Privacy News Highlights
22–30 June 2009
Contents:
US – Customers Worry About Defunct Registered Traveler Program Data Security
CA – Canadians Support Biometrics: Immigration Department Poll
CA – Information Commissioner Marleau Quits
CA – B.C. Brokers Call for Legislative Ban on Credit Scoring
CA – Ontario Privacy Office Defends Role Jury Snooping Investigation
UK – Spy Society: Astonishing Amount of Data Gathered on Every One of Us
UK – Think-Tank Proposes Decentralised Data Storage
UK – Govt Must Let Go Of Britain’s Data, Says Report
UK – UK Government Commits to Cloud Computing for Public Sector
US – White House Seeks Public Input on Classified Records Policy
AU – Spam Blacklist Bids Top $1m
US – Top Court Won’t Review Prescription Privacy Law
US – CDT’s Health Privacy Project Releases Paper on De-identification of Health Data
US – Group Advocates Electronic Medical Records
CA – Report on Use of EHR Data for Health Research - Current Governance Challenges
US – Arizona Study: ‘Deinstallation’ of EMRs Could Be a Trend
WW – Encryption Gets “Gentry”fied
US – Nevada Law Requires PCI DSS Compliance
US – PCI Security Standards Council Seeking Feedback from Public
US – Heartland CEO Moving Forward With an Eye to Improving Industry Security
EU – EDPS: Data Protection Showing Good Improvement
UK – You Can’t Ban Parents From Taking Pictures, Schools Told
EU – Privacy Regulator to Step Up Spot Checks on EU Bodies
EU – Social Networking Big Boys Must Bow to EU Data Laws
US – FTC Issues Final Order In CVS Caremark Data Security Case
US – U.S. Formally Opposes China’s Demand for Pre-Installed Filtering Software on PCs
CN – China Says Web Filtering Software Launch Unchanged
WW – Companies Appeal to China to Drop Web Filter Plan
US – California Bank Clients’ Privacy Shield Survives Final Legal Challenge
US – U.S. May Drop Case Against UBS
AU – Curtis Will Propose Breach Notification Law
US – Canoe Suspends Targeted Ads, Citing Privacy, Technical Issues
CA – MPs, Bureaucrats Clash Over Right to Hear Unedited Tapes
MY – Malaysian Law Mandating DNA Samples from Suspects Passes
US – Vermont Data-Mining Firms Seek to Block Rx Data Marketing Law
IR – Ireland HIQA Pushing Mandatory Health ID from Cradle to Grave
US – Doctors Object to Penalties for Avoiding EHRs
US – Malicious Attacks, Employee Theft on the Rise
WW – UBC Journalism Students Find Sensitive Data in Digital Dumps
US – TJX Reaches Settlement With States on Data Theft
CA – Security on Stolen Laptops Was Inadequate: Privacy Commissioner
US – Stolen Laptop Holds Cornell University Staff and Student Data
UK – Scottish Government Seek End to £1bn ID Card Plans
US – Wisconsin Supreme Court Upholds Identity Theft Charge
US – New FTC Rules Require Written ID Theft Plans
EU – France Bureaucrats Propose Registration of Web Pseudonyms or “Handles”
EU – Fight Over German Filtering Law Sends MP into Pirate Party
US – EFF Files Lawsuit Over FBI Surveillance Docs
US – ACLU Asks Court to Open Secret Government Filing
WW – Malicious Insiders Could Hurt Cloud Computing
CA – Judge Blasts Police for ‘Excessively Intrusive Search’ of Harkat’s Home
WW – Gartner: Firms Still Playing Catch-Up With Privacy
BC – BC Ferries Security Upgrade Features 800 Surveillance Cams
WW – Facebook Testing New Control for Shielding Updates
WW – New Facebook Blog: We Can Hack Into Your Profile
EU – EU Lays Out Web Privacy Rules
EU – Facebook Hires Lobbyists to Push Privacy Agenda
CR – Committee Favors Data Protection Law
US – Senate Votes to Block Detainee Photos
US – Strip Search of Arizona Teen Ruled Illegal
US – U.S. Landlord Had Hidden Cameras Peeping on Female Tenants
US – GOP Congresswoman Refuses to Complete Census Form
AU – Medicare the Base for E-Health IDs
EU – Commission Investigates Right to ‘Chip Silence’
WW – RFID-Enabled Phones Could Let Credit Card Companies Track Users
US – Defence Secretary Gates Approves Creation of New Cyber Command
US – Cyber Security Czar Front-Runner No Friend of Privacy
UK – Ex-Microsoft CTO: Scrap ID cards and Big Brother Database
UK – Secret Police Cams: Licence Plate Recordings up 1000%
AU – Plan for Secrecy Laws Out in the Open
UK – Government Surveillance Response ‘Inadequate’, Say Lords
CA – Rights Group Slams Victoria Police Over Plan to Wear Cameras
CA – Secret Police Wiretaps Prompts Questions Over Privacy
US – DHS to Cut Police Access to Spy-Satellite Data
US – White House Seeks Public Input on Classified Records Policy
US – Napolitano Endorses PASS ID Bill - PASS ID Would Kill Parts of Real ID
US – Check Your Policy! No Privilege When E-Mailing Lawyer from Work
AU – Australia AFL Off-Season Drug-Testing Attacked
US – Password-Protected Comments Off Limits to Boss, Jury Rules
Biometrics
Customers of the suddenly-defunct Verified Identity Pass (VIP) registered air travel service Clear have expressed concern about the security of the data they provided to the company. Membership in the Clear service allowed customers to navigate security at US airports more quickly than most other travelers. The company blamed its hasty decision to cease operation on its inability to “negotiate a settlement” with its main creditor. VIP issued a statement assuring customers that their data are being protected as required by Transportation Security Administration (TSA) standards and that it would “take appropriate steps” to destroy the collected data, but did not provide any specific information about the method it would use. Customers had provided the company with a virtual treasure trove of personal data, including SSNs, credit card numbers, driver’s license numbers, iris scans and fingerprints. In a move already proving unpopular, the company said that because of its current financial situation, customers who have signed up for the US $199 a year service would not receive refunds. The company has more than 260,000 customers. [Source] [Source] [Schneier editorial]
Canadians support the idea of using fingerprints and other biometric information to identify those coming to Canada or to prevent abuse of government programs, according to a public opinion poll conducted for the immigration department. However, respondents were also more likely to agree with biometric information being collected from non-Canadians than from Canadian citizens. The poll comes as the Ministry of Immigration and Citizenship is planning to start fingerprinting applicants for temporary resident permits in 2011. The highest level of support, 84%, was for using biometrics to conduct criminal checks on non-Canadians. Canadians also support biometrics to verify the identity of non-Canadians applying for a visa, as well as being included in Canadian passports, used at the border, and to supply airlines and other countries with confirmation of identities. The government also tested the idea of collecting biometric information from people who use government programs or access government buildings. The poll found that 84% of respondents agreed with using biometrics to prevent abuse of government programs, while 76% agreed with it being used to facilitate access to them. The lowest level of support, 74%, was for requiring biometric information to enter major government buildings. While there was some concern about how the government might use the information, 64% believed the government would only use it for the purpose for which it was collected. A majority also supported sharing biometric information with countries like the U.S., Britain, Australia and New Zealand. The poll also revealed divisions among Canadians. Those most likely to support using the technology were also more likely to believe immigration has a negative impact. Those most likely to oppose biometrics were immigrants and those whose parents had immigrated to Canada. [Source] [Source]
Canada
Canada’s fourth and current Information Commissioner, Robert Marleau, has announced his retirement from public life effective June 29, 2009. Marleau has put forward some important recommendations to help start fixing the broken access to information (ATI) system. A House of Commons committee is about to release its recommendations for reform. The current government campaigned on a commitment to ATI reform. And then today, Marleau quit for “entirely personal and private” reasons. Assistant Commissioner Suzanne Legault is his interim successor. [Source] [Ottawa’s information czar quits suddenly Openly scolded Tories for being too secretive] [Farewell Bob Marleau, we barely knew ye! No really - we really, barely knew ye at all!] [Murray Langdon: Marleau is leaving. I find it entirely suspicious]
The Insurance Brokers Association of B.C. (IBABC) has asked the B.C. government for legislative changes that would prohibit insurers’ ability to collect information for the purpose of credit scoring. “Our position is that we don’t want credit scoring to be an underwriting factor in B.C., and the best way to ensure that is to prohibit it by statute,” Trudy Lancelyn, deputy executive director of IBABC, said. IBABC observes on its Web site that Alberta’s superintendent of insurance in December 2008 issued a notice that insurers could be fined up to Cdn$25,000 for requiring a customer to consent to a credit report as a condition of obtaining a policy premium quote. In Ontario, brokers have asked their provincial government to issue a ban on using credit scoring for the purpose of underwriting home insurance. Ontario insurers are currently not allowed to use credit scoring in auto insurance. Canadian privacy legislation requires consumers to provide informed consent for the use of information beyond that which is required to fulfill specified purposes. “But some financial institutions collect blanket consent to share information with their other operational divisions and for undisclosed purposes,” IBABC says. IBABC has urged the B.C. government “to increase consumer protection by aligning and strengthening the Personal Information Protection Act regarding [the issue of] blanket consent.” The association also seeks to “amend” sections 107, 108 and 110 of Part 6 (Credit Reporting) of B.C.’s Business Practices & Consumer Protection Act, which currently allow insurance credit scoring. [Source]
Comments in a recent article about Ontario’s Information and Privacy Commissioner investigating jury record checks are fundamentally misinformed. In light of alleged unauthorized record checks, our goal is to find out how the courts, Crown attorneys and the police have treated prospective jurors’ information and whether public officials have complied with Ontario’s privacy laws. We, therefore, initiated our investigation by focusing on the practices of these public officials, through site visits -- to date, Windsor and Thunder Bay, Barrie to follow -- and a provincewide survey of Crown attorneys’ offices. Our investigation will continue to expand in scope. For example, before we issue our report, we will be seeking information from court administrators, Crown attorneys and representatives of the police and the defence bar on the issues raised by the matter. For the lawyer who was quoted to suggest that our investigation is an “incompetent whitewash” and a “coverup” is completely unsubstantiated and without foundation. KEN ANDERSON, Assistant Commissioner, Privacy Office of the Information and Privacy Commissioner of Ontario, Toronto [Source]
