Privacy News Highlights
01–11 September 2009
Contents:
EU – Irish School’s Fingerprint System May Breach Laws
CA – Privacy Commissioners Urge Caution on Expanded Surveillance Plan
CA – Canadian Net Hate-Speech Law Violates Charter Rights, Tribunal Rules
US – Groups Call For New Checks On Behavioral Ad Data
EU – Websites ‘Breaking Consumer Laws’ In EU
EU – Scottish Government Consults on Data Privacy to Improve Public Confidence
US – Utilities’ Smart Meters Save Money, But Erode Privacy
EU – German Court Rules Against Google’s Terms of Service
EU – Dutch Royals Win Privacy Case Against AP
US – U.S. Treasury Cashes in on SNS
AU – E-Health Submissions to be Made Public
CN – China’s Website Clampdown
EU – Google’s Plan to Digitize Books Flouts Copyright Laws, Germany Warns
US – National Coalition of Authors Urge Rejection of Google Book Search Deal
UK – Opposition Mounts Against P2P Disconnection Plan
US – Revised Bill Still Gives Obama Unprecedented Cyber-Security Powers
US – Opinion: A Casualty of the Technology Revolution: ‘Locational Privacy’
EU – Google pledges more blurring in Switzerland
US – Obama Warns Teens of Perils of Facebook
US – ACLU Lawsuit Says Student’s Cell Phone Was Illegally Searched
US – DHS Privacy Office Approves Laptop Searches Without Suspicion at U.S. Borders
EU – Study Reveals Breach, Encryption Rates
WW – Wiretapping Skype Calls: Virus Eavesdrops on VoIP
KR – Korean NIS Engages In Packet Eavesdropping
CA – York University Obtains Court Order for Bell & Rogers Subscriber Information
US – FTC To Ban Most Telemarketing ‘Robocalls’ Sept. 1
CA – Bell Ordered to Inform Customers About Data Gathering
CA – Canadian Wireless Companies Introduce New Code of Conduct
WW – OpenTV Opens Way to Behavioral Advertising on the TV
AU – Gov’t Warning System Needs Privacy Controls
US – Maine Online Privacy Statute Sent Back to Lawmakers
US – Congress Weighs Landmark Change in Web Ad Privacy
Biometrics
A CO Limerick secondary school may be forced to drop a hi-tech fingerprint student monitoring system for breaching data protection legislation. All 420 students at the mixed Salesian College in Pallaskenry have been fingerprinted for the new biometric system used for daily enrolment. A fingerprint from each hand is registered on two scanners when students arrive in the morning and return after lunch. The system cuts out an hour’s work every day compiling rolls. However, the Data Protection Commission (DPC) said the project may contravene data protection legislation. Commissioner Billy Hawkes has contacted the school for information about the new enrolment procedures. A spokesman for the commissioner said they have brought to the attention of the school to guidelines set out for any school on monitoring systems. While the guidelines do not specifically refer to finger printing, the spokesman said: “They set out the principles that have to be applied to render the collection of personal data legitimate.” The guidelines state that the introduction of a biometric system has to get the approval of parents and each student, before being introduced. School principal, Paddy O’Neill informed parents of the introduction of the system by way of a news letter during the summer holidays. [Source]
Canada
Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada’s privacy guardians. Privacy commissioners and ombudspersons from across the country issued a joint resolution urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence. The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data – even without judicial authorization. The resolution is the product of the semi-annual meeting of Canada’s privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John’s. The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June. The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:
* Are minimally intrusive;
* Impose limits on the use of new powers;
* Require that draft regulations be reviewed publicly before coming into force;
* Include effective oversight;
* Provide for regular public reporting on the use of powers; and
* Include a five-year Parliamentary review.
