Privacy News Highlights

21–28 February 2009



CA – Canadian Government Plan to Collect Biometric Info from Visitors

CA – Federal Privacy Commissioner Grilled Over Response Time

CA – Joint Exit Controls Weighed at Border

CA – Yukon’s Top Doctor Questions Proposed Blood-Testing Legislation

CA – PEI Information Commissioner Chides Environment Department

US – Consumers Unwilling to Sacrifice Convenience for Security, Gartner Says

US – Washington DC: Criminal, Other Records Available Online

US – Federal Court: Defendant Must Decrypt PGP-Protected Laptop

CA – Canadian Anti-Spam Bill in Senate

UK – Fight Against Terror ‘Spells End of Privacy’

UK – Parents Urged to Guard Children’s Data from ContactPoint

EU – Art 29 WP Issued Opinion on Children’s Personal Data

EU – Party Wants Bigger Reach on Breach Notification

US – Easing Government Information Overload

WW – Australian Web Censorship Plan Heads Towards a Dead End

CH – Switzerland - Task Force to Defend Financial Privacy Tradition

CA – Private Member’s Bill to Renovate Access-To-Information Law

CA – Dire Diagnosis for Access to Information in Canada: Marleau

UK – Gov Forced to Publish ID Card Reviews Report

US – Utah Bill Advances to Senate

EU – Government to Retain DNA Samples of Innocent

CA – Ontario Coroner will Share Files With Children's Advocate

UK – Memo Reveals Multiple Breaches of ID Card Database

UK – 2009 February Report of the Auditor General of Canada

US – FTC Report: ID Theft Remains No.1 Fraud Complaint

SW – Swedish Parliament Passes Copyright Bill

CA – Privacy Commissioner Enters Net Neutrality Fray

CA – Ontario Judge Orders Disclosure of Facebook Profile

AU – Cops May Tap Facebook, Email

WW – Facebook Tries to Become a Democracy

EU – Google Defuses Street View Privacy With User Photos

WW – Does Cloud Computing Mean More Risks to Privacy? Report Says “Yes”

WW – Survey: Majority Concerned about Privacy

PH – Philippines Govt Consults Security Experts on Data Privacy

US – New Homeland Security CPO Named

US – Leibowitz to be Named FTC Chair

US – Republican Asks White House for E-Mail Policy

US – New Legislation Could Criminalize RFID Security Testing

UK – Council Staff Making “Serious Security Breaches” of Key Government Database

US – PCI Council Ranks Security Risks, Milestones

CA – GovSym Raises Notion of Central IT Security Agency

WW – Study: Stealing Money or Data Is Not Always the Aim of Hackers

US – Consensus Audit Guidelines Released

US – Consortium Releases Consensus Security Audit Guidelines

EU – Richard Thomas: Surveillance State Makes Suspects of Us All

EU – Rotterdam Police Pilot High-Res Surveillance to Reduce Retail Theft, Robberies

US – FCC to Telecoms: Explain Privacy Protection or Pay Up

EU – Push to Abolish Restrictions on Wiretapping VOI calls

US – DHS Committee: Collect more Info on People to Protect Their Privacy

US – Proposed Legislation Would Require Retention of Internet Use Data for Two Years

US – The Internet Safety Act Launches a New Battle on Privacy

WW – Exiting Workers Taking Confidential Data With Them

CA – Canadian Government Plan to Collect Biometric Info from Visitors

The federal government is quietly working on a controversial plan to collect biometric information from visitors to Canada, immigration department officials have revealed. If all goes as planned, the new program will start in three to four years. “The idea will be that we will take biometrics from people who are coming temporarily to Canada and need a visitors’ visa – temporary workers, students and visitors,” Claudette Deschenes, assistant deputy minister in the immigration department told members of Parliament. “Those who don’t need a visitor’s visa to enter Canada will be taken at the port of entry.” Deschenes said the immigration department is working with the Canada Border Services Agency and the RCMP on the project, which is currently in the planning stage. [Source]


CA – Federal Privacy Commissioner Grilled Over Response Time

Local MP Guy Lauzon was busy on Parliament Hill earlier this week pushing the Privacy Commissioner of Canada to improve customer service and response times when dealing with taxpayers. During a meeting of the Standing Committee on Access to Information, Privacy and Ethics, Lauzon grilled Privacy Commissioner Jennifer Stoddart on the Commission’s unacceptable response times to inquiries. “You mentioned that you have a 12-month target and if an investigation is completed before 12 months, you’ve met the target. The number you had that wasn’t meeting that target was considerable,” said Lauzon. “I just can’t imagine that you would build in a target that would go out that long.” Lauzon argued that the Privacy Commission should have a target that is much more customer-service oriented. “Have it built into the system, as an example, if your target was to do 80% or 90% of your claims within 90 days, those harder cases - and we had those cases that went on for three months or whatever - could be longer,” Lauzon argued. [Source]




CA – Joint Exit Controls Weighed at Border

Canada has quietly begun talks with the United States on implementing a form of exit controls between the two countries, the president of the Canada Border Services Agency has revealed. “We have had ongoing discussions with our colleagues to the south in our sister agency in the United States on the possibility of implementing a program that would basically, at the land border, see our entry system used as their exit system and vice versa,” Stephen Rigby told a parliamentary committee. [Source]


CA – Yukon’s Top Doctor Questions Proposed Blood-Testing Legislation

The Yukon’s chief medical officer has added his voice to growing opposition to proposed legislation that would force some people to have their blood tested for HIV and other blood-borne diseases. Dr. Brendan Hanley said the Yukon government’s proposed mandatory testing and disclosure act, as is, could infringe on privacy and medical ethics - a view that comes less than a week after Tracy-Anne McPhee, the territory’s privacy commissioner, said the act does not protect the privacy of Yukoners. Under the proposed law, a person would have to have their blood tested if their bodily fluids come into contact with an emergency worker or a victim of crime. The legislation could also allow a doctor to access a person’s medical file to see whether that person has any blood-borne diseases. The territorial government introduced the act in December, at the urging of police, nurses, paramedics and other emergency workers. Officials have said the act would also help victims of sexual assault and other crimes. But while the legislation could alleviate emergency workers’ anxieties, Hanley said there may be better ways of achieving that goal without resorting to mandatory blood testing. Hanley said he believes his concerns are being taken seriously, adding he’s heard the bill may be deferred from the legislature’s spring session to the fall session. [Source]


CA – PEI Information Commissioner Chides Environment Department

P.E.I.’s acting information commissioner has rejected the Environment Department’s argument that it has its own guidelines about releasing records to the public. Commissioner Judy Haldemann told CBC News that she ruled the department doesn’t have the final say in what documents can be released. She also chided department officials for questioning why an applicant wanted details on an environmental assessment on a private project. The department maintained the applicant had no pressing need for the information. Haldemann said the guidelines for releasing information are in the province’s Freedom of Information and Protection of Privacy Act. “There’s nothing in the FOIPP Act that says you have to give a reason or makes any mention of a reason for requesting access to information,” she said. [Source]




US – Consumers Unwilling to Sacrifice Convenience for Security, Gartner Says

Although consumers claim to be concerned about security, they have little tolerance for sacrificing convenience to safeguard that security, according to Gartner. Despite widespread security concerns, consumers continue to rely on service providers to protect their safety and persist in using unsafe password management practices, preferring to maintain the status quo rather than exploring new security methods. “The survey findings serve to confirm our belief that there is a limited business for identity providers to manage general-purpose consumer identities and passwords to be used to access sites across multiple business contexts, such as financial services, government and healthcare,” said Avivah Litan, vice president and distinguished analyst at Gartner. “Instead, it is more likely that these providers will have some success managing identities for limited use on multiple sites within a specific business.” Gartner analysts said providers have a duty to provide a compelling justification for consumers to adopt additional security measures; a change in perception could precipitate an increase in sales. Additional information is available online in the Gartner report “Consumers Don’t Want to Change the Ways They Manage Online Passwords.” [Source]




US – Washington DC: Criminal, Other Records Available Online

D.C. Superior Court officials are promoting a Web site that gives the public access to a variety of court records, including those in civil, criminal, domestic violence, tax and probate cases. The records are available on computers in the public reading room at the courthouse. The information is posted here. It can also be found at the court’s main home page by clicking an icon that says “Remote Access to Superior Court Dockets.” The court has been working for months to make information available online as part of its efforts to improve public access to records. [Source]




US – Federal Court: Defendant Must Decrypt PGP-Protected Laptop

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested. Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. The Fifth Amendment says nobody can be “compelled in any criminal case to be a witness against himself,” which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors. Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over “passwords used or associated with” the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them. 
At issue in this case is whether forcing Boucher to type in that PGP passphrase —which would be shielded from and remain unknown to the government— is “testimonial,” meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different. Barry Steinhardt, director of the ACLU’s technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher “should have been able to assert his Fifth Amendment rights. It’s not the same thing as asking him to turn over the Xeroxed copy of a document.” [Source] [Background]




CA – Canadian Anti-Spam Bill in Senate

An anti-spam bill that would impose jail terms and fines on spammers, if approved by the Senate, is under consideration in the Canadian Senate. The bill, known as S-220 and titled “An Act Respecting Commercial Electronic Messages (the Anti-Spam Act)”, would allow Internet Service Providers (ISPs) to refuse, filter and block spam e-mails. S-220 would also cover phishing attacks. In his speech on February 5, 2009, Senator Yoine Goldstein said that the objective of the proposed bill is to reduce spam, since it is impossible to eliminate it completely. Goldstein’s anti-spam bill proposes penalties ranging from a fine of up to $500,000 or two years in jail, up to a fine of $1.5 million or a five-year jail term for repeated spamming offences. The bill also proposes that the company involved may have to pay an additional fine equal to the profits made by a spamming operation. [Source]


EU Developments


UK – Fight Against Terror ‘Spells End of Privacy’

Privacy rights of innocent people will have to be sacrificed to give the security services access to a sweeping range of personal data, one of the architects of the government’s national security strategy has warned. Sir David Omand, the former Whitehall security and intelligence co-ordinator, sets out a blueprint for the way the state will mine data - including travel information, phone records and emails - held by public and private bodies and admits: “Finding out other people’s secrets is going to involve breaking everyday moral rules.” His paper provides the most candid assessment yet of the scale of Whitehall’s ambitions for a state database to track terrorist groups. It argues that while the measures are essential, public trust will be maintained only if such intrusive surveillance is carried out within a strong framework of morality and human rights. Safeguards must include appropriate oversight and means of independent investigation and redress in cases of alleged abuses of power. [Source]


UK – Parents Urged to Guard Children’s Data from ContactPoint

Parents of pupils at independent schools are being encouraged to ask for their children’s details to be “shielded” on the Government’s child protection database, amid fears over its security. The Independent Schools Council (ISC), which represents 1,280 fee-paying schools, has written to its members describing the new database, ContactPoint, as an “unjustified interference in the privacy of the majority of children and their carers”. David Lyscom, chief executive of the ISC, wants schools to write to all parents warning them that ContactPoint “will put some children at risk through data theft or loss”. The ISC also warns parents that the database will contain such poor-quality data that it may create a “misleading or unhelpful” impression of their child. [Source]


EU – Art 29 WP Issued Opinion on Children’s Personal Data

The European Union Article 29 WP has issued several new documents: [Source]


EU – Party Wants Bigger Reach on Breach Notification

In a revised “Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive)” (WP 159) on changes to the EU Privacy and Electronic Communications Directive, the Article 29 Working Party has again called for widespread data breach notifications. Currently, the European Parliament and European Commission plan to extend the rule only to telecom companies. The Working Party wants the rule extended to "Information Society Services," saying that such an extension is necessary due to the proliferation of such services--online banking, electronic health records and e-commerce, for example--in the daily lives of European citizens "and the increasing amounts of personal data processed by these services." [Source] [revised opinion]


Facts & Stats


US – Easing Government Information Overload

More efficient management of the increasing influx of information may be an untapped opportunity for government and education cost savings, according to a new survey of the U.S. public sector conducted jointly by Xerox Corp. and Harris Interactive. Findings indicated that 58% of surveyed U.S. government and education workers said they spend nearly half of their average workday filing, deleting or sorting paper or digital information. Other responses from the survey suggest taking steps to ease information overload will help speed up work processes, reduce employee stress and ultimately save time and money for government and education agencies. The survey, which polled government and education workers across the U.S., revealed that workers see paper as a facilitator of information overload and are looking to technology to help manage it. When considering a technology investment to bring them into the digital age, almost half (42%) ranked improved efficiency as the number one priority for doing so. For those surveyed that have started the digital migration, 63% somewhat to strongly disagree that their organization is completely digital, leaving room for improvement down the line. [Source]




WW – Australian Web Censorship Plan Heads Towards a Dead End

The Government’s plan to introduce mandatory internet censorship has effectively been scuttled, following an independent senator’s decision to join the Greens and Opposition in blocking any legislation required to get the scheme started. The Opposition’s communications spokesman Nick Minchin has this week obtained independent legal advice saying that if the Government is to pursue a mandatory filtering regime “legislation of some sort will almost certainly be required”. [Source]




CH – Switzerland - Task Force to Defend Financial Privacy Tradition

Swiss Finance Minister Hans-Rudolf Merz has launched a special task force to try to defend banking secrecy in the face of mounting international pressure. Merz will enlist the help of bankers, diplomats, economists and legal experts to help ward off attacks. Last week, Switzerland controversially handed over confidential client data to a United States tax evasion probe. On Wednesday UBS, Switzerland’s largest bank, paid $780 million in fines and agreed to hand over details of 250-300 customers to avert criminal proceedings relating to a tax evasion investigation. Merz was heavily criticised for his part in the climb-down that sidestepped legal proceedings in Switzerland. Merz has now responded to a cascade of recent international pressure. The US has demanded details of another 52,000 UBS clients, the European Union has waded into the debate and European leaders have vowed to launch a global crusade against tax havens at April’s G20 summit in London. [Source] [Escalating war on financial privacy dividing Europe]




CA – Private Member’s Bill to Renovate Access-To-Information Law

MPs were given a new blueprint to renovate the country’s antiquated access-to-information law on the eve of a scathing report from the federal information watchdog describing a system in sorry disrepair. A New Democrat MP introduced a private member’s bill Wednesday that would adopt measures Prime Minister Stephen Harper promised more than three years ago to adopt, but has yet to act on. The bill is based on a comprehensive package drafted in 2005 by then-information commissioner John Reid - reforms that would make more files accessible to the public, expand the commissioner’s oversight powers and introduce measures to help ensure federal agencies comply with the act. NDP MP Pat Martin said Wednesday there is more of a need than ever to scrutinize government activities given the billions of dollars in federal stimulus spending on the books. “This whole thing is based on the premise that people have a right to know what their government is doing.” [Source] [Source]

CA – Dire Diagnosis for Access to Information in Canada: Marleau

The Information Commissioner of Canada, Robert Marleau, tabled a Special Report in Parliament, documenting serious flaws with the administration of the Access to Information Act, Canada’s freedom of information legislation. The report, entitled Report Cards 2007-2008 and Systemic Issues Affecting Access to Information in Canada, is based on an assessment of how well a sample of 10 federal institutions performed in responding to information requests during fiscal year 2007-2008. Main Findings on Institutional Performance: Most institutions surveyed performed below average for various reasons including excessive workload, lack of resources and inefficient processes. The most significant finding attests to the fact that the 30-day period intended by Parliament to be the norm in responding to information requests is increasingly becoming the exception. The report shows a trend toward greater use of time extensions and for longer periods of time, a trend which is not matched by a proportional increase in the number of information requests. “Our analysis has confirmed what Canadians have been hearing and experiencing for a while now, when trying to obtain government-held information,” Mr. Marleau said. “There are major delays, particularly with extensions, with some institutions routinely taking months to respond to information requests. Canadians expect and deserve far greater efficiency and accountability from their government.” [Source] [Speaking Notes] [Special Report] Coverage: [Watchdog blasts Tories for secrecy obsession Information chief challenges Ottawa to ease ‘stranglehold’] [Right-to-know law ‘has no teeth’] [Access-to-information throttled from top: Commissioner] [‘Serious flaws’ in federal info-sharing: watchdog]


UK – Gov Forced to Publish ID Card Reviews Report

The Office of Government Commerce (OGC) will no longer be able to keep the contentious reports on its identity cards scheme confidential, as the Information Tribunal has upheld the Information Commissioner’s decision to publish the ID cards Gateway Reviews. In its new ruling, the Information Tribunal rejected OGC’s appeal to stop the disclosure of the controversial reviews, which the government stated would threaten the security of the nation. The decision follows a request under the FOI Act by anti-ID cards activist Mark Dziecielewski for the reports to be published, a request the Information Commissioner backed in 2006. [Source]


US – Utah Bill Advances to Senate

Lawmakers and public interest groups have reached a compromise on a bill to strengthen privacy protections on some government records, reports the Salt Lake Tribune. HB 122 passed the Senate Government Operations Committee yesterday after substantial modifications were written into the legislation. Now it moves to the full Senate. The bill aims to restrict public access to some government records. [Source]




EU – Government to Retain DNA Samples of Innocent

The UK government is planning to get around a European court ruling that condemned Britain’s retention of the DNA profiles of more than 800,000 innocent people by keeping the original samples used to create the database. A damning ruling last December criticised the “blanket and indiscriminate nature” of the UK’s current DNA database - which includes DNA from those never charged with an offence - and said the government had overstepped acceptable limits of storing data for crime detection. Last month the home secretary, Jacqui Smith, said she would publish a white paper setting out “a more proportionate, fair and commonsense approach”, but she has not given any indication whether DNA samples already obtained would be destroyed. However, Home Office sources said the government, which was given three months to respond to the ruling, has “no plans” to destroy samples of DNA. The revelation raises questions about the extent of the government’s response to the court’s findings and prompted fresh criticism last night of its “surveillance state” ambitions. [Source]


Health / Medical


CA – Ontario Coroner will Share Files With Children's Advocate

The chief coroner's office is willing to provide Ontario's child advocate detailed information on the 90 deaths of children in the child welfare system in 2007, with names removed to protect privacy. Irwin Elman, in his annual report to the legislature this week, said his inability to access this information makes it difficult to do his job. Privacy laws prohibit the coroner from releasing background reports on these deaths, said deputy chief coroner Dr. Bert Lauwers. But Lauwers, who heads the chief coroner's pediatric death review committee, which examines all child deaths in the province, said he is prepared to give Elman the reports with names removed. [Source]


Horror Stories


UK – Memo Reveals Multiple Breaches of ID Card Database

The database that will take a central role in the national identity-card scheme has been breached more than 30 times since 2006. The breaches of the Customer Information System (CIS), which is run by the Department of Work and Pensions, were revealed in a DWP memo to housing benefit and council tax benefit staff on 15 January. CIS is designed to give local authorities access to citizens’ data, including HMRC tax-credit information. In 2006, it was decided that the ID card project would use CIS for biographical information, to avoid having to create a new, monolithic database of the UK’s inhabitants. In the DWP memo, the government department said that desktop access to CIS had helped to “significantly improve service delivery” to citizens, but noted that a series of checks had identified that some local-authority staff were committing serious security breaches using the system. On Wednesday, a spokesperson for the Department of Work and Pensions said that 33 such breaches had been identified since 2006, but said the breaches were not necessarily intentional. [Source]


Identity Issues


UK – 2009 February Report of the Auditor General of Canada

Identity information is essential to delivering federal services. The AG estimates that there are at least 9 large databases in the federal government that include establishing identity as an important aspect of delivering services to clients and in which most adults in Canada can expect to be included at some point in their lives. Four federal institutions manage these nine databases. Their audit examined identity information databases of the Canada Revenue Agency, Elections Canada, Passport Canada, and Service Canada. They found that there is no integrated federal approach to managing identity information...Initiatives pursued by federal institutions over the past 10 years to jointly use and manage identity information have resulted in duplication, frequent reconsideration of the same problems, and incomplete solutions to the underlying needs. [Source]


US – FTC Report: ID Theft Remains No.1 Fraud Complaint

Identity theft remains the top category of fraud affecting consumers, and it jumped considerably last year, according to the FTC’s annual consumer complaint report. The FTC’s Consumer Sentinel Network Complaint Data Book report for 2008 shows the number of identity theft complaints up around 20% from 2007, from 259,266 in ‘07 to 313,982 in ‘08. Identity theft represents 26% of all consumer fraud complaints, followed by third-party and creditor debt collection (9%), shop-at-home and catalog sales (4%), and Internet services (4%) and other forms of fraud. The FTC’s Consumer Sentinel Network is a database used by law enforcement to log consumer fraud complaints. The marked increase in identity theft complaints is significant in that the number of these reports had stayed mostly flat from 2006 to 2007, says Tom Rusin, president of Affinion Security Center, which provides personal data security services for consumers and businesses. Rusin says the jump may be due to several factors, including the high number of enterprise breaches last year, as well as fallout from the financial crisis. “As banks consolidate today, consumers expect to get more information [electronically] from their bank,” Rusin says. “That’s an opportunity for identity thieves to do phishing attacks.” Rusin says the report also highlights how, contrary to popular belief, identity theft isn’t just about bank card fraud; while 20% of the ID theft cases reported last year were bank card fraud, around 30% originated from document fraud, such as SSN theft and employment fraud. Many people don’t realize that document fraud is also ID theft. The FTC report also shows what bad guys do with stolen identities. While 20% was pure credit card fraud, government documents or benefits fraud accounted for 15%, employment fraud for 15%, and phone or utilities, 13%. Interestingly, 65% of identity theft victims last year did not contact the police. “This just shows that most people don’t know where to turn,” Rusin says. And Arizona is still the No. 1 state for identity theft complaints, with 149 per 100,000 people, followed by California, Florida, and Texas. [Source]


Intellectual Property


SW – Swedish Parliament Passes Copyright Bill

As expected, the Swedish Riksdag passed a controversial new measure on Wednesday designed to make it easier to investigate suspected cases of illegal file sharing. The vote came following a spirited debate between Sweden’s Minister of Justice, Beatrice Ask, and detractors of the file sharing bill, which is based on the European Union’s Intellectual Property Rights Enforcement Directive (IPRED). [The Local]


Internet / WWW


CA – Privacy Commissioner Enters Net Neutrality Fray

The Privacy Commissioner of Canada has entered the net neutrality debate with a submission to the CRTC network management hearing on the privacy implications of network management that uses deep packet inspection technologies. The submission notes concerns with several uses of DPI, including scanning Internet traffic for certain content such as spam, copyright infringing materials, and hate content as well as for monitoring traffic loads to measure network performance. The Commissioner expresses the need to factor privacy into the network management issue, and writes, in regard to the Canadian ISP use of DPI, that: "There is concern that the implementation of DPI for Internet traffic management has been done in a manner that is less than transparent and potentially inconsistent with an individual's/consumer's expectations. There has been some evidence in a number of jurisdictions suggesting that such technology has been used for 'unreasonable network management practices.'" [Source]


CA – Ontario Judge Orders Disclosure of Facebook Profile

An Ontario judge has ordered a party to a civil litigation case arising from a motor vehicle accident to hand over the contents of their private Facebook profile. Importantly, the judge ruled that “a party who maintains a private, or limited access, Facebook profile stands in no different position than one who sets up a publicly-available profile.” The judge seems to have arrived at that conclusion based on her understanding of Facebook: “a court can infer from the social networking purpose of Facebook, and the applications it offers to users such as the posting of photographs, that users intend to take advantage of Facebook’s applications to make personal information available to others. From the general evidence about Facebook filed on this motion it is clear that Facebook is not used as a means by which account holders carry on monologues with themselves; it is a device by which users share with others information about who they are, what they like, what they do, and where they go, in varying degrees of detail. Facebook profiles are not designed to function as diaries; they enable users to construct personal networks or communities of “friends” with whom they can share information about themselves, and on which “friends” can post information about the user.” Case name is Leduc v. Roman. [Source]


AU – Cops May Tap Facebook, Email

Fears have been raised about police in Queensland, Australia abusing new phone-tapping powers to snoop on social networking sites such as Facebook and private e-mails. A Justice Department spokesman said police already had the power to access Facebook and email documents once received by the recipient; however, the new powers would give police "real time access". [Source]


WW – Facebook Tries to Become a Democracy

A week after its community erupted in protest over changes to its terms of service that appeared to give it control over its users’ information, Facebook announced that all significant policy changes on the site would be subject to comments from members and, if they prove controversial, a popular vote. Most immediately, Facebook will open a dialogue with users over a set of principles, or “foundational elements for how we want to govern the site,” said Mark Zuckerberg, the company’s founder and chief executive. Users will have the opportunity over the next 30 days to comment and vote on these principles, which are posted in a document that tries to harness some of the verbal eloquence of a governing constitution. Significantly, the company is reserving the right to roll out new features without consulting its members, so it is not clear just how meaningful all this is. But here are two of the more interesting principles Facebook is proposing to its users: Ownership and Control of Information: “People should own their information. They should have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service.” Transparent Process: “Facebook should publicly make available information about its purpose, plans, policies, and operations. Facebook should have a town hall process of notice and comment and a system of voting to encourage input and discourse on amendments to these Principles or to the Rights and Responsibilities.” [Source] [Press Conference transcript]


EU – Google Defuses Street View Privacy With User Photos

Google said that users of its Google Maps Street View feature can now view user-contributed photos from Panoramio, the geo-centric photo sharing site that Google purchased in 2007. In so doing, the company manages to deflect and dissipate much of the criticism leveled against it for company-directed image acquisition. It’s one thing for Google to be capturing and publishing images of a man walking into an adult bookstore, of a woman urinating behind a car, or of one’s home without permission. It’s another thing entirely when Google’s users are responsible for the image taking and posting. Google gets far more content with far less liability and far less cost. Perhaps to encourage more user photo submissions, Google suggests that users’ photos at popular landmarks are somehow competing with one another. Panoramio photos may also be submitted to appear in Google Earth; Google limits the number of photos it accepts to those that fit its Acceptance Policy. [Source] [Source] [Google blog post]


Online Privacy


WW – Does Cloud Computing Mean More Risks to Privacy? Report Says “Yes”

Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won’t be stepping on any privacy land mines in the process, according to a report released by the World Privacy Forum. The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and “emotional.” But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality. “There are a whole lot of companies out there that are not thinking about privacy” when they consider cloud computing, said Pam Dixon, executive director of the Cardiff, Calif.-based privacy advocacy group. “You shouldn’t be putting consumer data in the cloud until you’ve done a thorough [privacy] review.” According to the World Privacy Forum’s report, the data stored in cloud-based systems includes customer records, tax and financial data, e-mails, health records, word processing documents, spreadsheets and PowerPoint presentations. [Source] [WPF Report] See also: [Survey: Fear Slows Cloud Computing Adoption] [Cloud computing opens a legal Pandora’s Box: Legal Expert] and [Gov’t Agencies Embrace Cloud Computing] [Is Washington ready for cloud computing?]


WW – Survey: Majority Concerned about Privacy

A survey of 4,000 Internet users has revealed that most Web surfers are concerned about the privacy of their personal information online, reports MediaPostNews. Eighty percent of respondents reported concern about exposing private details, such as age, gender, income and browsing habits. Respondents age 55 and older were overall more concerned (85.7%) than younger users (67.3%). The survey also found that fewer than a quarter of all respondents approve of their information being used to deliver more targeted advertisements. "Advertisers must take concrete actions to mitigate consumers' privacy concerns," said Chuck Moran of Burst Media, the firm that administered the survey. [Source]          


Other Jurisdictions


PH – Philippines Govt Consults Security Experts on Data Privacy

Top government officials in the Philippines recently met with global IT policy experts to obtain guidelines for the proper legislation of laws related to data protection and privacy. The forum provided a review of the Philippines’ proposed data protection legislation, where speakers presented some specific provisions in proposed laws as appropriate and requested by the drafters. These were then commented upon by the panel as well as forum participants. Speakers at the workshop were Marty Abrams and Paula Bruening, both from the Centre for Information Policy Leadership (CIPL); Claro Parlade of Cyberspace Policy Center for Asia-Pacific; Peter Cullen of Microsoft; Manuel Maisog of Hunton & Williams; Malcolm Crompton of Information Integrity Solutions; Anick Cousens of IBM; Joe Alhadeff of Oracle; and Jeff Hardee of Business Software Alliance (BSA). [Source]


Privacy (US)


US – New Homeland Security CPO Named

Mary Ellen Callahan, CIPP, has been named the new chief privacy officer at the Department of Homeland Security (DHS). DHS Secretary Janet Napolitano announced the appointment yesterday, saying: "Having a seasoned professional like Mary Ellen on the team further ensures that privacy is built into everything we do." Callahan will join the department from her role as partner at Hogan & Hartson, LLP, in Washington, DC. Privacy, security, data protection, consumer protection and e-commerce law have been her specialty areas for more than a decade. Callahan is co-chair of the Online Privacy Alliance and vice-chair of the American Bar Association's Privacy and Information Security Committee of the Antitrust Division. [Source]


US – Leibowitz to be Named FTC Chair

President Obama will appoint current Federal Trade Commission member Jon Leibowitz, a Democrat, as the next chair of the commission. Leibowitz is an outspoken critic of certain online practices, including behavioral advertising, the report states. Recently, Leibowitz wrote: "Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our commission. Put simply, this could be the last clear chance to show that self-regulation can--and will--effectively protect consumers' privacy in a dynamic online marketplace." Jeff Chester of the Center for Digital Democracy said: "Public interest groups...appreciate that Leibowitz has called for tougher online privacy standards..." [Source]


US – Republican Asks White House for E-Mail Policy

A Republican congressman is calling on President Obama to ensure that all business-related e-mails from White House staff are appropriately preserved, including e-mails the staff sent from temporary Gmail accounts. Rep. Darrell Issa, the ranking Republican on the House Oversight and Government Reform Committee, sent a letter to White House Counsel Gregory Craig last Thursday, raising the concern that e-mails sent through personal accounts may not be retained. [CNET]


US – New Legislation Could Criminalize RFID Security Testing

Nevada is the latest state to propose legislation to regulate how RFID data is collected and used. Senate Bill 125 (SB 125), which was introduced earlier this month, would make it a felony to use RFID to collect personal identification without a person's consent. Critics say the way the bill is worded would make legitimate RFID research a crime. The opposition was in part motivated by a recent "white hat" hacker attack that exposed potential privacy and security vulnerabilities of the PASS Cards issued by the US federal government to facilitate border crossing (see Latest Anti-RFID Video is Actually Worth Watching). Defenders of the well-publicized hack liken it to a public service and say it was a valuable exercise for calling attention to previously-raised security issues. The proposed Nevada legislation would prohibit similar exercises. The bill provides two exceptions to collecting personal information by RFID: 1) if it is done in the ordinary course of business – which presumably would apply to border control agents and other government employees who work with identification systems, and 2) authorized payment card transactions. The second example would close a loophole that emerged in legislation proposed recently in New York. [Source]





UK – Council Staff Making “Serious Security Breaches” of Key Government Database

Staff at 30 local authorities have made “serious security breaches” of a government database that will form a key part of the National Identity Scheme. The breaches of the Department for Work and Pensions (DWP) Customer Information System (CIS), which will store biographical data about citizens carrying identity cards, have been occurring since 2006. The DWP said in a statement that routine checks had unearthed the security breaches. [Source]


US – PCI Council Ranks Security Risks, Milestones

Businesses shouldn’t let financial pressures put PCI security compliance on the back burner, and the PCI Security Standards Council has devised a 12-step program to help merchants get there. The council is about to introduce a prioritized list of its standards set down as milestones to be reached in order, with each milestone ranked so that the most critical security measures are implemented first. The goal is to guide businesses down the path to compliance with the payment card industry data security standards, which exist to prevent the loss of sensitive personal information such as credit card numbers and PINs. At the top of the priority list is getting rid of unnecessary sensitive data, so that if the system is compromised there is no sensitive data to steal; this, the council says, “will reduce the impact of a breach.” The second milestone is to harden perimeter security by such means as tightening firewall rules and locking down wireless access points. [Source]
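The first milestone, removing sensitive data you do not need, presupposes knowing where it has ended up. As an added example (not from the council's document), this Python scanner finds candidate primary account numbers in a constructed application log excerpt, confirms them with the Luhn check that card numbers satisfy, and reports them masked to first six/last four digits so the report itself does not become another store of card data. The log lines and the candidate pattern are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed application log excerpt (not a real log); the debug lines are the
# kind of place card numbers end up without anyone deciding to store them.
LOG_SAMPLE = """\
2009-02-21 10:14:02 checkout order=20090221123456 amount=49.95
2009-02-21 10:14:03 DEBUG auth request pan=4111111111111111 exp=1012
2009-02-21 10:14:05 DEBUG gateway retry card="5500 0000 0000 0004"
2009-02-21 10:14:06 checkout order=20090221123457 status=ok
"""


def luhn_ok(digits):
    """Luhn check-digit validation, which every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits):
    """Keep the first six and last four digits, the masked form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(text):
    """(line number, masked PAN) for each PAN found; never returns the full PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_lines(LOG_SAMPLE):
        print(f"line {lineno}: stored PAN {masked}")
```

The order numbers on lines 1 and 4 are long enough to match the pattern but fail Luhn, which is why the check is worth doing before raising findings; on real data, treat any remaining false positives as a tuning problem for the pattern rather than a reason to skip the Luhn step.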


CA – GovSym Raises Notion of Central IT Security Agency

Canada needs a central government authority for assessing IT security threats and coordinating effective risk management across the country, attendees of IT World Canada and Symantec’s GovSym public sector conference were told last week. Speaking as part of a panel discussion on cyber-crime and threat detection, the notion of a new intra-government organization was proposed by Ken Holmes, senior economic advisor at Public Works and Government Services. Holmes said such an organization would not only facilitate information sharing but conduct audits and reviews of plans or budgets related to cyber-security challenges. This organization could also serve as a central information and training centre where various government departments can share or exchange resources, he said. [Source]


WW – Study: Stealing Money or Data Is Not Always the Aim of Hackers

Hackers are generally assumed to attack websites for financial gain, but a recent study of 57 website hacks found that money or data is often not the aim. Twenty-four percent of the hacks analyzed were carried out to deface sites rather than to steal money or data or to inflict financial losses on the companies. Most of the defacements examined “were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign, while others had a cultural aspect, mainly Islamic hackers defacing Western Web sites.” The researchers wrote: “While financial gain is certainly a big driver for Web hacking, ideological hacking cannot be ignored.” [Source]


US – Consensus Audit Guidelines Released

A public-private consortium has released a list of 20 key actions organizations should take to prevent cyber attacks. The Consensus Audit Guidelines (CAG) are expected to serve as a best-practices model for computer security. “This is the best example of risk-based security I have ever seen,” said Alan Paller of the SANS Institute. James Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS) in Washington said: “This will definitely make the federal government a harder target.” The CAG are one part of a larger CSIS effort to implement recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency. [Source] [Consensus Audit Guidelines]


US – Consortium Releases Consensus Security Audit Guidelines

A consortium of security experts from government and industry has released the Consensus Audit Guidelines (CAG), a list of 20 controls that government and private industry organizations must implement to protect against and mitigate the effects of cyber attacks.  For each control, the CAG details the attacks it stops or mitigates, how to implement and automate the control, and how to determine whether the control is implemented effectively.  The CAG consortium includes the organizations that know how actual attacks are being executed (NSA Red and Blue teams, US-CERT, DC3, DoE nuclear labs, and more). The CAG is available for public comment through March 23, 2009. [Source] [Source] [Source] [Source] [Source]
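As an added example, not taken from the CAG itself, here is what automating and measuring one such control can look like in Python, assuming a control of the kind the list includes: an inventory of authorized devices. The script parses constructed DHCP server log lines, compares the hardware addresses that obtained leases against an assumed authorized inventory, and reports both unauthorized devices and authorized devices that never appeared, so the output measures how well the control is working rather than only raising an alert. The log format follows the ISC dhcpd DHCPACK line; the inventory and the log lines are constructed.

```python
import re

# Assumed authorized-device inventory (MAC -> asset name); constructed.
AUTHORIZED = {
    "00:11:22:33:44:55": "lab-pc-01",
    "00:11:22:33:44:66": "lab-pc-02",
    "00:11:22:33:44:77": "printer-03",
}

# Constructed ISC dhcpd-style log excerpt (not a real capture).
DHCP_LOG = """\
Feb 21 10:15:01 gw dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (lab-pc-01) via eth0
Feb 21 10:16:40 gw dhcpd: DHCPACK on 10.0.0.24 to 00:11:22:33:44:66 (lab-pc-02) via eth0
Feb 21 10:21:09 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Feb 21 10:22:13 gw dhcpd: DHCPACK on 10.0.0.40 to 08:00:27:AB:CD:EF (android-9f2) via eth0
"""

# Only ACKs prove a device actually got an address; the hostname is optional.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})(?: \(([^)]*)\))?")


def leases_from_log(log):
    """Map MAC -> (ip, hostname) from DHCPACK lines; the latest ACK wins."""
    leases = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.group(1), m.group(2).lower(), m.group(3) or ""
            leases[mac] = (ip, host)
    return leases


def audit(leases, authorized):
    """Compare observed leases against the inventory and measure coverage."""
    unauthorized = sorted(
        (mac, ip, host) for mac, (ip, host) in leases.items() if mac not in authorized
    )
    missing = sorted(mac for mac in authorized if mac not in leases)
    seen = len(authorized) - len(missing)
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "coverage": seen / len(authorized) if authorized else 1.0,
    }


if __name__ == "__main__":
    report = audit(leases_from_log(DHCP_LOG), AUTHORIZED)
    for mac, ip, host in report["unauthorized"]:
        print(f"UNAUTHORIZED {mac} {ip} {host or '-'}")
    for mac in report["missing"]:
        print(f"NOT SEEN     {mac} ({AUTHORIZED[mac]})")
    print(f"inventory coverage: {report['coverage']:.0%}")
```

The "missing" list is as important as the "unauthorized" one: a device that never shows up in the lease log is either off the network or obtaining addresses somewhere the check does not look, and either way the inventory is not yet a reliable picture of what is connected.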




EU – Richard Thomas: Surveillance State Makes Suspects of Us All

Every Briton could be “a suspect” if ministers persist in extending state surveillance powers, the Government’s privacy watchdog has warned. Information Commissioner Richard Thomas said “creeping surveillance” had gone “too far, too fast” and threatened to undermine the fundamental values of British society. He added that current government proposals to log everyone’s phone, email, text and internet records on a database would be a “step too far”. Mr Thomas also hit out at new data-sharing powers contained in a Coroners and Justice Bill which is before Parliament, saying they should be “narrowed”, and raised further concerns about the scope of the national DNA database, the growing use of CCTV cameras, and the impact of the new ContactPoint database with details of all the nation’s children. Mr Thomas said he was particularly worried about plans, due to be announced soon, for new powers which will enable the Government to store on a huge new database the computer, phone and other electronic records of all British residents. He suggested this would lead to unacceptable intrusion and added: “We’ve got to have a much clearer distinction between those who are suspects and everybody else. I think we’re at risk of making everybody a suspect if we go too far down this road.” [Source]


EU – Rotterdam Police Pilot High-Res Surveillance to Reduce Retail Theft, Robberies

Upwards of 20 downtown Rotterdam, Netherlands, shops have deployed IQeye megapixel cameras to combat store robberies. The new camera system follows a series of other measures taken in response to an increase in robberies in this commercial district. The Tobacco Shop Vivant in Rotterdam’s West District was the first store to install IQeyes. From there in late 2008, 17 more stores in Vreewijk and the Prince’s Square districts installed the smart megapixel camera system. The surveillance solution will be evaluated over a period of several months to see if it delivers the desired results for both the retailers and the police. Should the results be favorable, the retail surveillance system could potentially be deployed to hundreds of shops in the area. The camera feeds are directly connected with Rotterdam Police Dispatch through Milestone Systems’ XProtect video management software. When a shopkeeper experiences a robbery attempt or perceives trouble, he presses a button that activates the strategically placed megapixel cameras and a live feed is directly transmitted to the police control room. The robbers are filmed in high resolution providing razor-sharp images. In addition to the live feed feature, the IQeye 702s are continuously recording to a 16 GB CF memory card in the camera itself using IQrecorder software, so the shopkeeper has a record of all incidents. [Source] [Information Commissioner Richard Thomas warns of surveillance culture]


Telecom / TV


US – FCC to Telecoms: Explain Privacy Protection or Pay Up

Federal regulators have proposed to impose more than $12 million in fines on 600 telecoms that failed to file paperwork in 2008 explaining how they protect their customers’ private information. At issue are annual reports that phone companies, internet telephony concerns, and calling-card companies need to file explaining how they protect individuals’ phone records, cellphone location data and personal information from data brokers and over-the-line private investigators. The Federal Communications Commission tightened the privacy requirements and expanded the number of companies covered in 2007, but many companies seem to have failed to get the memo or take it seriously. That’s why the agency is proposing such widespread and newsworthy fines. The National Cable and Telecommunications Association opposes the stricter limits on sharing and selling customers’ phone records. But on February 13, a federal appeals court rejected the industry’s attempt to continue sharing your phone records with outside companies in order to craft marketing pitches to you. [Source] [FCC fines telcos for blowing off data protection reports]


EU – Push to Abolish Restrictions on Wiretapping VoIP Calls

European prosecutors are eager to abolish the legal and technical hurdles to wiretapping Internet telephone calls to better fight organized crime. As early as next week, the European Union’s judicial-cooperation agency Eurojust will receive an official request by Italian judicial authorities, who want to listen in on computer-to-computer phone calls between criminals who are increasingly turning to Voice over Internet Protocol programs such as Skype. When requested, The Hague, Netherlands-based Eurojust would facilitate meetings between judicial representatives from the 27 EU member states. These representatives would then meet to identify ways for prosecutors to deal with VoIP calls. They would have to take into account the various data-protection rules and civil rights, not to mention the 30 different legal systems in Europe. Such proceedings can take “between a few months and several years,” depending on the complexity of the issue. [Source]


US Government Programs


US – DHS Committee: Collect more Info on People to Protect Their Privacy

A Department of Homeland Security advisory committee strongly urged the agency today to proactively start collecting more data about individuals so that, when people request records about themselves, DHS can verify who they are. That might sound drastic, but it could be the end product of concerns that were almost unanimously voiced by members of DHS’s Data Privacy and Integrity Advisory Committee at its regular meeting. The committee came to the conclusion that it seemed more could be done to safeguard privacy. One committee member called DHS’s process of requiring a signed Privacy Act waiver “insufficient” to protect individuals’ own privacy interests. Several members suggested DHS use the same technology and methods to verify the identity of requesters that private credit reporting agencies use when an individual requests his or her credit report. For example, one committee member suggested DHS ask requesters to verify a requester’s identity by answering questions such as, “When did you last cross a border into the U.S.?” At heart, the members appeared concerned that individuals requesting access to information the government has on them aren’t really who they appear to be -- that they are instead identity thieves intent on keeping the information they get for years. [Source]


US – Proposed Legislation Would Require Retention of Internet Use Data for Two Years

US legislators have introduced a bill that would require extensive logging of Internet use.  The proposed legislation aims to help police with investigations.  All ISPs and wireless access point operators would be required to retain logs of users' activity for a minimum of two years.  The law would apply not only to large ISPs, but also to private homes that have wireless access points or wired routers that use the Dynamic Host Configuration Protocol as well as small businesses, libraries, schools and government agencies. [Source]


US Legislation


US – The Internet Safety Act Launches a New Battle on Privacy

Two Republicans from Texas, Sen. John Cornyn and Rep. Lamar Smith, have filed almost identical bills in the Senate and House with the same name: Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act. Most people refer to it simply as the “Internet Safety Act.” The bill would require almost everyone who provides Internet access to retain all records for two years. Right now, that includes big Internet service providers (ISPs) such as Verizon or Comcast, the coffee shop that offers free wireless access, and me because I have an Internet router set up at home that is accessed by several people. Another section of the bill says that anyone who “knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography” can be tried under the law. More than a few ISPs worry that under this broad wording the mere act of providing services such as e-mail might “facilitate access” to illegal material. Marc Rotenberg points out that there are other groups that would love to see this legislation go ahead, such as music and movie companies. He notes that “such a bill would ‘create new risk’ for Web surfers and peer-to-peer users, spawning legal fishing expeditions and lawsuits.” He called the legislation a “terrible idea.” [Source] [Internet Safety Act: Welcome, Big Brother]


Workplace Privacy


WW – Exiting Workers Taking Confidential Data With Them

As layoffs continue apace, a survey by the Ponemon Institute released yesterday shows what many companies fear: exiting workers are taking a lot more with them than just their personal plants and paperweights. Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee's next job stint. [CNET]