Consumer
The Daily Mirror recently exercised the Freedom of Information Act in an effort to discover the amount of data amassed on the average British citizen. A 35-year-old reporter-investigator filed requests for held data with 46 organisations. The information returned—from government agencies, schools, doctors, and others—resulted in a two-stone, 3,000-sheet tower of paper. “The sheer volume of information I got back--and what it contains--will stun anyone already worried about how private your personal data really is,” writes Matt Roper, whose every grocery store purchase, projected number of kids, university grades, exercise habits and physicians’ treatment records from the 1970s were among the data deluge. [Source]
E-Government
The government should abandon its plans for large centralised IT projects, and hand control of personal information back to citizens, according to a new paper from Tory think-tank the Centre for Policy Studies (CPS). The paper, entitled It’s Ours: Why We, Not Government, Must Own Our Data, said that the government will spend about £16.5bn on IT in 2009/10, equivalent to 1.4% of gross domestic product, but that only around 30% of these IT projects will actually succeed. The CPS proposes that the state should remain as “the default holder of personal data”, but that citizens should be able to opt out of central control if they wish. For example, citizens could choose to use services such as Google Health to store health records and communicate with their GPs, removing the need for an NHS database. “This approach requires all public services to use open data standards to ensure that data can be easily transferred from one provider to another, in the same way that customers can today transfer their accounts from one bank to another,” the report said. “The potential benefits of this approach are substantial. They include estimated savings on government IT expenditure of 50%, more flexibility, better public services, greater security and privacy over data, and far less intrusion by the state into the everyday lives of its citizens.” [Source] [The paper: It’s Ours: Why We, Not Government, Must Own Our Data]
Government IT should put users back at the centre of systems, in order to improve services and cut costs, according to a new report from a right-wing think tank. Echoing the Conservative Party’s calls to scrap big databases like the National Identity Register, the Centre for Policy Studies has produced a report saying the government must ditch its Transformational Government plans and abandon the idea of centralised IT projects. Transformational Government is an idea that grew out of the 2006 Varney report, which has led to the current government trying to tie together services, databases and IT to improve public services. The Centre for Policy Studies report - unsubtly called “It’s Ours: why we, not government, must own our data” - has called such systems a failure. Citing a previous study, author Liam Maxwell claimed that only 30% of such IT projects succeed, and as such, the government should stop rolling out “expensive and failing centralised IT projects.” Maxwell wrote that smaller, localised projects were more successful. “This is the approach that has been increasingly effective in the private sector,” he claimed. For example, he suggested Britons use private, third-party services such as HealthVault or Google Health to hold records, rather than develop an NHS database - which is currently happening as part of the £12 billion National Programme for IT. He admitted that approach does not work for all government databases, saying: “it is not proposed, for example, to allow criminals to control their police records.” Maxwell called on the government to put data back in the control of citizens, comparing it to Amazon. If people want a book, they must make sure their address and credit card details - private, key data - are accurate and up-to-date. Amazon can communicate that to its partners, but people can go in and change it or delete it when they wish.
“Amazon is happy for the person who makes the changes to personal data to be the person that knows about that person best - us,” Maxwell noted. The report also called for localised services, for example, letting a GP choose the best system for their office, rather than be forced to learn how to use a centralised system. For the systems which the Government can’t pass off, Maxwell said it should consider service oriented architecture (SOA) for designing systems, and also look to cloud computing so it no longer needs to invest in so much infrastructure. “The market is now providing the IT systems needed for government, systems which are better centred on the needs of us, as public service users, rather than on government as a fumbling middleman, and which are far cheaper to run,” Maxwell noted. [Source]
The Government has asked all public sector bodies to make future IT purchases consistent with cloud computing so that it can move all its digital services into a private, secure ‘cloud’ called ‘G-cloud’ for government bodies. In its Digital Britain report the Government said that it wanted the public sector to reap the benefits of scalability, speed of provisioning and flexible pricing that it says cloud computing can bring. While it consults with an IT trade body the Government has told all departments to make sure that all IT procurement from now on is compatible with cloud computing. It is not the report’s recommendation, though, that the Government run its business over public cloud networks. [The Digital Britain report] [Source] SEE ALSO: [Security experts call for cloud kitemark Regulation and education alone not enough to ensure security in the cloud]
President Obama wants advice on how the government should keep its secrets. A month ago, he issued a memorandum directing national security advisers to recommend ways to improve the rules by which records are classified and later opened to the public. Starting today, tech-savvy citizens as well as federal officials will be able to weigh in on the complicated debate. [Washington Post]
Depending on your political persuasion and certain other factors, in the future, your presence in the area of a candidate’s political rally might result in the delivery of an ad to your mobile phone encouraging you to attend. ClickZ explores a practice that, until now, has been enshrouded in secrecy: voter file-based ad targeting. Campaigns combine voter registration data provided by Secretaries of state with demographic data purchased from commercial data collection entities. Both national political parties have used it, and California’s pro-Proposition 8 group, Yes on 8, received awards for its use of targeted voter ads. [Source]
One of the largest spam blacklists in the world, developed in Australia, is up for sale and the creator has already received offers of more than $1 million. Proposals have come from all over the world and “dubious” organizations have been especially keen on the acquisition. [Australian IT]
Electronic Records
The U.S. Supreme Court this morning refused to hear an appeal requested by two companies that want a New Hampshire prescription privacy law overturned. The high court rejected without comment the request of Verispan and IMS Health, who argued that a law prohibiting companies from using physicians’ prescribing records to boost drug sales violates their First Amendment rights to free speech. The Supreme Court’s refusal means a 1st U.S. Circuit Court of Appeals decision to uphold the law stands. Last week, the companies asked the 2nd U.S. Circuit Court of Appeals to block implementation of a similar law in Vermont. [Source]
CDT’s Health Privacy Project has released a paper advocating the need for stronger standards for “de-identified” personal health information when used for medical research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the “de-identified” data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT’s paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes. [Health Privacy Project De-identification Paper] [CDT De-identification Paper Press Release, June 25, 2009]
Accessing your own medical records should be as easy as checking your online bank account, a new health-data group contends, and Monday it launched a website to promote better access. The site, HealthDataRights.org, was established by a group that is boosting greater personal use of electronic medical records. Only 15% of physicians track the records electronically, said James Heywood, a group founder. “We want to move toward a world in which patients have complete access to their medical information,” he said. “Patients have the right to help themselves.” Heywood is chairman and co-founder of Patients Like Me, a social networking health site. He said a major roadblock in many states are laws that make it cumbersome for doctors to turn over information to patients. [Source]
Report for the Office of the Privacy Commissioner of Canada by Donald J. Willison Sc.D., Associate Professor, Dept. of Clinical Epidemiology & Biostatistics, McMaster University (June 24, 2009) Paper commissioned by the PCC - examines current challenges in governing research use of health information and potential approaches to addressing these issues in the context of the common interoperable EHR. [Source] [Report] See also: [UVic’s Protti Champions eHealth File Sharing]
The state of Arizona and the Phoenix area have experienced a high adoption rate for electronic medical records, but this has been followed by a “deinstallation” of the technology, according to a report by HealthLeaders-InterStudy. Physician groups in Phoenix are canceling their EMR contracts as a result of training, functionality or affordability issues. This is especially prevalent among smaller physician groups, the report says. The report said “deinstallation” due to financial issues is not unique to physician groups or to Arizona. For example, in areas like Miami, where the economic downturn is threatening the profitability of hospitals, adoption of EMRs has been slow because of a lack of funding for such capital projects. The uptake of EMR technology in the Phoenix area and throughout Arizona has been credited to a 2005 executive order by then-Gov. Janet Napolitano that all healthcare providers install EMRs by 2010. The market’s top hospital systems, Banner Health and Catholic Healthcare West, have installed EMRs, as have several other hospitals in Phoenix. “Because the Phoenix area has been a real leader in EMR uptake, this is the first market in which we are seeing this deinstallation issue arise, but it likely will not be the last,” said Chris Clancy, market analyst with HealthLeaders-InterStudy. “There’s a physician shortage in Phoenix, so with overcrowded waiting rooms, it’s difficult for doctors and their staffs to carve out ample time for training on EMR technology.” [Source] [Press Release]
Encryption
