Privacy News Highlights

12–31 December 2009

 

Contents:

WW – Google Blocks Facial Recognition in Image Searches
CA – Federal Court blasts CSIS, Axes Security Certificate as “Unreasonable”
CA – Supreme Court Ruling Widens Defamation Defence: Speech over Privacy
CA – Ontario Investigates Medical Data Breach
CA – Canada Examining 3D Body Scanners for Airports
CA – Study Shows Online Shoppers Wary
US – IAB and AAAA Update Contract Guidelines, Specify Who Owns Data
US – Preliminary Approval for Countrywide Breach Settlement
US – White House Task Force Makes Agency Info Sharing Recommendations
US – Report: US Gov’t Uses Data Brokers to Launder PII
WW – Facebook Sues Alleged Spammers
US – Proposed Legislation in NJ Would Beef Up Penalties for Unsolicited Text Messages
US – Studies: Healthcare Providers Concerned About EMR Privacy
AU – New Guidelines Permit Health Information Sharing
WW – Privacy Concerns Could Limit Benefits from Real-Time Data Analysis
CA – IPCC Expects Health Sector to Encrypt All Health Information on Mobile Devices
WW – GSM Algorithm Broken
US – Military Drone Video Feeds Will Not be Encrypted Until At Least 2014
EU – French Senators Want to Apply Data Protection Act to U.S. Web Giants
EU – German Employee Data Storage Plan Criticized
EU – Google Convicted in French Copyright Case
UK – Hospital Keeps Secret DNA File
US – Texas to Destroy Baby Blood Taken Without Consent
AU – Two Years for Abuse of New Medical ID
US – Health Workers Push Web-Based Invisible Bracelet
US – Heartland Will Pay AMEX US $3.6 Million to Settle Breach-Related Charges
US – Stolen Laptop Holds Military and DoD Employee Information
US – Mass. Supreme Court throws out Lawsuit Against BJ’s over ‘04 data breach
UK – School Admits Loss of 1,000 Student and Staff Personal Details
WW – RockYou Hacker: 30% of Sites Store Plain Text Passwords
UK – Credit Card Provider Suffers Breach, Personal Data Lost
AU – Australian Gov’t to Streamline Online Authentication
WW – Kindle DRM Broken
CN – China to Require Internet Domain Name Registration
US – San Jose Cops Will Wear Body Cameras
WW – Google to Comply with Swiss Court on Street View
US – EPIC Files FTC Complaint Over Facebook Privacy Changes
US – Privacy Policy Clause Insufficient to Reveal Poster’s Identity, US Court Rules
US – Group: Online Ad Networks Mostly Comply With Privacy Rules
WW – Firefox Addon PrivacyChoice Opt-Out Keeps Ad Networks Away from Web Habits
KY – Data Protection Law in the Works
HK – Hong Kong Commission to See Funding Increase
US – White House Names Howard A. Schmidt as Cybersecurity Coordinator
US – Netflix Sued for Violating Customer Privacy
PH – Motor Vehicle RFID System Opposed
WW – Cloud Security Alliance Releases Updated Guidance
WW – A Dozen Cyber Threats for 2010
WW – You’ve Got Mail — From Santa
US – Einstein and Citizens’ Privacy: Philip Reitinger
CA – Groups Mull Use of GPS to Help With Alzheimer’s
CA – Telecom Regulatory Policy CRTC 2009-657
US – House Ethics Committee Data Leak Prompts Security Policy Changes
US – Passport Snoopers Still on The Job - Memos Show 11 Admonished Only
US – Digital Strip Searches at Airports: Privacy Advocates Allege a Coverup
US – Real ID Act Postponed by Department of Homeland Security
US – Pennsylvania Walmart Sued for Videotaping Employees, Customers in Bathroom
US – Supreme Court to Decide Privacy of Employee Texts
EU – Garante: Monitoring Employees’ Internet Activities is Unlawful

Biometrics

 

WW – Google Blocks Facial Recognition in Image Searches

Google has blocked part of a service it launched last week due to privacy concerns, reports the New Zealand Herald. Called Goggles, the platform lets users search using images rather than words. But the company confirmed that it has blocked facial recognition from the search function until it can “understand the implications...” “We need to understand how this tool affects people’s privacy and we cannot change that decision until we do,” said Google Vice President Marissa Mayer. “We are blocking out people’s faces if people try to use Google Goggles to search for information about them.” [NZ Herald]

 

Canada

 

CA – Federal Court blasts CSIS, Axes Security Certificate as “Unreasonable”

In a major test of the country’s new secrecy-shrouded special advocate regime, Justice Richard Mosley of the Federal Court on Dec. 14 quashed an “unreasonable” security certificate and condemned Canada’s spy agency for failing to voluntarily disclose secret evidence inconsistent with its allegations that an Arab man poses a risk to national security. Justice Mosley’s ruling breaks new ground on several fronts. It marks the first time that a security certificate case has been decided on the merits by a judge since Parliament replaced the old security certificate regime, struck down two years ago by the Supreme Court of Canada, with the controversial special advocate system that took effect Feb. 22, 2008. His 185-page ruling addresses novel procedural and factual issues; canvasses the murky state of knowledge about the Bin Laden network; and sheds considerable new light on the behind-the-scenes work of Canada’s special advocates (SAs) – teams of two security-cleared lawyers who have been working behind closed doors to challenge the credibility and reliability of the government’s secret evidence against five Arab men who were held under security certificates post-9/11. The judge found that CSIS and the Ministers of Immigration and Public Safety breached their duty of candour to the court. Almrei marks the second of five security certificate cases against Arab nationals to collapse; the case against Adil Charkaoui imploded after the government threw in the towel by refusing to allow the court and the SAs to review some of its secret evidence. Reasons: In the matter of Hassan Almrei, [2009] F.C.J. No. 1579. [Source]

 

CA – Supreme Court Ruling Widens Defamation Defence: Speech over Privacy

In a judgment welcomed by media organizations as an important extension of press freedom, the Supreme Court of Canada has widened the legal protections from lawsuits over reporting on issues in the public interest. The court ruled in favour of the Citizen and other media organizations by creating a new defence from defamation claims based on “responsible communication” of issues of public importance. Journalists or Internet bloggers who are sued for libel or slander will no longer have to prove in court the absolute truth of every allegation in a report. Instead, they can rely on the new defence if the issue is of public importance and they took proper steps to verify the information. The court said Canada’s defamation law must better balance freedom of expression against the need to protect a person’s reputation and privacy. The required elements to claim a defence of “responsible communication in the public interest,” according to the Supreme Court: “The defence of public interest responsible communication is assessed with reference to the broad thrust of the publication in question. It will apply where:

A. The publication is on a matter of public interest, and:

B. The publisher was diligent in trying to verify the allegation, having regard to:

(a) the seriousness of the allegation;
(b) the public importance of the matter;
(c) the urgency of the matter;
(d) the status and reliability of the source;
(e) whether the plaintiff’s side of the story was sought and accurately reported;
(f) whether the inclusion of the defamatory statement was justifiable;
(g) whether the defamatory statement’s public interest lay in the fact that it was made rather than its truth (“reportage”); and
(h) any other relevant circumstances.” [Source]

 

CA – Ontario Investigates Medical Data Breach

Ontario’s privacy commissioner is investigating a data breach affecting more than 83,000 flu clinic patients following the disappearance of a USB drive containing personal health information, according to CTV. The affected individuals attended flu clinics in the Durham region, east of Toronto, during a period from October through December, and officials believe the device was lost on health department property, not taken intentionally. Durham Regional health officials notified the commissioner’s office of the incident. A commission spokesperson said the investigation will focus on how the device was lost and what can be done to prevent similar incidents in the future. [CTV.ca]

 

CA – Canada Examining 3D Body Scanners for Airports

Transport Canada is actively examining ways to implement full-body scanners at airports, a spokesperson said Wednesday. “We are working with CATSA (the Canadian Air Transport Security Authority) to implement various screening techniques and millimetre-wave technology is one of them,” said Maryse Durett, who added that “Canada will make its own decision” on the scanners based on its own 2008 trials in Kelowna and won’t be hurried by other governments. [Source]

 

Consumer

 

CA – Study Shows Online Shoppers Wary

The results of a public opinion survey show that among industry sectors, online retailers score lowest when it comes to consumer trust. The Calgary Sun reports that the Angus Reid poll found fewer than half (47%) of respondents trust that their personal information is protected while shopping online. The security firm Symantec commissioned the poll. Meanwhile, Alberta’s information and privacy commissioner is reminding consumers to look for the “https” on sites they visit. “The S is the signal that it is a secure site,” said privacy commission spokesman Wayne Wood, who added that the lock icon also indicates a site is secure for financial transactions. [Calgary Sun]

 

US – IAB and AAAA Update Contract Guidelines, Specify Who Owns Data

The Interactive Advertising Bureau (IAB) and Association of American Advertising Agencies (AAAA) have updated a model contract for online media buys that would limit advertisers’ and publishers’ ability to use data “owned” by one or the other. The new voluntary terms will be open for public comment through January 29. “The data uses section was very generic,” said the IAB’s Jeremy Fain. “It just said, ‘We don’t have an opinion on this, everything’s owned by everybody, and everything can be owned by everybody.’” Fain added that behavioral targeting and other developments have created the need for new guidelines. The modified terms restrict retargeting and advise against profile creation. [MediaPost] [Guide]

 

US – Preliminary Approval for Countrywide Breach Settlement

A US federal judge has granted preliminary approval to a proposed settlement that would have Countrywide Financial Corp. provide free credit monitoring to as many as 17 million people whose personal information was compromised. The settlement also provides up to US $50,000 in reimbursement for each instance of identity fraud that can be traced to the breach and for which the victims were not reimbursed otherwise and in which they lost something of value. The suit has its origins in data theft committed by former Countrywide analyst Rene Rebollo Jr., who downloaded thousands of customers’ information every week for two years and sold it to Wahid Siddiqi. Siddiqi pleaded guilty to fraud earlier this month; Rebollo’s trial is scheduled to begin in January. [ABC News]

 

E-Government

 

US – White House Task Force Makes Agency Info Sharing Recommendations

A White House task force has recommended that government agencies focus on ways to share sensitive information more effectively before addressing data security issues that accompany data sharing. There are presently more than 100 classifications for sensitive data among government agencies. The recommendations say agencies should standardize terminology and data handling procedures and then work on IT security issues. Agencies can share data even if their security policies are not aligned as long as they are clear with each other about how the information should be handled. [NextGov]

 

US – Report: US Gov’t Uses Data Brokers to Launder PII

Coming out of Columbia Law School is an article about commercial data brokers and their ability to provide information about individuals to the US government despite 4th Amendment or statutory protections. Quoting: ‘The Supreme Court has held that the 4th Amendment does not protect information that has been voluntarily disclosed to a third-party or obtained by means of a private search. Congress reacted to these holdings by creating a patchwork of statutes designed to prevent the government’s direct and unfettered access to documents stored with third-parties; thus, the government’s access is fettered by various statutory requirements, including, in many cases, notice of the disclosure. Despite these protections, however, third-parties are not restricted from passing the same data to other private companies (fourth-parties), and after the events of September 11, 2001, the government, believing that it needed a greater scope of surveillance, turned to the fourth-parties to access the personal information it could not acquire on its own. As a consequence, the fourth-parties, unrestricted by Fourth Amendment or statutory concerns, delivered — and continue to deliver — personal data en masse to the government.’ [Buying You: The Government’s Use of Fourth-Parties to Launder Data about ‘The People’]

 

E-Mail

 

WW – Facebook Sues Alleged Spammers

Facebook has filed a lawsuit against three men and their associated companies for allegedly using phishing attacks to gain access to Facebook accounts and then using the compromised accounts to send spam. The lawsuit alleges that the defendants, Jeremi Fisher, Philip Porembski, and Ryan Shimeall, launched at least four spam attacks in the last few years. The men are facing charges under the CAN SPAM Act, the Computer Fraud and Abuse Act and California anti-fraud and anti-phishing laws. [CNet] [The Register] [SCMagazine]

 

US – Proposed Legislation in NJ Would Beef Up Penalties for Unsolicited Text Messages

Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000. [MSNBC]

 

Electronic Records

 

US – Studies: Healthcare Providers Concerned About EMR Privacy

USA Today reports on the results of two studies published in the January issue of the Journal of the American Medical Informatics Association that show U.S. physicians like the idea of electronic medical records, but have concerns about the privacy implications. A survey of 1,000 Massachusetts doctors found that the majority (71 percent) were either somewhat or very concerned about the potential for privacy breaches. In a separate study involving 56 psychiatrists, psychologists, nurses and therapists, the majority of respondents said they would be less willing to record highly confidential information in a patient’s electronic health record than on a paper record, the report states. [USA Today]

 

AU – New Guidelines Permit Health Information Sharing

Australian Federal health and privacy authorities this week announced new guidelines that will let doctors share certain health information with a patient’s blood relatives, reports the Sydney Morning Herald. Under the new guidelines, physicians may override patients’ wishes and inform blood relatives about genetic disorders if there is a risk to the health of relatives, the report states. A National Health and Medical Research Council official said doctors may only disclose such information to relatives “...in situations where they reasonably believe that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the patient’s relative.” [SMH.com.au]

 

WW – Privacy Concerns Could Limit Benefits from Real-Time Data Analysis

Society will be unable to take full advantage of real-time data analysis technologies that might improve health, reduce traffic congestion and give scientists new insights into human behavior until it resolves questions about how much of a person’s life can be observed and by whom, a Carnegie Mellon University computer scientist contends in a commentary published December 18 in the journal Science. In a “Perspectives” column, Tom M. Mitchell, head of the Machine Learning Department in Carnegie Mellon’s School of Computer Science, notes that data-mining techniques, once used for scientific analysis or for detecting potential credit card fraud, increasingly are being applied to personal activities, conversations and movements, such as information that can be deduced about an individual by monitoring that person’s smart phone. “The potential benefits of mining such data range from reducing traffic congestion and pollution, to limiting the spread of disease, to better using public resources such as parks, buses, and ambulance services,” Mitchell wrote. “But risks to privacy from aggregating these data are on a scale that humans have never before faced.” Technical means can help limit threats to privacy and misuse of data, Mitchell said. One approach is to mine data from many different organizations without ever aggregating the data into a central repository. “Perhaps even more important than technical approaches will be a public discussion about how to rewrite the rules of data collection, ownership, and privacy to deal with this sea change in how much of our lives can be observed, and by whom,” Mitchell wrote. “Until these issues are resolved, they are likely to be the limiting factor in realizing the potential of these new data to advance our scientific understanding of society and human behavior, and to improve our daily lives.” Mitchell pointed out that the use of real-time data from individuals already has begun. In many cities, anonymous location data from smart phones is being used to provide up-to-the-minute reports of traffic congestion. [Science Daily] [Technology bares privacy issues, prof says]

 

Encryption

 

CA – IPCC Expects Health Sector to Encrypt All Health Information on Mobile Devices

Ontario Information and Privacy Commissioner Dr. Ann Cavoukian has directed the province’s health sector not to remove from their premises any personal health information on mobile devices – unless this very sensitive information is encrypted, as required in a health order issued in 2007. This follows the loss last week of a USB key containing the health information of almost 84,000 patients who attended H1N1 flu vaccination clinics in the Durham Region. In addition to immediately launching an investigation into the incident, the Commissioner contacted Ontario’s Ministry of Health and Long-Term Care as well as Ontario’s Chief Medical Officer of Health, Dr. Arlene King, and is working with them to reinforce the importance of safeguarding health information. Dr. King is issuing a message to all Medical Officers of Health today urging them to cease storing or transferring health information that is not protected with strong encryption. [Source] [Privacy body probes why health files lost]

 

WW – GSM Algorithm Broken

An encryption expert giving a presentation at a conference in Berlin, Germany says he has broken the GSM algorithm used to protect the privacy of cell phone calls. Karsten Nohl said he undertook the project to demonstrate that the algorithm provided insufficient security. The industry group that developed GSM said Nohl’s actions were illegal. The encryption technology in question makes mobile phones and base stations change radio frequencies quickly over 80 channels. The algorithm is used to encrypt about 80% of the world’s mobile phone calls. [NY Times] [The Register] [CNet]

 

US – Military Drone Video Feeds Will Not be Encrypted Until At Least 2014

According to US Air Force officials, encryption of video feeds from the US military’s unmanned Predator and Reaper aircraft will not be complete for at least five more years. Earlier this week, reports emerged that Iraqi insurgents had managed to access the drones’ unencrypted video surveillance feeds with a piece of off-the-shelf software that cost less than US $30. The military has known of the vulnerability for more than a decade, but said the advantage of having the information the drones provided outweighed the risk of unauthorized access. [Washington Post]

 

EU Developments

 

EU – French Senators Want to Apply Data Protection Act to U.S. Web Giants

LesEchos.fr reports that the two senators who introduced a bill to amend the French Data Protection Act last November came up yesterday with a new proposal which they will submit to Viviane Reding, the new EC Commissioner in charge of data protection. The senators would like the EC Directive to be modified so that European data protection laws apply to foreign Web sites that target a French audience, such as Google, eBay and Facebook. (Article in French)

 

EU – German Employee Data Storage Plan Criticized

Deutsche Welle reports that starting in January the personal behavior of more than 40 million German workers registered with the country’s national pension plan will be stored in a national data bank. The plan, known as Elena, has been called “unconstitutional” by Data Protection Commissioner Peter Schaar. In the plan the information compiled will be used to evaluate whether pension fund benefits should be disbursed to individuals. Schaar has called on lawmakers to revise the law, saying it “exceeds the limits of legitimacy,” and parliamentarian Petra Pau accused the government of “excessive collection mania.” [Source]

 

EU – Google Convicted in French Copyright Case

A Paris court ruled Friday that Google’s expansion into digital books breaks France’s copyright laws, and a judge slapped the Internet search leader with a 10,000-euro-a-day fine until it stops showing literary snippets. Besides being fined the equivalent of $14,300 for each day in violation, Google was ordered to pay 300,000 euros in damages and interest to French publisher La Martiniere, which brought the case on behalf of a group of French publishers. [SiliconValley.com]

 

Genetics

 

UK – Hospital Keeps Secret DNA File

A Dublin hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge, in an apparent breach of data protection laws. The Children’s University Hospital in Temple Street has been under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases. Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample. The blood samples are stored at room temperature on cards with information including the baby’s name, address, date of birth, hospital of birth and test result. The DPC said it was shocked at the discovery. On four occasions the hospital has allowed scientists from a university and other hospitals to access the Newborn Screening Cards (NSCs) for research purposes. This was done on the basis of anonymity but without the consent of parents, and followed approval by the hospital’s ethics committee. The DPC is now engaged in urgent discussions with the hospital, the Health Service Executive (HSE) and the Department of Health to force the hospital to comply with data protection legislation by January. The DPC could order the destruction of the records if it is not satisfied the hospital is taking the necessary actions. [Source]

 

US – Texas to Destroy Baby Blood Taken Without Consent

Texas health authorities will destroy more than five million blood samples taken from babies without parental consent and stored indefinitely for scientific research. The Texas Department of State Health Services announced that it would destroy the samples after settling a federal lawsuit filed by the Texas Civil Rights Project. The project, acting on behalf of five plaintiffs, had sued the Texas Department of State Health Services and the Texas A&M University System. The lawsuit alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected to screen for birth defects - violated constitutional protections against unlawful search and seizure. The plaintiffs cited fears their children’s private health data could be misused. Under the settlement overseen by a San Antonio federal court, the blood samples collected without parental consent must be destroyed by early next year. It also requires the department to publish a list of all research projects that used the blood specimens. [Source]

 

Health / Medical

 

AU – Two Years for Abuse of New Medical ID

Under draft legislation, employers and insurance companies who use Australia’s new electronic medical identification number for any purpose other than providing healthcare benefits may face two years in jail. Beginning in 2010, all newborns as well as current Medicare and Veterans Affairs card holders will be issued the new medical ID. A privacy statement from the Australian Government’s National E-Health Transition Authority warns the information “could be an attractive source of information for those within and outside of the health industry.” [The Australian]

 

US – Health Workers Push Web-Based Invisible Bracelet

U.S. ambulance crews are pushing a virtual medical ID system to rapidly learn a patient’s health history during a crisis - and which can immediately text-message loved ones that the person is headed for a hospital. The Web-based registry, invisibleBracelet.org, started in the state of Oklahoma and got a boost this fall when the state’s government made the program an optional health benefit for its own employees. Now the iBracelet attempts to go nationwide as the American Ambulance Association next month begins training its medics, who in turn will urge people in their communities to sign up. For $5 a year, basic health information and up to 10 emergency contacts are stored under a computer-assigned secret number that’s kept on a wallet card with your driver’s license, a key fob or a sticker on an insurance card. It’s a complement to the medical alert jewelry that people with diabetes, asthma and a host of other conditions have used for decades to signal their needs in an emergency. And it comes as the American College of Emergency Physicians is trying to determine just what information is the most critical for medics and ER doctors to find when you’re too ill or injured to answer questions, so that competing emergency-alert technologies don’t miss any of the essentials. [Source]

 

Horror Stories

 

US – Heartland Will Pay AMEX US $3.6 Million to Settle Breach-Related Charges

Heartland Payment Systems has agreed to pay American Express US $3.6 million to settle charges stemming from the 2008 Heartland data security breach. Albert Gonzalez has been charged in connection with that breach and a number of others. Because the card-issuing banks normally bear the cost of replacing compromised payment cards, Heartland is facing several suits. This is the first one that Heartland has settled. The company has also paid fines levied by Visa and MasterCard. [ComputerWorld]

 

US – Stolen Laptop Holds Military and DoD Employee Information

A laptop computer stolen from the home of a Fort Belvoir Family and Morale, Welfare and Recreation Command contains personally identifiable information of more than 42,000 US Army soldiers, US Department of Defense employees and their families. The theft occurred on November 28. The Command learned of the theft on December 1. Affected individuals will be notified of the security breach by letter. [SCMagazine]

 

US – Mass. Supreme Court throws out Lawsuit Against BJ’s over ‘04 data breach

The Massachusetts Supreme Judicial Court has upheld a lower court’s decision to dismiss a lawsuit against BJ’s Wholesale Club over its 2004 data breach, reports Computerworld. More than 60 credit unions sued BJ’s in 2005, claiming that it breached its contract with the bank responsible for processing its transactions by failing to expunge magnetic stripe data, which led to the breach that affected nine million credit and debit cards. But in its ruling the high court said that BJ’s contract with Fifth Third Bank “was not meant to be enforced by third parties.” [ComputerWorld]

 

UK – School Admits Loss of 1,000 Student and Staff Personal Details

A Birmingham school will improve security on portable devices and will train staff on data security following its loss of personal information on 1,200 students and staff members. The information was stored on an unencrypted laptop computer. The measures are part of a formal undertaking the Waseley Hills High School and Sixth Form Centre entered into with the Information Commissioner’s Office. “It is vital that personal information is handled securely, especially where so many children and young people are concerned,” said Assistant Information Commissioner Mick Gorrill. “If personal details fall into the wrong hands, individuals can experience considerable distress.” [Out-Law] See also: [UCSF Belatedly Announces September Data Breach]

 

WW – RockYou Hacker: 30% of Sites Store Plain Text Passwords

News emerged last week that a hacker successfully infiltrated the database of social network RockYou.com and located the login information of more than 32 million users. “The data was all in plain text and contained third-party logins, as well,” the report states. A TechCrunch report says the hacker “took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade.” TechCrunch criticized the company for failing to notify its users of the breach. However, RockYou has since posted a security notice on its homepage. [ReadWriteWeb]
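The TechCrunch report names two defects, a string-built SQL query and passwords kept in plain text. As an added illustration (not code from the article, RockYou or TechCrunch), the snippet below puts the weak pattern beside a hardened one: parameterised queries plus salted PBKDF2-HMAC-SHA256 hashes checked in constant time. Table and column names, the sample user and the iteration count are assumptions made for the demo.

```python
"""Plain-text passwords + string-built SQL, beside the hardened form.

Everything here is constructed demo data; nothing is taken from the breach.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumption: OWASP's published figure for PBKDF2-HMAC-SHA256; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def make_db() -> sqlite3.Connection:
    """In-memory database holding both schemas side by side (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # Weak schema: the password column holds the secret itself.
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    # Hardened schema: a random salt and a slow, salted hash; the secret is never stored.
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_plain VALUES ('alice@example.com', 'hunter2')")
    return conn


# --- the weak pattern (what the report describes) ------------------------------
def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """User input is spliced into the statement text, so it can change the query's logic."""
    sql = (
        "SELECT 1 FROM users_plain WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def dump_plain_passwords(conn: sqlite3.Connection) -> list:
    """What a copied table reveals to whoever obtains it: every password, readable."""
    return [row[0] for row in conn.execute("SELECT password FROM users_plain")]


# --- the hardened pattern ------------------------------------------------------
def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: a leaked table does not yield the passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt: identical passwords produce different hashes
    conn.execute(
        "INSERT INTO users_hashed (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup (input stays data), then a constant-time hash comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run both versions against the same inputs and return the outcomes."""
    conn = make_db()
    register_user(conn, "alice@example.com", "hunter2")
    # The textbook tautology: in the string-built query it rewrites the WHERE clause;
    # in the parameterised query it is just a password that does not match.
    tautology = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "alice@example.com", "hunter2"),
        "vuln_tautology": login_vulnerable(conn, "alice@example.com", tautology),
        "hard_correct": login_hardened(conn, "alice@example.com", "hunter2"),
        "hard_tautology": login_hardened(conn, "alice@example.com", tautology),
        "hard_wrong": login_hardened(conn, "alice@example.com", "hunter3"),
        "plain_leak": dump_plain_passwords(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```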

 

UK – Credit Card Provider Suffers Breach, Personal Data Lost

MBNA, the UK’s largest credit card provider, has confirmed that a laptop containing the personal details of its customers was stolen from one of its third-party contractors – NCO Europe Ltd – earlier this month. The information is said to include personal details; however, no PINs were reported to be contained in the stolen data. Although the exact details have yet to be confirmed, it is expected that thousands of customers will be affected by this incident. While the situation is monitored, MBNA has provided affected customers with free access to CreditExpert from Experian for the next 12 months. [Source]

 

Identity Issues

 

AU – Australian Gov’t to Streamline Online Authentication

The Australian Federal Government has moved to streamline the use of authentication tools among departments and agencies. In a statement, Minister for Finance and Deregulation Lindsay Tanner said three lead agencies would be appointed in early 2010 to manage the “delivery of authentication services across Australian Government agencies”. “Along with minimizing duplication of authentication services in use by the Federal Government, the Australian Government Information Management Office (AGIMO) is currently developing solutions that provide people with the option of combining multiple accounts,” Tanner said in the statement. [IT World Canada] [The Australian]

 

Intellectual Property

 

WW – Kindle DRM Broken

Two different people claim to have broken the digital rights management (DRM) technology on Amazon’s Kindle ebook reader so that the files stored in the application can be used on other devices as well. One method allows the ebooks to be transferred as PDF files. Another method of cracking the DRM targets the recently-released Kindle for PC application that allows people to read books on PCs. [Computer World] [The Register] [BBC News] [H-Online] [CNet]

 

Internet / WWW

 

CN – China to Require Internet Domain Name Registration

China has issued new Internet regulations, including what appears to be an effort to create a “whitelist” of approved websites that could potentially place much of the Internet off-limits to Chinese readers. The Ministry of Industry and Information Technology ordered domain management institutions and internet service providers to tighten control over domain name registration, in a three-phase plan laid out on its website (www.miit.gov.cn) late on Sunday. “Domain names that have not registered will not be resolved or transferred,” MIIT said, in an action plan to “further deepen” an ongoing anti-pornography campaign that has resulted in significant tightening of Chinese Internet controls. Only allowing Chinese viewers to access sites registered on a whitelist would give Chinese authorities much greater control, but would also block millions of completely innocuous sites. The rules did not specify whether the new measure applies to overseas websites, but local media reported the risk that foreign sites that have not registered could also be blocked. [Source]

 

Law Enforcement

 

US – San Jose Cops Will Wear Body Cameras

Eighteen helmet cameras are being put into use in San Jose in a test program aimed at reducing escalating violence in arrests and general public interactions. The department has been under fire for a number of alleged abuses of force. Patrol officers in the experiment will turn on the cameras every time they talk with anyone. The cameras look a lot like Bluetooth earpieces and are attached via headband. A mini computer rides on the officer’s belt. Every shift will end with a data download. Arizona-based, publicly traded Taser International is footing the initial cost for the experiment. The gear rings up at $1,700 per officer, plus a $99 monthly fee per officer. That’s a heavy outlay if every officer has the equipment, but lawsuit payouts for wrongful death, incarceration or injury aren’t cheap either. The so-called “Bobbie Cam” has been in selective use in the United Kingdom since 2007, where it is claimed that violent crime has been reduced by 8% and incidents of excessive officer force are at zero. They are particularly used in answering domestic violence calls. The ACLU has come out strongly against police cameras, seeing them as a violation of the Fourth Amendment right to privacy, but courts have held that citizens have little expectation of privacy in public spaces. All body-camera-wearing officers are required to disclose that a citizen is being recorded. [Source]

 

Location

 

WW – Google to Comply with Swiss Court on Street View

Google will comply with an expected Swiss court ruling on whether its Street View web service fails to protect people’s privacy by showing their faces and licence plates, the company and Swiss authorities said. The company is accused of failing to sufficiently obscure such sensitive images in its photo mapping application, and of setting cameras on its filming vehicles at a height that allows them to see over fences, hedges and walls into private property. “Google commits to a final and binding Swiss court decision and to implement it also with regard to images which have already been transmitted outside of Switzerland,” Federal Data Protection and Information Commissioner (FDPIC) Hanspeter Thuer said in a statement on Friday. Google could continue taking photos of roads in Switzerland provided it gave at least a week’s notice of where photos would be taken, but would not be allowed to put the images on the Internet until the final court decision, Thuer said. A source close to the proceedings said a final court decision was unlikely within the next year. [Source]

 

Online Privacy

 

 

US – EPIC Files FTC Complaint Over Facebook Privacy Changes

The Electronic Privacy Information Center (EPIC) has filed a formal complaint with the US Federal Trade Commission (FTC) over Facebook’s recent decision to change its default privacy settings to make more information about Facebook members public; if users want to limit who can see information about them, they must make those changes manually. Facebook maintains the change is aimed at making it easier for users to control who can see their information. The complaint alleges that Facebook’s changes violate consumer protection laws. [InformationWeek] [MSNBC] [The Register] [NYT blog]

 

US – Privacy Policy Clause Insufficient to Reveal Poster’s Identity, US Court Rules

A blogger will remain anonymous thanks to a district court’s determination that a two-sentence statement in a privacy policy is not sufficient justification for revealing the individual’s identity. The U.S. District Court for the Western District of Missouri, Southern Division, ruled that a person who posted a comment to an online newspaper site did not waive his right to anonymity despite a privacy policy clause stating that posters’ information could be disclosed. “It cannot be said that the anonymous poster was aware he or she may be waiving the rights to free speech,” the court said in its ruling. [Out-Law]

 

US – Group: Online Ad Networks Mostly Comply With Privacy Rules

Despite concerns from some privacy groups and U.S. lawmakers about behavioral advertising, most large advertising networks generally comply with a set of privacy and data-handling standards adopted by the Network Advertising Initiative a year ago, the NAI said in a report released last week. The NAI’s first annual audit of its members’ privacy and data-handling practices found “no compliance deficiencies” in most areas of the group’s guidelines. The group’s 38 members had appropriate mechanisms in place for Web users to opt out of targeted advertising, they complied with rules for the collection and use of personal data, and they had reasonable security measures in place to protect the data, NAI’s report said. NAI members encountered a couple of compliance problems, however. Ten NAI members did not disclose the length of their retention periods for data used in behavioral advertising, as required in the guidelines. In addition, several members had weak programs to encourage their online partners to give customers notice and choice about behavioral advertising, the report said. The NAI “found that the evaluated members largely lack robust programs for enforcing contractual notice requirements, or for otherwise ensuring that notice is present where data is collected or used for behavioral advertising,” the report said. “NAI staff believes that member companies must take additional steps to help implement Web site publication of notice and choice mechanisms.” The 10 members that were not disclosing their data retention periods have either come into compliance or plan to do so shortly, the NAI said. NAI will work with member companies to develop a “comprehensive partner notice implementation plan” in the coming months, the report said. [Source] [NAI Annual Compliance Report]

 

WW – Firefox Addon PrivacyChoice Opt-Out Keeps Ad Networks Away from Web Habits

Ad networks and Web sites constantly track your behavior as you surf the Web, recording what sites you visit, what pages you visit on sites, and what kind of content you like to view. If you’d like to keep your personal Web preferences to yourself, get the free Firefox addon PrivacyChoice Opt-Out, which lets you stop more than 100 companies from tracking your behavior. PrivacyChoice Opt-Out protects your privacy by letting you opt out of privacy-invading ad networks and sites. Privacychoice.org also makes another Firefox add-in, TrackerWatcher, which lets you get similar privacy information about sites you visit as you surf the Web. [Source]

 

Other Jurisdictions

 

KY – Data Protection Law in the Works

The Cayman Islands government is developing the framework for a data protection law. “The law will impose requirements on ‘data controllers’ to handle personal information fairly and lawfully,” said Information and Communications Technology Authority (ICTA) Chairman David Archbold. “Personal data may only be collected, used, stored and accessed for specified purposes, and must always be adequately safeguarded. Data controllers will be accountable for complying with these principles and liable for breaches, such as unauthorised use or disclosure,” Archbold said, adding that a government working group is reviewing laws from other jurisdictions to aid the process. The group is expected to submit recommendations to the Cabinet Secretary and Attorney General in early 2010. [Cayman News Service]

 

HK – Hong Kong Commission to See Funding Increase

After the Privacy Commissioner informed his superiors that his office was losing staff and unable to perform its mission under current budget constraints, the Office of the Privacy Commissioner for Personal Data may see an increase in funds for 2010, the Standard reports. The Secretary for Constitutional and Mainland Affairs has proposed raising the commission’s budget from HK$5 million to HK$9 million, and may amend the existing privacy ordinance to give the office more than 45 days to investigate complaints. “With the current resources, to have a preliminary investigation on all the cases within 45 days is like a mission impossible,” said Commissioner Roderick Woo Bun. [The Standard]

 

Privacy (US)

 

US – White House Names Howard A. Schmidt as Cybersecurity Coordinator

President Obama will name Howard A. Schmidt as the new White House cybersecurity coordinator. Schmidt will oversee the government’s strategy for protecting computer systems, the report states. Schmidt was a cyber-adviser for the Bush administration, and has also held chief security roles with Microsoft and eBay. Currently, he is president of the nonprofit Information Security Forum. [Washington Post] [NY Times]

 

US – Netflix Sued for Violating Customer Privacy

An Ohio woman is suing Netflix for invading her privacy. The suit stems from a contest in which Netflix offered US $1 million for the best new system for improving its movie recommendations for customers. Netflix provided the contestants with information about the viewing habits of nearly 500,000 customers without the customers’ consent. The suit alleges that the data provided to the contestants were insufficiently anonymized. The plaintiff, who is identified only as Jane Doe in the suit, is a closeted lesbian and maintains that the information about her viewing habits could reveal her identity. The suit also aims to prevent Netflix from launching a second, similar contest. [The Register] [Home Media Magazine]

 

RFID

 

PH – Motor Vehicle RFID System Opposed

A petition has been filed before the Philippines Supreme Court in opposition to a Land Transportation Office plan to equip motor vehicles with radio frequency identification (RFID) tags. The Inquirer reports that opponents of the plan, including militant party-list representatives and a public transportation union, have filed for a temporary restraining order to give the court time to consider their case. The petition claims the tags represent an overreach of constitutional powers and are a threat to motorist privacy. If the plan is not halted, vehicles will be outfitted with the RFID tags starting in January. [Inquirer.net]

 

Security

 

 

WW – Cloud Security Alliance Releases Updated Guidance

The Cloud Security Alliance (CSA) has released the second version of its guidance for secure adoption of cloud computing services. The nonprofit alliance formally launched in April with the goal of promoting best practices for cloud computing security. The group released the first version of its guidance at the 2009 RSA Conference. The new version, “Guidance for Critical Areas of Focus in Cloud Computing - Version 2.1”, provides more specifics in several areas and more actionable advice, said Jim Reavis, Cloud Security Alliance co-founder and executive director. The evolution will eventually get to the point where the industry can have audits and certification of cloud providers, he said. The CSA’s guidance, which dozens of contributors helped develop, outlines key issues and provides advice across 13 domains, including incident response, encryption and key management, identity and access management, and legal and electronic discovery. It’s designed to help organizations understand what questions to ask cloud providers, current recommended practices, and pitfalls to avoid. [Cloud computing data security starts with internal strategy, experts say] [How to justify information security spending on cloud computing] [SearchSecurity.com]

 

WW – A Dozen Cyber Threats for 2010

Blogger Bob Sullivan has identified a dozen top threats to data privacy and security for computer users in the coming year. Among the threats Sullivan lists are: a resurgence of e-mail Trojan horses, diminished anti-virus effectiveness, fake anti-virus software, social networking fraud, botnets, spam, Mac attacks, cell phone hacks, SEO-based attacks, Windows 7 vulnerabilities, URL shortening services and the Gumblar worm. “Serious threats abound, and bad guys are mostly still outpacing good guys in our virtual world,” Sullivan writes, adding that 2010 will likely be slightly less secure online than 2009. [MSNBC]

 

Surveillance

 

WW – You’ve Got Mail — From Santa

Old St. Nick – the pudgy, wrinkled fellow that kids write letters to and visit at the mall during holiday season – is steadily being replaced by Cyber Santa Claus. Instead of waiting for kids to see him in person, Santa chats online. He texts. He tweets. He e-mails. He sends cell-phone pictures and makes videos. Santa’s transformation is being ushered in by companies that seek to keep up with the Internet’s growing influence, particularly with children. They’ve made St. Nick accessible, instantaneous and omnipresent.

Some web sites and services discussed in the article: Portable North Pole; ChatWithSanta.com; TextSanta.net; and SantaMessage2U. [Source]

 

US – Einstein and Citizens’ Privacy: Philip Reitinger

Einstein is an intrusion detection - and soon an intrusion prevention - system the government is deploying to safeguard government IT systems. Some cybersecurity experts contend Einstein has the potential to intrude on the privacy of individual Americans, a concern Philip Reitinger dismisses. Reitinger, deputy undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate and director of the National Cybersecurity Center, says the only purpose of Einstein is to protect government networks. “To that end, it is not our intention to go out and seek things like personally identifiable information,” Reitinger said in a two-part interview. Besides Einstein, other subjects Reitinger addressed in the interview conducted by GovInfoSecurity.com included:

· Balancing incentives with regulations to get the private-sector operators of the nation’s critical IT infrastructure to provide adequate system safeguards.

· The need to develop metrics to measure the security of IT systems.

· The importance of the recently opened National Cybersecurity & Communications Integration Center. [Source]

 

CA – Groups Mull Use of GPS to Help With Alzheimer’s

One day this month, just before the first snowstorm of the season, 73-year-old Maria del Carmen Serrano wandered away from her Montreal apartment and walked nearly five kilometres across town. She never came home. It was the third time the woman, who had Alzheimer’s disease, had strayed, but this outing was fatal. Ms. Serrano was found three days later in the snow, dead from exposure. Her death has sparked a discussion about whether a GPS bracelet that uses tracking technology might have saved her life. Montreal police, who mobilized dozens of officers to hunt for Ms. Serrano, say they are studying the idea of providing such devices to those with Alzheimer’s and others at risk. In September, an Alberta inquiry into the freezing death of an 88-year-old man urged health-care officials to consider GPS wrist or ankle devices to track elderly people with dementia. The man wandered from his retirement home in the middle of the night. But privacy concerns have been raised, and Alzheimer’s groups caution against seeing GPS systems as a panacea. Such devices are already being marketed in Canada. “It can give a false sense of security,” said Sylvie Grenier, director-general of the Alzheimer Society of Montreal. “A bracelet with a GPS device will never replace the vigilance of a family.” [Source]

 

Telecom / TV

 

CA – Telecom Regulatory Policy CRTC 2009-657

The Canadian Radio-television and Telecommunications Commission (“CRTC”) has issued a new rule governing the use of Internet traffic management practices (“ITMPs”) by Internet Service Providers (“ISPs”). While the CRTC Decision deals primarily with the technical aspects of ITMPs, the CRTC found it appropriate to establish privacy provisions in order to protect personal information (“PI”) of subscribers; the Decision directs all primary ISPs not to use PI collected for the purposes of traffic management for other purposes and not to disclose such information. The CRTC also directed all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use PI collected for the purposes of traffic management for other purposes and not disclose such information. The CRTC noted that ISPs use aggregated information collected for the purposes of network planning and engineering, and expects that they will continue to rely on aggregated information for such purposes. [CRTC]

 

US Government Programs

 

US – House Ethics Committee Data Leak Prompts Security Policy Changes

US House of Representatives chief administrative officer Daniel P. Beard has recommended that legislative aides undergo new cyber security training and that the legislature take additional steps to protect sensitive data. The recommendations are the result of a six-week review prompted by the inadvertent leak of an Ethics Committee document. The new security policies will be clear in their insistence that all House data remain on House equipment, that the data must be encrypted when stored on mobile devices, and that they cannot be sent over any public system. Beard is also seeking to implement a requirement that the House’s wireless Internet service be password protected. In addition, legislative employees who travel out of the country will have their wireless devices, including laptops, checked both before and after trips. [Washington Post] [SCMagazine]

 

US – Passport Snoopers Still on The Job - Memos Show 11 Admonished Only

The nine people who pleaded guilty to snooping into the passport files of famous celebrities and politicians such as then-Sens. Barack Obama and Hillary Rodham Clinton were not the only workers at the State Department who peeked into confidential documents. The Washington Times has learned that at least eleven other State Department workers also have been caught snooping into passport files. But these workers have avoided criminal charges and appear to have kept their jobs. According to investigative memos released to The Times through an open records request, the additional workers glanced through the files out of boredom, “dumb curiosity” and “just being nosy.” They were admonished by the department for their behavior but not prosecuted. For example, one State Department official in Washington accessed secret passport files more than 40 times, but faced no criminal charges because the statute of limitations had expired, according to the memos, which were obtained through the Freedom of Information Act. Nine individuals have pleaded guilty in connection with the passport snooping scandal; the most recent two cases involved guilty pleas or sentences this month. Former State Department employee Karal Busch, 28, of District Heights, Md., received two years’ probation for looking up the passport files of at least 65 actors, musicians, models and others. Debra Sue Brown, 47, of Oxon Hill, Md., pleaded guilty in federal court in Washington last week to unauthorized computer access for looking up more than 60 celebrities and their families, including actors, comedians and athletes, as well as personal friends. Authorities said she said her sole motivation was “idle curiosity.” [Source]

 

US – Digital Strip Searches at Airports: Privacy Advocates Allege a Coverup

While thousands of holiday travelers are being digitally strip-searched at U.S. airports, privacy advocates are mounting a fresh effort to fight the technology. The Electronic Privacy Information Center has just filed suit against the federal government to uncover details of the use of the crime-fighting tool, the “millimeter-wave portals,” as federal officials call them. Privacy advocates fear the spread of these devices. [Village Voice]

 

US Legislation

 

US – Real ID Act Postponed by Department of Homeland Security

With most states unable to meet the Dec. 31 deadline that would require them to issue enhanced drivers’ licenses under the Real ID Act, the U.S. Department of Homeland Security (DHS) pushed back the deadline to May 10, 2011 in an announcement Friday, Dec. 18, while still remaining committed to the legislation. Forty-six of the 56 states and territories told the DHS they can’t meet the deadline, announced Deputy Press Secretary Matt Chandler. [Source]

 

Workplace Privacy

 

US – Pennsylvania Walmart Sued for Videotaping Employees, Customers in Bathroom

A Pennsylvania Walmart Supercenter videotaped employees and customers in a unisex bathroom, several former and current Walmart employees alleged in a lawsuit filed this week. Several employees discovered an “off-the-shelf” video camera in a store bathroom on March 31, 2008, according to the court filing. The unisex bathroom, which also served as a changing room, was used by employees and customers. Customers and employees were not notified of the surveillance, according to the court filing. According to the court filing, the camera was installed by Walmart’s loss-prevention unit. The camera was used to monitor employees for possible theft, and it is unclear how long the surveillance took place, McLain said. None of the plaintiffs, however, were accused of stealing from the store. A store manager acknowledged the existence of the surveillance camera only after employees produced a photo of the camera, McLain said. The retailer’s “Security and Privacy” policy states that at “some stores and clubs [Walmart] may record your presence on security monitors for safety and security purposes,” according to court documents. Three of the plaintiffs were terminated after complaining to store management about the video surveillance, McLain said. Of the remaining plaintiffs, one worker has quit and three men continue to work at the store. Walmart declined to comment on the three terminations. The lawsuit, which seeks more than $50,000 in damages, was filed after the parties failed to reach an out-of-court agreement, McLain said. Among its allegations, the suit claims violations of federal and state wiretapping laws, invasion of employees’ and customers’ privacy, wrongful discharge and violation of worker and civil rights practices. [Source]

 

US – Supreme Court to Decide Privacy of Employee Texts

The U.S. Supreme Court this morning decided to hear a case on the privacy of employee text messages sent on employer-provided devices. The case – City of Ontario v. Quon (08-1332) – could have profound implications for employee privacy rights, according to a Baltimore Sun report. It involves an Ontario, California police officer who sent sexually explicit messages to another officer using a department-issued device. The messages were discovered during an audit, and a lawsuit claiming privacy violations followed. California’s Ninth Circuit Court of Appeals ruled in favor of the sender of the messages, but dissent by a number of judges prompted an appeal to the Supreme Court. [Washington Post]

 

EU – Garante: Monitoring Employees’ Internet Activities is Unlawful

The Italian Data Protection Authority (the Garante) has, by resolution, prohibited the monitoring of employees’ Internet surfing activities. The resolution was adopted in a case against a company that tracked and recorded an employee’s online activities for nine months. The tracking logs were created using ad hoc software able to record Web sites, Web pages, the number of connections and the time spent on each page. According to the Garante, the company’s activities violated two different statutes: one related to the Italian Employees Code, and one related to the Italian Data Protection Code. In both cases, the processing was deemed disproportionate, unfair and excessively prolonged. (News in Italian)

 

 

+++