Privacy News Highlights
21–30 November 2009
Contents:
US – DHS Announces “Global Entry” Biometric Identification System for U.S. Airports
CA – E-passports Won’t Include Fingerprints
CA – U.S.-Canada to Share Refugees’ Biometric Info
EU – Growing Outrage Over Dutch Fingerprint Database
CA – Privacy Boss, Police Clash Over New Law
CA – Facebook Photos Cost Woman Her Sick-Leave Benefits
CA – Yukon to Unseal Adoption Files
UK – Information Commissioner: Fines Not Effective Deterrent, Need Jail Sentences
UK – ISPs and Public Believe Government Data Safeguards Inadequate
US – Harvard Research: Projections of Savings from Health IT are Baseless
EU – Viviane Reding Picked to Re-Write EU Data Protection Laws
EU – Advertisers Say New Cookie Law Met by Browser Settings
EU – Ireland: Concern Over Abuse of Data if Homeless Services Outsourced
US – 2009: The Year of the Mega Data Breach
US – Confidential 9/11 Pager Messages Disclosed
UK – Police Arrest So They Can Boost DNA Database, Warns Watchdog
US – Texas Gov’t Taking Newborn DNA Samples
CA – New Brunswick to Track Prescription Drug Use
AU – NSW Health to Review Privacy Policy for Insurers’ Lawyers
US – Nevada Ambulance Driver: Selling Patient Records Big Business
US – 1.5 Million Insurance Customers’ Personal Data Lost in Breach
US – Medical ID Theft Way Up and Expected to Worsen
WW – Google Books Settlement 2.0: Evaluating Privacy - EFF
AU – Police to Have Power to Strip-Search At Random
US – TSA Behavior Detection Officers Will Be Watching You
EU – German DPA Concerned About Google Analytics’ Data Protection Compliance
IN – India to Set up Automatic Monitoring Of Communications
US – Ad Industry Last-Ditch PR Campaign in Favor of Self Regulation
WW – ‘Fingerprinting’ RFID Tags: Researchers Develop Anti-Counterfeiting Technology
WW – Survey: Four in 10 Workers Have Stolen Corporate Data
US – Obama Wants Computer Privacy Ruling Overturned
UK – T-Mobile Says Staff Sold Phone Records to Rivals
US – Postal Service to Resume North Pole Santa Letters
AU – Secret Personnel Records Back at DFAT
Biometrics
The Department of Homeland Security has proposed to make permanent Global Entry, a program the agency says will “streamline the international arrivals and admission process at airports for trusted travelers through biometric identification.” Under the proposed system, pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. The DHS announcement follows the recent news that Clear, a Registered Traveler program, had entered bankruptcy, raising questions about the possible sale of the biometric database that was created. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for Registered Traveler programs would jeopardize air traveler privacy and security. The agency is taking comments on the proposal. For more information, see EPIC Air Travel Privacy, EPIC Biometric Identifiers, EPIC Automated Targeting System, and EPIC Whole Body Imaging.
The federal privacy watchdog has rejected Passport Canada’s plan to embed fingerprints and iris scans in electronic passports. In a review of the project, the Office of the Privacy Commissioner told the passport office not to include new biometric information on a radio frequency chip encoded in e-passports. E-passports will feature a digitized picture of the passport holder as well as their name, date of birth, location of birth and passport number, said a Passport Canada spokesman. A national roll-out of the e-passport is expected to begin in 2011.The privacy commissioner’s review raised concerns about whether the chip is “adequately protected against unauthorized interception,” such as skimming and eavesdropping. The watchdog noted an e-passport hacking case in the U.K.. “If the data can be readily copied and replicated, electronic passports may do more to facilitate identity theft than to prevent it,” said Jason Gratl of the B.C. Civil Liberties Association. NDP privacy critic Bill Siksay called it the “ultimate big brother scenario” and said Canadians deserve to have more information. Richard Rosenberg of the Freedom of Information and Privacy Association said he is concerned Canadians won’t be able to check the accuracy of the information on the chip and risk being unfairly blacklisted like many travellers on the no-fly list. [Source]
Seeking to enhance its efforts to crack down on fraudulent refugee claims, the Harper government announced it has struck a deal to share fingerprint information on asylum seekers with the United States. Public Safety Minister Peter Van Loan made the announcement following a bilateral summit with U.S. Homeland Security Secretary Janet Napolitano. Under the protocol, the U.S. will join a biometric data-sharing initiative Canada had already launched last summer with the U.K. and Australia. Canada’s privacy commissioner, Jennifer Stoddart, had expressed a series of concerns about the biometric data sharing when the plan was first announced in August. Ms. Stoddart’s office questioned Ottawa about the need to collect fingerprints and sought assurances the personal information gathered would not be used for secondary purposes. “While we are still reviewing their response, on the surface of it, it appears they have addressed most of our concerns,” said Anne-Marie Hayden, a spokesperson for the privacy commissioner. “They have advised us that under the protocol, biometric information will only be used for immigration and nationality issues. They have also told us that biometric matching information will only be one of many elements considered when assessing a file.” The privacy commissioner’s office is still awaiting a response, however, on how Citizenship and Immigration Canada “plans to address our concerns about how refugees, a very vulnerable population, will be notified about the collection and use of their biometric information,” Ms. Hayden said. The information-sharing pact is part of a broader government initiative to introduce biometrics into Canada’s immigration and refugee screening system -- a plan that continues to raise red flags for privacy advocates. [Source]
