National Guard contractor was stolen on July 27; the computer holds personally identifiable information of approximately 131,000 current and former Army National Guard members. The compromised data include names, Social Security numbers (SSNs), and incentive payment amounts. Affected individuals will be notified by letter. [Source] [Source]

 

US – Radisson Hotel Announces Data Breach

Radisson Hotels & Resorts has posted an open letter to its guests, informing them “that between November 2008 and May 2009, the computer systems of some Radisson hotels in the US and Canada were accessed without authorization.” The compromised data include names and credit card numbers and expiration dates. Radisson learned of the breach after hearing about fraudulent activity from credit card companies and processors. [Source] [Source] [Source] [Open Letter]

 

US – Prison Sentence for Personal Data Theft Through LimeWire

A Seattle man has been sentenced to 39 months in prison for using the LimeWire filesharing network to steal personal information, including tax returns and bank statements. Frederick Eugene Wood searched LimeWire users’ hard drives for specific terms, like “statement” and “account,” then downloaded the documents and used the information to commit identity fraud. Investigators found personal data belonging to 120 people on Wood’s computer. His wallet contained eight driver’s licenses, each bearing a different identity. [Source] [Source] [Source]

 

US – Data Security Breach Compromised PII of 27,000 US Commerce Dept. Employees

According to a letter sent to employees of the US Commerce Department, a National Finance Center employee sent an unencrypted Excel spreadsheet containing employees’ personal information to a co-worker via email. The compromised information includes names and Social Security numbers (SSNs). The event occurred in mid-July. The Commerce Department is working out details of an agreement with a private company to monitor for potential cases of identity fraud, and affected employees have been advised to set up alerts with credit agencies. [Source]

 

US – UMass Discloses Breach 11 Months Later

University of Massachusetts at Amherst officials say they have taken steps to shore up information security practices since learning last fall of a breach that exposed the personal information of alumni. The university announced the breach earlier this month. A UMass spokesperson said the notification was delayed due to an ongoing investigation. The breach affected servers containing Social Security numbers and some credit card information of a “large number” of undergraduate and graduate students who attended the school between 1982 and 2002, the report states. UMass officials say there is no evidence that personal information was stolen. [Source]

 

CA – Cavoukian: Smart Grid Privacy a “Sleeper” Issue

The recent Toronto Hydro security breach that exposed the information of 179,000 customers has Ontario’s Information and Privacy Commissioner warning that a Smart Grid could present privacy risks. Ann Cavoukian told the Toronto Star that although she believes the Grid is a good idea, the privacy issue has so far been “a sleeper; it’s not top of mind.” Cavoukian also said that the Hydro breach should prompt all utilities planning network upgrades to ensure their policies protect private information. A presenter at last week’s Black Hat security conference demonstrated the ease with which a smart meter could be hacked. [Source]

 

US – Federal Eye: Personal Data Mishandled at Commerce Dept

Commerce Department employees have been notified that their sensitive personal information was exposed last month. The names and Social Security numbers of 27,000 were on an Excel spreadsheet that a National Finance Center employee sent to a co-worker via unencrypted e-mail, the report states. The department is making arrangements to track for identity theft resulting from the breach and is urging employees to monitor their credit reports. [Source]

 

UK – Workers Illegally Accessed Identity Database Details

Nine Cardiff and Glasgow local authority workers have been sacked for illegally accessing personal details stored in what is expected to become the government’s national identity database. The Customer Information System database contains information on 92 million citizens, and about 200,000 government workers have access to it. Although nine workers were called out, dozens are said to have accessed details on celebrities and others without justification. Critics of the database say the breach is demonstrative of the security threat posed by those who have access to the database, while the DWP says it shows the system’s auditing and monitoring controls are working. [Source]

 

Identity Issues

 

CA – ID-Scanning to Comply With Privacy Laws

Controversial technology that collects bar patrons’ personal information will remain in use after B.C.’s privacy commissioner worked out a compromise with the technology’s owner. Privacy commissioner David Loukidelis ruled in July that a system made by TreoScope to collect and store customers’ names, photos, birthdates, genders and driver’s licence numbers as part of the BarWatch program violated privacy laws. But on Friday, he said the software can remain in bars and clubs providing it does not retain the driver’s licence numbers, and erases data within 24 hours after it’s collected. However, bars will be able to keep the information of violent customers in the system and share that data with other establishments. [Source]

 

Intellectual Property

 

CA – Authors, Groups Want Privacy Guarantees

National Public Radio reports on the privacy concerns associated with Google’s plan to create a massive digital library. Authors and advocates such as the Electronic Frontier Foundation and American Civil Liberties Union of Northern California want the company to guarantee reader privacy protections, such as deleting their personal data and browsing histories after one month’s time and committing not to release users’ information unless presented with a warrant, the report states. And because privacy policies can change, the groups want Google to make such privacy guarantees in a copyright settlement to be finalized this fall, if approved. [Source]

 

UK – Internet Cut-Off Threat for Illegal UK Downloaders

People who persist in swapping copyrighted films and music will have their internet connections cut off under tough new laws to be proposed by the UK government today. The measures also include taking the power to target illegal downloaders away from regulator Ofcom and giving it to ministers to speed up the process. [Guardian]

 

UK – Proposal Would Require UK ISPs to Suspend Internet Connections

The UK government is considering establishing a policy that would require Internet service providers (ISPs) to suspend the Internet service of customers who are downloading copyrighted material in violation of copyright law. Earlier versions of the proposals recommended a graduated response to subscribers found to be violating copyright laws; under those recommendations, subscribers would be notified that their activity was illegal, and if they persisted, their Internet connection would be slowed. The added disincentive of suspending subscribers’ Internet connections was proposed when copyright holders complained that the earlier version did not go far enough. The proposal would need to be approved by the British Parliament before it takes effect. UK ISP TalkTalk says the new proposal probably “breach[es] fundamental rights.” Other ISPs are unhappy about the possibility as well. [Source] [Source] [Source] [Source]

 

Internet / WWW

 

US – Webhost and Mobile Carrier Drop Mitnick Due to Attacks on His Accounts

AT&T has informed Kevin Mitnick that it no longer wants him as a customer; it seems that his status as a “celebrity hacker” makes his account an inviting target for script kiddies and the cellular provider no longer wants to direct its resources toward protecting his account from attacks. AT&T made the decision to boot Mitnick after he hired legal representation to complain that his private information was not being adequately protected. Several weeks ago, Mitnick’s webhost, HostedHere.net, notified him that it was ending their business relationship. The webhost described Mitnick as “a high profile target.” [Source]

 

Law Enforcement

 

UK – One Crime Solved Per 1,000 London CCTV Cameras: Study

“Only one crime was solved for each 1,000 CCTV cameras in London last year, a report into the city’s surveillance network has claimed. The internal police report found the million-plus cameras in London rarely help catch criminals. In one month CCTV helped capture just eight out of 269 suspected robbers. David Davis MP, the former shadow home secretary, said: ‘It should provoke a long overdue rethink on where the crime prevention budget is being spent.’ He added: ‘CCTV leads to massive expense and minimum effectiveness. It creates a huge intrusion on privacy, yet provides little or no improvement in security. The Metropolitan Police has been extraordinarily slow to act to deal with the ineffectiveness of CCTV.’” [Source] [Source] [Source]

 

CA – Prosecutor: Officer’s Misuse of Police Databases ‘Unprecedented,’ Hearing Told

An Ottawa police officer is accused of using police information databases to gain information for personal purposes. Twenty-eight year-old Const. Dan Bargh ran more than 100 unauthorized database checks on colleagues, lovers and family members, among others. Citing the charges during a disciplinary hearing yesterday, prosecutor Lynda Bordeleau said: “These counts include a significant number of breaches. It’s kind of unprecedented.” The officer remains on active duty, the report states. A final judgment is expected on November 13. [Source]

 

Location

 

US – EFF: Build Privacy into Location-Based Services

An Electronic Frontier Foundation (EFF) report warns that Americans’ locational privacy is in jeopardy and suggests that corporations could gain a competitive edge by doing more to protect it. Citing transit cards, EZ Pass, Wi-Fi networks and other location-based services, the EFF says “a regime in which information about your location is collected pervasively, silently and cheaply” is worrying. The report says that modern cryptography can strip identifiable data from such services, and that companies could reduce liability and gain a competitive advantage by building privacy enhancements into their products and services. [Source] [EFF Report: On Locational Privacy, and How to Avoid Losing it Forever] See also: [EFF: Technology Can Help in Absence of Privacy Laws]

 

WW – Tweets Will Soon Come With a Dateline

Coming soon: datelines for Tweets. The New York Times reports that Twitter will soon begin including location information within the tweets of users who have activated the new feature. The company says it will not retain location data for a long period of time, according to the NYT report. Among its uses, Twitter co-founder Biz Stone said the feature will be useful for tweeters following events such as earthquakes or concerts. “There will likely be many use cases we haven’t even thought of yet,” Stone said, “which is part of what makes this so exciting.” [NYT Source]

 

Offshore

 

UK – U.K. Launches Privacy Initiative: Business Case for Privacy Investment

The Information Commissioner’s Office has embarked on research to determine the business case for proactively investing in privacy protection. Watson Hall is conducting the three-month study, which will also determine the role and value of personal information for organizations that handle it. Public comment is welcome. [Source] [Discussion Document] [Consultation] [Project website] [ICO appoints consultants to put a value on privacy protection - Press Release, ICO, 7th August 2009] [Privacy by Design report, ICO]

 

Online Privacy

 

US – Google Ordered to Disclose Blogger’s Identity

In a landmark case, a New York court ordered Google to provide information leading to the identity of a blogger who posted defamatory comments about Canadian model Liskula Cohen. The blog was removed from Google’s Blogger.com in March, but Cohen pursued the case to determine the blogger’s identity. After the court made its ruling, Google surrendered email addresses and IP addresses associated with the blogger. [Source] [Source] [Outed Blogger Who Flamed Model Angry at Google] [Groups Say Ruling Could Set “Dangerous Precedent” ] See also: [Another Blogger under Scrutiny]

 

WW – Google Opt-Out Village Offers “Total Privacy”

The San Francisco Chronicle reported yesterday on a new mountainside village that may or may not be a boon to California’s real estate market. Google Inc. has sequestered a 22-acre plot of land where privacy-sensitive Internet users can now live in complete privacy. “If you want to keep your information private, all you have to do is move to our 22-acre Opt Out Village and not speak to anyone from the outside world,” Opt Out Village Director John Carter told the Onion News Network, which first reported on the enclave. “It’s very simple,” said Carter. An opt-out button on the Google “fun” page sets the moving process in motion. [Source]

 

EU – ISP Gives Same Default Password to All Subscribers

A European ISP has been assigning the same default password to all new subscribers every month. While the password changes each month, subscribers of the Dutch branch of Tele2 who sign up for service in the same month all have the same password; when users log in for the first time, they are asked if they want to change their password, but they are not required to change it. The passwords have also been easy to guess. The company is considering making it mandatory for subscribers to change their default passwords. [Source] See also: [US: Weak Passwords Allow Congressional Web Site Defacements]

 

CH – Swiss Official Demands Shutdown of Google Street View

Google launched the Swiss version of its Street View mapping service last week, but on Friday federal Data Protection Commissioner Hanspeter Thür demanded the company shut it down until it can come into compliance with Swiss law by obscuring the identities of those captured in the images, reports the New York Times. Street View offers 360-degree online views of cities worldwide. InformationWeek reports that Google representatives were surprised by the commissioner’s demand and that company representatives met with data protection officials yesterday to discuss compliance objectives. [Source]

 

WW – Social Networks Leak Personal Information: Study

Online social networking sites leak personal information, a new study has found, raising the possibility that users of such sites can be tracked everywhere they go online. The study, “On the Leakage of Personally Identifiable Information Via Online Social Networks,” indicated that, as a consequence of this leakage, third-party aggregators can potentially link social network identifiers to past and future Web site visits, thereby identifying a person and his or her online activities. The study notes that while the privacy policies of the third-party aggregators typically declare the sharing of non-identifying information, they don’t make it clear that an identity can often be derived from supposedly non-identifying information. The study looked at twelve social networking sites: Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter, and Xanga. Many social networking sites provide privacy controls to limit information disclosure, but the report found that between 55% and 90% of users – Wills suggests it’s closer to 70% on the lower end – of social networking services keep the default privacy settings for allowing strangers to view profile information and 80% to 97% keep the default privacy settings for viewing friends. [Source] [ACLU Demo]

 

WW – Facebook Rolls Out Real-Time Search

Facebook has rolled out a vastly improved search engine that returns real-time results and the status updates of members who have chosen to make their information public, putting the site into more direct competition with Twitter. By positioning itself as a real-time search engine where anyone can search what Facebook users are saying, the social networking site could steal market share and potential advertising dollars from Twitter. The announcement came hours after Facebook announced it would acquire FriendFeed, a social aggregation service with features similar to Twitter, for a reported $50m in cash and stock. Twitter has proven its value largely through its search function. By searching for keywords such as ‘Iran’ or ‘election’ during the recent political unrest in Iran, anyone on the web could see what users around the world were saying about the subject. Yet with 250m active members, Facebook is the vastly larger site. Until now, however, Facebook’s search function had been pilloried as inadequate. Results did not include status updates, and finding even basic features like applications or the company pages was tedious. The upgrade also aids Facebook’s ambition of making the site more public. But as Facebook becomes more public, it will test its users’ appetite for exposure on the web. It has begun asking users to re-evaluate their privacy settings, and is encouraging them to make information publicly available. Privacy advocates have expressed concern that some users might not understand their information is being made public. [Source]

 

US – Few Consumers Care About Web Privacy: Study

The advertising network Fetchback compared the rate of users’ opt outs before and after it began offering a link to more information about the ads, finding that slightly fewer users opted out when given more information about the ad modules. The company collected two weeks’ worth of data. CEO Chad Little says the results indicate that fears about making it easier for consumers to opt out might be overblown. “You’re so focused on [the potential downside] you don’t actually think about how it opens communication,” Little said. The opt-out model has been discussed as one possible way to protect privacy and give consumers more control in the behavioral advertising environment. [Source]

 

WW – Popularity Outweighs Facebook Privacy Fears

One glance at Bryan Floyd’s Facebook page and you’ll know his email address, his cellphone number and that his favourite movie is Orgazmo. Floyd recently restricted access to his profile to his friends on the networking site and had no idea his information was open to the public before. “I didn’t really care, I guess,” he said. Floyd’s openness might come from a need to be liked, psychologists at the University of Guelph say. On Facebook, “our identity is created by what other people are saying about you,” said Amy Muise, who conducted the research with Emily Christofides. “The more you disclose and the more others can engage with you on Facebook, the more ... visible and social you are.” Their study found undergraduates ages 17 to 24 who disclose a lot of personal information on Facebook are driven by the desire to be popular. [Source]

 

WW – Secret, Stubborn Cookies

Researchers from the University of California, Berkeley have reported that more than half of the Internet’s websites are using Adobe Flash cookies to track users’ behavior and interests, but these cookies are mentioned in just four privacy policies, though other sites mention the use of “tracking technology.” Flash cookies differ from regular cookies because they are unaffected by browser privacy controls. Flash cookies are even being used to re-establish cookies for users after those users delete the more familiar cookies. The researchers’ report was submitted earlier this week as a comment on the federal government’s proposal to re-establish the use of cookies on federal websites. [Source] [Study]

 

WW – Quantcast Casts Out Flash Cookies in Wake of Report

In the wake of research published about Flash cookies, online tracking company Quantcast has stopped its practice of recreating customers’ cookies with Flash after users deleted the regular cookies. The researchers showed that some websites were circumventing customers’ wishes not to be tracked by creating the Flash cookies, which are not affected by browser privacy settings. Quantcast made the change to its practices on Tuesday afternoon after the research was published. According to the report, more than half of 100 sites scrutinized for the research used Flash cookies. Adobe has provided instructions for managing Flash cookies on its website. [Source] [Source] [Coverage] [Study: Flash Cookies and Privacy]

 

UK – Office of Fair Trading to Investigate Targeted Ads and Pricing Online

The Office of Fair Trading (OFT) announced it will investigate behavioural targeting provider Phorm. The agency will look into how the company uses the personal information of Web users to target adverts, the report states. Regulators say they want to understand more about the techniques’ potential for consumer harm. Phorm’s WebWise product lets Internet providers deliver highly targeted advertisements to users based on their Web browsing activities. The controversial service has prompted investigations among other European regulators, such as the UK Information Commissioner’s Office and the European Commission. Some say the OFT inquiry could lead to an industry code of practice. [Source]

 

Other Jurisdictions

 

SA – South Africa Privacy Law Gets Cabinet Nod

The South African Cabinet has approved the Protection of Personal Information Bill to go before Parliament. The draft law has been nine years in the making and will have a profound impact on business, lawyers say. A Cabinet spokesman said the Bill was drafted by the South African Law Commission and seeks to protect the constitutional right to privacy as far as processing of personal information is concerned. The length of time was due to the initial discussion paper drawing more than 5 000 responses that had to be collated and examined. A key aspect of the privacy law will be the adequate funding and staffing of the Information Commission, which will be set up to guide companies on what will be considered as private information. The Bill will now go before the Parliamentary Portfolio Committee on Justice, where public hearings will be held, and then to the National Council of Provinces. Thereafter, it will be approved by the National Assembly and then signed into the statute books by the president. “At best, we can expect this to become law by the end of the first quarter of 2010,” Michalson says. [Source]

 

HK – Public Consult Open on Privacy Law Review

The Hong Kong Constitutional & Mainland Affairs Bureau is reviewing the Personal Data (Privacy) Ordinance and has launched a three-month public consultation to seek feedback on its proposed changes to the law. Among the proposals, the bureau recommends that the privacy commissioner be granted powers to “assist aggrieved data subjects who would like to seek compensation and to take their cases to court.” The review will also consider whether certain information--such as biometric data--should receive special attention in the ordinance. Secretary for Constitutional & Mainland Affairs Stephen Lam said that the review is necessary in light of the technological developments of the past decade. [Source]

 

HK – Commissioner Weighs in on Consent

Privacy Commissioner for Personal Data Roderick Woo Bun says Hong Kong’s Personal Data (Privacy) Ordinance does not give parents authority to give consent on behalf of a minor. The commissioner stated his opinion in a letter to Secretary for Education Michael Suen Ming-yeung this week. At issue is schools’ desire to implement voluntary drug tests by seeking students’ or guardians’ consent. “While it is doubtful whether all students have the requisite capacity to give genuine consent, the Personal Data (Privacy) Ordinance does not give parents or guardians the authority to give consent on behalf of a minor,” Woo said, adding that new legislation would be necessary to accomplish this. [Source]

 

US – Airlines to Require More Passenger Data

Airlines this week will begin requiring some people making reservations for domestic flights to submit their dates of birth and genders as part of a screening process aimed at keeping boarding passes out of the hands of suspected terrorists, the Transportation Security Administration said. The agency said the screening would all play out behind the scenes, meaning there should be no additional delays for passengers at airport terminals. The change will be phased in starting Saturday. Not all airlines are fully participating yet and might not request the data. The TSA said it would be up to individual airlines or travel agents to decide how to collect the required information at the time a reservation is made. [Source]

 

Privacy (US)

 

US – PhD in Privacy

Carnegie Mellon University will establish a PhD program in usable privacy and security. The National Science Foundation awarded the university’s CyLab a five-year, $3 million grant to create the CyLab Usable Privacy and Security (CUPS) Doctoral Training Program. Carnegie Mellon Associate Professor Lorrie Cranor says the program will “offer PhD students a new cross-disciplinary training experience that helps them produce solutions to ongoing tensions between security, privacy and usability.” Cranor is part of Carnegie Mellon’s Institute for Software Research and its CyLab, which is one of the world’s largest university-based cybersecurity education and research centers. [Source] [Home]

 

US – Florida to Shell Out $1.5 Million

Pending legislative approval, the state of Florida will pay the federal government $1.5 million to settle privacy violations. The state violated federal rules intended to protect the privacy of motorists when it sold personal information from vehicle registrations and driver’s license records to mass marketers between 2000 and 2004, the report states. Although state law at the time called for motorists to opt out if they didn’t want their information sold, federal law required that motorists opt in to the information release. [Source]

 

US – Parent Group Challenges Privacy Policy

A 300-strong group of parents want the Sioux Falls school district to change its approach toward students’ privacy. The Parents Action Committee says the district’s policy of selling students’ personal information is an invasion of privacy. A father on the committee--Kevin Kunkel--said although the district lets parents opt to keep their student(s) off the sold lists, it is not doing enough to make that clear. Kunkel also expressed concern about how the information is protected once it leaves the schools. The Sioux Falls school board says the practice is permitted by law, but that it is open to reviewing the issue. [Source]

 

US – Suit Alleges Facebook Violates California Privacy Laws

A handful of Facebook users filed a civil suit against the company in a California court. The suit alleges that the social networking site violates California privacy law and gives the wrong impression about how users’ personal information is being used. Specifically, the suit alleges that Facebook shares members’ personal information with third parties and employs data harvesting and mining techniques that are not adequately explained to members. The suit seeks damages and asks for a jury trial. Facebook maintains that the suit has no merit and plans to fight it. [Source] [Source]

 

Privacy Enhancing Technologies (PETs)

 

US – How You Can Self-Destruct Your Messages

A Big Brother vision has inspired researchers in Seattle to create the world’s first self-destructing e-mails. Vanish, a free program developed by Roxana Geambasu and Professor Hank Levy of The University of Washington, puts an expiry date on digital messages. Eight hours after being sent, Vanish e-mails become unreadable - even to the person who wrote them. Levy says his software is a response to the fact that the digital world has forgotten how to forget. “Storage is now incredibly cheap and there’s really no need to delete data any more,” he explains. “Personal data last for a long time.” Vanish, like encryption programs, scrambles text into a string of nonsensical letters and numbers. Then comes the clever bit: Vanish splits the digital key to decode the message into 10 pieces. These fragments are then hidden in plain sight, on 1.5m randomly selected computers - part of a network of machines spread across more than 200 countries. Not only does this make it almost impossible for hackers to locate the key fragments; it gives Vanish messages their limited lifespan, because as users log off from this network and their computers refresh their memories, the number of key fragments online decreases. After eight hours, on average, enough fragments will have been erased for the message to be unreadable - to the writer, the recipient or a court. At the moment, Vanish requires both parties in an e-mail or chatroom to install the program and to use the Firefox web browser to communicate. You can then use any webmail service or social network to compose a message, highlight the text you want to keep private, choose “Create Vanish message” from a pop-up menu and send the message as usual. At the other end, recipients see only a page of scrambled text until they select “Read Vanish message”. That doesn’t mean your message is totally secure. 
You are still trusting the recipient not to make a copy of the e-mail during its eight-hour existence; and, Levy says, Vanish will not render you invisible to the authorities. “There are government agencies that are big enough to threaten this,” he says. “It’s mainly meant for individuals and individual privacy.” The makers of Vanish are not standing still, however. The next version will allow users to increase the lifespan of e-mails in multiples of eight hours, allowing users to create messages lasting a day, a weekend or a month. [Source] [Source] [Try Vanish Free at University of Washington]
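As an added illustration of the key-splitting mechanism described above (example code written for this digest, not the Vanish team’s own software): the message key is split with Shamir’s threshold secret sharing into 10 shares, the shares are scattered across a constructed stand-in for the peer-to-peer network, and once churn removes more shares than the threshold tolerates, the ciphertext can no longer be decrypted. The threshold of 7, the 128-bit key size and the hash-based keystream are assumptions standing in for the real parameters and cipher.

```python
import hashlib
import random
import secrets

# Shamir shares live in a prime field large enough to hold a 128-bit key
# (the specific prime and the 128-bit key size are assumptions of this example).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key_int, n, k):
    """Split key_int into n shares (x -> y) such that any k of them rebuild it."""
    coeffs = [key_int] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}


def recover_key(shares):
    """Rebuild the key from exactly k shares by Lagrange interpolation at x = 0."""
    xs = list(shares)
    secret = 0
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + shares[xi] * num * pow(den, -1, PRIME)) % PRIME
    return secret


def _keystream(key_int, length):
    """Hash-based keystream: a stand-in for the real cipher, not a production design."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data, key_int):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key_int, len(data))))


def vanish_create(plaintext, n=10, k=7):
    """Encrypt, split the key into n shares and push them to the (simulated) network.

    Returns (ciphertext, dht, k). The key itself is discarded: only the shares
    survive, and only while enough nodes still hold them.
    """
    key_int = secrets.randbelow(PRIME)
    ciphertext = xor_crypt(plaintext, key_int)
    shares = split_key(key_int, n, k)
    # Constructed stand-in for the peer-to-peer network: random node id -> share.
    dht = {"node-" + secrets.token_hex(4): (x, y) for x, y in shares.items()}
    return ciphertext, dht, k


def vanish_read(ciphertext, dht, k):
    """Decrypt if at least k shares are still reachable; otherwise the message is gone."""
    if len(dht) < k:
        return None
    shares = dict(list(dht.values())[:k])
    return xor_crypt(ciphertext, recover_key(shares))


def simulate_churn(dht, fraction, seed):
    """Drop a fraction of nodes, as when users log off and their caches refresh.

    The seed makes the simulation reproducible; which nodes vanish does not
    matter, only how many shares remain.
    """
    rng = random.Random(seed)
    doomed = set(rng.sample(sorted(dht), int(len(dht) * fraction)))
    return {node: share for node, share in dht.items() if node not in doomed}


if __name__ == "__main__":
    ct, dht, k = vanish_create(b"constructed sample message", n=10, k=7)
    print("fresh:", vanish_read(ct, dht, k))              # readable
    dht = simulate_churn(dht, 0.2, seed=1)                # 8 shares left
    print("after light churn:", vanish_read(ct, dht, k))  # still readable
    dht = simulate_churn(dht, 0.5, seed=2)                # 4 shares left
    print("after heavy churn:", vanish_read(ct, dht, k))  # None: below threshold
```

The same threshold property is what limits the scheme: anyone who copies the ciphertext and gathers k shares before they expire keeps the message, which is the caveat Levy raises above.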

 

WW – Squash Web bugs with Ghostery

Ghostery is a Firefox add-on that detects the presence of web bugs and tells you what they are and where they come from. If you have a keen knowledge of JavaScript (and the ability to read obfuscated code, in many cases) you can read the script source yourself, but most people will be more than satisfied by the basic reports Ghostery provides on web bugs, including links to the privacy policy of the company responsible and estimates of how prevalent the bug is. Furthermore, Ghostery gives you the option to block selected or all the web bugs it finds, effectively preventing them from collecting any data about you. Blocking every web bug might be a little too aggressive for most people’s tastes (and the option is turned off by default), but even if you never block an external script, Ghostery still provides a valuable service: showing you the seamy underbelly of the web so you can make your own decisions about what happens to your data. [Source]

 

CA – Big Honour for Canadian Privacy Researcher

A Halifax University professor has been internationally recognized for her research and development of a Web privacy software platform. Dawn Jutla received the IT Software Award at the World Technology Summit and Awards in New York last month. Previous winners include Google founders Larry Page and Sergey Brin. Jutla says the software enhances the system of checks and balances on the Web by letting users adhere to a set of privacy preferences during e-commerce or other information exchanges, and also lets them compare privacy policies, the report states. “Any organization or individual that requires privacy services would be able to use our platform,” Jutla said. [Source]

 

RFID

 

WW – RFID Mail Tracking Expands to 21 Countries

This month 21 countries will begin using RFID to track international mail in a system that is scheduled to expand into more than 100 member countries of the Universal Postal Union (UPU). RFID tags are being slipped into thousands of test letters that are sent to measure international delivery times and monitor compliance with the performance standards set by the UPU, which is the UN agency charged with coordinating mail operations among national postal authorities around the world. The UPU created the system to monitor international mail, but national postal services can use the same infrastructure to record additional mail flow through their systems and to track transport containers and other assets. The UPU approved the project rollout after a successful trial that tracked international mail among Saudi Arabia, the United Arab Emirates and Qatar. Separately, earlier this year Saudi Arabia announced plans for an RFID system to track home delivery (see Saudi Post Updates RFID System for Carriers). RFID market intelligence firm IDTechEx has predicted the postal industry will eventually become the second-largest market for RFID systems after the retail supply chain. [Source] [Source]

 

The European Union published a report on its BRIDGE pilot project that is testing RFID and complementary technologies in the pharmaceutical supply chain. The report concludes that full, cross-border supply chain tracking with RFID is feasible within the EU and provides recommendations for pharmaceutical manufacturers, distributors, transporters, wholesalers and pharmacies. The full report is available free at www.bridgewp6.eu and www.bridge-project.eu. For background on the BRIDGE project see Europe Launches Initiative to Drive RFID Adoption. [Source]

 

Other RFID News:

 

The Great Wolf Lodge indoor water park in Concord, North Carolina, has deployed Smart Band RFID Wristband System for guest room access and cashless payments. This is the seventh Great Wolf location to utilize the technology. [Press Release]

 

Lega Pro, Italy’s top professional soccer league, will begin using RFID-enabled ID cards this season for automated ticketing and cashless payment transactions at stadiums. Telecom Italia announced it received a contract to provide the Fan ID Card to all 90 clubs affiliated with Lega Pro. [Source]

 

Two service providers to the automotive dealer industry, MyDealerLot and AutoAlert, jointly announced an RFID-based customer recognition system. Several Mercedes-Benz dealerships are piloting the new Service Drive Concierge (SDC) system, which uses RFID to alert dealer sales staff when customers pull into the dealership. The alert function can be used to create services, and system software performs sales analytics. [Source]

 

Infiniti Research, a market research company in Cologne, Germany, has released RFID in Healthcare Industry 2008-2012, a 17-page report that forecasts the worldwide market. Infiniti also said RFID sales in all markets last year were $5.3 billion and will grow to $9.2 billion in 2012. [Source]

 

Impinj announced that its Monza RFID tag chips and Indy RFID reader chips will be part of Coca-Cola’s new Freestyle soft drink dispensing system. RFID is a key enabler of the widely-publicized Freestyle, which will offer consumers over 100 flavor choices, all dispensed from a single spout. It will also allow Coca-Cola to collect analytics about the consumption and popularity of different drinks. Learn more about Freestyle here, here, and here.

 

IBM Releases New Version of RFID Software: IBM has launched new middleware which can apply business intelligence to input from RFID tags, wireless temperature, pressure and other sensors, bar codes and other technologies. [Source] [IBM Press Release]

 

Security

 

US – Employees, Especially Temps, Cause Breaches

The majority of data breaches result from inadvertent employee error, say experts. BBC News reports on the results of a study that found unintentional data loss to be the most frequent cause of cyber breaches (14.4% per year). IDC and the security firm RSA analyzed 11 categories of risk at 400 organizations in various industry sectors across the U.S., UK, France and Germany. Of the employee-caused breaches, they found 52% to be accidental and 19% deliberate. Temporary employees, the study found, are more likely to be culpable. “It’s likely contractors may be less well-trained in organizational policy...” said RSA’s Chris Young. [Source]

 

WW – More Insider Security Incidents Are Accidental Than Deliberate: Study

According to research from RSA, more security incidents arise from incompetence than from malicious insider attacks. Although security spending is focused more on stemming the threat of deliberate insider attacks than on preventing accidental breaches, 52% of the 400 survey respondents said they perceived insider incidents as accidental; just 19% perceived them to be deliberate. [Source] [Source]

 

US – NIST Releases Security Standards for Federal Systems

The National Institute of Standards and Technology (NIST) has published the final version of SP 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations.” The document is the first major revision of guidelines for implementing the Federal Security Management Act (FISMA) since 2005. Among the changes in this updated version are “A simplified, six-step Risk Management Framework; Recommendations for prioritizing security controls during implementation or deployment; and Guidance on using the Risk Management Framework for legacy information systems and for external information system services providers.” The new version of 800-53 solves three fatal problems in the old version - calling for common controls (rather than system by system controls), continuous monitoring (rather than periodic certifications), and prioritizing controls (rather than asking IGs to test everything). Those are the three drivers for the 20 Critical Controls (CAG). In at least five agencies, contractors that previously did 800-53 evaluations are being re-assessed on their ability to implement and measure the effectiveness of the 20 Critical Controls in those agencies. One Cabinet-level Department has proven that implementing the 20 Critical Controls with continuous monitoring reduced the overall risk by 84% across all departmental systems world-wide. [Source] [Source] [Source]

 

NZ – iPods, USB Drives are ‘Security Risks’

Security is threatened at more than 20 government agencies that allow staff to use their own iPods, flash drives and other devices, the privacy commissioner says. Marie Shroff said two thirds of 37 agencies surveyed allowed staff to use portable storage devices (PSDs) that put confidential or personal information at risk. PSDs such as USB sticks, iPods, iPhones, Blackberrys and cellphones could store and transfer large volumes of information. They could easily be lost or stolen, exposing organisations to risks of major data breaches, she said. The devices could be “potentially major security risks” if they contained unsecured sensitive data. In May, the commission surveyed government use of PSDs including police and defence forces, ministries, State Services and Crown Law and found “real gaps in procedure and practice”. Of the 37 agencies, 95% made PSDs available to staff and three-quarters had policies to control their use. But less than half had procedures for deleting data and just nine agencies made encryption mandatory. Ms Shroff said agencies holding classified or sensitive information had tighter controls over the use of PSDs than other agencies. “However, it is worrying that agencies that hold the largest amounts of personal information had fewer controls.” The commission recommended that agencies should have a policy on PSD use. They should also make staff aware of the need to report losses or theft, and how to delete data. Encryption should be used for all PSDs likely to store personal information, and strict limits on personal PSDs should be enforced. [Source]

 

US – Hackers Turned Doorknob, Walked in

Forbes reports on the ease with which hackers responsible for some of the largest data breaches to date were able to infiltrate the breached entities’ networks. On Monday, a federal grand jury indicted three individuals for their roles in the Heartland Payment Systems data breach involving 130 million credit and debit cards. The same hackers are accused of breaching the Hannaford Brothers supermarket chain, among other businesses. A member of the Payment Card Industry security standards council told Forbes that the companies should not have been vulnerable to the pedestrian techniques used by the hackers. “The way these guys got hacked there’s no way they would have satisfied [PCI standards.]” [Source]

 

Smart Cards

 

US – Some D.C. Residents Criticize New Identity Cards

They are supposed to make your wallet a bit thinner and give you everything you need to check out a book at the library or visit a recreational center or a public building. But as the District government starts rolling out the highly touted DC One Card, some residents are rebelling against the first-in-the-nation initiative to put their identity on one piece of plastic. The furor over the cards became especially heated this week in Ward 3 after some residents were told they needed to obtain one to gain access to the new Wilson Aquatic Center. Department of Parks and Recreation officials say they are urging residents to obtain a DC One Card to gain entry to the pool. But residents will still be admitted at no charge if they show a valid driver’s license instead of a DC One Card. After receiving numerous complaints about the card, D.C. Council member Mary M. Cheh (D-Ward 3) fired off a letter Monday to City Administrator Neil O. Albert asking for answers. “Residents have raised concerns that the DC One Card is an unnecessary layer of bureaucracy,” Cheh wrote. City leaders say the idea behind the cards is a simple one: to track who is using facilities while making it easier for residents to access services. “If I just want to have a swim, what do they need to know about me?” Loikow asked. “They don’t need to know every rec center I have ever been to. They just need to know I have a bathing suit and can take a swim without drowning.” [Source]

 

Surveillance

 

UK – A Request to Snoop On Public Every 60 Secs

UK Councils, police and other public bodies are seeking access to people’s private telephone and email records almost 1,400 times a day, new figures have disclosed. The authorities made more than 500,000 requests for confidential communications data last year, equivalent to spying on one in every 78 adults, leading to claims that Britain had “sleepwalked into a surveillance society”. An official report also disclosed that hundreds of errors had been made in these “interception” operations, with the wrong phone numbers or emails being monitored. The figures will fuel concerns over the use of the Regulation of Investigatory Powers Act by public bodies. The latest figures were compiled by Sir Paul Kennedy, the interception of communications commissioner, who reviews requests made under the Act. They relate to monitoring communication “traffic” – such as who is contacting whom, when and where and which websites are visited, but not the content of conversations or messages themselves. Sir Paul found that last year a total of 504,073 such requests were made. The vast majority were made by the police and security services but 123 local councils made a total of 1,553 requests for communications data. Some councils sought lists of the telephone numbers that people had dialled. Amid growing unease about surveillance powers, ministers issued new guidelines last year about their use. Despite the promised crackdown, the 2008 figure is only slightly lower than 2007’s 519,260 requests. In April, the Home Office said it would go ahead with plans to track every phone call, email, text message and website visit made by the public, in order to combat terrorists and other criminals. [Source]

 

CA – Alberta Court Rules Marijuana Grow-Op Detector Violates Privacy

Alberta’s top court says police use of a digital recording ammeter, without judicial authorization, to determine whether there is a marijuana grow operation in a home violates the homeowner’s privacy rights. In a split 2-1 decision released this week, the Alberta Court of Appeal ruled that Calgary police should not have asked the utility Enmax to install the device, which creates a record of when electrical power was being consumed at Daniel James Gomboc’s southwest Calgary home in January 2004, before obtaining a warrant. “It has been famously said that, ‘The state has no business in the bedrooms of the nation,’” wrote Justice Peter Martin, who ordered a new trial for Gomboc. “The actual prohibition is much broader: in our society, absent exigent circumstances, the state has no business in the homes of the nation without invitation or judicial authorization.” [Source]

 

CA – Activists Turn Tables on Watchers

Vancouver surveillance cameras were themselves under the lens on Sunday. The Vancouver Public Space Network, Simon Fraser University’s Surveillance Project and about two dozen volunteers took photographs of video surveillance cameras and noted their locations in the central business district and the Downtown Eastside. The organizers, who hope to spark public debate about the use of surveillance cameras in public areas, will create online maps showing where the cameras are situated. [Source]

 

CA – Commissioner Concerned About License Plate Readers

Canada’s privacy commissioner has expressed concern about automated license plate readers used by the RCMP to monitor British Columbian roads. Assistant Commissioner Chantal Bernier described the readers’ use as a “broad surveillance technique” that could undermine the privacy of law-abiding Canadians by capturing the data of all who pass through a reader’s field of view, rather than specifically monitoring individuals suspected in a crime. The RCMP have ordered 60 readers to be used in police vehicles. The system is intended to identify stolen cars, check for outstanding warrants or driving prohibitions, and help find missing children during Amber Alerts. [Source] See also: [License Plate Scanners Gaining Popularity with U.S. Law Enforcement]

 

NZ – Intelligence Service May Be Spying on Academics

New Zealand’s Tertiary Education Union (TEU) has requested that the country’s privacy commissioner investigate the possibility that an Auckland University professor is being surveilled by the New Zealand Security Intelligence Service (NZSIS) over criticisms of the country’s free-trade policies. Dr. Jane Kelsey became concerned after seeing her name in reports given to members of parliament, but her request for disclosure resulted in a file containing only three pages. Further disclosure, the commissioner’s office ruled, could compromise NZSIS operations. [Source]

 

US – Balloon Surveillance Backlash at Border

Ontario residents continue to express displeasure about the presence of a surveillance balloon poised over the St. Clair River at the Canada-U.S. border. A U.S. company is floating the 15-metre, $1-million, camera-clad balloon to test its viability for use by the U.S. government in border security efforts. Some Ontarians have dubbed it the “Port Huron Hindenburg.” The balloon monitors an area between Sarnia, Ontario and Port Huron, Michigan. Canada’s Justice Minister Rob Nicholson commented on the upset this week, saying: “We always have to be careful with any technology and respect other people’s privacy. There’s no question about that.” Sarnia residents are organizing a “Moon the Balloon” protest. [Source]

 

Telecom / TV

 

US – FTC Rules Outlawing Those Annoying Robocalls Hit Sept. 1

Nearly a year after announcing the plan, new FTC rules prohibiting most robocalls are set to take effect Tuesday, Sept. 1. Under the rules, prerecorded commercial telemarketing robocalls will be prohibited unless the telemarketer has obtained written permission from the consumers who want to receive such calls. Hopefully the rules will go a long way toward helping consumers eat dinner in peace without being interrupted by amazingly annoying telemarketer blather, or in this case prerecorded blather. [Source]

 

WW – Palm Criticised Over Pre Privacy

Palm has responded to claims that its recently launched Pre smartphone abuses owners’ privacy. The company issued a statement after one owner discovered his phone was sending data back to Palm every day. The information included the current location of the phone and how long each application was used for. The discovery was made by software developer and Pre owner Joey Hess, who found that his phone was reporting his location over a secure connection back to Palm. It also sent back information about application crashes, even those not seen by the Pre owner. Also in the daily update sent to Palm was a list of the third-party applications installed on the phone. In its privacy policy, Palm does explain that it will gather geographical data to help with location-based services. However, commentators were puzzled as to why it needed to gather so much data and why owners were not told what it had gathered. Mr Hess found a way to disable the reporting by editing the phone’s software. In its statement on Mr Hess’s discovery, Palm said it took users’ privacy “seriously” and that it “offers users ways to turn data collecting services on and off”. [Source]
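The Pre finding above was made by looking at what the phone actually transmitted, not at what the privacy policy said. The following is an added example (not code from Palm, from Joey Hess, or from the BBC report) of the kind of audit a practitioner would run over a device’s outbound request log: it groups uploads by destination host, flags hosts that are contacted on a nearly fixed schedule (a daily beacon), and lists which categories of sensitive data the beacon carried. The log format, the host names, the field names and the sample lines are all constructed for the example and are not the Pre’s real upload format.

```python
"""Audit a device's outbound upload log for periodic beacons that carry
sensitive fields.  Added example: the log format, hosts and key names
are constructed and do not describe the Palm Pre's actual telemetry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per outbound HTTPS POST, in the shape a
# local proxy or on-device hook might record.  Hosts and keys are hypothetical.
SAMPLE_LOG = """\
2009-08-10T03:00:02Z POST https://telemetry.example.invalid/upload keys=gps.lat,gps.lon,app.usage,app.list,crash.report
2009-08-10T09:14:51Z POST https://mail.example.invalid/sync keys=msg.count
2009-08-11T03:00:05Z POST https://telemetry.example.invalid/upload keys=gps.lat,gps.lon,app.usage,app.list
2009-08-11T15:22:10Z POST https://mail.example.invalid/sync keys=msg.count
2009-08-12T03:00:01Z POST https://telemetry.example.invalid/upload keys=gps.lat,gps.lon,app.usage,app.list,crash.report
2009-08-13T03:00:03Z POST https://telemetry.example.invalid/upload keys=gps.lat,gps.lon,app.usage,app.list
"""

# Key prefixes a privacy review would want called out, with a human label.
SENSITIVE_PREFIXES = {
    "gps.": "location",
    "app.usage": "application usage",
    "app.list": "installed application inventory",
    "crash.": "crash reports",
}


def parse_log(text):
    """Return a list of (timestamp, host, [keys]) tuples, one per log line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _method, url, kv = line.split(maxsplit=3)
        host = url.split("//", 1)[1].split("/", 1)[0]
        keys = kv.split("=", 1)[1].split(",") if "=" in kv else []
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, keys))
    return records


def find_beacons(records, min_hits=3, max_jitter_s=600):
    """Return {host: summary} for hosts contacted on a regular schedule.

    A host counts as a beacon when it received at least min_hits uploads and
    the gaps between consecutive uploads vary by less than max_jitter_s, i.e.
    the uploads happen at an almost fixed interval regardless of user activity.
    """
    by_host = defaultdict(list)
    for ts, host, keys in records:
        by_host[host].append((ts, keys))

    beacons = {}
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if pstdev(gaps) > max_jitter_s:
            continue  # irregular traffic, e.g. user-triggered sync
        seen = set()
        for _, keys in hits:
            for key in keys:
                for prefix, label in SENSITIVE_PREFIXES.items():
                    if key.startswith(prefix):
                        seen.add(label)
        beacons[host] = {
            "uploads": len(hits),
            "interval_hours": round(mean(gaps) / 3600, 1),
            "sensitive": sorted(seen),
        }
    return beacons


def audit(text=SAMPLE_LOG):
    """Parse the log and return the beacon summary."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for host, info in audit().items():
        print(f"{host}: every {info['interval_hours']} h, {info['uploads']} uploads, "
              f"sends {', '.join(info['sensitive'])}")
```

On the constructed log the mail host is contacted twice at irregular times and is ignored, while the telemetry host shows a 24-hour cadence carrying location, usage, app inventory and crash data. The jitter threshold is the important knob: a scheduled upload lands within seconds of its slot day after day, which is what distinguishes it from traffic the user caused.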

 

US Government Programs

 

US – ACLU Seeks Records About Laptop Searches at the Border

The ACLU has filed a lawsuit demanding records about the U.S. Customs and Border Protection (CBP)’s policy of searching travelers’ laptops without suspicion of wrongdoing. The lawsuit was filed under the Freedom of Information Act (FOIA) to learn how CBP’s policy, issued last year, has impacted the civil liberties of travelers during the first year of its implementation. “Traveling with a laptop shouldn’t mean the government gets a free pass to rifle through your personal papers,” said Catherine Crump, staff attorney with the ACLU First Amendment Working Group. “This sort of broad and invasive search is exactly what the Fourth Amendment’s protections against unreasonable searches are designed to prevent.” In its policy, CBP asserts it is free to read the information on travelers’ laptops “absent individualized suspicion.” CBP claims the right to search all files saved on laptops, including personal financial information, family photographs and lists of Web sites travelers have visited, without having reason to believe a traveler has broken the law. Additionally, CBP’s policy extends to suspicionless searches of “documents, books, pamphlets and other printed material, as well as computers, disks, hard drives and other electronic or digital storage devices.” The policy covers all persons, whether or not they are U.S. citizens, crossing the border. The ACLU made an initial FOIA request for the CBP’s records in June. Today’s lawsuit seeks to enforce that request. Among the documents being sought by the ACLU are records pertaining to the criteria used for selecting passengers for suspicionless searches, the number of people who have been subject to the searches, the number of devices and documents retained and the reasons for their retention. [ACLU FOIA request] [More information] [Source]

 

US – Gov’t Tightens Oversight of Laptop Border Searches

The Obama administration on Thursday put new restrictions on searches of laptops at U.S. borders to address concerns that federal agents have been rummaging through travelers’ personal information. The long-criticized practice of searching travelers’ electronic devices will continue, but a supervisor now would need to approve holding a device for more than five days. Any copies of information taken from travelers’ machines would be destroyed within days if there were no legal reason to hold the information. [Source] [DHS Directive Announcement] [CBP Border Search of Electronic Devices Containing Information] [ICE Border Searches of Electronic Media] [Privacy Impact Assessment: Border Searches of Electronic Information]

 

US Legislation

 

US – Mass. ID Theft Rules Amended, Deadline Extended

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has amended its data security regulations. In a media release, the OCABR announced that the rules will facilitate a risk-based approach to data security, which is expected to help the small-business community, in particular. In creating written security programs, businesses will be able to take into account their size, industry type and identity-theft risk, among other characteristics. The OCABR also modified the regulations to make them technology neutral. The new effective date is March 1, 2010. A public hearing on the changes will take place Tuesday, September 22. [Source]

 

US – New Bill Could Limit Searches on Property Tax Information Online

The Wisconsin Assembly is considering a bill that would limit searchable tax data. AB 349 would prohibit Web users from searching Oneida County tax records by a property owner’s name. The bill intends to protect personal privacy by shielding Social Security numbers (SSNs), said Brandon Strand, a spokesperson for the bill’s sponsor, State Senator Jim Holperin. “A lot of time when deeds, etc., get posted online, they also post individuals’ Social Security numbers and other personal information,” Strand said. Opponents of the bill, including the county’s land information director, say the mandate would increase costs. [Source]

 

US – New Florida License Requirements Nettle ACLU

Beginning in January, Florida residents applying for or renewing a driver’s license will be subject to new identity-verification requirements. Applicants will be required to submit proof of identity, a Social Security number and proof of their residential address, the report states. The ACLU says the requirements hold the potential for government-induced privacy invasions, but state officials say the rules will bring Florida licenses into compliance with federal standards intended to help protect citizens from identity theft. [Source]

 

US – Maine Enacts Comprehensive New Law Restricting Marketing to Minors

Maine’s new Act to Prevent Predatory Marketing Practices Against Minors will take effect on September 12, and “businesses would be well-advised to evaluate their current marketing practices and age-verification mechanisms.” The law places restrictions on marketers’ activities related to minors, prohibiting the collection of personal information without parental consent, among other restrictions. “For businesses,” the source blog states, “the implications...are far-reaching.” Individuals may bring a private right of action against violators. [Source] [Text of Law]

 

Workplace Privacy

 

US – Employers Using Social Networking Sites to Vet Candidates

45% of employers polled for a Harris Interactive study said they use social networking sites to help vet prospective employees, reports the New York Times. That is double last year’s number. The study, commissioned by CareerBuilder.com, polled 2,667 managers and human resource employees, 35% of whom said they had decided not to make an offer based on information found on a candidate’s online profile. Employers’ discovery of candidates’ provocative photos, references to drug and alcohol use, derogatory remarks about previous employers and poor online communication skills were among the top deal-breakers. [NYT Source] [Study] See also: [Facebook, Twitter skills now wanted in workplace]

 

US – Companies That Failed to Give Notices to Fired Workers and Rejected Applicants Pay FTC Fines

Two companies that fired workers and rejected job applicants based on background checks without informing them of their rights under the Fair Credit Reporting Act (FCRA) have agreed to settle Federal Trade Commission charges that they violated federal law. The settlements require the defendants to pay $77,000 in civil penalties and bar future FCRA violations. [Source]

 

US – CA Supreme Court Rules on Workers’ Privacy

The California Supreme Court has ruled that Pasadena-based Hillsides, Inc. did not violate the privacy of two employees by outfitting their office with a surveillance camera. The employees filed a lawsuit claiming the camera was an “egregious violation of prevailing social norms” and was “highly offensive.” But the high court disagreed in a unanimous ruling, stating, “We appreciate the plaintiffs’ dismay over the discovery of video equipment...hidden among their personal effects...” but since the surveillance did not take place until after hours, their privacy was not violated. [Source]

 

CA – Background Check Data to Stay in Canada

A bus company has switched to a Canadian background check provider due to privacy concerns about its use of a U.S. firm. A Saskatoon woman had refused to allow First Student Canada to conduct a mandatory check due to privacy concerns about how her personal information would be handled over the border. First Student said this week that changing providers is something they’ve been considering, and the concerns raised prompted them to make the switch. “I think it’s a good move,” said Stephanie Sydiaha, the driver who refused the check. “...I’m glad that the information isn’t going to be available to American authorities.” [Source]

 

 

+++