Forbes reports that IBM researcher Craig Gentry has made a cryptographic breakthrough that has big implications for privacy. Actual implementation of so-called “fully homomorphic encryption” is years away, according to IBM research arm president Charles Lickel. But the method, which allows computer systems to analyze encrypted data without having to decrypt it, shows promise for companies that handle and store individuals’ data, the report states. It could also help alleviate privacy concerns associated with cloud computing, a Computerworld report states. “[Fully homomorphic encryption] would give us new confidence that you can secure the world’s infrastructure and bring intelligence to it without exposing data to greater risks,” Lickel said. [Forbes]
As of January 1, 2010, companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Nevada is the first state to require compliance. The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver’s license numbers or account numbers together with passwords must use encryption if they send the information outside of the company. [Source] See also: [MasterCard increases PCI compliance requirements for some merchants]
The PCI Security Standards Council, which establishes technical standards for the payment-card industry, has invited broad feedback from both its membership and the public in order to understand the best course to take for creating a new security standard next year. “We want feedback,” says Bob Russo, the council’s general manager, asking for all criticisms, comments and suggestions related to the existing Data Security Standard 1.2 or any other council endeavors, to help chart a course for future direction. At the community meetings in the fall, the council expects to share a report the council has commissioned from consultancy PricewaterhouseCoopers to examine the impact that a variety of technologies could have on the existing PCI standards. The technologies getting a look include tokenization (creating a substitute for the real payment data), chip-to-pin technology and end-to-end encryption. [Source] [Source] SEE ALSO: [Q&A: No alternative to PCI, security council chief insists] [Price Tag for End-to-End Encryption: $4.8 Billion]
Analysts have been favorably impressed by Heartland Payment Systems CEO Robert Carr’s response to the company’s massive security breach disclosed earlier this year. Instead of hiding, as many CEOs in similar positions have done, Carr has maintained his visibility and is taking steps to improve the overall climate of data protection in his industry. Carr says that the PCI DSS does not go far enough. At Heartland, Carr is implementing end-to-end encryption, an initiative that is expected to be complete by the end of the third quarter. The company is also “pushing for development of an industry-wide standard for encrypting data while being transmitted over networks,” and is co-founder of the Payments Processing Information Sharing Council that will allow payment processors to share information about threats and vulnerabilities. [Source] [Source]
EU Developments
The European Data Protection Supervisor (EDPS) has issued his second general report measuring progress made in the implementation of data protection rules and principles by Community institutions and bodies, as laid down in the Data Protection Regulation. The report shows that Community institutions have overall made good progress in meeting their data protection requirements. A lower level of compliance is observed in Community agencies, but the EDPS will be monitoring this closely and will encourage further compliance. As regards implementation of data protection rules in Community institutions, the report highlights the following main results:
- the EDPS is satisfied that all but one institution now have an inventory of processing operations involving personal data, which allows a more systematic approach to implementation;
- the EDPS notes an increase in the number of institutions which have completed the process. By the end of 2008, at least six institutions could claim that all processing operations had been notified to the DPO, compared to only two institutions in the beginning of 2008;
- only two institutions have so far managed to notify all existing processing operations that present specific risks to the EDPS for prior checking. There is however a positive indication that in most institutions all identified processing operations will have been notified to the EDPS by end-2009.
[EDPS general report] [Source]
Parents who want to take photos of their children in school plays or at sports days can once again snap happily away. The privacy watchdog says authorities that have banned parents taking shots for the family album are wrongly interpreting the rules. Relatives wanting to take pictures at nativity plays, sports days or other public events are often told that doing so would breach the Data Protection Act. But the Office of the Information Commissioner has said this interpretation of the law is simply wrong. It decreed that any picture taken for the family photograph album would normally be acceptable. This guidance can now be used by parents and grandparents to challenge ‘barmy’ rulings relating to the upcoming school sports day season. The guidance, sent to education authorities across the country, says: ‘Fear of breaching the provisions of the Act should not be wrongly used to stop people taking photographs or videos which provide many with much pleasure. ‘Where the Act does apply, a common sense approach suggests that if the photographer asks for permission to take a photograph, this will usually be enough to ensure compliance.’ [Source]
The European Data Protection Supervisor (EDPS) will conduct more compliance spot checks of EU bodies and agencies. Peter Hustinx made the announcement on the release of a report measuring agencies’ compliance with data protection laws. The EDPS said that while over the past year EU bodies have made good progress, there is room for “further compliance.” In particular, the EDPS noted that community agencies have lower levels of compliance. “The EDPS will increasingly proceed with on-the-spot inspections in institutions or agencies in view of checking the reality and encouraging compliance.” [Source] [EDPS Report]
Social networking sites are legally responsible for their users’ privacy, Europe’s privacy watchdogs have confirmed. A committee of data protection regulators has said that the sites are ‘data controllers’, with all the legal obligations that brings. Users of the sites are also data controllers with legal obligations when they are posting on behalf of a club, society or company, the opinion said. The committee of Europe’s data protection regulators, the Article 29 Working Party, has published its opinion on the legal status of social networking operators such as Facebook and MySpace. It has said that the sites cannot escape their legal obligations just because content on them is often produced and posted by users. [Source] [The opinion]
Facts & Stats
The Federal Trade Commission has approved a final consent order settling claims that CVS Caremark violated customers’ privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data. The FTC opened its investigation into CVS Caremark following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained all sorts of personal information -- including patient records, credit card information, employment applications, and account data. At the same time, HHS opened its investigation into the pharmacies’ disposal of health information protected by HIPAA. The FTC and HHS coordinated their investigations and settlements. [Source] [FTC Order]
Filtering
The US government has officially opposed China’s mandate that filtering software be installed on all PCs sold in or shipped to that country. While China maintains that the filtering software is aimed at preventing children from viewing pornography, others see it as a means to allow government censorship of the Internet. The software, known as Green Dam Youth Escort, has also met with criticism for being unsophisticated and for possibly containing stolen code. Some US companies have been chastised for providing Chinese authorities with information about users of their services and they are pleased with the government’s stance which they say takes aim at censorship in China. [Source] [Source] [Source]
China is sticking to its planned launch of a controversial Internet censoring software in about one week, despite Washington’s concerns over the move’s possible impact on trade and access to information. Chinese officials say the Internet filtering is an effort to block access to violent and pornographic material. However, Internet users have ridiculed the system and some are circulating petitions appealing to the government to scrap it. [Washington Post] [PC makers race to comply with China’s Web filter] and [NYT: China Limits Online Access to Health, Sex Material] and [Expert: China’s Green Dam software is unsafe]
Global business groups have made an unusual direct appeal to Chinese Premier Wen Jiabao to scrap an order for PC makers to supply controversial Internet filtering software, citing security and privacy concerns. Just days before the deadline to comply with China’s order, the letter from 22 chambers of commerce and trade groups representing the world’s major technology suppliers adds to pressure on Beijing to halt the plan following an official protest by Washington. [Washington Post] [China filter software faces tough sell in digital bazaar]
Finance
A California law that lets customers keep banks from sharing information with affiliated companies about their savings accounts and buying habits survived a final legal challenge this week. Without comment, the U.S. Supreme Court denied a hearing to the American Bankers Association, which had argued that the 2004 financial privacy law conflicted with a federal law setting nationwide standards for regulating consumer credit reports. The California privacy law, the broadest of its kind in the nation, allows customers to veto a bank’s attempt to share certain types of information with affiliated companies. The law was blocked in court until last fall, when the Ninth U.S. Circuit Court of Appeals in San Francisco let its major provisions take effect. The court said federal law prohibits states from limiting distribution of a bank’s consumer reports - which prospective lenders, insurers and even employers can examine - but does not prevent other types of regulation. That means consumers can stop banks from sharing such information as their credit card statements, which a bank-affiliated retailer might use to target advertising based on someone’s buying patterns. Consumer rights groups argued that customers needed those protections because of a 1999 federal law that repealed a ban on bank ownership of insurance companies, brokerage houses and other financial institutions. “These new financial supermarkets could easily create dossiers on our buying, earning, borrowing and investment histories ... and sell or share this information for purposes such as marketing or profiling,” the organizations said in a letter to the Obama administration in March, urging support for the California law. Gregory Taylor, lawyer for the American Bankers Association, said the law imposes financial burdens on California banks and makes it harder for them to provide useful information to customers. 