More than 3,000 people in the Netherlands have signed a petition demanding that the government overturn a law enabling it to store the fingerprints of all Dutch citizens in a central electronic database. Since September 21, everyone applying for a Dutch passport is obligated to provide four fingerprints for storage in a database that is accessible to municipal authorities, the national intelligence service AIVD and the Justice Department. A group, calling itself Het Nieuwe Rijk (The New Empire) launched the online petition and has also distributed brochures in Amsterdam, Rotterdam, The Hague and Utrecht, comparing the move to administrative methods used by Nazis during World War II to persecute Jews. On September 20, the European Court of Human Rights (ECHR) rejected an emergency suit by several Dutch civil rights groups to block the law pending a final legal decision. The ECHR ruled that storing data centrally would not result in ‘irreparable damage’. The court did not however rule out the possibility that it might issue a different decision in a new case once all ongoing procedures in the Netherlands are completed. The Hague-based national privacy watchdog CPB has repeatedly expressed concern over the plan for a central fingerprint database for 17 million Dutch nationals, calling it a ‘disproportional measure’ to reduce passport fraud. The CPB does not object to storing fingerprints with municipalities for this purpose, but says merging all databases into a single one to which several authorities would have access infringes upon individual privacy. A central database ‘containing biometric data brings serious and possibly unnecessary risks for citizens’ personal lives, against which they cannot arm themselves,’ the CBP said in a report on the passport law. The watchdog has also highlighted the fact that its European counterparts already warned against the risks of a storing biometric data centrally in 2004. The Netherlands is the only country in the European Union that plans to establish a central electronic fingerprint database. In other European countries, people provide two fingerprints that are stored only in a chip in their passports. [Source]
Canada
Alberta’s privacy commissioner is raising concerns about changes that will allow first responders to share patient information, but Calgary’s police chief said Friday they’re a necessary protection for the public. The proposed legislation is designed to allow police and paramedics to share information at the scene of an incident without a patient’s consent. The government introduced the Emergency Health Services Amendment Act in response to concerns from police that another piece of legislation--the Health Information Act--was preventing paramedics from sharing information vital to criminal investigations. The chief said police began having problems when EMS services were transferred from municipal authority to the province last spring. Provincial freedom-of-information legislation historically permitted police and paramedics to exchange information, Hanson said, but the transfer of EMS services to the province brought the agencies under the authority of the more restrictive Health Information Act. In a statement Friday, Alberta privacy commissioner Frank Work said law enforcement agencies haven’t demonstrated why the loss of privacy in the amendments are justified. “This bill may leave ambulance attendants wondering what their priorities should be ... treating victims or gathering evidence for police,” Work said. [Source]
A Canadian woman on sick leave for depression says she lost her benefits after her insurance agent found photos of her apparently having fun on Facebook. Nathalie Blanchard said she was diagnosed with major depression and was receiving monthly sick-leave benefits until payments dried up this fall. When Blanchard called her insurance provider, Manulife, to find out why, she says she was told the Facebook photos showed she was able to work. [SiliconValley.com]
The Yukon government is getting ready to open up adoption records it has kept secret for decades, making it easier for adopted children and their birth parents to find each other. Parents or adopted children who want their adoption files kept confidential have until the end of April to make that request. The Yukon is following the lead of provinces like Ontario, Alberta, Manitoba, Newfoundland and Labrador and British Columbia, which have all opened up adoption records in recent years. [Source]
Consumer
The U.K. Information Commissioner has called for tougher penalties over the reckless misuse of data, after police officers were found to have wrongly handed over sensitive data to dangerous individuals. In a response to a government consultation, Information Commissioner Christopher Graham argued that the maximum penalty of two years’ jail time should be the standard for sentences handed out after individuals breach confidentiality, under section 55 of the Data Protection Act. Such a penalty was vital “if the law is to provide an effective deterrent against the illegal trade in personal data”, which was “widespread and organised”, he wrote in his response. Exceptions should be made for journalists and artists, he stated, when there is a “reasonable belief” that obtaining and disclosing the information was in the public interest. Graham also highlighted a number of serious misuses of data outside the police. There were significant dangers of criminals accessing utility bill information, as well as medical records where he said the risks would “only become greater” as health records are linked nationally. Graham insisted that jail time was the necessary penalty for instances such as these. He added: “In many cases a fine alone will be looked on by the offender as little more than a business expense or simply as a risk worth taking.” [Source]
