Privacy News Highlights

16–31 January 2009

 

Contents:

WW – State of the Art Biometrics Excellence Roadmap Technology Assessment

CA – Ontario Court Approves Biometric Punchclock

CA – Guidelines for Processing Personal Data Across Borders

CA – Ontario Commissioner: Return Policies Do Not Breach FIPPA

CA – Judge Overturns Alberta Commissioner Privacy Ruling

CA – Manitoba Offers Enhanced Photo ID for Travellers to U.S.

CA – Nightclub Case Headed to Court

CA – Ontario Privacy Commissioner Ann Cavoukian Rolls Out the “Big Guns”

US – New Tool Will Help Online Advertisers Develop Stronger Privacy Practices

US – EPIC, Civil Society Celebrate International Privacy Day

UK – Private Sector Could Get Citizens’ Information

UK – 440 MoD Data Storage Devices Lost or Stolen in 2008

UK – Children’s Database Presents Privacy and Security Concerns

US – Thrift Shop MP3 Player Contains US Military Data

AU – NSW Government Reports Data Breach

US – Alabama Bail Bond Companies Accessing Sheriff’s Database Without Authorization

WW – Spam Rises 150% In Two Months

US – Privacy Issue Complicates Push to Link Medical Data

US – Patient Advocates Urge Congress to “ACT” on Health Privacy

US – Health IT Stimulus Bill Contains Critical Privacy, Security Provisions

US – Google Denies Report of Lobbying to Allow Sale of Patient Medical Records

WW – Full Encryption Drives To Become Standard on all PCs

UK – Home Office Signs Dotted Line, Avoids Fine

WW – Data Privacy Day Spotlights Online Dangers and Defenses

US – ID Theft as a Stalking Tactic

WW – New Trend in Cyber Crime: Unprecedented Rise in Identity Theft Related Searches

WW – Businesses Risk $1 Trillion Losses From Data Theft

US – Federal Regulator Reverses on Internet Content Filtering Plan

US – Chinese Filtering Circumvention Tools Sell User Data

WW – Google And Universities Offer Tool To Detect Net Filtering, Blocking

AU – ISPs Clustered For Filtering Trials

CH – Swiss Government to Release Names

AU – Privacy Concerns Over Money Laundering Rules

US – Obama Orders Could Open Records

US – Court Denies Rehearing in Prescription Privacy Law Case

US – Bill Would Make Prescription Data Private

US – Card Data Breached, Firm Says

AU – Former Employee Admits Deleting Information From Government Computer System

US – Monster.com Reports Another Data Security Breach

US – EPIC, Experts Urge Supreme Court: Protect Anonymity & Pseudonymity

US – Medical ID Theft Subject of Report

IN – Government Kicks Off Unique ID Project for All Citizens

UK – Law Will Force ISPs to Pass File-Sharing Data to Record Labels

UK – UK Drops Plans For ISP Three Strikes and You’re Out Approach

SE – Swedish File Sharers’ Privacy in Jeopardy

EU – Irish Internet Users Face Shutdown Over Illegal Music Downloads

NZ – New Zealand Govt Rejects Calls To Alter Internet Law

WW – Google’s GDrive ‘Will Make the PC Redundant’

US – White House Exempts YouTube From Privacy Rules

WW – 2009: The Year of Social Networks in Business

US – Supreme Court Permits Arrest Based on Police Database Error

EU – Scotland Police Scour Facebook and Bebo for Criminals

EU – Police Find Dope Farm Using Google Earth

BU – Bulgaria Interior Ministry Wins “Big Brother” Nod

WW – Internet Threat to Minors Overblown: Study

WW – Search Engine Ixquick.com Completely Stops Recording IP Addresses

US – Napster Warns Subscribers Best Buy Will Have Access to All Personal Data

UK – British Govt. Tackling Internet Privacy

WW – Mozilla Wants to Watch Firefox Users

SG – Singapore’s Privacy Laws to be Reviewed

US – Bush Administration Asks to Suspend Wiretap Suit

US – Florida Settles Privacy Lawsuit; Drivers Get $1 Each

US – NIST Releases Draft Guidelines for Data Protection

US – 9th Circuit Ruling Bolsters Class Action Suit Against AOL

US – RFID Privacy Remains a Washington State Issue

ON – Ontario Court Decides Against Workplace Video Monitoring

EU – WADA Faces Court Challenge in Belgium

CA – Technology Straining Paper-Era Privacy Laws

CA – Do-Not-Call Registrants Getting Lots of Calls

US – Bid to Rein in Cellphone Photography May Prove to be Tone Deaf, Critics Say

US – Feds to ‘Rethink’ License Mandate

US – Homeland Security Promotes Employment Verification System

US – Federal Agencies Falter on Civil Liberties

US – Privacy Stimulus for Health IT

US – Supreme Court Will Not Hear DoJ’s COPA Appeal

CA – Teacher Registry Would Put Disciplinary History Online

 

 


Biometrics

 

WW – State of the Art Biometrics Excellence Roadmap Technology Assessment

The FBI commissioned a report, prepared by Mitre, as a roadmap to the development of biometrics technology. The report is in three volumes, two of which are presently available. Volume 1 presents the technology assessment portion of the State of the Art Biometrics Excellence Roadmap (SABER) study, which was conducted over a 10-month period in 2007-2008. The study included an extensive survey of biometric technologies, current products, systems, independent performance evaluations, and an overview of select research activities. The team visited representative federal, state, and local booking environments, a state detention facility, and saw large surveillance systems used for security and gaming. The site visits provided a valuable perspective on the constraints and challenges that must be considered for the FBI to fully realize the Next Generation Identification (NGI) system. The proposed roadmap recognizes FBI’s leadership in fingerprint technology as a solid foundation for expansion, and seeks a pragmatic course using cost-effective supporting technologies. Volume 2 presents the technology assessment portion of the State of the Art Biometrics Excellence Roadmap. [Volume 1] [Volume 2]

 

CA – Ontario Court Approves Biometric Punchclock

An arbitrator finds that a new biometric timekeeping system involving the collection of fingertip scans causes an almost negligible privacy infringement: less than half a fingertip image is taken, there is no physical intrusion, and the scan is converted into a mathematical representation. Agropur (Natrel) v. Milk and Bread Drivers, Dairy Employees, Caterers and Allied Employees - 2008 CanLII 66624 (ON L.A.) [Decision]

 

Canada

 

CA – Guidelines for Processing Personal Data Across Borders

The federal Privacy Commissioner has released “Guidelines for Processing Personal Data Across Borders.” The Office of the Privacy Commissioner of Canada (OPC) has developed these guidelines to explain how PIPEDA applies to transfers of personal information to a third party, including a third party operating outside of Canada, for processing. The guidelines do not cover transfers of personal information for processing by federal, provincial or territorial public sector entities. Nor do these guidelines deal with any specific rules governing transfers for processing that may be found in provincial private sector privacy laws. However, organizations not governed by PIPEDA for commercial activities within a province need to be aware that PIPEDA applies to transborder transfers. Summary of Key Findings:

• PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.

• PIPEDA does establish rules governing transfers for processing.

• A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.

• The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.

• Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.

• No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.

• It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.

• Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities. [Guidelines] [Source]

 

CA – Ontario Commissioner: Return Policies Do Not Breach FIPPA

The Liquor Control Board of Ontario (LCBO) does not breach the Freedom of Information and Protection of Privacy Act (FIPPA) by requiring customers to provide certain personal information when returning goods. That’s the ruling of Ontario’s Information and Privacy Commissioner, Ann Cavoukian, who investigated the LCBO’s practices in this area after receiving a customer’s complaint. The LCBO collects the names, addresses and telephone numbers of customers returning goods in order to help prevent fraudulent returns. Cavoukian says although she sympathizes with the complainant, “there is significant evidence in support of the collection of minimal pieces of personal information as a necessary measure in the prevention of fraud.” [Press Release] [Report: Reviewing the Return Policies of the Liquor Control Board of Ontario: Privacy Investigation Report PC07-100 – and A Review of the Literature Relating to Fraudulent Returns: Practices Used by Retailers to Combat Fraud]

 

CA – Judge Overturns Alberta Commissioner Privacy Ruling

A judge has overturned a 2008 decision of Alberta Information & Privacy Commissioner Frank Work. The ruling concerned an Edmonton bylaw requiring pawnshops and secondhand shops to collect the personal information of those selling their goods. Last February, Work ruled the city had not taken reasonable steps to protect the privacy of these customers’ personal information. Justice Joanna Veit recently upheld the bylaw, stating that the information commissioner’s “decision interferes with the ability of the municipality to legislate in relation to pawnshops and with the ability of a municipal police force to carry on its law enforcement action.” [Source] [Court decision] [Original Alberta Commissioner Decision]

 

CA – Manitoba Offers Enhanced Photo ID for Travellers to U.S.