Unrestricted information-sharing between bank affiliates “allows institutions to match up products that their consumers may want with a product offered in different areas of their institution,” such as insurance, Taylor said. [Source]
The U.S. Justice Department might drop its case against Switzerland’s largest bank, reports the New York Times. The DoJ filed suit against UBS in February to force the bank to release the names of 52,000 Americans suspected of tax evasion. Such a release would violate Swiss banking secrecy laws, opening up UBS officials to prosecution in that country. The DoJ case is set to be heard in a U.S. District Court in Miami on July 13, but a U.S. official told the NYT it could be dropped before then. The two nations signed an information-sharing tax treaty last week. [Source]
FOI
Australian Privacy Commissioner Karen Curtis wants mandatory breach notification requirements for Australian organisations. Curtis will propose to the Australian Law Reform Commission (ALRC) that current privacy laws be modified to include the reporting requirement. “In the event of a security breach that involves the disclosure of personal information, it would be good privacy practice for organisations to tell affected individuals in a timely manner so that individuals can take any necessary steps to protect their personal information,” Curtis said. “I will suggest that the ALRC consider the issue of mandatory reporting as one of a range of options it could look at.” [Source]
Canoe Ventures has suspended plans to begin trialing its targeted advertising product, citing technical concerns. The Associated Press reports that Canoe--a joint venture of the nation’s largest cable television providers--will postpone the launch of its “community addressable messaging” (CAM 1.0) platform, which would target television ads to households based on demographic data. “We were trying to use twentieth-century technology to enable a twenty-first century advanced advertising product,” said Canoe CEO David Verklin. Critics fear the platform could lead to unwanted tracking of viewing habits and discrimination against lower income households. [Source] [Source]
A multibillion-dollar technology project is caught in a clash between MPs and bureaucrats over the constitutional rights of Parliament to demand the tapes of everything said at meetings with the high-tech industry. The last thing MPs on the Commons public accounts committee did before leaving for the summer was to order Public Works’ bureaucrats to turn over a complete set of unedited tapes of meetings held with the high-tech industry to discuss plans for GENS – Government Enterprise-Wide Network Services – the largest IT project undertaken by government in years. So far, Public Works has given MPs all the tapes, but removed some names – totalling 12 seconds – for privacy reasons. The committee wants unedited versions of those tapes by the end of the month – or else. “We are going to get an unaltered version of (the tapes) if it is the last thing I do,” said Liberal MP Shawn Murphy who chairs the committee. “They are clearly wrong, wrong, wrong. ... We have the unfettered right to send for people, papers and records and that principle has been around for hundreds of years and now we have someone at Public Works who says the privacy act applies?” At stake is the principle of parliamentary supremacy and the constitutional rights of committees to demand the information they need. MPs say parliamentary supremacy trumps all other laws, such as privacy. “If the practice of a given department, whether a legal practice or administrative, can trump this committee in its access to information, then Parliament becomes a joke. It’s that simple,” said parliamentary legal counsel Rob Walsh. But Public Works lawyer Ellen Stensholt argued the department is obliged to follow the privacy act. She said the committee may have the authority to demand the tapes, but only Parliament can compel the department to comply. [Source]
Genetics
Malaysia passed a law this week that will force criminal suspects to provide DNA samples, despite opposition complaints that the bill was aimed at legitimising evidence in the sodomy trial of their leader Anwar Ibrahim. Under the act, which parliament passed with a simple majority, courts can compel suspects to provide non-intimate DNA samples such as hair and saliva. The provision of intimate samples such as semen or blood will not be mandatory. Mr Sivarasa said the DNA will be admissible in court as evidence, but not necessarily deemed to be conclusive. Before the law was passed, suspects could only be asked to give DNA voluntarily. He said the act does not specify a punishment, but leaves it to the court to decide how to deal with people who refuse to give DNA samples. [Source]
Health / Medical
This week an attorney for three prescription data-mining firms asked an appeals court to block the implementation of a Vermont law scheduled to take effect on July 1 that would restrict their activity. The data-mining companies gather electronic information about the drugs doctors prescribe and sell that information to pharmaceutical companies. The law, passed by the Vermont Legislature in 2007, bans all use of prescriber data for marketing purposes unless a physician allows that information to be used. Attorney Thomas Julin -- who was representing IMS Health, Verispan and Source Healthcare Analytics -- asked a three-judge panel of the 2nd U.S. Circuit Court of Appeals to block implementation of the law until the court decided whether to uphold a lower court ruling in favor of the state. The 1st U.S. Circuit Court of Appeals in Boston upheld a similar law in New Hampshire, ruling that commercial speech can be regulated without violating the First Amendment. The judges also found that the data-mining firms’ activity often led to higher drug costs because the pharmaceutical firms usually are trying to convince doctors to prescribe the newest and most expensive medicines. The data-mining firms have appealed the decision on the New Hampshire law, and the Supreme Court is expected to decide by the end of the month whether to hear the case. The Boston appeals court has put a separate case regarding a similar law in Maine on hold until the New Hampshire case is resolved (details). [Source] [Source]
Every person in Ireland should be issued with an identification number to track them through the health system throughout their life, experts said this week. The Health Information and Quality Authority (HIQA) said more must be done to ensure patient safety by linking information across the health and social care sector. HIQA revealed a recent study showed 94% of people wanted their medical information to be accessible by emergency medical staff with a further 86% stating their desire for health information to be joined up across the system. But it warned it is equally important to develop a system that appropriately balances patient safety and privacy concerns. In its report, HIQA also estimated it will cost just under €16m to issue 4.2 million people with a UHI card and up to €30m to set up a central authority to run the system. [Source]
Physician-delegates at the AMA Annual Meeting in June formally came out against planned penalties included in this year’s federal stimulus bill that would dock Medicare pay for physicians who do not have a qualifying electronic health record. The “adjustments” start at 1% of the physician’s Medicare fee schedule and are set to begin in 2015, after four years of available incentives for adoption. The penalties are set to increase each subsequent year to a maximum of 5%. Delegates passed a resolution calling for the Association to ask the federal government to eliminate the penalties and advocate for federal assistance with up-front and maintenance costs of EHR use. [Source]
Horror Stories
Nearly 40% of data breaches reported since January were the work of hackers or employees, according to Identity Theft Resource Center (ITRC) figures released last week. That’s a 10% increase over the same six-month period last year. The report notes that although 44 states have breach notification laws in place, only one of the reporting entities had encrypted its data before the breach. “You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn’t get exposed in the first place,” said ITRC co-founder Linda Foley. [Source]
An investigation of e-waste led to the discovery of sensitive international security and personal information on discarded hard drives in foreign nations. A team of University of British Columbia journalism graduate students traveled to Ghana, Guiyu, China and India, scouring digital dumping grounds for pieces and parts of discarded computers. The team brought hard drives collected at a Ghana dump back to Vancouver for testing, finding one with details on U.S. military contracts and others with Social Security numbers, credit card numbers and family photos, the report states. The students created a documentary on the project which aired on the PBS program FRONTLINE. [Source]
Discount retailer TJX Cos. said it has reached a settlement with multiple states related to a massive data theft that occurred at the parent company of retailers T.J. Maxx and Marshall’s a few years ago. The Framingham, Mass.-based company said it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations. But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws. [Source]
Alberta’s privacy commissioner has launched an investigation into the theft of two laptops from a University of Alberta lab, reports CBC News. The computers, taken from Alberta Health’s Provincial Lab Information Technology room, held personal information on 300,000 people, including names, birth dates, personal health numbers and lab reports, the report states. Alberta Health officials said in a press release that the information is behind several passwords, but that patients should monitor for identity theft. Privacy Commissioner Frank Work expressed surprise that the laptops were not encrypted. “The standard in Alberta...is encryption...,” Work said. “How can the public have faith in public bodies if they can’t [secure] personal information?” [Source]
Cornell University in Ithaca, NY has notified approximately 45,000 current and former staff members, students and their dependents that a stolen laptop computer contains their unencrypted, personally identifiable information. The compromised data include names and SSNs. The theft occurred earlier this month; affected individuals were notified by email earlier this week. The data in the computer were “being used for troubleshooting.” The theft is being investigated by New York State Police. [Source] [Source] See also: [Florida - Stolen gov’t flash drive includes sensitive data on 3000]