E-Government
The internet access industry and members of the public have rejected the Government’s plans to retain details of citizens’ internet access, saying that safeguards for internet users’ privacy were inadequate. The Government conducted a consultation on its plans to which 54 organisations and 167 members of the public responded. Of the 221 submissions, 90 were in blanket opposition to the extension of the state’s surveillance powers to include more details of what use was made of telecoms networks and when. Of the remaining 131, just over a quarter said that they believed Government safeguards were good enough to protect internet users. Half said they were inadequate. An interconnection facility that represents over 300 ISPs in matters of public policy, Linx, has published its full submission to the consultation. It says that the Government’s proposal is not an attempt to “maintain” surveillance capability but to massively extend it, placing a burden on its members. It also said that the proposed safeguards could not be said to be adequate because even current safeguards are problematic. [Source] [Summary of responses]
Electronic Records
The increased computerization in U.S. hospitals hasn’t made them cheaper or more efficient, Harvard researchers say, although it may have modestly improved the quality of care for heart attacks. The findings, published in the online edition of The American Journal of Medicine, contradict claims by President Obama and many lawmakers that health information technology (health IT), including electronic medical records, will save billions and help make reform affordable. “Our study finds that hospital computerization hasn’t saved a dime, nor has it improved administrative efficiency,” said lead author Dr. David Himmelstein, associate professor at Harvard Medical School and former director of clinical computing at Cambridge Hospital in Massachusetts. “Claims that health IT will slash costs and help pay for the reforms being debated in Congress are wishful thinking.” The study uses data from the most extensive survey ever undertaken of hospital computerization. Data from approximately 4,000 hospitals for the years 2003 to 2007, including those on a list of the “100 Most Wired,” were analyzed for evidence of increased quality, cost savings or improvements in administrative efficiency. The data came from the authoritative Healthcare Information and Management Systems Society (HIMSS) Analytics annual survey of hospital computerization; Medicare Cost Reports that virtually all hospitals submit annually to the Centers for Medicare and Medicaid Services (CMS); and the 2008 Dartmouth Health Atlas, which compiles CMS data on costs and quality of care. Although the researchers found that U.S. hospitals increased their computerization between 2003 and 2007, they found no indication that health IT lowered costs or streamlined administration, even in the “most wired” institutions. While U.S. hospital administrative costs increased slightly, from 24.4% in 2003 to 24.9% in 2007, hospitals that computerized most rapidly actually had the largest increases in administrative costs. (By way of comparison, older studies have estimated administrative costs in Canadian hospitals at 12.9%). The study found no evidence of lagged effects, e.g. lower costs in 2007 resulting from information technology introduced in 2003. Modest quality gains were noted in the treatment of heart attacks (acute myocardial infarction) in more-computerized hospitals, but even these small improvements may merely represent better documentation rather than actual gains to patients. Himmelstein said a report from the Congressional Budget Office in 2008 signed by Peter Orszag, now Obama’s budget director, expressed skepticism about claims by the RAND Corp. and others that health IT could generate $80 billion annually in savings. [Source]
EU Developments
Viviane Reding, the European Commissioner who for the past five years has championed consumer rights in the telecommunications and IT arenas, has been picked to take charge of a re-write of the European Union’s 15-year-old data protection laws due to start next year. Her most important achievement was to re-write Europe’s telecom laws. The so-called telecom package of laws was finally adopted last week after two years of often tortuous negotiations. In her new role as Commissioner for Justice, Fundamental Rights and Citizenship she will have to perform a similar modernizing task by bringing Europe’s key data protection law, the 1995 data protection directive, up to date. Commission President Jose Manuel Barroso announced how he wants to allocate dossiers in his next five-year term in office. His team comprises one Commissioner from each of the 27 member states of the E.U., who were selected by national heads of government over the past month. If approved in her new position Reding, who comes from Luxembourg, will assume the title of Commission vice president, reflecting her seniority in the E.U.’s executive body. It will be her third term in office. Prior to the telecoms job, she held the position of culture and media commissioner under former Commission president Romano Prodi. [Source]
Advertising trade bodies have claimed that a new law passed this week by the European Parliament will not require website publishers to ask permission to put cookies on a user’s computer. They argue that browser settings will imply consent. The European Parliament today voted to approve the European Commission’s Telecoms Package of reforms. Part of that package of reforms was a change to EU law on the use of cookies. The now-adopted text says that cookies can be stored on a user’s computer, or accessed from that computer, only if the user “has given his or her consent, having been provided with clear and comprehensive information”. An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user. The Interactive Advertising Bureau (IAB) Europe and publishers’ trade body the European Publishers’ Council (EPC) have said that they believe that the law says that browsers’ settings will indicate a user’s permission to use cookies. [full article]