Manitoba is introducing enhanced photo identification that citizens can use instead of a passport to travel over land or water into the United States. Air travellers still need a passport, but the new identification card will be valid ID for those entering the U.S. by road or water. The wallet-sized cards will be available on a voluntary basis for $30 to Manitobans who hold a valid driver’s licence, beginning Feb. 2. The card will be $50 for those who don’t have a driver’s licence. The card is not a substitute for a driver’s licence but contains an RFID chip that can be read by customs and immigration authorities. [Source]

 

CA – Nightclub Case Headed to Court

The federal privacy commissioner says certain data collection and retention practices of the Canad Inns’ hotel chain violate Canada’s privacy laws. The company digitally photographs the IDs of its nightclub patrons and stores the information for a month. Commissioner Jennifer Stoddart says that, in doing so, the company is violating PIPEDA. The company refused Stoddart’s request for it to cease, desist and destroy the information, saying the practice is part of the club’s security initiatives. The federal court in Winnipeg will hear the case on May 12. [Source]

 

CA – Ontario Privacy Commissioner Ann Cavoukian Rolls Out the “Big Guns”

Ontario’s Privacy Commissioner Ann Cavoukian rolls out the “big guns” to prove her point about using technology to protect privacy: The Privacy By Design Challenge. Dr. Ann Cavoukian has been urging governments and businesses for many years to embed privacy into the design of new technologies. Now, she’s bringing in the big guns of the technology world to prove her point. Among the 10 speakers at the Privacy by Design Challenge in Toronto on January 28 are leading executives from major companies such as Intel, IBM, Microsoft, HP, Sun Microsystems and Facebook, as well as emerging companies such as Peratech and Privacy Analytics, which are leading with innovative privacy technologies. The focus of the conference is on the emergence and growth of privacy-enhancing technologies (PETs), which the Commissioner believes will pave the way for ensuring the future of privacy. The Commissioner, who is co-sponsoring the conference with the Toronto Board of Trade, selected January 28 as the date for this event in order to commemorate International Data Privacy Day. [Source]

 

Consumer

 

US – New Tool Will Help Online Advertisers Develop Stronger Privacy Practices

CDT has released a new assessment tool to help online advertising companies develop strong, appropriate privacy protections for the users they serve. Released to coincide with Data Privacy Day 2009, the “Threshold Analysis for Online Advertising Practices,” is the result of extensive consultation among CDT, Internet companies and public interest advocates. It notes a series of simple tests companies can use to determine whether online advertising activities may trigger the need for additional privacy protections. The document also provides suggestions on how companies can begin putting those protections in place. [Threshold Document Press Release, January 28, 2009] [Threshold Document]

 

US – EPIC, Civil Society Celebrate International Privacy Day

EPIC and civil society organizations around the world celebrated International Privacy Day with a call to governments to sign on to the Council of Europe Privacy Convention, which was opened for signature on January 28, 1981. The object of the Privacy Convention, known as “Convention 108,” is to strengthen data protection for individuals with regard to automatic processing of personal information relating to them. The Convention remains timely. As one source noted, “In addition to being the first legally binding international instrument in the area of data protection, this Convention has withstood the test of time by being adaptive and fairly rigorous. Today the principles of this agreement are being examined for their applicability to the collection and processing of biometric data.” One scholar recently wrote that “It is not too difficult for the data protection laws of quite a few non-European countries to meet the requirements of Convention 108” and suggested “The opening up of Convention 108 to non-European countries is one way of sidestepping the cumbersome process of developing a new UN convention on privacy” and concluded that “this approach deserves serious consideration by Asia-Pacific and other governments that already have privacy laws of international standard, or are considering introducing them.” 41 countries have ratified the Convention 108. Civil society groups will continue their efforts to press for adoption of the Convention among the countries that have not yet ratified. On International Privacy Day, EPIC also honored eminent Italian jurist Stefano Rodotà with the “International Privacy Champion” award. 
EPIC said that Professor Rodotà has profoundly influenced the public’s understanding of human rights in the age of the Internet and described Professor Rodotà as “a powerful advocate for the rights of the citizen.” [EPIC, Council of Europe Privacy Convention] [COE Privacy Convention – Text] [Graham Greenleaf, “Accession to Council of Europe privacy Convention 108 by non-European states”] [International Privacy Day Campaign] [Net Dialogue, INITIATIVE: COE’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data] [EPIC, “Privacy and Human Rights”] [Statement of Senator Patrick Leahy on “Data Privacy Day”] [Facebook Fan page, Stefano Rodota]

 

E-Government

 

UK – Private Sector Could Get Citizens’ Information

Proposed amendments to the 1998 Data Protection Act (DPA) would give government officials the authority to share information collected on citizens with private-sector organisations. “It would allow for information to be shared with banks or other financial institutions,” said Rosemary Jay of the law firm Pinsent Masons. Officials would not have to notify citizens if their information was shared. Justice Secretary Jack Straw said the proposed change will help ease people’s dealings with government and its agencies, the report states. Some see it differently. Liberal Democrat Shadow Justice Secretary David Howarth said the changes were “more building blocks of [government’s] surveillance society.” [Source] See also: [UK: Legal Eye: Does Home Office online surveillance go too far?]

 

UK – 440 MoD Data Storage Devices Lost or Stolen in 2008

The UK Ministry of Defence (MoD) says that during 2008, 440 desktop computers, laptops, hard drives and memory sticks were lost or stolen. This brings the total number of devices reported missing in the last five years to over 1,640. Despite new cyber security rules established last summer, 2008 marked the highest number of missing devices since 2003. The lost devices contained personal information, including bank details, driver’s license and passport numbers of nearly half of those serving in the armed forces. All persons known to be affected by the breach have been contacted and cautioned to keep a close watch on their account activity. [Source]

 

UK – Children’s Database Presents Privacy and Security Concerns

Privacy advocates and parents have expressed concern about the number of people who will have access to a new “ContactPoint” database that will hold personal details of all 11 million children under the age of 18 living in England. The data will include names, addresses, dates of birth, parent information, doctors’ names and school information. The database will be accessible to nearly 400,000 local officials, charity workers, youth workers, career advisers and education and health professionals. If children have been in contact with social workers or youth workers, that information will be noted in their records. [Source] [Source] [Source]

 

US – Thrift Shop MP3 Player Contains US Military Data

An MP3 player purchased at an Oklahoma thrift store was found to contain US Army files. The man who bought the device, who is from New Zealand, paid US $9.50 for it. When he connected it to his computer, he found it contained 60 files that include names and personal information of US soldiers, information about equipment at various bases and a mission briefing. The files contain a warning that the release of the information they hold is prohibited by federal law. In November, the US Department of Defense banned the use of portable data storage devices. [Source] [Source]

 

AU – NSW Government Reports Data Breach

The government of New South Wales, Australia, is reporting that cyber criminals have broken into a website, jobs.nsw.gov.au, used to advertise public service jobs. They allegedly accessed information that allowed them to send spam to the database of job seekers, possibly with the intention of spreading malware or stealing sensitive personal information. The site has been offline since last week. Job seekers upload data potential employers would want to see - employment history, dates of birth, addresses and other information. The spammed email is spoofed so that it appears to come from a NSW government web address. [Source]