At the meeting in St. John’s, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records. The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach. Both resolutions are available on the Privacy Commissioner of Canada’s website [“Protecting Privacy for Canadians in the 21st Century” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials on Bills C-46 and C-47] [“The Promise of Personal Health Records” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials] [Source]
A Canadian law governing Internet hate speech violates Canadians’ charter rights to freedom of expression, the Canadian Human Rights Tribunal has ruled. The development could give more ammunition to those who complain that the Canadian Human Rights Commission, which refers cases to the tribunal, is engaging in censorship by attempting to restrict what people say on the Internet. [Globe and Mail]
Consumer
Privacy advocates released a series of guidelines for American legislators considering regulations on behavioral advertising, calling for greater transparency and giving Web surfers more control over how the data is used. Ten groups, including the Center for Digital Democracy and the Electronic Frontier Foundation, are pushing the debate ahead of the return of Congress in September, when certain members have hinted they’d be receptive to ideas for legislation. [CNET] [Full list of signatories]
More than half of websites selling electronic goods were breaking European laws aimed at protecting consumers, according to an EU investigation. The analysis of 369 websites selling mobiles, DVD players and games consoles in 28 European countries found that 203 of them held misleading information. [BBC]
E-Government
The Scottish government published new proposed data protection principles aimed at increasing public confidence in the handling of private data. “These guiding principles are aimed at everyone who is responsible for complying with requirements to protect personal information,” said Finance Secretary John Swinney. “I want the public to feel confident that data is secure and their privacy is safeguarded.” The proposals include guidance on identity verification, audit trails, data sharing and risk management, among other areas. Swinney called on public-sector staff to provide input for the refinement of the principles. Assistant Information Commissioner Ken Macdonald said the ICO “welcomes this initiative of the Scottish government.” [Source]
Electronic Records
Those new smart meters utilities will install soon are being touted as money-savers that will give customers more control over their electric bills. But for the utilities, the meters’ real worth lies in the information generated, including details that some customers might prefer remained secret. Already, one utility is analyzing daily readings to spot thieves who intermittently bypass the meters and steal power. And experts looking at meter data can discern the telltale signs of illicit activity, such as a marijuana “grow house.” But the new generation of smart meters that Pennsylvania utilities are required to install will produce far more data, generating readings at least hourly. The meters could record material so frequently that power flows could be interpreted like DNA to reveal unique electrical signatures of individual appliances. Some experts imagine an Orwellian future in a carbon-constrained world, where consumers are cited for excessive electricity use, or divorce lawyers comb through meter records and ask: Who used the hot tub while the spouse was away? Because they capture so much information, the meters also can reveal intimate details about activity inside a customer’s house: when they are home; when they sleep; when they eat. Last month, the Colorado Public Utilities Commission opened an inquiry into the privacy implications. Other states are expected to follow. “The real value of smart meters is the information.” [Source]
EU Developments
A German court has ruled that Google must change terms of service that could be interpreted to compromise a user’s rights, a decision the consumer advocacy group that brought the suit welcomed Monday as a victory for online transparency. The suit filed by the Federation of German Consumer Organizations charged that the terms of service for opening an account through Google Mail, Google Documents and other programs could be interpreted as giving the Internet search giant the right to review and even delete a user’s information. [SiliconValley.com]
A court ruled Friday that The Associated Press violated the privacy of the Dutch royal family by photographing them on a skiing holiday in Argentina. The judge handed down an injunction against further distribution or sale of four images of Crown Prince Willem-Alexander’s family that were made available worldwide last month and widely used by the Dutch media. [Source]
Finance
State revenue agents are finding social networking sites a convenient means of tracking down those who owe taxes. Increasingly, those who owe are helping investigators collect funds due by posting information about themselves online. The report cites a recent case in Minnesota, where agents collected several thousand dollars from a man who included his new employer’s name on his MySpace page. “These new supplements are often far more efficient than the older ones, such as reading the local newspaper or making inquiries at barbershops and church meetings,” said Jim Eads of the Federation of Tax Administrators. [Wall Street Journal]
Health / Medical
PUBLIC submissions on a controversial plan to adopt Medicare-based numbers as healthcare identifiers will be published by the federal Health Department, following a backdown under consumer pressure. Consumer groups have been protesting government secrecy and lack of consultation surrounding development of an electronic system of sharing patient records nationwide and, in particular, a refusal to release the results of previous consultations and reports. Parties who contributed responses to the Healthcare Identifiers and Privacy discussion paper have now been contacted by email, seeking permission to post the submissions on the health website. It is expected that the submissions will be posted later this week. Meanwhile, it appears the health ministers are well aware of the political sensitivities - a privacy impact assessment on IHIs conducted in 2006 but subsequently buried confirms fears that the matter has the potential to “spark considerable community concern”. [Source]