A homeless support group has expressed concern that the out-sourcing of services for homeless people in the Dublin area could result in the abuse of personal and confidential information. Trust, the homeless support group, said the move by Dublin City Council to privatise or outsource these services was a “cynical cost-saving exercise”, which would leave those least able to cope much worse off. The move also had implications for the sharing of sensitive personal information relating to homeless people across private or voluntary organisations, Trust said. Alice Leahy, the group’s co-founder, said sensitive information relating to homeless people has to date been handled by community welfare officers. Under the new system, personal information would be placed on a shared database, she said. This step formed part of a wider trend in “harvesting information” of the most intimate and invasive nature. She has asked the Data Protection Commissioner to investigate whether the system will be in breach of State data protection laws. The move to outsource or privatise services could lead to “corners being cut”, Ms Leahy warned. “When services formerly provided by the State are outsourced to private organisations, they must be done within very strict budgets. “Against this background, great care must be taken to protect the people these services are meant to help in case the service providers are forced to cut corners. We find no credible evidence of specific measures designed to guarantee quality of services, or to protect the privacy of vulnerable people in the tender.” [Source]
Facts & Stats
Glance at 2009’s data breach statistics, and you might think the IT world had scored a rare win in the endless struggle against cybercrime. According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of Nov. 17, on track to show a 50% drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting. But the decrease in data breaches is deceptive. In fact, the number of personal records that were exposed--data like Social Security numbers, medical records and credit card information tied to an individual--that hackers exposed has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That represents the largest collection of lost data on record. [Forbes] [In Pictures: The Year’s Biggest Data Disasters]
FOI
An unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet last week. The pager transcripts, which total about 573,000 lines and 6.4 million words, include numeric and text messages also sent to private sector and unclassified military pagers. This trove of messages is likely to become a boon for historians, a new source of concern for privacy advocates, and, depending on the details, a point of embarrassment or pride for the government agencies and corporations whose internal conversations have been divulged. The files were posted on WikiLeaks.org, which has made a speciality of disclosing confidential documents and boasts that it is “uncensorable.” The pager logs seem to represent messages transmitted on September 11, 2001 through the networks of Arch Wireless, Metrocall, Skytel, and Weblink Wireless. It’s not clear how they were obtained in the first place. [Source]
Genetics
Officers will arrest individuals for “everything” because they then have to power to take DNA samples, even if they wouldn’t have been detained under other circumstances. The Human Genetics Commission (HGC) warned the alarming practice, which was revealed by a retired senior police officer, was creating a “spiral of suspicion” over the DNA database. In a major review of the system, it said police should no longer be allowed to automatically take DNA samples for everyone they arrest and called for new rules on when it was right to do so. It suggested the growth in the programme, which is the largest of its kind in the world, stemmed from a pledge in 2000 by Tony Blair, the then Prime Minister, to have the DNA of every criminal within three years. The Commission, an independent Government advisory body, also questioned the effectiveness of the database in helping to solve crimes and called for a detailed examination of its success. A public debate and proper scrutiny of the system was needed as there was “very little concrete evidence” as to how useful the database was in investigating crime. [Source]
Each year, more than 400,000 babies are born in Texas. State law mandates that before newborns leave the hospital, his or her heel will be pricked and five drops of blood are collected. Two weeks later, their pediatrician collects another five drops of blood. The blood cards are submitted to the Texas Department of State Health Services as part of the Newborn Screening program. One or two drops are used to screen for a list of serious medical conditions. The parents are not objecting to the screening. They object to what the state is doing with the leftover blood samples. Beginning in 2002, the State began saving the leftover specimens, unbeknownst to parents and without their consent. The state said there is a legitimate reason: Research. According to court documents, the state admits some of the blood samples collected for the newborn screening program were used for other purposes, but said it was done in accordance with federal and state law. “The government still has to ask,” said Boleno. “They can’t just take it. And everyone has the right to make that decision for themselves.” Jim Harrington, an attorney for the Texas Civil Rights Project, who is representing Beleno and the other families in the federal lawsuit, said it violates the Fourth and 14th Amendments of the U. S. Constitution. “It’s a bad thing,” said Harrington. “You have