 

US – Alabama Bail Bond Companies Accessing Sheriff’s Database Without Authorization

According to Mobile (Alabama) County Sheriff Sam Cochran, three area bail bond companies have been accessing law enforcement databases to gain an advantage over competitors. Agents at the three companies managed to obtain login credentials that allowed them to access information about inmates’ relatives and solicit their business. Search warrants have been served on the three companies, and seven computers were seized. Two of the computers were logged on to the law enforcement website when deputies entered the establishments. Investigators are still trying to determine how the bail bond companies obtained the login information. The investigation was prompted by complaints from other companies. Law enforcement authorities figured out which companies were accessing the database by planting false contact information. [Source]

 

E-Mail

 

WW – Spam Rises 150% In Two Months

The number of junk e-mails being sent to computer users around the world has risen more than 150 per cent in two months. In November, the level of spam fell dramatically after the plug was pulled on McColo, an American company accused of providing the gateway for much of the world’s junk e-mails. However, in just a few weeks, the world’s biggest spam gangs appear to have regrouped, as spam e-mails have now almost recovered to the same levels as before McColo was shut down. [Australian IT] See also: [“We’re worried” about Canadian spammers - Q&A with Facebook’s privacy chief Chris Kelly]

 

Electronic Records

 

US – Privacy Issue Complicates Push to Link Medical Data

President-elect Barack Obama has promised to make all medical records electronic by 2014 in order to cut costs and reduce medical errors, among other benefits. And congressional leaders have earmarked $20 billion in funds from the multi-billion dollar economic stimulus package to be used for health information technology (HIT). But privacy issues continue to complicate the plans, and so far stakeholder groups have been unable to agree on safeguards for protecting Americans’ electronic medical information. “Until people are more confident about the security of electronic medical records,” Senator Sheldon Whitehouse (D-RI) told the Times, “it’s vitally important that we err on the side of privacy.” [NYT Source] See also: [Privacy Groups Want Strong Security Measures for Electronic Health Records]

 

US – Patient Advocates Urge Congress to “ACT” on Health Privacy

EPIC and more than 25 members of the Coalition for Patient Privacy at a news conference on January 14, 2009 in Washington, DC urged Congress to include critical privacy safeguards for the medical record network that may be included in the economic stimulus plan. The Coalition partners are recommending that lawmakers “ACT” on privacy and provide Accountability for access to health records, Control of personal information, and Transparency to protect medical consumers from abuse. [Coalition for Patient Privacy] [Coalition for Patient Privacy Press release] [Coalition letter to Congress] [EPIC’s page on Medical Privacy] See also: [Future of Privacy Forum Issues Recommendations for the Administration]

 

US – Health IT Stimulus Bill Contains Critical Privacy, Security Provisions

CDT applauds the critical privacy and security protections Congress included in the health information technology (health IT) portions of the American Recovery and Reinvestment Act of 2009, the proposed economic recovery bill. Before billions are spent building a nationwide health IT network, privacy and security concerns must be addressed upfront to ensure the public trust and widespread adoption of the network. CDT believes it is critical for privacy and security provisions to remain in the legislation and looks forward to working with Congress to ensure a comprehensive privacy framework is in place to protect health information. [CDT Press Release] See also: [UK: NHS constitution ends era of ‘doctor knows best’]

 

US – Google Denies Report of Lobbying to Allow Sale of Patient Medical Records

Consumer Watchdog charged in a letter to Congress that Google was engaged in a “rumored lobbying effort” to allow the sale of electronic medical records in the current version of the economic stimulus legislation. Consumer Watchdog called on Congress to remove loopholes in the ban on the sale of medical records and include other privacy protections absent from the current bill such as giving patients the right to an audit detailing who had accessed their medical records and how the records were used. The consumer group said Google is pushing for the provisions so it may sell patient medical information to its advertising clients on the new Google Health database. A Google representative said Google “categorically denied” the allegations, and found it “very unfortunate that Consumer Watchdog is spreading rumors without verifying it.” The representative referred to a Google Policy Blog, which stated: “This claim – based on no evidence whatsoever – is 100 percent false and unfounded. Google does not sell health data. In fact, one of our most steadfast privacy principles is that we don’t sell our users’ personal data, whether it’s stored in Google Health, Gmail, or in any of our products. And from a policy perspective, we oppose the sale of medical information in the health care industry. We are supportive of strong privacy protections for medical records. Consumers own their electronic medical data and should have the right to easily access their information and control who gets to see it. We also believe in data portability, and we support open standards that enable consumers to control their data and take it wherever they’d like.” [Source]

 

Encryption

 

WW – Full Encryption Drives To Become Standard on all PCs

The world’s six largest computer drive makers have published the final specifications for a single, full-disk encryption standard that can be used across all hard disk drives, solid state drives (SSD) and encryption key management applications. Once enabled, any disk that uses the specification will be locked without a password - and the password will be needed even before a computer boots. The three Trusted Computing Group (TCG) specifications cover storage devices in consumer laptops and desktop computers as well as enterprise-class drives used in servers and disk storage arrays. “We’re protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can’t be brought back up and read without first giving a cryptographically-strong password. If you don’t have that, it’s a brick. You can’t even sell it on eBay.” By using a single, full-disk encryption specification, all drive manufacturers can bake security into their products’ firmware, lowering the cost of production and increasing the efficiency of the security technology. [Source]

 

EU Developments

 

UK – Home Office Signs Dotted Line, Avoids Fine

The Home Office has entered into an agreement with the Information Commissioner's Office (ICO) to better protect the personal information it holds on Britons, reports OUT-LAW.COM. The ICO found the Home Office to be in breach of the Data Protection Act for an incident involving the loss of thousands of citizens' personal data by Home Office contractor PA Consulting. Instead of paying a £5,000 fine, the office has signed a formal undertaking, promising to use encryption, to perform regular audits and to ensure that all contractors conduct business in accordance with the Data Protection Act. [Source]

 

WW – Data Privacy Day Spotlights Online Dangers and Defenses

As Data Privacy Day dawned, Microsoft released research indicating that people want to defend themselves online but are looking for a little help. The Council of Europe designated January 28, 2007 as the first day devoted to spotlighting computer privacy and protection issues, and it became an annual event joined last year by Canada and the United States. Microsoft, Intel and MySpace are among the technology firms joining advocacy groups and government officials in events aimed at promoting awareness of Internet privacy risks and what people can do to protect online data. Input from focus groups in the US cities of San Francisco and Dallas revealed “resignation that once information is out on the Internet it is out there forever and they don’t have control of how it is used,” Microsoft’s Lynch said. In what Lynch referred to as a “placebo effect,” people trust security tools such as spam filters and anti-virus software to protect them online even though they don’t know how the technology works. The focus groups represented three age brackets: 18 to 24 years old, parents and professionals in their middle 30s to 40s, and Baby Boomers ages 60 or older. “An interesting finding was there were more similarities than differences among the generations,” Lynch said. [Source] See also: [How do you protect your privacy? Tell us and win! - OPC contest] [The 11th Annual Report of the European Union Article 29 Working Party has been published on the Article 29 Working Party website]

 

Facts & Stats

 

US – ID Theft as a Stalking Tactic

A number of studies have indicated that a significant percentage of ID theft cases involve family members or someone known to the victim. In 75% of stalking cases, the stalker/offender is known to the victim. Now it appears that in a subset of those cases, ID theft may be part of the pattern of stalking. The Bureau of Justice released the results of a crime victimization survey on stalking this week, Stalking Victimization in the United States. During a 12-month period, an estimated 3.4 million persons age 18 or older were victims of stalking. The report indicated that stalking offenders committed identity theft against about 204,000 victims. Over half of these victims had financial accounts opened or closed in their names or money taken from their accounts, and 3 in 10 of these victims had items charged to their credit cards without their consent:

 

WW – New Trend in Cyber Crime: Unprecedented Rise in Identity Theft Related Searches