Identity Issues
The Scottish Government have demanded an end to the identity card scheme. They have urged newly-appointed Home Secretary Alan Johnson to cancel the £1.1billion UK-wide project. The first cards were introduced last November for foreign nationals. People in Greater Manchester will be the first British citizens to be able to apply for ID cards later this year - though the scheme will be voluntary. In a letter to the Home Secretary, Mr Ewing said the cards were an “unacceptable threat to citizens’ privacy and civil liberties” and there was little evidence they would combat terrorism. He also branded claims that 70% of the planned cost will need to be spent anyway, to bring in biometric passports, as “a fallacy”. [Source] [Identity cards branded an ‘unacceptable threat to privacy’]
The Wisconsin Supreme Court has issued a decision affirming a decision of the Court of Appeals that had reversed a ruling by the Jefferson County Circuit Court that dismissed an identity theft charge against a former City of Jefferson EMS technician. The court’s ruling allows the Jefferson County District Attorney to proceed with identity theft charges against Christopher Baron. According to the criminal complaint, Christopher Baron hacked into the work computer of his boss, Emergency Medical Services Director Mark Fisher, and sent several e-mails that he found in Mr. Fisher’s e-mail account to about ten people. The forwarded e-mails appeared to have come from Mr. Fisher and suggested that Mr. Fisher was using an apartment owned by the EMS Department to conduct an extramarital affair. The day after Baron sent those e-mails, Mr. Fisher committed suicide. Wisconsin law criminalizes the unauthorized use of an individual’s personal identifying information or documents to obtain credit, money, goods, services, employment, or any other thing of value or benefit; to avoid civil or criminal process or penalty; or to harm the reputation, property, person, or estate of the individual whose identity has been used. Baron was charged with six criminal counts, including a charge of identity theft that alleges that Baron used Mr. Fisher’s identity without Mr. Fisher’s consent with the intent to harm Mr. Fisher’s reputation. Baron moved to dismiss that charge, arguing that he had a First Amendment right to disseminate truthful information about a public official, even if his intent was to harm that official’s reputation. The trial court agreed with Baron’s argument and dismissed the identity theft charge. The Court of Appeals reversed that ruling, and the Supreme Court agreed to review the case. The Supreme Court affirmed the Court of Appeals’ holding that the identity theft statute was constitutional. 
The Court held that while the statute, as applied to Baron’s conduct, constituted a content-based regulation of his speech, the statute was constitutional because it was narrowly tailored to promote the State’s compelling interest in preventing identity theft. The court noted that the statute did not chill Baron’s right to free speech because he could have disseminated the information about Fisher without pretending to be Fisher. The statute does not punish Baron for criticizing a public official, the court held, but punishes him “for intentionally using an individual’s person identifying information with the intent to harm the individual’s reputation.” Attorney General J.B. Van Hollen, whose office handled the appeal, praised the Supreme Court’s decision. “Citizens have a fundamental constitutional right to criticize public officials, so long as they do not disseminate information they know to be false or act with reckless disregard to the truth,” Van Hollen said when the state filed its brief last September. “There is no constitutional right, however, to damage someone’s reputation by assuming that person’s identity without their consent. Wisconsin’s laws protect all individuals against identity theft, not by limiting expression, but by prohibiting conduct.” [Decision] [Source]
In an attempt to combat identity thieves, the FTC, with the assistance of various federal agencies and the National Credit Union Administration, has issued regulations known as Red Flag Rules that require financial institution creditors and other entities to develop written identity theft prevention programs. The deadline to comply with the Red Flag Rules (which now has been twice delayed) currently is scheduled for Aug. 1. Millions of companies could be affected by these rules. By the Red Flag Rules’ definition, “financial institutions” and creditors with “covered accounts” must develop and implement a written identity theft prevention program. Generally speaking, entities should create a Red Flag program that:
- Includes reasonable policies and procedures for detecting, preventing and mitigating identity theft. This enables the entity to identify relevant patterns, practices and specific forms of activity that are “red flags” - signaling possible identity theft.
- Is approved by the entity’s board of directors or officer responsible for company management.
- Detects theft “red flags,” such as documents that appear to be forged or altered, suspicious changes of address and patients/customers demanding records with unusual urgency or frequency.
- Takes timely action and responds appropriately to any red flags that are detected to prevent and mitigate identity theft.
- Educates and trains company personnel on the Red Flag program and the procedures.
- Is updated periodically to reflect changes in the risks of identity theft.
Noncompliance with the rules could result in civil monetary penalties and enforcement by the FTC. Compliance with Red Flag Rules should not be too burdensome for most providers. [Source] [Red Flags and Privacy: FTC Insights from Joel Winston]
The French Law Commission is considering ways of obliging internet users to register their pseudonyms, or ‘handles,’ with a government agency in order to control “abuse.” Details were presented this week. Yesterday, at a French Senate symposium called “Rights and Freedoms in the Numerical Society” organised by State Secretary in charge of the Numeric Economy Nathalie Kosciusko-Morizet, Senator Yves Détraigne presented his idea that although people should have the right to be anonymous on the internet, this right should be repertoried and managed by public authorities. Détraigne is the co-author of the recent French Senate report “Privacy in a world of numerical memory. For the reinforcement of confidence between citizens and the computer society.” The report was ordered by the Law Commission. One of the principles it defends is the right to be anonymous on the internet, and that people may separate their real identity from their internet identity. Détraigne explained things a little more precisely. “People should have the right to be anonymous on the internet by using a pseudonym, but it should be a pseudonym that they couldn’t use freely, just like that, without any rules.” He went on to explain that the public authorities would be “the interface, the guardian” of secret identities. More details are contained in the report. It explains the importance of internet users being able to “hide their real identities” at a time when “Identity-theft is often pointed out and states reinforce methods to identify individuals.” It goes on to propose the implementation of a system in which “each individual would have the right to create his own alternative personality, distinct from that of the individual who uses it. In order to avoid that this right be used to commit offences, these alternative identities would be confided to an official body which would control it. 
In cases where offences are committed, the justice system could ask it for the real identity of the person.” [Source]
Intellectual Property
Germany’s Bundestag has approved a bill that would roll out a national filtering system designed to warn people off child porn. That action may have helped push a Social Democrat into the Pirate Party. After seeing Swedish voters send the Pirate Party to the European Parliament, the German branch of the group has now gotten a seat in the lower house of that nation’s parliament, the Bundestag. But the seat didn’t come about through an electoral triumph; instead a member of the Social Democrats, Jörg Tauss, changed allegiances, claiming his decision was driven by his former party’s support for a mandatory Internet filtering scheme. But the situation is complicated by the fact that the filtering would target child porn, and Tauss is under investigation for possession of that material (he claims it was for investigative purposes). The legislation in question would implement a scheme that’s somewhat similar to the one under consideration in Australia. The system would rely on a blacklist of sites, maintained by the German Federal police force. Access to blacklisted sites would trigger the ISP to send the user to a warning page, indicating that the site contains illegal child porn. Users will, apparently, still have the option of clicking through. [Source]
Internet / WWW
A high-tech watchdog group filed a lawsuit against the Justice Department demanding the public release of the surveillance guidelines that govern investigations of Americans by the FBI. The protocols took effect in December 2008 and detail the bureau’s procedures and standards for implementing the attorney general’s guidelines on approved surveillance strategies. The Electronic Frontier Foundation’s complaint comes after DOJ failed to respond to a Freedom of Information Act request for a complete copy of the document. FBI General Counsel Valerie Caproni has acknowledged that “the expansion of techniques available [to the bureau] has raised privacy and civil liberties concerns.” Investigations can include the electronic collection of information from online sources and computer databases, as well as the use of grand jury subpoenas to obtain telephone and e-mail subscriber information, EFF said. Other recent policy changes allow the FBI to engage in free-ranging investigation of Internet sites, libraries, and religious institutions, the group said. “Americans have the right to know the basic surveillance policies used by federal investigators and how their privacy is – or is not – being protected,” EFF senior counsel David Sobel said. [Source] [EFF complaint to the U.S. District Court for the District of Columbia].
