Privacy News Highlights

24–31 July 2009

 

Contents:

CA – Hutterites Need Driver’s Licence Photos: Top Court

CA – Barwatch Wants Meeting With BC Privacy Commissioner

CA – Toronto Police to Look Into Hacked Hydro Bills

CA – Centre Urges Wider Probe into Juror Vetting

US – White House Seeks Public Input on Use of Persistent Cookies

US – Massachusetts Addresses PII Collection by Courts

UK – UK Government Advice Urges Tweeting

WW – Spam and Malware at All-Time Highs: Report

US – Workgroup Wants Encryption, Audits, Access Controls

WW – APEC Summit Discusses Progress on Privacy

WW – Netgear and OpenDNS to Block Porn from the Cloud

WW – EU & US: Criticism Grows over Banking Data Deal

US – Red Flags Rule Enforcement Deadline Extended

UK – Davis Criticises Tory Privacy Decisions

US – Network Solutions Hack Compromises 573,000 Credit, Debit Accounts

US – TJX Agrees to $9.7 Million Settlement Over Breach

CA – B.C. Bank Accidentally Emails Insurance Claim List to Media

WW – Network Solutions Launches Damage Control Effort

US – L.A. Still Plans Move to Cloud

US – Can Privacy and Consumer Protection Coexist Online?

UK – Cambridge U Study Finds Widespread Privacy Failings in Online Social Networks

US – CDT Releases Privacy Recommendations Report for Google Book Service

US – Bill Gates Critical of U.S. Privacy Policy

PK – Enhanced Driver’s Licences Coming

US – Privacy Concerns Surrounding Government Cybersecurity System: CDT Report

US – Obama Stimulus Buys $8M in Airport Spy Cameras

US – Citing Privacy Concerns, Senate Seeks Legal Justifications for Cybersecurity Plan

US – Privacy Group Wants U.S. to Detail Computer Monitoring Program

US – GAO Releases Report on EHR Security

US – Lawmaker Urges Regulations For File-Sharing

Canada

 

CA – Hutterites Need Driver’s Licence Photos: Top Court

The Supreme Court of Canada ruled 4-3 that a Hutterite community in Alberta must abide by provincial rules that make a digital photo mandatory for all new driver’s licences as a way to prevent identity theft. The case involved the Hutterian Brethren near Lethbridge, Alta. The group had argued a 2003 regulation enacted by the province requiring photographs on the licences breached their charter right to freedom of religion. The top court rejected the claim. “The goal of setting up a system that minimizes the risk of identity theft associated with drivers’ licences is a pressing and important public goal,” said Chief Justice Beverley McLachlin, writing for the majority. “The universal photo requirement is connected to this goal and does not limit freedom [of] religion more than required to achieve it.” [Source]

 

CA – Barwatch Wants Meeting With BC Privacy Commissioner

Barwatch administrators have called for a meeting with British Columbia’s information and privacy commissioner, David Loukidelis, following last week’s halt to the controversial nightclub security program. Loukidelis ruled that Barwatch’s data collection process went too far following a complaint by a patron who was denied access to a popular club after refusing to have his driver’s licence scanned and his photo taken at the door. Barwatch scanners were installed and data collection policies established more than two years ago following a spate of violence at a number of Vancouver venues. [Source] [Victoria bars stop scanning IDs after privacy decision]

 

CA – Toronto Police to Look Into Hacked Hydro Bills

Toronto police and Ontario’s privacy commissioner have both been called in after someone hacked into 179,000 electronic Toronto Hydro bills this month. The e-bills are sent monthly and include basic customer information such as an account number, home address and name. They do not include banking or prepayment information. As such, Ontario information and privacy commissioner Ann Cavoukian doesn’t consider the e-billing information itself a serious privacy breach, but believes it could allow those in possession of it to contact customers by phone or e-mail to try to draw out further details about banking information. An investigation by her office and the Toronto police has begun. [Source]

 

CA – Centre Urges Wider Probe into Juror Vetting

A Centre for Constitutional Rights report calls for a wider probe into juror-vetting practices that resulted in the declaration of two mistrials in recent months, reports the Toronto Star. The Ontario Information and Privacy Commissioner commissioned the report as part of her own investigation into the practice, which involved police accessing confidential databases to help Crown prosecutors stack juries. “Potentially, the rights of thousands of prospective jurors have been breached,” the report says. Meanwhile, Ontario’s chief prosecutor has expanded his investigation into the matter. [Source]

 

E-Government

 

US – White House Seeks Public Input on Use of Persistent Cookies

The White House wants public input on its use of persistent cookies. Since 2000, federal agencies have had to obtain special clearance in order to use them, but “in the ensuing time, cookies have become a staple of most commercial Web sites with widespread public acceptance of their use,” said federal Chief Information Officer Vivek Kundra and Michael Fitzpatrick of the Office of Management and Budget in a blog post. The Obama administration wants public feedback on whether it should update the cookie-prohibition policy and, if so, what principles should guide cookies’ use. [Source]

 

US – Massachusetts Addresses PII Collection by Courts

In response to criticism by lawyers who have said state courts unnecessarily collect too much personal information from individuals filing documents, the Massachusetts state court system has drafted guidelines that would give citizens the option of withholding certain information. The non-binding rules, which affect civil and criminal court documents and are available to the public, go into effect September 1 and would apply to information such as Social Security numbers. A spokesman for the Massachusetts Attorney General’s Office said the rules were drafted even though no known cases of identity theft have occurred using court documents. [Source]

 

UK – UK Government Advice Urges Tweeting

New UK government guidance has been published urging civil servants to use the micro-blogging site Twitter. Launched on the Cabinet Office website, the 20-page document is calling on departments to “tweet” on “issues of relevance or upcoming events”. [BBC] [Source]

 

E-Mail

 

WW – Spam and Malware at All-Time Highs: Report

Spam and botnets have hit their highest levels ever, according to McAfee’s second-quarter Threats Report, released Wednesday. McAfee’s Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year. [CNET] [Q2 Report]

 

Electronic Records

 

US – Workgroup Wants Encryption, Audits, Access Controls

A federal advisory panel workgroup has created 37 technical standards for protecting patients’ privacy in the electronic health record (EHR) environment. The standards call for encryption, strong access controls and audits. The Health Information Technology Standards Committee’s Privacy and Security Workgroup released the standards to the full committee last week, calling for a staggered implementation. Deborah Peel of the Coalition for Patient Privacy says the fact that patient consent management tools would not be rolled out until 2015 is “a stunning defeat for consumer protection.” The committee will forward full recommendations to the Department of Health and Human Services later this year. [Source]

 

Encryption

 

WW – APEC Summit Discusses Progress on Privacy

During a Data Privacy Subgroup meeting of the Asia Pacific Economic Cooperation (APEC) Forum on Tuesday, members discussed progress on a number of privacy-related legislative fronts. The Hunton & Williams privacy blog cited pending privacy legislation in Malaysia, Vietnam, Thailand and the Philippines; review and reform of existing privacy law in Hong Kong and New Zealand; and the formation of a government authority for privacy and transparency in Chile. [Source]


 

Filtering

 

WW – Netgear and OpenDNS to Block Porn from the Cloud

Netgear is about to ship routers designed to allow parents to block content on any device using the home’s wired or wireless network. The new routers, which will be available in early September, will be equipped with firmware that configures them to use OpenDNS’ domain name server to look up the actual IP address of any site someone tries to visit. If that site isn’t on the blocked list, it will be displayed. However, if a parent has blocked that site, the user will instead be sent to a page that informs them that the site they tried to access is blocked. [CNET]
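The mechanism in the story is a filtering resolver: the router points every client at a DNS service that answers blocked names with the address of a block page instead of the site’s real address. The following is an added illustration of that lookup logic, not Netgear or OpenDNS code; the domain names, addresses (RFC 5737 documentation ranges) and the in-memory “upstream” table are all constructed for the example. The bypass at the end is the caveat a practitioner would raise: the filter only applies to clients that actually use the router’s DNS setting, so a device configured with its own resolver, or connecting to an IP address directly, never sees it.

```python
from typing import Optional

BLOCK_PAGE_IP = "192.0.2.10"  # assumption: address that serves the "this site is blocked" page

# Constructed stand-in for real upstream resolution (a real resolver would query
# authoritative servers over the network).
UPSTREAM = {
    "news.example": "203.0.113.42",
    "adult-site.example": "198.51.100.7",
    "cdn.adult-site.example": "198.51.100.8",
}


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.strip().lower().rstrip(".")


def is_blocked(name: str, blocklist: set) -> bool:
    """Suffix match on labels: blocking 'adult-site.example' also covers every
    host under it, but not unrelated names that merely contain the string."""
    labels = _normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_filtered(name: str, blocklist: set) -> Optional[str]:
    """Answer a client on the filtered network would receive; None models NXDOMAIN."""
    if is_blocked(name, blocklist):
        return BLOCK_PAGE_IP
    return UPSTREAM.get(_normalize(name))


def resolve_unfiltered(name: str) -> Optional[str]:
    """Answer the same client gets if it ignores the router's DNS setting and asks
    another resolver directly: the blocklist is never consulted."""
    return UPSTREAM.get(_normalize(name))


if __name__ == "__main__":
    parental_blocklist = {"adult-site.example"}
    for host in ["news.example", "adult-site.example", "WWW.adult-site.example."]:
        print(host, "->", resolve_filtered(host, parental_blocklist))
    print("bypass ->", resolve_unfiltered("adult-site.example"))
```

Two details matter in practice: matching on whole labels rather than substrings (so "notadult-site.example" is not caught by a rule for "adult-site.example"), and accepting that DNS filtering is a convenience control, not an enforcement boundary, unless the router also blocks outbound port 53 to anything but itself.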

 

Finance

 

WW – EU & US: Criticism Grows over Banking Data Deal

The EU is about to enter talks with the US on giving it access to banking data in its fight against terrorism. German politicians from across the political spectrum are up in arms, and members of the European Parliament say they will try to scupper any deal that violates data privacy. US anti-terror officials want to be able to continue examining Europeans’ financial transactions, and it appears likely that the European Union is going to comply. This Monday, foreign ministers of EU member states gave their approval for the European Commission and Sweden (current EU president) to negotiate an agreement with Washington that would allow it to scrutinize European citizens’ banking data. However, there is a growing wave of criticism from across the political spectrum in Germany and from the European Parliament. German Data Protection Commissioner Alexander Dix has called the plan to share banking data with the US “unacceptable” and urged Germany’s federal government to oppose it. On Monday, he told the Berliner Zeitung that he suspected that the EU wanted to push through the plans now because, once the Lisbon Treaty has been ratified, any agreement would require the backing of the European Parliament. On Monday, Günter Gloser, a top official at the German Foreign Ministry, said that data privacy would play an important role in the negotiations with Washington. “In the preliminary talks, the German federal government was very precise about the framework the commission should stick to during the talks,” he told reporters. Berlin wants all the issues of legal protection to be clarified before a deal is concluded, he said, so that citizens can defend themselves should US authorities accuse them of being involved in terrorist activities. [Source]

 

US – Red Flags Rule Enforcement Deadline Extended

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or “red flags.” [FTC Announcement] [FTC Red Flags Website] [Enforcement FAQ]

 

Health / Medical

 

UK – Davis Criticises Tory Privacy Decisions

Former UK shadow home secretary, David Davis, has launched an attack on his own party’s decision to back the transfer of people’s health records to Google. Writing in The Times, Mr Davis said that when he found out the Tories were backing the data transfer to Google, “my heart sank”. Mr Davis is a vocal privacy campaigner and resigned from the shadow Cabinet last year in order to force a by-election and cause a wider debate on the issue of the erosion of civil liberties. Speaking about the Google data transfer, he said: “The policy described was so naive I could only hope that it was an unapproved kite-flying exercise by a young researcher in Conservative HQ. “If not, what was proposed was both dangerous in its own right, and hazardous to the public acceptability of necessary reforms to the state’s handling of our private information.” Mr Davis said: “Google is the last company I would trust with data belonging to me”. He cited information from human rights watchdog Privacy International, which recently gave Google the lowest possible assessment following the company’s deal with China to limit its citizens’ access to certain internet sites. [Source]

 

Horror Stories

 

US – Network Solutions Hack Compromises 573,000 Credit, Debit Accounts

The Washington Post’s Brian Krebs reports that a data breach at Internet domain administrator and host Network Solutions has compromised personal and financial data for more than 573,000 credit and debit card accounts. The breach, discovered in June, was the result of attackers planting rogue code on company web servers that host mostly small online stores; the code intercepted financial transactions between those sites and their customers. Compromised data was captured between March 12 and June 8, 2009, when the breach was discovered. Network Solutions is working with law enforcement authorities on an investigation. [Source]
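Rogue code planted on a hosting server sits in the web root for months only if nobody compares what is on disk against what was deployed. The following added example (not Network Solutions code, and not a reconstruction of the actual attack, whose code the story does not describe) shows the basic check: build a manifest of file hashes for a web root, then rescan and report anything added, removed or changed. The shop files, the appended line and the dropped file are all constructed for the demo. The caveat is that the baseline must be stored off the host or signed, otherwise whoever modified the site can also rewrite the manifest, and that a file-level scan says nothing about code injected into a database or running only in memory.

```python
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small store's web root, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<html><body>Welcome to the shop</body></html>\n")
        _write(root, "checkout.php", "<?php // collects card details for the payment processor ?>\n")
        _write(root, "css/site.css", "body { font-family: sans-serif; }\n")
        baseline = build_manifest(root)

        # Simulated tampering (constructed and inert): one line appended to the page
        # that handles card data, and one new file dropped where nobody looks.
        with open(os.path.join(root, "checkout.php"), "a", encoding="utf-8") as fh:
            fh.write("<!-- injected line -->\n")
        _write(root, "images/.cache.php", "<?php // dropped file ?>\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host the baseline would be taken from the deployment artefact rather than from the live server, and the scan run on a schedule from a separate system, so that the comparison does not trust the machine it is checking.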

 

US – TJX Agrees to $9.7 Million Settlement Over Breach

TJX, owner of the T.J. Maxx and Marshalls discount clothing chains, agreed to pay $9.7 million in a settlement with 41 U.S. states over a computer breach that left millions of consumers vulnerable to identity theft, Pennsylvania’s attorney general said. The settlement resolves claims that TJX failed to take sufficient steps to protect consumer information, Pennsylvania Attorney General Tom Corbett said today in a statement. The deal will create a $2.5 million national fund to investigate future data-security breaches, the statement said. “This multi-state investigation was triggered by the largest computer security breach ever reported,” Corbett said. “Every time someone swiped a credit card or debit card at a store operated by TJX, their information was funneled directly to hackers.” [Source]

 

CA – B.C. Bank Accidentally Emails Insurance Claim List to Media

An employee at Coast Capital Savings inadvertently emailed a list of the insurance claims of 464 clients to about 75 Metro Vancouver media outlets. The email attachment included names, postal codes and the amounts of property insurance claims, but no social insurance numbers, addresses or account numbers. A letter would be sent out to all the affected clients, said Coast Capital’s chief risk officer. Coast Capital is doing a comprehensive security review to make sure such a thing cannot happen again. [Source]

 

WW – Network Solutions Launches Damage Control Effort

Following disclosure of a data breach that may have compromised the credit card data of more than 573,000 patrons of small commercial Web sites, Internet domain administrator and host Network Solutions has initiated a crisis response effort. Reaching out to its clients affected by the breach, Network Solutions has offered assistance in helping sites notify those customers whose credit card data may have been compromised, including offering credit monitoring services. Network Solutions spokesperson Susan Wade said, “Unfortunately, something like this could happen to any online business, so we’re just letting our customers know that we’re there for them, we will help them as much as we can, and we take this issue very seriously.” [Source]

 

Internet / WWW

 

US – L.A. Still Plans Move to Cloud

Despite the hullabaloo when it emerged earlier this month that the city of Los Angeles might move its applications to Google Apps, city officials are pressing on with migration plans, reports Computerworld. The city’s technology council is reviewing the contract and, if approved, the city council will vote on the project, possibly as soon as next week, the report states. A Google spokesperson said that company engineers have spent several months addressing officials’ privacy and security concerns. A spokesperson for Mayor Antonio Villaraigosa said the city council will only approve the project if those concerns have been properly tended to, the report states. [Source]

 

Online Privacy

 

US – Can Privacy and Consumer Protection Coexist Online?

A new report by Emory University professor and Technology Policy Institute (TPI) fellow Paul Rubin is skeptical of a law that would impose stricter regulations on the data collection and monitoring activities of behavioral advertisers. Rubin says that in the 10 years that online companies have been tracking consumer behavior, “...nothing bad has happened.” He says the TPI report shows legislation could have a detrimental effect on consumer choice online. Congressman Cliff Stearns (R-FL) says federal legislation restricting online advertising will probably be filed this year, and that lawmakers should proceed with caution. [Source] [TPI report]

 

UK – Cambridge U Study Finds Widespread Privacy Failings in Online Social Networks

A new Cambridge University study of 45 online social networking sites has documented widespread privacy abuse, ranging from deceptive policies and needless data collection to failure to use encryption and sharing of data with third parties. The study also concludes that many social networking sites avoid privacy disclosures out of a fear that mentioning the word “privacy” causes subscribers to withhold information. “Sites want users to be relaxed and having fun, but when privacy is mentioned users feel less comfortable sharing data,” co-researcher Joseph Bonneau said. “Even sites with good privacy feel that they can’t promote it, so users have no idea of what they’re getting.” [Source] [Full report with original dataset]

 

US – CDT Releases Privacy Recommendations Report for Google Book Service

CDT has released a report analyzing the privacy risks associated with the proposed expansion of Google Book Search. The report urges Google to commit to a strong privacy regime for the new service in advance of the settlement fairness hearing this fall. The tentative settlement between Google and publishers, the result of a copyright infringement lawsuit, would dramatically alter the way the public obtains and interacts with books. The report asks the court to approve the settlement but to retain oversight in order to monitor implementation of a privacy plan. [CDT’s Report on Google Book Service]

 

Privacy (US)

 

US – Bill Gates Critical of U.S. Privacy Policy

In a speech delivered to a gathering of government and IT executives in New Delhi on Friday, Microsoft founder Bill Gates offered criticism of the United States’ approach to privacy, blaming concerns over the aggregation of too much personal information for inefficiencies in healthcare, immigration and other national policies, saying, “It has always come back to the idea that ‘The computer knows too much about you.’” The New York Times reports that Gates was in India to meet with Nandan Nilekani, minister in charge of the country’s national identity card project. Microsoft is hoping to play a role in the program, the Times said. [NYT Source]

 

RFID

 

PK – Enhanced Driver’s Licences Coming

Pakistan’s National Database and Registration Authority (NADRA) will implement enhanced driver’s licences. The authority hopes the RFID-enabled licences will help with identity verification and privacy concerns, the report states. The licences will hold drivers’ personal information and traffic histories. The data will be stored on a central server and police officers will access it using handheld devices. Currently, NADRA is presenting the licences to local governments. [Source]

 

Security

 

US – Privacy Concerns Surrounding Government Cybersecurity System: CDT Report

The Center for Democracy & Technology today released a report outlining a series of privacy and legal questions that surround the government computer monitoring system known as “Einstein.” The report calls on the Administration to release information about the legal authority for Einstein, the role of the nation’s top spy agency, the National Security Agency, in its development and operation, and the impact of Einstein on privacy. [CDT’s Report on Einstein Cybersecurity System]

 


Surveillance

 

US – Obama Stimulus Buys $8M in Airport Spy Cameras

Five domestic airports will share nearly $8 million worth of new surveillance cameras, thanks to the Obama administration’s stimulus package, the Department of Homeland Security announced this week. Cincinnati/Northern Kentucky International, Ronald Reagan Washington National, Spokane International, Gerald R. Ford International and Boise, Idaho airports will split $7.7 million for advanced closed-circuit surveillance systems, according to DHS chief Janet Napolitano. [Source]

 

US Government Programs

 

US – Citing Privacy Concerns, Senate Seeks Legal Justifications for Cybersecurity Plan

The Senate Intelligence Committee is demanding that the Obama administration supply it with the legal justifications it has produced for conducting government cybersecurity operations, or face losing funding for the projects. “During the next three years, the executive branch will begin new and unprecedented cybersecurity programs with new technology,” the senators write in a report released Wednesday, which accompanies the Senate’s version of the FY2010 Intelligence Authorization Act, which will be voted on at an undetermined date. These new technologies, which go beyond standard firewall and anti-virus protection products, the senators write in their report, pose new legal and “significant potential privacy implications,” which makes “congressional and Executive oversight particularly important.” The report mentions privacy concerns about e-mail or other electronic communications intended for personnel in one government agency or department but forwarded to another department, such as the Department of Homeland Security or an intelligence agency, as part of a cybersecurity program intended to protect government networks. [Source] [Report]

 

US – Privacy Group Wants U.S. to Detail Computer Monitoring Program

The Center for Democracy and Technology has issued a report on the federal government’s upgraded cyber-monitoring program, Einstein 3, and wants answers from the Obama Administration about the system’s privacy implications. The CDT wants information about the legal authority to use Einstein, which can purportedly read the content of e-mail, and it also wants to know what role the National Security Agency will play in Einstein’s use. “While its predecessor merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns.” The CDT’s report cited articles suggesting that Einstein 3 will be deployed within telecommunications service provider networks. [Source] [CDT Report]

 

US – GAO Releases Report on EHR Security

The U.S. Government Accountability Office (GAO) has released the following reports, testimony, and correspondence: LETTER REPORT: Electronic Health Records: DOD and VA Efforts to Achieve Full Interoperability Are Ongoing; Program Office Management Needs Improvement. [GAO-09-775] [Highlights]

 

US Legislation

 

US – Lawmaker Urges Regulations For File-Sharing

A senior U.S. lawmaker said on Wednesday that it may be time for the government to regulate companies that provide online file-sharing services after a number of people managed to access FBI files, medical records and Social Security numbers. House Oversight and Government Reform Committee Chairman Edolphus Towns said during a hearing on the safety of P2P software that he was astonished at privacy breaches involving LimeWire, operated by the Lime Group. [Washington Post]