Tiversa announced the findings of new research that reveals an unprecedented rise in identity theft-related searches in the fall of 2008, an overall increase of 32%. In the midst of the nation’s largest economic downturn since the Great Depression, Tiversa is finding evidence that identity thieves are on the hunt once again, continuing to find new ways to extract sensitive information to commit fraud on unsuspecting victims. The research is based on search data in an ongoing 18-month study by Tiversa, whose patent-pending technology monitors roughly 450 million users issuing more than 1.5 billion searches a day. Data shows that search intent for sensitive information is on the rise, citing keywords related to personal banking logins, passwords, tax returns, credit card, account numbers, credit reports, and medical information. [Source] See also: [Internet Users Worldwide Surpass 1 Billion In December]

 

WW – Businesses Risk $1 Trillion Losses From Data Theft

Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime, according to a study released yesterday by McAfee. The California-based company launched the survey after detecting a rapid acceleration of malicious software, or “malware,” last year. McAfee says malware increased by 400 percent in 2008. [Washington Post]

 

Filtering

 

US – Federal Regulator Reverses on Internet Content Filtering Plan

FTC Chairman Kevin Martin has said in an interview published by Ars Technica on Dec. 29 that he will not pursue a government-mandated content filter as part of a proposal for a nationwide free wireless broadband network. EPIC had opposed the provision and said that it would create a dangerous precedent that would encourage governments to limit access to unpopular or controversial speech. [Kevin Martin’s interview] See also: [Privacy a “Pet Issue” for Possible FTC Chair Leibowitz]

 

US – Chinese Filtering Circumvention Tools Sell User Data

The Berkman Center for Internet & Society reported that three of the circumvention tools being used to bypass China’s Great Firewall are actually tracking and selling the individual web browsing histories of their clients. The findings, which appeared on a blog, showed that the sites used deceptive language regarding the safety of their use, and that access and privacy policies were altogether absent. The tools, DynaWeb FreeGate, GPass, and FirePhoenix, have chosen a business model of selling user data. [Hal Roberts, “watching technology,” The Berkman Center for Internet & Society]

 

WW – Google And Universities Offer Tool To Detect Net Filtering, Blocking

Google has launched M-Lab, which aims to bring more transparency to network activity by allowing researchers to deploy Internet measurement tools and share data. The platform launched Wednesday with three Google servers dedicated to the project, and within six months, Google will provide researchers with 36 servers in 12 locations around the globe. All the data collected will be made publicly available. [CNET]

 

AU – ISPs Clustered For Filtering Trials

Participants in the Australian government’s controversial mandatory Internet filtering scheme will start live trials in batches, instead of en masse. Sixteen expressions of interest for the trial have been received from small, medium and large ISPs, and the Department of Broadband, Communications and the Digital Economy is considering which providers should be invited to take part in the test. [Australian IT]

 

Finance

 

CH – Swiss Government to Release Names

In an about-face, the Swiss government has decided to release certain data on American UBS clients, in breach of its own bank secrecy laws, in order to end a tax probe by U.S. authorities. The government will release the names of 300 U.S. citizens who have undeclared accounts in Swiss banks. U.S. tax officials have been probing UBS in attempts to identify wealthy Americans who are hiding billions in Swiss banks to avoid taxes. Since the probe began, the Swiss bank has stopped offering offshore accounts to U.S. clients and is now closing down all Swiss bank accounts held by Americans, the report states. [Source]

 

AU – Privacy Concerns Over Money Laundering Rules

Privacy advocates are wary of proposed new rules aimed at cracking down on money laundering and terrorism financing. Under the rules, real estate agents, jewelers, solicitors and accountants would be required to report financial transactions they deem suspicious to the federal government’s financial intelligence organisation, AUSTRAC. “There are concerns that more personal information than ever before will be collected from more organisations than ever before,” said one banking and finance partner. The information could then be used by other government agencies such as the Australian Tax Office and the Federal Police. [Source]

 

FOI

 

US – Obama Orders Could Open Records

Barack Obama’s first acts as president included signing three orders that could open public access to documents and records that had been closed off during the Bush administration. Obama reversed George W. Bush’s restrictions on access to records of former presidents. He also told the Justice Department to write new guidance to agencies on the Freedom of Information Act (FOIA) to improve transparency, and gave top officials in his administration four months to create a new “Open Government Directive” that he said would go beyond the requirements of the open records law. If the new rules are followed within the government, they could open scores of records that have been closed for years to the public and reporters. Some agencies, with the encouragement of the Bush administration’s legal advisers in the Justice Department, have reached deep into FOIA’s exemptions to withhold information. [Source] See also: [Robert Marleau: Follow Obama’s lead on transparency, PM told] and [Watchdog alarmed by Harper’s information clampdown]

 

Health / Medical

 

US – Court Denies Rehearing in Prescription Privacy Law Case

The First Circuit Court of Appeals denied rehearing en banc in a case involving a recent New Hampshire law that banned the sale of prescriber-identifiable prescription drug data for marketing purposes. EPIC and 16 experts in privacy and technology had filed a friend of the court brief in the matter urging a reversal of a District Court ruling that delayed enforcement of the New Hampshire Prescription Confidentiality Act. In November last year, the First Circuit Court of Appeals upheld the ban, after which a motion for en banc rehearing was filed. [Court Order denying re-hearing] [Opinion Upholding New Hampshire Prescription Confidentiality Act] [EPIC’s Brief in Support of Prescription Privacy] [New Hampshire Prescription Confidentiality Act] [Maine’s Prescription Privacy Law] [Vermont’s Prescription Privacy Law] [EPIC’s page on IMS Health Inc. v. Ayotte]

 

US – Bill Would Make Prescription Data Private

Washington lawmakers have introduced a bill to protect consumers' prescription privacy. House Bill 1493 would close a loophole in the Health Insurance Portability and Accountability Act (HIPAA) that currently enables pharmaceutical companies to target drug advertising to consumers based on their prescription information. The bill would prevent pharmacists, doctors and insurance agents from sharing patients' prescription and personal information with pharmaceutical marketing firms. "The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said a spokeswoman for the Washington Coalition for Prescribing Integrity. [Source]

 

Horror Stories

 

US – Card Data Breached, Firm Says

A New Jersey credit-card processor disclosed a data breach that analysts said may rank among the biggest ever reported. Heartland Payment Systems Inc. said Tuesday that cyber criminals compromised its computer network, gaining access to customer information associated with the 100 million card transactions it handles each month. The company said it couldn’t estimate how many customer records may have been improperly accessed, but said the data compromised include the information on a card’s magnetic strip – card number, expiration date and some internal bank codes – that could be used to duplicate a card. Heartland, of Princeton, N.J., processes transactions for more than 250,000 businesses nationwide, including restaurants and smaller retailers. [Source] [MasterCard, Visa warn security breach may compromise data] [Heartland Sued Over Data Breach] [Identity theft fears follow U.S. breach] [Heartland CEO Wants Info Sharing, End-to-End Encryption] [Lessons of ChoicePoint, 4 Years Later] and [Schneier on Security: Breach Notification Laws] and also: [VA Agrees To Settle For $20M For Data Theft] and [Monster.com Reports Theft of User Data]

 

AU – Former Employee Admits Deleting Information From Government Computer System

Anthony McIntosh has admitted he caused AU $1 million (US $661,360) worth of damage by breaking into the Northern Territory Government computer systems and deleting information. McIntosh had worked as a contractor on the government systems before leaving his position last April under less than ideal circumstances. Last May, McIntosh admits, he broke into several government computer systems and deleted profiles of more than 10,000 public servants. McIntosh accessed the system with a former colleague’s password. [Source]

 

US – Monster.com Reports Another Data Security Breach

Monster.com users are being advised to change their passwords after a data security breach on the job hunting website. An intruder stole email addresses, user IDs, passwords and other personal information from the website’s database. Monster.com does not collect Social Security numbers (SSNs). While Monster.com posted a warning about the breach last week, the company does not plan to contact the affected customers individually. Monster.com suffered another breach about 18 months ago in which intruders obtained login credentials for companies looking for employees and used that access to peruse the Monster.com applicant database. Monster.com users reported receiving scam email messages after that breach. That same year, Monster.com was hit with an attack that infected some of the site’s pages so that they downloaded malware onto visitors’ computers. [Source] [Source] [Source]