The U.S. Department of Justice has secret reasons for ordering that an Internet service provider keep quiet about a subpoena seeking information about the ISP’s customers. The DOJ, defending against a lawsuit by the ACLU, filed a classified justification of its gag order on the unnamed ISP, telling the court that not even the ACLU or the ISP could see the reasons for the gag order, the ACLU said. The ACLU, in court filings, asked a U.S. judge to let its lawyers see the DOJ’s defense of the NSL subpoena. “We obviously can’t respond meaningfully to arguments that we’re not even allowed to see,” Myers said. Last December, the U.S. Court of Appeals for the Second Circuit found that the NSL program’s gag provisions violate the First Amendment of the U.S. Constitution guaranteeing free speech. However, the circuit court allowed some gag orders to remain in effect under court oversight, and the ACLU’s case is back in U.S. District Court for the Southern District of New York. “The blanket of secrecy that cloaks the FBI’s activities invites abuse of the intrusive NSL surveillance power,” she added. [Source]
A Symantec security expert has warned companies offering services in the cloud that malicious insiders could render security controls useless. Guy Bunker, chief scientist at Symantec, said that cloud service administrators had “god-like status” when it came to accessing confidential data. He said that there were already low-key legal cases being taken against cloud service providers, where administrators had access to data. Bunker said: “This isn’t just cases in the cloud - we’ve seen this in enterprises where somebody within the organisation who has access to the data has decided to take it and sell it on to somebody else.” Bunker was speaking at a Symantec-held event about how businesses should cope with cloud computing in terms of security. The Symantec expert also said that enterprises often didn’t know what their sensitive information was or even where it was, and that the cloud compounded the issue. He said: “The reality moving forward in two to three years is that there will be a much shorter relationship [between businesses and cloud computing vendors].” Other speakers suggested that there was no possible international regulatory solution when it came to securing cloud computing, and that the best hope was for businesses to organise a technical standards body. John Carr, secretary of the UK’s Children Charity Coalition for Internet Safety, suggested that there should be a ‘kitemark’ - a technical standard for cloud computing. He said: “Only the businesses can do that. I seriously doubt there is any governmental institution that can get even close.” [Source]
Law Enforcement
Police must return everything seized from the Ottawa home of terrorism suspect Mohamed Harkat and his wife during an “excessively intrusive search into the most intimate details of their private life,” a Federal Court of Canada judge has ruled. “This court cannot condone the type of intrusive search undertaken by the Canadian Border Service Agency,” Mr. Justice Simon Noel said. “Mr. Harkat may have a diminished expectation of privacy, but that does not give the state a ‘carte blanche’ to unreasonably intrude on what privacy is left to him.” Mr. Harkat was named in a 2002 security certificate as being inadmissible to Canada on grounds of national security. He remained in detention until 2006, when he was released on strict bail conditions that included CBSA being permitted to search his home. During the search of his residence on May 12, 2009, 16 police and three canine units spent six hours searching for explosive devices, currency or weapons. Police seized several boxes of floppy discs, CDs, videotapes and printed records - including documents protected by solicitor and client privilege. Judge Noel said that any future search must be authorized and supervised by a Federal Court judge - and only after lawyers for the CBSA and special advocates appointed to protect Mr. Harkat’s interests have made submissions during a closed hearing. The ruling was the latest in a series of embarrassments suffered by police in the Harkat case. Several weeks ago, Judge Noel revealed that the Canadian Security Intelligence Service concealed for seven years the fact that a secret source in the Harkat terrorism case had failed a polygraph test. “We now have a new head of CSIS and there needs to be a serious look at senior management because we have a culture of destroying evidence,” said Norman Boxall, a lawyer for Mr. Harkat. “There is a serious problem. It may be that there is a lack of direction at senior management levels.” [Source]
Location
Even though most enterprises have created a position to oversee privacy in their IT operations, many of those programs miss the target, often owing to budget shortfalls, according to an industry analyst. “Privacy programs tend to be underfunded,” Gartner’s Arabella Hallawell said here at the research firm’s annual Information Security Summit. In a 2008 survey, 65% of businesses reported that they had a dedicated individual or office for promoting privacy, which Hallawell admitted was higher than she expected. In the same survey, however, only 40% of businesses said they have distinct privacy funding provisions in their budgets. Privacy issues, concerning data relating to both employees and clients, are complicated by a patchwork regulatory environment affecting firms. In the absence of a federal law, more than 40 states have developed their own widely varying statutes, ranging from notification requirements to specific standards on how information like social security numbers can be used. To navigate that tangle of regulations, Hallawell advises enterprises to form -- and fund -- dedicated privacy operations that incorporate multiple sectors of a company’s operations. Hallawell said that security auditors increasingly advise firms in all industries that their privacy policies are too weak. “We’re hearing that loud and clear from our clients,” she said. “Privacy is an immature function.” She added, “Many organizations might have someone who’s in theory in charge of privacy, but, particularly in the U.S., that’s tended to reside in the legal department.” She also recommended against housing the privacy apparatus within the information security department. Subsuming privacy within the security apparatus risks lowering the profile of an issue that needs attention of sales, marketing, human resources and other segments of a company’s operation. “While security and privacy share a heritage, they are separate disciplines,” she said.
In addition to the dedicated privacy officer (or, better still, a team devoted to privacy), Hallawell said she advises clients to form a privacy council, a big tent that would draw representatives from across a company’s operations. She also advised companies to go the extra mile and codify the body with a formal charter to ensure that employees would take the privacy operation seriously, and actually show up to the meetings. [Source]
Offshore
BC Ferries officials unveiled a dramatic security upgrade for their fleet this week, from security cameras to bomb-sniffing dogs. Ferries chief operating officer Mike Corrigan says the enhanced security is intended to dissuade potential terrorists during the 2010 Winter Olympic Games. “You can never say you can ultimately stop it, but what you can say is that you reduce the risk of it happening through detecting and deterring,” Corrigan said. “In some ways, it really is Big Brother is watching from a B.C. Ferries perspective.” A total of 800 surveillance cameras have been installed, at every terminal and on every ship. The company is also purchasing two remote submarines to check for underwater threats. A central operations centre has been set up in Victoria, which will monitor all cameras and track all the ships. [Source] [Source]
Online Privacy
Facebook is testing new privacy controls that will allow the online hangout’s roughly 200 million users to decide who should see each of their personal updates. In a Wednesday announcement, Facebook said the option will enable users to customize their postings for specific groups of friends. For instance, a person may want to share certain things - like how they’re feeling about the weather - with everyone while limiting the audience able to read other developments - like a wild night of partying. The additional privacy controls initially will only be available to some Facebook users. [Source]
FBHive, a new blog devoted to the discussion of all things Facebook, has debuted with the revelation that its creators have discovered a hack that can expose some crucial profile data. FBHive says it can bring up all the “basic information” that a user has entered into their profile, even if they have elected to keep that information private. [CNET] [Facebook Hack Beats Privacy Settings]
EU regulators have laid out operating guidelines for Facebook, MySpace, and other social-networking Web sites to ensure they comply with the privacy laws. A panel of European privacy regulators that advises the European Commission issued an opinion, which was released Tuesday, that describes how EU privacy laws apply to social-networking sites. The opinion stated that the sites should place default security settings at a high level and allow users to limit data disclosed to third parties. [WSJ]
Facebook is hiring lobbyists to push its agenda on Internet privacy and data sharing in Brussels and Washington, as the social networking site attempts to increase its influence with authorities around the world. The move to create a dedicated European lobby team comes after the company hired Timothy Sparapani, a former lawyer with the American Civil Liberties Union, as the second member of its Washington operation. Sparapani had previously been linked to campaigns critical of Facebook’s targeted advertising systems. [Guardian]
Other Jurisdictions
The Costa Rican Legislative Assembly’s Legal Matters Committee has voted in favour of a data protection bill--the Law on Individual’s Protection against Personal Data Treatment. The law aims to protect rights to “self determination of disclosure on personal or business life and other personal rights,” and sets standards for data handling. A provision of the law gives individuals the right to information on data gathering efforts. The law is expected to establish the “basic principles to serve as the backbone to data protection in the country.” [Source]
Privacy (US)