Identity Issues
News Web sites in China have begun requiring new users to register their true identities before allowing them to post comments – a move rejected by Internet companies and users in the past. [Guardian] See also: [China Sets New Rules For Music Sold Online]
Intellectual Property
Google Inc.’s plan to digitize millions of books would violate German copyright law and the country’s privacy protections for Internet users, the German government said in a U.S. court filing. Germany opposes a proposed settlement, which Google reached with the Authors Guild and Association of American Publishers Inc. among others in October 2008, because Google could digitize books by German authors without their consent, according to filing dated Monday. It was signed by Johannes Christian Wichard of Germany’s Justice Ministry. Mr. Wichard said the deal would allow Google to flout German copyright laws. “The decision of this court with respect to this settlement will have the dramatic and long-range effect of creating a new worldwide copyright regime without any input from those who will be greatly impacted,” he said. [Source]
A coalition of authors and publishers is urging a federal judge to reject the proposed settlement in a lawsuit over Google Book Search, arguing that the sweeping agreement to digitize millions of books ignores critical privacy rights for readers and writers. The group of more than two dozen authors and publishers, represented by the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), and the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law (Samuelson clinic), have filed an objection to the settlement. The coalition is concerned that Google’s collection of personal identifying information about users who browse, read, and make purchases online at Google Book Search will chill their readership. “Google Book Search and other digital book projects will redefine the way people read and research,” said Lethem, winner of a National Book Critics Circle Award. “Now is the moment to make sure that Google Book Search is as private as the world of physical books. If future readers know that they are leaving a digital trail for others to follow, they may shy away from important intellectual journeys.” [Source]
The heads of the UK’s largest ISPs have co-signed a letter of protest against the proposal to disconnect suspected illegal file-sharers from their broadband service. The signatories of the open letter to The Times acknowledged the creative industry’s concerns about illegal sharing of copyrighted material. Nevertheless, they said the government’s latest proposals on how to reduce this are “misconceived, and threaten broadband consumers’ rights and the development of new, attractive services.” [CNET]
Law Enforcement
After receiving a hailstorm of criticism for his first version of the Cybersecurity Act of 2009, Sen. Jay Rockefeller revises the legislation to encounter even more criticism. In both versions, the controversy rests on the president’s ability to shut down private Internet networks in the case of a national emergency. Sen. Jay Rockefeller’s revised Cybersecurity Act of 2009 is creating as much controversy as his original effort in April did. Both versions give the president unprecedented authority to shut down private Internet networks in the case of a cyber-security emergency. The original draft bill gave the president the broad authority to designate various private networks as a “critical infrastructure system or network” and, with no other review, “may declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from” the designated the private sector system or network. In the revised version that language was dropped, but the vague substitute wording still allows the president to declare a cyber-security emergency and gives the White House broad authority over “non-governmental” networks in times of national emergency (as declared by the president). The bill also grants the federal government the authority issue to cyber-security mandates for designated private networks and systems, including standardized security software and testing, and licensing and certification of cyber-security professionals.The legislation also calls for a public-private clearinghouse for cyber-threats and vulnerability information under the authority of the Department of Commerce. The Secretary of Commerce would have the authority to access “all relevant data concerning such networks without regard to any provision of law, regulation, rule or policy restricting such access.” In another section of the bill, though, the president is required to report to Congress on the feasibility of an identity management and authentication program “with appropriate civil liberties and privacy protections.” Nojeim complained the bill is “not only vague but also broad. Its very broad language is intended to confer broad powers.” He also speculated that the bill’s vague language and authority may prove to be powerful incentive for the private sector to improve its cyber-security measures. “The bill will encourage private sector solutions to make the more troubling sections of the bill unnecessary,” Nojeim said. [Source]
Location
It’s time for a serious conversation about how much of our privacy of movement we want to give up. That’s according to Adam Cohen in a New York Times editorial about the privacy we forfeit when using devices and services that track our movements, such as cell phones, E-Z Passes, MetroCards and surveillance cameras, among others. Cohen cites a recent Electronic Frontier Foundation report that warns of the loss of locational privacy. He says entities should: avoid collecting location-based information whenever possible; erase location data as soon as its purpose has been served; and give consumers advance notice of the information collection and the chance to opt out. [Source] [EFF Report]
Offshore
Online Privacy