 

Identity Issues

 

US – EPIC, Experts Urge Supreme Court: Protect Anonymity & Pseudonymity

On December 19, 2008, EPIC filed a “friend of the court” brief in the U.S. Supreme Court, urging the Justices to protect anonymous and pseudonymous activities. The brief was filed on behalf of 17 legal scholars and technical experts. In U.S. v. Flores-Figueroa, the Court will be asked to determine whether individuals who include identification numbers that are not theirs, but don’t intentionally impersonate others, can be subject to harsher punishments under federal law. EPIC explained that anonymous and pseudonymous behavior is a cornerstone of privacy protection in the identity management field. The brief urges the Court to not “set a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful.” [“Friend-of-the-court,” Brief by EPIC, Legal Scholars, Technical Experts (Dec. 19, 2008)] [US Supreme Court Docket page for Flores-Figueroa v. United States] [EPIC’s Flores-Figueroa v. United States page] [Petitioner’s Brief for Supreme Court Review in Flores-Figueroa v. U.S.] [The Government’s Brief Regarding Supreme Court Review in Flores-Figueroa v. U.S.]

 

US – Medical ID Theft Subject of Report

The results of a government-funded study on medical identity theft call for federal government leadership in developing a national response to the growing problem. The 26-page report issued by Booz Allen Hamilton is the third and final deliverable from the yearlong study of the issue. It includes 31 recommendations, one of which calls for the government to create a public-private task force to specifically address medical identity theft. The report also says that patients must play a bigger role in the detection of medical identity theft and that making patients’ medical records more accessible to them would help in this effort. [Source] [HHS.gov ONC Commissioned Medical Identity Theft Assessments]

 

IN – Government Kicks Off Unique ID Project for All Citizens

With the aim of assigning a unique identification number to each of the more than one billion citizens in the country, the Indian Government has formally begun the process by notifying the setting up of a national authority for the purpose. The project will ensure a permanent ID card, with a unique number, photograph and biometric data, for every Indian, from birth till death. It would also cover children and is targeted at cutting down identity-related frauds and addressing security issues, among others, sources said. The identification number will be provided by the National Authority for Unique Identity (UID), an entity being set up under the Planning Commission. [Source]

 

 

Intellectual Property

 

UK – Law Will Force ISPs to Pass File-Sharing Data to Record Labels

The Government will create legislation forcing internet service providers (ISPs) to gather information on customers engaged in illegal file-sharing, and forcing them to contact repeat offenders warning them that their behaviour is against the law. The proposal forms part of an interim report, Digital Britain. The proposed legislation stops short of forcing ISPs to directly disconnect suspected file-sharers. The Government said that it would soon begin consultation on the proposed new law. [Source]

 

UK – UK Drops Plans For ISP Three Strikes and You’re Out Approach

UK Internet service providers will not be forced to disconnect users who repeatedly flout the law by illegally sharing music and video files, The Times has learnt. Andy Burnham, the Culture Secretary, said last year that the Government had “serious legislative intent” to compel internet companies to cut off customers who ignore warnings not to pirate material. However, in an interview with The Times, David Lammy, the Intellectual Property Minister, said that the Government had ruled out legislating to force ISPs to disconnect such users. [Times]

 

SE – Swedish File Sharers’ Privacy in Jeopardy

Swedish file sharers have enjoyed a fair degree of privacy protection from the police. In Sweden a file sharer is usually safe from police action, as the crimes do not generally carry a prison sentence. This might change now that the police will present Minister for Justice Beatrice Ask with a report that recommends authority for police action even in minor file sharing cases previously punishable only by a fine. The legislation is based on the controversial Intellectual Property Rights Enforcement Directive (IPRED) and would allow police to find out email and phone call details as well as request permission for home searches. Swedish Pirate Party Chairman Rick Falkvinge opposed the whole IPRED law in an interview with TorrentFreak saying, “These laws are written by digital illiterates who behave like blindfolded, drunken elephants trumpeting about in an egg packaging facility. They have no idea how much damage they’re causing, because they lack today’s literacy: an understanding of how the Internet is reshaping the power structures at their core.” [Source]

 

EU – Irish Internet Users Face Shutdown Over Illegal Music Downloads

Irish Internet users face having their connections shut down if they continue to download music illegally, following an agreement reached between Eircom and four major record companies in the High Court. Under a system known as “three strikes and you are out”, Eircom customers downloading music from peer to peer services will receive two warnings but will be disconnected if they continue to engage in the activity. [Irish Times]

 

NZ – New Zealand Govt Rejects Calls To Alter Internet Law

Calls to repeal a New Zealand law that could mean Kiwi Internet users have their connections cut if they are accused of breaching copyright have been knocked back by the Government. The new “guilt by accusation” law would result in ISPs being forced to take on the role of gatekeeper by blocking online access to anyone accused of flouting copyright laws and illegally downloading films and music. [Stuff.nz]

 

Internet / WWW

 

WW – Google’s GDrive ‘Will Make the PC Redundant’

Google is on the verge of launching a system that experts believe could make the personal computer as we know it virtually redundant. The GDrive could amalgamate all Google’s existing web-based services so that they become easier to use together. The company is about to launch the ‘GDrive’, according to industry reports, which would allow people to store almost all their data on the internet and access it from wherever they are. The GDrive would enable people to access and update all their information such as emails, photographs, music, documents and spreadsheets from any device with an internet connection. Google has already begun its offensive to convince the world of the benefits of so-called ‘cloud computing’, in which the web rather than the hard drive is used as the place where information is stored. But some believe that trusting Google with so much personal or commercial data is dangerous, arguing information is not as safe in the cloud as it is in a computer. Peter Brown, of the Free Software Foundation charity, said: “Does it matter to you that someone can see everything on your computer? Does it matter that Google can be subpoenaed at any time to hand over all your data to the American government?” [Source]

 

US – White House Exempts YouTube From Privacy Rules

An exemption in the privacy policy of the three-day-old Obama Whitehouse.gov Web site is attracting the notice of privacy activists and others who pay attention to the use of persistent cookies in tracking users' Web behavior. The policy exempts YouTube from the decade-old anti-cookie rule on federal agencies' Web sites. This means that YouTube can track the viewing of videos embedded on the site through the use of such a cookie. Users are instructed on how to view the video without enabling the cookie, but tests of that function by Harvard's Berkman Center for Internet and Society student fellow and CNET blogger Chris Soghoian failed. [Source] UPDATE: [Whitehouse.gov Tweaked after Criticism]

 

WW – 2009: The Year of Social Networks in Business

A recently released Deloitte report on key IT trends for 2009 reveals that information handling and social networking will be areas of attention in the coming year. The report says that 2009 will be the break-out year for social networks in business operations, and that such networks will need to be developed with caution to encourage more productivity and balance control with employees’ desire for privacy. [Source]

 

Law Enforcement

 