The Senate overwhelmingly passed a measure to block the release of photos depicting US soldiers abusing detainees in Iraq and Afghanistan. The legislation will now be sent to the House, but it’s unclear whether Democratic lawmakers will support it. The photo ban was previously included as an amendment in a $106 billion Iraq/Afghanistan supplemental spending bill, which the Senate also passed last week. In a joint statement, Graham and Lieberman said, “Passing this bill is essential to protecting our fighting men and women.” “Each one of these photos would be tantamount to a death sentence to those serving our nation in the most dangerous and difficult spots like Iran, Afghanistan and elsewhere.” Graham and Lieberman’s bill prohibits the release of the abuse photos for three years. Either the secretary of defense or Obama has authorization to extend the ban for an additional three years. [Source]
In an important ruling on the rights of students, the U.S. Supreme Court ruled that the Safford Unified School District’s strip search of a middle school teenage girl accused of having prescription-strength ibuprofen was illegal. In its 8-1 ruling with Justice Clarence Thomas as the lone dissenter on the main question, the justices held that school officials violated the law when officials at Safford Middle School ordered then-13-year-old Savana Redding to remove her clothes and shake out her underwear because they were looking for over-the-counter pain relievers. Also before the court was an appeal of the 9th U.S. Circuit Court of Appeals ruling that Savana and her mother could sue the assistant principal who ordered the strip search for damages, but not the two staff members who followed the assistant principal’s instructions. Today’s ruling split 7-2 on the question of whether school personnel had qualified immunity, granting Wilson and the two school officials qualified immunity, but remanding the question as to whether Savana and her mother could sue the district. Justices Ruth Bader Ginsburg and John Paul Stevens dissented from the granting of qualified immunity. [Source] [Lehrer Q&A with Marcia Coyle on Strip Search Ruling] [NYT: Supreme Court Says Child’s Rights Violated by Strip Search]
A suburban Philadelphia landlord has admitted setting up spy cameras and secretly recording women tenants for nearly a decade. Thomas Daley put cameras behind mirrors and in ceiling fans in bedrooms, bathrooms and living rooms at five apartment buildings. Prosecutors say it began in 1989 and continued until September 2008. Norristown police were tipped off when a tenant found one of the cameras. Daley pleaded guilty to more than 30 counts, including invasion of privacy. The 46-year-old will be sentenced later. He faces 10 to 151 years in prison. Defence attorney Tim Woodward says Daley never showed the videos to anyone else and “is extremely remorseful.” [Source]
Rep. Michele Bachmann, R-Minn., says she won’t fill out the 2010 Census form and officials say that would violate the law but prosecution is not likely. Bachmann made the assertion in a Fox News Channel interview, repeating an assertion first made last week. Bachmann says she will only give the Census Bureau the number of people living in her home. The other questions are an invasion of privacy, she said. Even though the U.S. criminal code cites penalties for refusing to fill out the questionnaire, the Census Bureau said it is “not a prosecuting agency” and refusing to answer its questions is not likely to result in a fine, the newspaper reported. Bachmann cites the U.S. Constitution for her stand. [Source]
Privacy Enhancing Technologies (PETs)
Patients’ medical records will be linked across health providers using the present Medicare number and card, under the $98 million Unique Healthcare Identifier (UHI) program being developed by the National E-Health Transition Authority. Few details of the planned UHI service have been revealed to date, despite the January 2010 deadline for completion of the project’s design and build. The spokeswoman said NEHTA would release a third, independent, Privacy Impact Assessment report on the UHI scheme when it was completed; neither of the two previous PIAs has been made public. [Source]
RFID
The European Commission has expressed concern about the privacy implications of personally-identifying technologies such as radio frequency identification (RFID) chips. It said that it is important to discuss whether or not people should be able to disappear from networks. “The Commission will launch a debate on the technical and legal aspects of the ‘right to silence of the chips’, which expresses the idea that individuals should be able to disconnect from their networked environment at any time,” said a Commission consultation paper. The consultation will form part of an action plan published by the Commission outlining how it will legislate and regulate the coming phenomenon it calls the ‘internet of things’. This is the name it gives to the increasing automatic communication between devices and tags that are forming complex networks around citizens. Its first objective is to create a set of principles which it wants to underlie the ‘internet of things’. It wants to make sure that privacy and data protection are considered from the outset in the building of any systems, and wants to ensure change is measured. It will produce statistics on the use of RFID chips starting in December of this year, it said. [Source] [Communication from the Commission]
An Ericsson executive says all new mobile phones sold in 2010 will include an RFID chip that will allow owners to open their car or house door with their phone. The executive says the chip might also be used by credit card companies to track the location of cardholders to cut down on fraud. Håkan Djuphammar, VP of systems architecture for Ericsson, said credit card companies could make use of mobile user location data and IP mapping to determine if the owner of a card is in the same location where a card transaction is taking place. He said the chips could also be used to create real-time traffic maps and updates by determining the speed of a driver passing by mobile phone base stations. Djuphammar said selling the information of mobile phone users to credit card companies and others would be a “win win” situation for all parties concerned. Djuphammar did not mention whether users will be able to turn the chip off or otherwise opt out of the sale of their data. [Source]
Security
U.S. Defence Secretary Robert Gates formally ordered the creation of a new military cyber command that will coordinate the Pentagon’s efforts to defend its networks and conduct cyberwarfare. A three-page memo signed by Gates orders U.S. Strategic Command to begin plans to set up a subcommand and be prepared to provide an implementation plan by Sept. 1, and begin initial operation no later than October. [Washington Post] SEE ALSO: [British Government Plans to Create Cybersecurity Agency]
Former Republican Congressman Tom Davis, reportedly President Barack Obama’s top candidate for cyber security czar, voted repeatedly to expand the government’s internet wiretapping powers, and helped author the now-troubled national identification law known as REAL ID. Citing White House sources, Time magazine identified the former head of the Government Reform Committee as the president’s number one candidate for the new position. Davis’ reputation as a tech-smart moderate who knows his way around D.C. makes him an attractive pick for the administration, the magazine reported. But an examination of Davis’ record in Congress shows that he’s been on the wrong side of key privacy issues, including the controversial REAL ID Act, which aims to turn state driver’s licenses into a de facto national identification card linked by shared databases and strict federal authentication standards. [Source]
Smart Cards
The government should scrap two key IT projects and recast them in a way that fits a truly digital Britain, says Microsoft’s former national technology officer for the UK. Jerry Fishenden, who last week left Microsoft after 12 years, said the national ID cards scheme and the Interception Modernisation Programme, otherwise known as the government’s Big Brother database, reflected an out-of-date understanding of what the digital world was truly about. Fishenden said the privacy and security of personal data on the web was the crucial issue facing society as more and more information is stored in digital format. [Source]
Surveillance
Secret police surveillance cameras in Devon and Cornwall read and stored 64 million vehicle number plates last year. The staggering figures mark a near-1,000% increase compared to 2007 and equate to 80 records a year for each of the 800,000 registered vehicles in the Westcountry. Records - even for innocent motorists - are kept on a police database for a minimum of two years. Westcountry MPs complained that the network of fixed roadside cameras had been expanded “by stealth”. Devon and Cornwall Police said the cameras were essential in the fight against crime - denying criminals the use of the roads and catching a range of offenders from drug dealers to uninsured drivers. The force has refused to say how many automatic number plate recognition (ANPR) cameras it operates or where they are installed, for operational reasons. A Freedom of Information Act request has shown that Devon and Cornwall Police captured the equivalent of two every second, a near 10-fold increase on the 6.7 million records created in 2007. Hits on so-called “vehicles of interest” - ranging from those with no insurance to those linked to known criminals - rose from 157,500 in 2007 to 1.16 million last year. In 2008/09, the cameras were directly responsible for recovering more than 30 stolen vehicles, along with offenders, and the seizure of more than £80,000 cash. So far this year, they had helped detect on average 15 crimes a month. Mr Melville added that since its introduction, more than 2,000 vehicles had been seized from uninsured drivers. “Every one of those vehicles had the potential to injure someone for life.” He believed that the public knew about ANPR and that information was compared against databases. [Source]