to consent to give up the right. And in this case it’s your right of privacy and your kid’s right of privacy.” The lawsuit prompted change in the Texas Legislature. House Bill 1672 allows the State to keep and use the samples for research, but requires parents be informed and given the option of having their children’s leftover blood samples destroyed after screening. The state has 60 days to destroy the blood cards after receiving the official notification form from parents. The form directs the state to destroy the card containing the dried blood spots, but does not insure any information gathered from the generic material is deleted. According to the Use and Storage of Newborn Screening Bloodspot Cards information provided to parents, identifying information linking a child to a particular bloodspot is not allowed outside of the Department of State Health Services without advance consent of the child’s parent or guardian unless otherwise provided by law. Patient privacy expert Dr. Deborah Peel said those words, “unless otherwise provided by law” create a huge loophole. “It’s not secret, it means they can share it and use it for research for public health,” said Peel. “There are many laws that allows the use of samples, like newborn blood samples for public health uses and screening and so forth. So, no, you are not protected. That allows all kinds of people to see it.” House Bill 1672 allows the stored samples to be used in research if approved by what is called an Institutional Review Board. IRB’s are supposed to safeguard privacy and protect patients, but are not open to the public. The IRB board appointed to oversee research on the stored bloodspots consists almost entirely of State employees. Harrington says that makes the process questionable. “This is not a true independent professional review board,” he said. [Source]
Health / Medical
Health Minister Mary Schryer introduced legislation on Tuesday to create electronic records for prescription drug use in New Brunswick. Schryer told the legislative assembly that this e-record system will allow doctors, pharmacists and dentists to see a patient’s prescription history. By providing this information to health providers, the minister said, the province is hoping to curtail prescription drug abuse. “This act would alert medical professionals to the possible misuse of monitored drugs, such as when prescriptions for narcotic substances are filled at multiple locations in the same day.” Schryer introduced the legislation to set up the system along with amendments to the province’s privacy legislation to make sure records are seen only by people who need to look at them. The Department of Health is planning to have the prescription monitoring program in place by early 2011. [Source]
THE NSW Health department is likely to review its privacy policies after a number of complaints about solicitors for insurers seeking irrelevant medical records from claimants, a source familiar with the department’s privacy policy said. A review of the department’s privacy manual will address the issue amid fears that the forms can lead to the incorrect provision of information by doctors, the source said. The Herald reported on Monday the story of a Randwick woman who has spent five years battling GIO General Ltd over a CTP insurance claim for injuries she suffered when hit by a car. The insurers’ lawyers want access to all her medical records to assess the claim, but she wants her doctors to release only relevant files, fearing the exposure of sensitive notes about a sexual assault. A spokesman for the Motor Accidents Authority said its standard forms require only relevant information to be released, but claims assessors can allow broader requests when a matter is referred for dispute resolution. The NSW Health source said it has become increasingly common for insurance company lawyers to request broader access than the standard authority form. “That’s the culture. They want everything,” the source, who asked to remain anonymous, said. [Source]
It’s a leak in patient privacy that could involve the FBI and now the state bar of Nevada. UMC contacted the FBI after evidence surfaced that someone within the hospital is leaking patient medical records, possibly for profit. The state bar is launching its own investigation into whether attorneys are involved and if so, how many. This investigation sheds light on a bigger issue. You’ve heard the term “ambulance chasers” for those who prey on accident victims for business. When the Las Vegas Sun presented proof that patient information at UMC is being leaked and possibly sold to attorneys, questions arose as to how often this is happening. An ambulance driver, who wishes to remain anonymous, with AMR says the problem goes well beyond the doors of UMC. “I happen to know from personal experience that it’s so much wider than that.” The driver says the buying and selling of patient records is big business. [Source]
Horror Stories
A hard drive with seven years’ worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. was reported missing to state officials this week – six months after the drive went missing. Along with medical records, the hard drive contains names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York. Connecticut has data breach laws requiring individuals be notified of the loss of their personal data without reasonable delay. The data loss, which occurred in May, was only reported by the insurance company to the Connecticut state attorney general’s office and the Department of Insurance yesterday. The device containing the data was an external, portable hard drive. The data had not been encrypted. [Source] See also: [US: At UMC, audits show privacy lapses are not new] See also: [Electronic health records could be a deadly target during a cyberwar]
Identity Issues