Google said this week that its Street View service will blur some pictures from Switzerland even more after a Swiss official said the images were violating the country’s strict privacy laws. The blurring of people’s faces and license numbers will be significantly improved, said Peter Fleischer, Google’s global privacy counsel, who said that Switzerland’s Federal Data Protection Commissioner, Hanspeter Thuer, is now assessing Google’s proposals. Last week, Thuer demanded that Google take off the Internet any Street View images of Switzerland because he said it was failing to obscure people’s identities on the mapping service and was therefore in breach with privacy laws. Many faces and license numbers in the service weren’t blurred or were done so inadequately, he said. Thuer subsequently met with Google to discuss the problem. Fleischer said the changes in the images of faces will first be introduced in Switzerland and subsequently in other countries. License numbers will only be more blurred in Switzerland because the letters and numbers are bigger than on other countries’ license plates, he said, adding that the improvements can be done within a few weeks. [Source]
President Barack Obama warned American teenagers on Tuesday of the dangers of putting too much personal information on Internet social networking sites, saying it could come back to haunt them in later life. The presidential words of advice follow recent studies that suggest U.S. employers are increasingly turning to sites such as Facebook and MySpace to conduct background checks on job applicants. [Washington Post]
Other Jurisdictions
Privacy (US)
A middle school honor student who was expelled after authorities searched his cell phone and found evidence of what they claimed were “gang-related activities” now has a lawyer: the ACLU. The Mississippi ACLU this week filed a federal civil rights lawsuit, arguing that the 2008 cell phone search was illegal and the expulsion wrongful. The lawsuit claims that the gang activities were simply photos showing the student, then-12-year-old Richard Wade, dancing in the bathroom of his own home, and a friend, also at Wade’s home, with a BB gun held across his chest. According to the ACLU press release, Wade, then a 12-year-old at Southaven Middle School, had his phone confiscated and then searched by his football coaches, the class principal, and a police sergeant after he read a text message received from his father during football class. The school bans cell phone use by students, and lets teachers and coaches take the phone away and turn it into the main office, where parents can pick it up after paying a fine. But a statement by school authorities cast the policy in a somewhat different light: “School system officials earlier cited the district’s policy on the use of cell phones during school hours and said ‘students know that if they break the rules, their cell phone will be confiscated and that school officials reserve the right to look through the cell phone to see if they were cheating on a test or conducting illegal activities related to gangs or drugs.’“ The ACLU argues that the search of the phone and the subsequent expulsion of Wade violated his constitutional rights. [Source] See also: [US: School Wants Access to Students Facebook, MySpace Accounts]
The Department of Homeland Security has released a Privacy Impact Assessment involving electronic device searches at U.S. borders. The 51-page assessment proposes some revisions to the Bush-era policies currently in place--such as increasing the amount of information available to travelers about the searches and setting search time limits--but the ability for border agents to search such devices without suspicion remains unchanged. DHS says exempting them from customs inspection would create a “dangerous loophole.” Lillie Coney of the Electronic Privacy Information Center feels this amounts to rights of U.S. citizens “magically disappearing” at the border. “That’s a big problem,” Coney said. [Source] [PIA]
Security
The majority of French organizations polled for a new Ponemon Institute study revealed they have experienced one or more data breach incidents in the past year. Reuters reports that 67% of 414 IT professionals admitted they had experienced a breach. Eighteen percent said they have experienced five or more breaches. The study was commissioned by PGP Corporation. Ninety-two percent of the breaches were not disclosed. Despite the fact 71% of respondents indicated that data protection was either “very important” or “important,” 45% said that they have no encryption strategy. [Source]
Surveillance
Hackers and law enforcement have another weapon to spy on people: a virus that can eavesdrop on voice conversations that go over computers instead of a regular phone line. The capability has been shown in a new “Trojan horse” virus that records VoIP calls through the popular Skype service. [Source] See also: [Ebay To Sell Skype To Private Investors: Report]
Human rights groups in South Korea argue for checks to be put in place against excessive invasions of privacy. As evidence surfaces of “packet eavesdropping” by the National Intelligence Service (NIS) involving detailed monitoring of Internet activity of a suspect’s family members during an investigation, observers are commenting on what they are calling excessive invasion of privacy. In an emergency press conference held on the situation regarding Internet monitoring and NIS eavesdropping at the main conference hall of the Korean Federation of Trade Unions headquarters in Seoul, policy committee member of the Solidarity for Practice of the South-North Joint Declaration announced that during his trial last September where he was being investigated for charges of producing materials that aided the enemy and violating the National Security Act, he learned that the NIS had engaged in “packet eavesdropping” of Internet lines in his home and office for two months since June. [Source]
Michael Geist: “There has been considerable discussion in recent weeks regarding the prospect of court orders mandating ISPs or other intermediaries disclose identifying information about anonymous individuals (Google model case, Ottawa city hall blog). Overlooked, however, is a recent order obtained by York University requiring Bell and Rogers to disclose subscriber information. Neither ISP opposed the order, which included some novel requirements in return for ordering the two companies to disclose the names of customers associated with particular IP addresses. First, York University was required to pay the ISPs to compensate them for providing the information - Rogers gets $600, while Bell gets $300. Second, the court added a condition that required notification of the customers identified by Bell and Rogers so that they could apply to the court to vary or vacate the order. Despite constituting only three paragraphs, the order raises some very interesting issues including the questions about why a university would seek this order, the compensation to the ISPs, and the attempt to factor in a response from the identified subscribers.” [Source]