The public has been invited to comment on a Discussion Paper proposing reforms to Federal secrecy laws. Published by the Australian Law Reform Commission, the Discussion Paper follows a review of secrecy laws currently on the federal statute book to ensure a consistent Government approach to protecting Commonwealth information. Requested by the Attorney General, the report, Review of Secrecy Laws, lists 65 proposals, although they are not the final recommendations of the Inquiry. “The key focus of the ALRC’s proposed reforms is on achieving much greater clarity for the Public Servants and others who handle Commonwealth information,” Professor Croucher said. “This involves creating a new general secrecy offence applicable to Commonwealth officers; substantially consolidating the scattered specific offences, based on a common set of principles; and imposing a rationalised penalty structure.” In the Inquiry, the ALRC identified and considered 507 secrecy provisions across 175 pieces of legislation, including 358 distinct secrecy offences carrying a range of criminal penalties. Professor Croucher said they had proposed a decrease in the use of criminal sanctions in an attempt to “shift the system towards a more open and pro-disclosure culture.” She said the Commission would like to see prosecutions limited to unauthorised disclosures in which it was alleged harm had been caused, or was likely to be caused, to a compelling public interest such as national security, defence, law enforcement operations or the physical safety of a person. However, Professor Croucher said it was important to fit in with related laws, including Freedom of Information, privacy and whistleblower protection, which were also currently under review. Comments on the Paper will be received until 7 August 2009 with more information available from www.alrc.gov.au [Source] [ALRC discussion paper] [ALRC Media Briefing] [ALRC Media Release]
The Government’s response to a Parliamentary report on the monitoring and legislation surrounding surveillance is “inadequate” and it has “paid insufficient attention” to the report’s recommendations, a follow-up report has said. The House of Lords Select Committee on the Constitution produced a report earlier this year which made a series of recommendations on how the law and Government behaviour should change in order to protect citizens and their privacy as data gathering and surveillance becomes more pervasive. The report said that there should be judicial oversight of surveillance, and that the increasing monitoring of citizens was breaking the bond of trust between the Government and the people. The Government rejected most of the report’s recommendations and claimed that its current and planned policies give an effective balance between personal privacy and state security. The House of Lords Committee has hit back, saying that the Government’s response fails to understand or address the scale of the problem. “We regret that the Government have not agreed to a number of important recommendations which sought to assist the executive in promoting the responsible and proper use of data processing, including data sharing, together with other modes of surveillance,” its response said. “The Government have paid insufficient attention to a number of fundamental points and criticisms made in the Report.” The Lords’ analysis of the Government response accused it of seeming to agree with the Lords without outlining any effective action. Much of the Government’s response rested on its recommendation that Government departments use privacy impact assessments (PIA) to ensure that policies do not harm people’s privacy. The Lords’ analysis was scathing about how much good such reports could do.
The Lords called for privacy regulator the Information Commissioner’s Office (ICO) to be allowed to inspect private sector bodies, as well as public sector ones, without their permission. The Government rejected that idea, saying that the Secretary of State could order such inspections. The Lords now say that the Government should make public when this has happened in the past to prove its efficacy. The Lords had also called on Government to create primary legislation outlining its surveillance and data processing regime. The Government rejected that call, and the Lords now say that such matters are too important to be left to the discretion of the administration. [Source] [The analysis]
Victoria police officers will be wearing new body-mounted video cameras on Canada Day and will be conducting liquor searches, while the transit service is banning possession of alcohol from its buses. As a result, B.C.’s civil liberties association is advising people to consider launching class-action lawsuits to fight what it considers illegal searches. “The spectacle of transit employees patting down bus riders and pawing through their purses, bags, and satchels is disturbing,” BC Civil Liberties Association president Rob Holmes said in a statement. BC Transit spokeswoman Joanna Morton said bus drivers will not be searching people, but they will be asking police officers to remove drunks or people carrying alcohol from buses. [Source]
Telecom / TV
Bob McMynn knows first-hand how Canada’s laws allow police to eavesdrop and use emergency wiretaps without a judge’s approval. He says Section 184.4 of the Criminal Code helped to save his son Graham’s life after a group of young men abducted the then 23-year-old university student at gunpoint in April 2006, in what turned out to be a kidnapping for ransom. CBC News has learned that McMynn’s case is just one of at least 267 cases between 2000 and 2008 where major police forces across the country used warrant-less wiretaps. The information was obtained through freedom of information and access to information requests. Some forces - including Toronto, London and Winnipeg - released only partial information, citing secrecy provisions in the Criminal Code, and the Quebec provincial police never responded. “There might be a lot more instances in which it is being used and that’s what’s troubling,” says James Stribopoulos, a professor at Osgoode Hall Law School in Toronto. “I think people would be alarmed to know, there are no checks on the exercise of that power.” [Source]
US Government Programs
Homeland Security Secretary Janet Napolitano has announced that she will kill a controversial Bush administration program to expand the use of spy satellites by domestic law enforcement and other agencies. Napolitano said she acted after state and local law enforcement officials said that access to secret overhead imagery was not a priority. Rep. Jane Harman (D-Calif.), head of the Homeland Security subcommittee on intelligence, said the previous administration failed to develop legal controls and other procedures to regulate the use of some of the world’s most powerful spy technology, now largely restricted to foreign surveillance. [Source]
President Obama wants advice on how the government should keep its secrets. A month ago, he issued a memorandum directing national security advisers to recommend ways to improve the rules by which records are classified and later opened to the public. Starting today, tech-savvy citizens as well as federal officials will be able to weigh in on the complicated debate. [Washington Post]
US Legislation
Homeland Security Secretary Janet Napolitano has endorsed the Pass ID legislation in the Senate that would repeal parts of the controversial Real ID Act of 2005. Napolitano said at a news conference June 25 that she intends to turn her attention immediately to Pass ID starting July 6 after she returns from a weeklong European trip. Napolitano, as governor of Arizona, had a mixed record on Real ID. In June 2008, she signed legislation passed by the Arizona State Legislature to prohibit the state from complying with Real ID. However, in August 2007, Napolitano was one of the first governors to reach an agreement with the Homeland Security Department to produce an enhanced driver’s license that would also serve as a substitute for a U.S. passport at the U.S.-Mexico border. These licenses, which are now being produced in Washington State, New York and Vermont, are designed to comply with Real ID. The National Governors Association has praised Pass ID, saying it would reduce costs, offer greater flexibility to states, eliminate the need for costly new data systems and strengthen privacy protections. However, the American Civil Liberties Union said risks to privacy are still a major concern under Pass ID. [Source]
Workplace Privacy
Stengart v. Loving Care: Lessons for employers: Courts continue to adapt long-standing legal principles to navigate around fast-moving technological advances. In Stengart v. Loving Care, the court essentially held that the property interest of an employer, when properly articulated in a policy manual, outweighs the attorney-client privilege. This decision emphasizes the provisions of an employee handbook and tips the balance in favor of employers. [Source]
Off-season illicit drug testing is designed to protect the AFL “brand” at the expense of player privacy, academics claim. But the AFL and drug experts have defended the policy, which is backed by the AFL Players’ Association. In a paper for an international sport studies conference, the academics say the AFL’s Illicit Drugs Policy is convoluted and contradictory. They also criticise the NRL policy. Victoria University Associate Professor Bob Stewart said the AFL’s illicit drug regime was too punitive and an unnecessary breach of player privacy. He said by trying to take the moral high ground and testing off-season, it was more punitive than the World Anti-Doping Agency and International Olympic Committee. “When you read between the lines, it’s to protect the (AFL) brand,” he said. [Source]
In a time when chat rooms, social networking and online forums are commonplace, how far can a company go in monitoring them for negative comments from discontented employees before they are guilty of “cybersnooping”? A case decided last week, involving two servers at the Houston’s Restaurant in Hackensack, posed that question, and a federal jury in U.S. District Court in Newark found there were clearly limits. The jury sided with servers Brian Pietrylo and Doreen Marino, concluding that Houston’s managers violated state and federal electronic communications laws when they entered into a private MySpace page on which workers criticized the company. On seeing the site, the restaurant managers fired the two servers for violating company rules that demand employees exhibit professionalism, teamwork and a positive mental attitude. The jury awarded them a total of $17,000 in back pay and damages. Several attorneys said the key issue was really one of privacy, and whether the servers could reasonably expect the postings to remain off limits to their employer. If the comments had been made in an open forum or using the company e-mail system, the company would have committed no violation by reviewing the contents, attorneys said. Moreover, they added, the company could legally respond as it did. [Source]