US – Supreme Court Permits Arrest Based on Police Database Error

The Supreme Court in a 5-4 opinion held that the police may use false information contained in a police database as the evidence for an arrest. Chief Justice Roberts held that, “when police mistakes are the result of negligence such as that described here, rather than systemic error or reckless disregard of constitutional requirements, any marginal deterrence does not ‘pay its way.’” In Herring v. US, the police searched and then arrested Bennie Dean Herring based on incorrect information in a government database. He was illegally arrested and searched even though he told the officers that there was no arrest warrant, and no officer had seen or could produce a copy of the arrest warrant. After he was indicted, Herring petitioned the district court to suppress the evidence gathered incident to his unlawful arrest, arguing the exclusionary rule prevented the use of such evidence. But the district court ruled against him. Herring then appealed to the 11th Circuit Court of Appeals, which affirmed the district court’s ruling. Herring thereafter petitioned for cert. to the U.S. Supreme Court. Justice Ginsburg, writing for four of the Justices in dissent, said that “negligent recordkeeping errors by law enforcement threaten individual liberty, are susceptible to deterrence by the exclusionary rule, and cannot be remedied effectively through other means.” EPIC filed a friend of the court brief urging the Justices to ensure the accuracy of police databases, on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. The EPIC brief was cited by the Justices in dissent. 
Justice Ginsburg, highlighting EPIC’s brief, underscored that “electronic databases form the nervous system of contemporary criminal justice operations” and “[p]olice today [could] access databases that include not only the updated National Crime Information Center (NCIC), but also terrorist watchlists, the Federal Government’s employee eligibility system, and various commercial databases.” Further relying on EPIC’s brief, she also warned that the “risk of error stemming from these databases is not slim” and they were “insufficiently monitored” and “often out of date.” [Supreme Court Opinion (Jan. 14)] [“Friend-of-the-court,” Brief by EPIC, 27 Legal Scholars and Technical Experts and 13 Privacy and Civil Liberty Groups (May 16, 2008)] [U.S. Supreme Court Docket page for Herring v. US] [EPIC page on Herring v. U.S.] [EPIC’s page on the 2003 online petition urging the reestablishment of accuracy requirements for the FBI’s National Crime Information Center, the nation’s largest criminal justice database]

 

EU – Scotland Police Scour Facebook and Bebo for Criminals

Trainee officers at Strathclyde Police are being used to search social networking sites for pictures of people posing with weapons, mainly knives. More than 400 people, most of them teenagers, have been questioned and several convictions have been secured. “We’re looking for anyone who is brandishing offensive weapons or blades. We take the date, the time, detail of what’s in the photograph, then a copy of the photograph is printed out and thereafter it’s all sent to the gangs task force unit.” Around 40 people were arrested for posing in public places with weapons, mainly knives and machetes, and the rest were spoken to at home. [Source]

 

EU – Police Find Dope Farm Using Google Earth

Swiss police said they stumbled across a large marijuana plantation while using Google Earth, the search engine company’s satellite mapping software. Police said the find was part of a bigger investigation that led to the arrest of 16 people and seizure of more than one tonne of marijuana as well as cash and valuables worth $780,000 US. The plantation was hidden inside a field of corn. [Source]

 

Offshore

 

BU – Bulgaria Interior Ministry Wins “Big Brother” Nod

Bulgaria’s Interior Ministry has been awarded the “Big Brother Award 2008” for what organisers said was its “widely varied activities” in violating the privacy rights of Bulgarian citizens and the protection of personal data. Big Brother Awards 2008 were given out by the Access to Information Programme to recognise the government and private sector organisations that have done the most to threaten personal privacy. The ministry was given the award for its contributions to introducing Ordinance 40, which was supposed to facilitate electronic communication data retention but saw one of its core paragraphs scrapped by the Supreme Administrative Court. The ministry also won the award for sending out an online publication, demanding personal data of participants in its online forum be handed over, and for creating records of participants in civil protests in Sofia on January 15 2009. The Big Brother Award 2008 for the private sector went to electricity distribution company Chez, for its efforts in collecting property notary deeds from its customers, a practice that continued according to Access to Information Programme, despite a ruling against it by the Commission for Personal Data Protection. The award ceremony took place on January 28. None of the winners were present at the ceremony to collect the statuette. [Source]

 

Online Privacy

 

WW – Internet Threat to Minors Overblown: Study

Worries that the Internet and social networking services like MySpace pose a threat to child safety may be overblown, a report by industry, academics and technology experts suggests. The report, released last week, suggests that the biggest threats to children’s safety online may come from other children, and that their own behaviour could contribute to the trouble they encounter. “Minors are not equally at risk online,” the report said. “Those who are most at risk often engage in risky behaviours and have difficulties in other parts of their lives.” It is the product of the Internet Safety Technical Task Force, created last February by 49 state attorneys general to address what many of them said was the growing problem of sexual predators soliciting children online. “The risks minors face online are complex and multifaceted and are in most cases not significantly different than those they face offline, and as they get older, minors themselves contribute to some of the problems,” the study said. The Task Force includes executives from social networking services like Facebook and News Corp.’s MySpace, as well as other technology and media companies including Yahoo Inc., Verizon and Time Warner Inc.’s AOL. The findings, if accepted by the law-enforcement community, would be important for Facebook and MySpace. Both social networking sites have large numbers of younger members, and parents have expressed concern over strangers approaching their children on those sites. Released by the Berkman Center for Internet & Society at Harvard University, the report suggests that the biggest threats to children’s safety online come from other children. “Youth report sexual solicitation of minors by minors more frequently, but these incidents, too, are understudied, underreported to law enforcement, and not part of most conversations about online safety,” the task force said. 
Online sexual predators are a concern, but the task force said that many of the studies it reviewed were based on law-enforcement cases that predated social networking sites. They said bullying and harassment, especially by peers, are the most frequent problem minors face both online and elsewhere. [Source]

 

WW – Search Engine Ixquick.com Completely Stops Recording IP Addresses

Ixquick announces it has stopped recording users’ IP addresses completely. With this new policy Ixquick further enhances its longtime leadership on privacy. Privacy on the Internet is increasingly under attack, as searches and visits are routinely recorded and combined into personal and behavioral profiles by the major search engines. While you are searching the internet, these engines register the time of your searches, the terms you used, the sites you visited and your IP address. In many cases this IP address makes it possible to trace the computer, and in turn the household, that carried out the search. Previously Ixquick deleted the privacy details of its users within 48 hours. As of Data Protection Day 2009 IP addresses are not recorded at all anymore. The technical need to store IP addresses for 48 hours - blocking automated use of Ixquick’s servers - has been overcome by recent technological developments. “At Ixquick we feel people have a fundamental right to privacy,” says CEO Robert Beens. [Source]

 

US – Napster Warns Subscribers Best Buy Will Have Access to All Personal Data

Napster subscribers using the service after Feb. 17 will be giving the gift of data to Best Buy. In an “important announcement” sent to subscribers, Napster warned that its October 2008 acquisition by the retailer means “any personal or other data that you share, or have shared, with Napster may also be shared with Best Buy and/or its affiliated companies.” Napster and Best Buy, which paid $121 million for the music service, promise to abide by privacy policies but the message doesn’t spell out how the data might be used by Best Buy or its affiliates, which could include the UK’s Carphone Warehouse. Using the account after Feb. 17 means you’ve agreed to the change, so anyone who wants to avoid the conflation of information needs to cancel by then. [Source]

 

UK – British Govt. Tackling Internet Privacy

Internet companies that monitor customers’ e-mail messages to customize their marketing efforts may be violating privacy rules, the British government says. A spokeswoman for the Department for Business, Enterprise and Regulatory Reform said such online actions, dubbed targeted advertising, will now be closely regulated in order to protect customers’ privacy. “The possible use of targeted advertising has raised some concerns and the U.K. authorities are working to ensure that any technology introduced to the market is lawful, appropriate and transparent,” the unidentified business department spokeswoman said. “Future developments involving targeted advertising will be closely scrutinized and monitored by the enforcement authorities.” The technological marketing technique works by companies scanning customers’ e-mails for key words or phrases. Those words or phrases are then used to individually customize advertisements for each person based on assumed interests. The Telegraph said future security efforts are aimed at preventing such monitoring efforts without customers’ approval. [Source]

 

WW – Mozilla Wants to Watch Firefox Users

Mozilla Labs, the research arm of Mozilla Corp., wants 1% of Firefox users to allow it to watch how they use the browser – and the Web in general. “We need to know how people are using our products and using the Web,” said Aza Raskin, the head of user experience at Mozilla Labs. “That’s where Test Pilot comes up. It will give us a view into what people are actually using, while protecting their privacy.” Still in the planning stages – a complete road map has not yet been proposed – Test Pilot will use a Firefox add-on to collect browsing and usage data, and provide tools to answer feedback questions. At the outset, users submit only a limited amount of demographic information, such as their technical level and geographic location, and as experiments and tests are offered, they can choose which ones to participate in. The program will be completely optional to Firefox users, and privacy will be maintained. Only aggregated anonymized data will be collected by Mozilla. “One of the great things about Firefox and Mozilla is that you don’t have to take [our word] on faith,” said Raskin. “There are no secrets with open source. In Test Pilot, the source [code] and the data will be open. That’s a huge step forward, because everything you send has to be, and will be, published in human-readable format.” Mozilla Labs plans to launch the first version of Test Pilot in the next few weeks. More information about the program can be found on Mozilla Labs’ Web site. [Source]