Medical identity theft is on the rise and expected to worsen. The problem has grown during the recession as more uninsured people use the coverage of a friend, relative or even a stranger to get care. Of particular concern is the fact that most of the fraud is committed by people who pay medical workers for patients’ information. In one case, a front-desk clerk at a medical clinic in Weston, Fla., downloaded the personal information of more than 1,100 Medicare patients and gave it to a cousin, who made $2.8 million in false Medicare claims.Unfortunately, some steps being taken to improve care, such as making medical records electronic and requiring patients to have photo identification, could actually worsen the problem since they make the information more easily available. “Medical identity theft is the fast-growing form of identity theft,” says Jim Quiggle, spokesman for the Coalition Against Insurance Fraud. He says individuals often don’t know that they have been victimized until the thief has distorted their medical records and run up medical bills. [WSJ]
Internet / WWW
The third in a series, the EFF has already examined the chief promised benefit (increased public access) of the proposed Google Books settlement, as well as one of the chief potential drawbacks (impaired competition). Another down-side to the proposed settlement is its lack of adequate protections for reader privacy. And although EFF has repeatedly written about the privacy problem and outlined specific steps that could be taken to address it, as have the ACLU, CDT, EPIC, library associations, and academic authors, the revised Settlement 2.0 still does nothing new to address the serious privacy concerns raised by the Google Book Search services. According to the EFF study, the products and services envisioned by the proposed settlement will give Google not only an unprecedented ability to track our reading habits, but to do so at an unprecedented level of granularity. Because the books will be accessed on Google’s servers, Google will not only know what books readers search for and access, but will also know which pages they read, how long they stayed on each page, what book they read before, and which books they access next. This is a level of reader surveillance that no library or bookstore has ever had. And it’s not just Google that might want records about your reading habits. A core concern EFF has with the proposed settlement is that under it Google need not insist on a warrant before turning over this sensitive reader information to governmental authorities or private third parties. This is hardly a hypothetical risk: between 2001 and 2005, libraries were contacted by law enforcement seeking information on patrons at least 200 times. And in 2006 alone, AOL received almost 1,000 requests each month for information in civil and criminal cases. This lack of protections for reader privacy stands in sharp contrast to the privacy protections that librarians and bookstores have been fighting for in connection with physical books for decades. Nearly every state has laws protecting the privacy of library patrons. Google has announced a privacy policy for Google Books. While it addresses some of the privacy concerns EFF and others had raised, it does not go nearly far enough. As previously explained, the privacy policy can be changed at any time, is not an enforceable obligation tied to the proposed settlement agreement. [EFF Source] [Google Books Settlement 2.0: Evaluating Privacy]
Law Enforcement
Australian police will soon have sweeping powers to search people at random, including strip-search, even if there is no reasonable suspicion those targeted have done anything wrong. The ‘‘stop and search’’ tactic is part of a law and order crackdown set to be passed by State Parliament, despite the Government conceding that the legislation breaches the Victorian Human Rights Charter. Legal experts have labelled the proposed laws, which will enable officers to strip-search children and the disabled, as draconian and a knee-jerk reaction to the problem of drunken violence. Under the legislation, police will also be given the right to move people on if they believe they may be going to cause a breach of the peace. Proposed new powers:
Can you spot terrorists by the look on their faces? For the Transportation Security Administration (TSA), the answer is yes. For the past few years, airports across the country have been using what many call “behavioral surveillance” to weed out potential hijackers among us, by covertly examining travelers’ facial expressions and body language as they go through security. Unlike those airport employees who herd us along as we remove our shoes and relinquish all liquids over three ounces (with dubious results), this new program, named “Screening Passengers by Observational Techniques,” or “SPOT,” is carried out by TSA employees who have been trained to monitor travelers’ faces and movements. As Americans head out of town this holiday season, more than 3,000 “Behavior Detection Officers” will be at 161 airports nationwide, watching our every move. The TSA boasts that the SPOT program is “derivative of other successful behavioral analysis programs that have been employed by law enforcement and security personnel both in the U.S. and around the world.” Yet, the success of the SPOT program remains highly questionable. This month the Washington Post reported that, in 2008 alone, Behavior Detection Officers across the country pulled 98,805 passengers aside for additional screenings, out of which 9,854 were questioned by local police. 813 were eventually arrested. The cost of the program, according to TSA spokesperson Ann Davis, was $3.1 million. [Source]
Online Privacy