Telecom / TV
Americans tired of having their dinners interrupted by phone calls touting car warranties or vacation packages will soon get some relief. Violators will face penalties of up to $16,000 a call. Calls that are not trying to sell goods and services to consumers will be exempt, such as those that provide information like flight cancellations and delivery notices and those from debt collectors. [SiliconValley.com]
Canada’s privacy commissioner, fresh off forcing Facebook to change how it handles users’ data, is ordering Bell Canada to change how it informs internet customers of its network-management practices. In a report dated Aug. 13 and made public on Friday, assistant privacy commissioner Elizabeth Denham told the company it must change its service agreements and the Frequently Asked Questions section of its website to notify customers that it collects and retains their personal information through use of its deep-packet inspection technology. [CBC]
Canada’s wireless phone companies will allow customers to refuse changes made part way through their contract’s term or to get out of the contract at no additional cost. The pledge is one a litany of promises contained in a new “code of conduct” governing cell phones released Tuesday by the Canadian Wireless Telecommunications Association. [National Post] [CWTA Press Release]
OpenTV will open up its TV measurement platform to third parties, which it hopes will developers will embrace for next-generation set-top boxes that track detailed information about viewers’ behavior, it said. Open TV’s platform makes it easier for operators to gather detailed data on what programs and ads viewers watch and for how long. The necessary data formats will be released later this year, OpenTV said in a statement. Operators will be able to measure the usage of personal video recording, video-on-demand and interactive applications. They can also generate new revenue from advertisers by selling ad viewership reports, down to second-by-second measurements of how long subscribers watch an ad before changing the channel or fast forwarding. This kind of detailed information on the activity of viewers can make TV and advertising more relevant, but it does open up privacy questions. OpenTV is aware of the privacy implications of its platform. The system allows collected data to be anonymized or filtered according to privacy rules, the company said. OpenTV’s software is used on 133 million devices worldwide, and is used to offer program guides, video, recording and tailor-made advertising, according to the company. Partners include Motorola and Cisco, and its customer list includes Time Warner Cable in the U.S. and BSkyB in the U.K. [Source]
A propose disaster warning system begs strong privacy regulations, according to the president of an Australian civil liberties group. A government-proposed bushfire warning system would let authorities track the movements of those in declared disaster areas using their mobile phone coordinates. The system would send location-based warnings in the event of fire, tsunamis or other disasters, and would also be used to search for victims or to identify suspected arsonists, for example. “This technology will have important uses,” said Michael Pearce SC of Liberty Victoria, “but there just has to be protection to prevent the misuse of information.” [Source]
US Government Programs
Maine Attorney General Janet Mills has asked the federal district court in Maine to dismiss a lawsuit that seeks an injunction on the state’s predatory marketing law, set to become effective later this week. On Thursday, Mills filed papers saying that her office will not enforce the law should it take effect and that “It is well established that a federal court has no jurisdiction over a challenge to a state statute when there is no credible risk of enforcement,” Mills wrote. Groups opposed to the law say its private cause of action provision means that, despite the AG’s lack of enforcement, private parties could still bring class actions, or individual suits. [Source]
US Legislation
A new Maine law banning the collection of personal information from minors online will go back to the state Legislature because of a court challenge. The law, scheduled to take effect Saturday, is likely to be amended when the Legislature reconvenes in January. Online trade associations, a coalition of Maine colleges and the Maine Press Association sued the state in U.S. District Court in Bangor to stop the law from taking effect. They argued that it was too broad and had implications for young people’s First Amendment rights. On Tuesday, the state and those groups agreed to dismiss the case. In writing the court order, Judge John Woodcock said Attorney General Janet Mills “acknowledged her concerns over the substantial overbreadth of the statute and the implications of (the law) on the exercise of First Amendment rights, and accordingly has committed not to enforce it.” [Source]
U.S. Rep. Rick Boucher, chairman of the House Energy and Commerce Subcommittee on Communications, Technology and the Internet, is drafting a bill that would impose broad new rules on Web sites and advertisers. His goal is to ensure that consumers know what information is being collected about them on the Web and how it is being used, and to give them control over that information. [Washington Post]
Workplace Privacy
The German supermarket chain Lidl has been in the news in recent months for its surveillance of employees. Now, the German state data protection authority in North Rhine-Westphalia has fined company subsidiaries for recording employees’ health details. The branches retained information on employees’ influenza, backaches, hypertension, hospitalizations and artificial inseminations, sometimes without their knowledge, the report states. The DPA imposed a 36,000 Euro fine for data protection law violations. “Lidl is not an isolated incident,” said Roland Schlapka, Permanent Representative of North-Rhine-Westphalia, Supervisor. [Source]
+++