 

Other Jurisdictions

 

SG – Singapore’s Privacy Laws to be Reviewed

Singapore’s Minister of Information, Communications and Arts said at a Parliamentary session on Monday that a review of the nation’s data protection regime is ongoing and that an Inter-Ministry Committee is looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest. “The government recognises the importance of data protection and the need to protect personal data. At the same time, we also appreciate the impact of data protection on businesses and the general public,” said Minister Lee Boon Yang. Dr Lee said that the complexity of the issue means the review will take some time. [Source]

 

Privacy (US)

 

US – Bush Administration Asks to Suspend Wiretap Suit

In one of its last official acts, the Bush administration has asked a federal judge to suspend a legal challenge to a government surveillance program while it appeals an adverse ruling. U.S. District Judge Vaughn Walker earlier this month reinstated an Islamic charity’s lawsuit alleging it had been the target of government wiretaps set up without a court’s approval. The judge said that lawyers for the Saudi Arabia-based charity could have access to a top-secret document that they claim is a telephone log showing government eavesdropping. In papers submitted to a federal court in San Francisco, government lawyers asked to delay turning over the document until an appeals court considers their request to dismiss the lawsuit, which was filed by the U.S. branch of the now-defunct Al-Haramain Islamic Foundation. [Source]

 

US – Florida Settles Privacy Lawsuit; Drivers Get $1 Each

The Florida Legislature will spend $10.4-million to settle a class action lawsuit over allegations that the state illegally sold drivers’ personal information to marketing firms over a four-year period in violation of a federal law barring the practice. The state made $27-million each year on the deal, according to the lawsuit. Drivers who held a license, car registration or state-issued ID from June 1, 2000, through Sept. 30, 2004, will get a one-time credit of $1 when they register or renew a registration between July 1, 2009, and June 30, 2010. The four South Florida motorists who sued will get $3,000 each, and five law firms that pursued the case for more than six years will divide $2.85-million in legal fees, which is separate from credits paid to consumers. The personal information that was sold includes a driver’s photo, Social Security number, driver ID number, name, address, phone number and medical condition. [Source]

 

US – NIST Releases Draft Guidelines for Data Protection

The National Institute of Standards and Technology (NIST) has released preliminary recommendations for federal agencies’ protection of personally identifiable information (PII). The draft is open for public comment until March 13. The recommendations include guidance on storing PII, developing an incident response plan in the event of a breach and training employees on data protection, among others. Scott Larson of computer forensic consulting firm Stroz Friedberg says he thinks there has been increased concern about how federal agencies are storing, accessing and mining for data, the report states. [Source]

 

US – 9th Circuit Ruling Bolsters Class Action Suit Against AOL

Thousands of California residents can sue AOL in their home state for invasion of privacy despite agreements they signed requiring all legal disputes to go before “courts of Virginia” and be guided by Virginia law. A federal appellate court has cleared a path for a class-action lawsuit to proceed against AOL. On July 31, 2006, AOL placed on a public Web site 20 million search inquiries by 658,000 of its members over a three-month period. The data included addresses, phone numbers, credit card numbers, Social Security numbers, passwords and other personal information. They revealed members’ “personal struggles with various highly personal issues, including sexuality, mental illness, recovery from alcoholism, and victimization from incest, physical abuse, domestic violence, adultery, and rape,” according to the class-action suit on behalf of affected members nationwide. Hundreds of searches were by people planning to kill themselves or by others seemingly contemplating murder, according to readers of the material. The suit, which followed less than two months after the incident, was filed in Oakland federal court, alleging violations of federal electronic privacy law and, on behalf of the California subset, state law requiring businesses to protect customers’ personal information. It seeks an unspecified amount of monetary damages. AOL persuaded U.S. District Judge Armstrong to throw the suit out because of the clause in the membership agreements mandating that legal disputes go before a Virginia court, where class actions are not allowed. But on Friday, a three-judge panel of the 9th U.S. Circuit Court of Appeals reversed that decision for the as-yet-undetermined number of California residents who are part of the class and sent it back to Armstrong for further proceedings. [Source]

 

RFID

 

US – RFID Privacy Remains a Washington State Issue

Washington State is again visiting the issue of privacy and RFID in its new state legislature, with three bills sponsored and introduced by State Representative Jeff Morris. Washington State House Bill 1006 requires that items containing an RFID tag that are issued or sold to a consumer by either a government agency or business must be visibly labeled with a “universally accepted symbol.” House Bill 1011 prohibits intentionally scanning a personal identification device on a remote basis unless that person provides written or electronic consent. The business or government agency receiving consent must then notify that person that they have consented to have their electronic information collected and stored. A series of exceptions are granted for medical and emergency situations when a person is unable to consent. The legislation also requires the state attorney general to make annual recommendations back to the legislature on “other personally invasive technologies that may warrant further legislative action.” House Bill 1044 gives the Board of the Washington State Department of Information Services the duty to develop privacy standards for RFID. The legislation sets several minimum requirements: a privacy impact assessment for any state agency seeking to implement RFID, assurance that “technical and organizational measures are being taken to mitigate…privacy or data protection risks,” and confirmation that the type of RFID equipment has “appropriate” security for the application. Any state agency deploying RFID must certify that it is in compliance with the privacy standards. [Source] See also: [New York introduces RFID privacy Assembly Bill 276 - “radio frequency identification right to know act”] See also: [RFID: Passports/drivers licenses cloned easily - YouTube video demo shows you how]

 

Surveillance

 

ON – Ontario Court Decides Against Workplace Video Monitoring

Installation of a secret camera in an employee’s office, with no credible or reliable explanation for its installation, results in finding of constructive dismissal against the employer. [Decision] [Colwell v. Cornerstone and Krauel]

 

EU – WADA Faces Court Challenge in Belgium

A group of Belgian athletes is challenging the rule requiring athletes to notify drug testers of their whereabouts, contending it violates privacy. If the case is successful in Belgium, it could undermine the work of the World Anti-Doping Agency and be used as a precedent to contest the ruling in other courts around the world. Athletes are obligated to give their whereabouts up to three months in advance. Out-of-competition tests are essential in catching cheats since many illegal substances can become untraceable by the time competition starts. To perform such tests, WADA needs to know at all times where and when athletes can be traced. Under the latest WADA code, athletes must specify one hour each day where they can be located for testing. “It gives WADA a pass to invade the privacy of athletes.” [Source]

 

Telecom / TV

 

CA – Technology Straining Paper-Era Privacy Laws

Something about the image of Big Brother sifting through cellphone records of 7,000 law-abiding citizens touched a nerve in Mr. Justice Michael Quigley of the Ontario Superior Court. In a ruling several weeks ago, Judge Quigley denied police the fruits of their “high-tech fishing expedition” - uncovering a series of cellphone calls that potentially linked several suspected jewellery store robbers. It was a classic clash between privacy and new technology, and Judge Quigley was intent on applying aging provisions to a scenario never anticipated by those who drafted them. The police theory that precipitated the seizure had been simple. Reasoning that the robbers had probably used cellphones to execute their $500,000 heist, officers obtained a warrant to seize records for every call placed through two local transmission towers over the course of a critical, two-hour period. In ruling the seizure unconstitutional, Judge Quigley observed that admitting the information would mean approving “an astonishingly intrusive ‘snooping’ technique available to police - instead of encouraging the police to respect the legal parameters set by the Criminal Code and the Charter that limit their actions.” The problem faced was an obligation to use laws written at a time when communications tended to involve pens, paper, file folders or a single telephone call. “The courts are really struggling with how to reconcile the realities of technology with our own expectations about what it means to live private lives without the intruding eye of government,” says Scott Hutchison, an expert in both privacy and new technology. Mr. Hutchison said exotic legal dilemmas of this nature are arising with increasing frequency. Are utility power consumption records fair game for seizure? Is there a privacy right in the heat that emanates from your home, which police can potentially monitor for signs of marijuana grow operations? “What really has to happen is a complete rethinking,” Mr. Hutchison said. 
“We cannot continue to talk about [electronic] file folders, e-mail and documents as if they were the same thing as paper folders, paper documents and letters. They have completely different properties, and our expectations around them are completely different. We can’t simply take all the old cases dealing with searches and staple them onto the technology world.” He argues that the definition of what constitutes a “reasonable” search has got to change: “The real issue is not making electronic information off limits, but making sure that access is regulated using the same values as we apply to regulate real-world searches.” [Source]