German data protection authorities are investigating whether Google’s web traffic measurement system Google Analytics routinely infringes privacy laws. Google Analytics gathers, stores and collates information about website visitors. It tells web publishers how many unique visitors have been to a site, what pages they visited in what order and for how long. Such information is essential for web publishers in the creation of their sites and the management of advertising. While other measurement services are available, Google Analytics has become extremely popular because it is free to use. The data protection authorities in Germany, though, are considering action against those publishers who use the system because it uses unique identifiers of users. Zeit reported that data protection authorities are concerned in case Google combines that information with other details held by it on the owner of that IP address from other services it operates such as its search engine or email system. Though Google’s terms and conditions say that it will not tie the Analytics data to other information it gathers, the data protection authorities are reportedly concerned about another clause in the terms and conditions that allows those terms to be modified by Google. Though the use of the system without web users’ consent is at the heart of its legality, Google said that it demands that all web publishers tell site users that Analytics is monitoring the use of the site. [Source]
Other Jurisdictions
India plans to set up a centralized system to monitor communications on mobile phones, landlines and the Internet in the country, a minister told the Rajya Sabha, the upper house of Parliament. Indian laws allow the interception and monitoring of communications under certain conditions, including to counter terrorism. A pilot of the new Centralized Monitoring System (CMS) is to be started by June next year, subject to clearances by other government agencies, according to an announcement by the government’s Press Information Bureau. The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers. The current system used by the government for call monitoring can be easily compromised because of the requirement of manual intervention at many stages, the minister said. Interception using the new system will also be instant, he added. [Source]
Privacy (US)
Madison Avenue has joined forces with Internet companies in a last-ditch attempt to stop privacy regulations over the $29 billion online-ad industry. The industry is finalizing an ad campaign to educate consumers about how digital advertising works, creating an icon that would appear on Web pages or ads alerting consumers if their activity is being tracked and deploying new technologies to police the Web for illegal activities. At issue is the practice of tracking consumers’ Web activities - from the searches they make to the sites they visit and the products they buy - for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked. Meanwhile, scrutiny in Washington continues to build. Lawmakers and regulators have broadened their scope beyond the Internet and are starting to examine privacy practices for a wider swath of media and technologies, from mobile phones and newfangled interactive TV commercials to telephone pitches and the advertisements consumers receive in their mailboxes. The Future of Privacy Forum, a privacy group backed by AT&T, is in the final stages of developing a logo that would appear on ads or Web sites to alert consumers to customized ads or that their Internet browsing is being tracked. The goal is to create a symbol that will gain the same awareness as the recycle triangle, says Jules Polonetsky, director of the forum. The group has yet to settle on a particular logo but has nixed using a “T” for targeting or an eyeball. Some industry players are ramping up their own efforts. Yahoo, for instance, has started testing several ways to try to make the tracking on its sites more transparent. In one example, an eBay ad on its Yahoo Green site includes a box labeled “AD INFO” in the top right corner. Clicking on the box reveals details about how the ad appeared on the page, including who the advertiser is and that Yahoo customized the ad based on past online activity. It also provides links for consumers to opt out or learn more about privacy and online ad targeting. Yahoo’s events site includes an “about our ads“ link at the bottom of the page that takes consumer to a Web site where they can learn more about how ads are customized according to a person’s Web browsing and choose to opt out of the tracking. Other companies are cropping up to provide technology for advertisers to audit their online advertising and check to make sure it is in compliance with regulatory guidelines. Former About.com CEO Scott Meyer recently launched a company called the Better Advertising Project that provides a technology for marketers to use to monitor their online ad campaigns. Lawmakers and regulators say they are closely watching these developments. “If the industry doesn’t step up to the plate with vigorous and consistent self-regulation, they are inviting a more regulatory approach,” FTC Chairman Jon Leibowitz said in a recent interview. [Source]
RFID
University of Arkansas researchers have developed a new method for preventing the cloning of passive radio frequency identification (RFID) tags. The method prevents the production of counterfeit tags by focusing on one or more unique physical attributes of individual tags, instead of the information stored on the tags. “It is easy to clone an RFID tag by copying the contents of its memory and applying them to a new, counterfeit tag, which can then be attached to a counterfeit product--or person, in the case of these new e-passports,” says Arkansas professor Dale R. Thompson. “What we’ve developed is an electronic fingerprinting system to prevent this from happening.” The researchers determined that all RFID tags have a unique fingerprint due to variances in radio frequency and manufacturing. By using an algorithm that repeatedly sent reader-to-tag signals, the researchers found that radio frequencies in RFID tags ranged from 903 MHz to 927 MHz, and increased in increments of 2.4 megahertz. The measurements showed that each tag had a unique minimum power response at multiple radio frequencies, and that power responses were significantly different even in same-model tags. Thompson says the different minimal responses are just one of several unique physical characteristics that enabled them to create an electronic fingerprint to identify tags with a high probability of detecting counterfeit tags. [Source]
Security
Over four in 10 workers in the financial centres of the US and UK have admitted taking information from a previous job to the next one, according to a survey carried out for an information security company. The company asked 600 workers at London’s Canary Wharf and New York’s Wall Street about their attitudes to company data and found that 41% had taken data from one job to another. A third of workers would take corporate data to help a family or friend get a job. The survey revealed that the most popular kinds of information to be stolen are customer and contact details, followed by business plans and proposals, then by product details. It found that 13% of workers were prepared to take passwords and usernames so that they could access information at a later date The survey also contained bad news for IT departments within companies. While last year just 29% of workers said it was easy for them to take sensitive data from their company, that number rose this year to 57%. The favoured medium for stealing information was the USB memory stick. Printing out information was the next favourite, followed by emailing it. Most data thieves did not even have a specific use for the data they took. While 20% said they would use it in a new job and 27% said that they would use it as a bargaining tool to get a new job, 64% said that they took data ‘just in case it was useful’, the survey said. [Source]
Surveillance
The Obama administration is seeking to reverse a federal appeals court decision that dramatically narrows the government’s search-and-seizure powers in the digital age. Solicitor General Elena Kagan and Justice Department officials are asking the 9th U.S. Circuit Court of Appeals to reconsider its August ruling that federal prosecutors went too far when seizing 104 professional baseball players’ drug results when they had a warrant for just 10. The 9th U.S. Circuit Court of Appeals’ 9-2 decision offered Miranda-style guidelines to prosecutors and judges on how to protect Fourth Amendment privacy rights while conducting computer searches. Kagan, appointed solicitor general by President Barack Obama, joined several U.S. attorneys in telling the San Francisco-based court that the guidelines are complicating federal prosecutions in the West. The circuit, the nation’s largest, covers nine states: Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington. The government is asking the court to review the case with all of its 27 judges, which it has never done. If the court agrees to a rehearing, a new decision is not expected for years, and the August decision would be set aside pending a new ruling. Either way, the U.S. Supreme Court has the final say. The controversial decision, which the government said was contrary to Supreme Court precedent, outlined new rules on how the government may search computers. [Source]
Telecom / TV
Customers’ records have been illegally traded by employees of T-Mobile, according to the mobile operator. The Information Commissioner’s Office has reported that millions of records were involved. The ICO reported earlier that “substantial amounts of money” have been paid by brokers for the data, which includes the expiry date of agreements customers have with a mobile phone company. The information is used by competitors to offer people deals towards the end of their existing contract. T-Mobile, part of Deutsche Telekom, said that it had contacted the ICO about the data breach. The company told news agency Reuters that it did so after employees passed the information to third parties “without our knowledge”. The ICO is preparing a file for prosecutors. It has raided a number of premises under search warrant, it said. Information Commissioner Christopher Graham said that the news is evidence that tough jail sentences are needed for those who make a business out of the illegal trade in personal data. [Source]
US Government Programs
Wide-eyed children around the world will be hearing from Santa’s “elves” at the North Pole after all. During Christmas seasons for decades, these dedicated elves responded to thousands of letters addressed to “Santa Claus, North Pole.” All that was ending with a U.S. Postal Service decision to discontinue the program based in the small Alaskan town amid privacy concerns. The elves from Santa’s Mailbag vowed to fight the decision, while North Pole residents voiced outrage. A reversal of the Postal Service move was announced Friday. The letters will now be answered under tightened privacy rules implemented nationwide by the Postal Service in response to security concerns that arose in a similar program in Maryland last year. [Source]
Workplace Privacy
The Community and Public Sector Union has called for two independent inquiries into the Department of Foreign Affairs and Trade’s system of secret personnel files. DFAT staff have expressed concern that the department has quietly re-established a system of secret personnel files similar to a highly controversial system, known as the “X-files”, that was abolished 20 years ago. The confidential personnel files have been used by DFAT management in determining promotions, postings and placements within the department. According to correspondence seen by The Canberra Times, several DFAT officers recently inadvertently discovered that the department’s management had allowed the creation, maintenance and long-term retention of confidential personnel files, including files under their own name. [Source]
+++