 

CA – Do-Not-Call Registrants Getting Lots of Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) and the federal privacy commissioner are investigating complaints surrounding an increase in telemarketing calls to those whose numbers are registered on the national do-not-call registry, reports the Globe and Mail. The registry went into effect in September. More than 2.7 million Canadians have added their names to the list to prevent unwanted telemarketing calls. Nonetheless, many have experienced an increase in calls. Some fear the CRTC practice of releasing the list, for a fee, to telemarketers is worsening, rather than helping the problem of unsolicited direct marketing calls. [Source]  [NDP Demands Government Action On Do-Not-Call Boondoggle] [Clement blasts do-not-call scammers]

 

US – Bid to Rein in Cellphone Photography May Prove to be Tone Deaf, Critics Say

A New York congressman has introduced a bill that would force U.S. phone manufacturers to program an audible tone that plays every time the cellphone’s camera is used, in an effort to stem the voyeuristic tide of revealing, unauthorized photography. Republican Peter King introduced this month the Camera Phone Predator Alert Act, which would “require mobile phones containing digital cameras to make a sound when a photograph is taken.” One year after the bill is enacted, U.S. manufacturers would be required to equip all phones with a tone or sound that resonates within a “reasonable radius.” The tersely worded bill includes no strict definition of what a reasonable radius is, or what kind of sound would suffice. The bill also makes no mention of whether the phone should emit a sound if a user employs its video recorder, for example. Manufacturers would not be allowed to give users an option to turn off the sound. Reaction to the proposed bill has been less than warm, with many people complaining that a loud noise would negatively affect legitimate uses such as taking photos of crimes in progress. Privacy and legal experts are also not convinced the bill will pass constitutional muster, or indeed work as intended. “How effective will the legislation be? Will the target even notice [the sound]? Or do you install a bicycle bell that would truly alert the subject?” asked Queen’s University law professor Arthur Cockfield. “It seems a bit like political grandstanding to me.” But if Mr. King’s bill does succeed, the United States won’t be the first country to mandate audible alerts. Similar restrictions are in place in other countries, including Japan, where the upskirt phenomenon has been a concern for some time. Mr. King attempted to introduce the same bill in 2007, but it died in Congress. If the bill passes this time, the Consumer Product Safety Commission will be charged with enforcing the new law. [Source]

 

US Government Programs

 

US – Feds to ‘Rethink’ License Mandate

Homeland Security Secretary Janet Napolitano said that she will “rethink” a program that requires every state to issue more secure driver’s licenses by the end of the year. The new licenses, required under a 2005 federal law, aim to prevent criminals and potential terrorists from getting fake IDs. But the licenses have been opposed by many governors, who cite the cost. Added opposition comes from the American Civil Liberties Union, which says the cards are, in effect, a national ID card. “It really has taken the form of a huge unfunded mandate on states which are struggling with huge cuts right now,” Napolitano said the day after she was sworn in as head of the third-largest federal department. Napolitano, the governor of Arizona until Tuesday, noted that she had signed a bill in June barring the state from complying with the license law. Last year, the Homeland Security Department extended a May 11 deadline for states to issue new, tamper-resistant licenses. States now have until Dec. 31 to issue new licenses that require applicants to present documentation in person showing they are in the country legally. Napolitano said she will meet with governors to discuss the license program required under the Real ID law and “look at its cost compared to its value.” As Arizona governor, Napolitano worked with former Homeland Security secretary Michael Chertoff to launch an enhanced driver’s license program. The Arizona Legislature blocked the effort last year. [Source]

 

US – Homeland Security Promotes Employment Verification System

The Department of Homeland Security has issued a solicitation for “Marketing and Advertising Services in Support of E-Verify.” The E-Verify program was created by the U.S. DHS and the Social Security Administration to verify the work authorization status of new hires. However, the Government Accountability Office, the Social Security Administration’s Inspector General, and the CATO Institute have detailed many shortcomings of E-Verify, and have highlighted high levels of inaccuracies in the databases on which the program is based, employer misuse resulting in discrimination and unlawful termination, the lack of privacy protections as well as the program’s high costs. [EPIC’s Freedom of Information Request to DHS/USCIS] [EPIC’s Freedom of Information request Appeal to USCIS] [EPIC’s letter to NPR Ombudsman] [EPIC, “Spotlight on Surveillance: E-Verify System - DHS Changes Name, But Problems Remain for U.S. Workers.”] [“Employment Verification - Challenges Exist in Implementing a Mandatory Electronic Employment Verification System,” United States Government Accountability Office, June 10, 2008] [“Inspector General’s Statement on SSA’s Major Management and Performance Challenges,” Nov. 5, 2008]

 

US – Federal Agencies Falter on Civil Liberties

USA TODAY reports that, according to federal records, several U.S. government departments have failed to meet legal requirements designed to protect Americans' civil liberties. The departments of Defense, State and Health and Human Services have not appointed civil liberties protection officers as required by a 2007 law, nor have they submitted regular reports to Congress on how they are protecting the public's rights and privacy. An independent board assembled to enforce the requirements--The Privacy and Civil Liberties Oversight Board--is apparently defunct. Leaders of the Senate Homeland Security committee--Senator Susan Collins (R-ME) and Senator Joseph Lieberman (I-CT)--say the non-compliant agencies will be held accountable. [Source]

 

US Legislation

 

US – Privacy Stimulus for Health IT

Last night the House okayed the American Recovery and Reinvestment Act, the stimulus bill that includes $20 billion for health IT. A portion of those billions will go toward the implementation of electronic health records (EHRs) for all Americans. But citizens, senators and advocacy groups on the Hill earlier this week sounded a call that's been heard repeatedly in recent months: get the privacy safeguards in order first. The bill does include several privacy provisions, reports Computerworld, but "If you don't have adequate safeguards to protect privacy, many Americans aren't going to seek medical treatment," said Sen. Patrick Leahy (D-VT) at a Senate Judiciary Committee hearing. [Source]

 

US – Supreme Court Will Not Hear DoJ’s COPA Appeal

The US Supreme Court will not hear an appeal from the US Department of Justice to reinstate the Child Online Protection Act (COPA). The law has been criticized as overreaching and vague from the time it was introduced; COPA was signed into law in 1998 and was immediately enjoined by a federal judge in Philadelphia. It would have required private companies to ensure that any content they create or distribute that is deemed harmful to minors was not available to people under the age of 17 or face civil and criminal penalties. This was the third time the Supreme Court has been asked to determine COPA’s constitutionality. [Source] [Source] [Source] [Source] [Source] [Source]

 

Workplace Privacy

 

CA – Teacher Registry Would Put Disciplinary History Online

A proposed online registry to house information on teachers is unnecessary and might violate privacy law, say Alberta teachers. The online database would contain teachers’ certification statuses and disciplinary records. The aim of the system would be to prevent teachers with a history of misconduct from moving between school boards, the report states. British Columbia has already launched a similar registry. “We need to look at the privacy issue, personal privacy and (Freedom of Information and Protection of Privacy Act) considerations before we could see what the applications might be for Alberta,” said Kathy Telfer of Alberta Education. [Source]

 

+++