Privacy News Highlights

12–22 September 2009

 

Contents:

NZ – Govt Biometrics Bill Raises Concerns

UK – Fingerprint Technology to Control Methadone

HK – Theme Park Must Justify Need for Biometrics

CA – Commissioners: Rethink Internet-Monitoring Bills

CA – More Whole Body Scanners Coming

US – Federal Trade Commission to Host Privacy Roundtables

US – Study: Web Shoppers Will Exchange Privacy for Security

US – Istockphoto Seeks Profit from Others’ Legal Worries

US – Administration Announces Cloud Computing Initiative, Privacy Umbrella Missing

US – Thoughts on Identity from the Gov 2.0 Summit

US – Man Draws Six Month Sentence for Unauthorized Background Checks

CA – York U: Google Ordered To ID Email Authors

US – Privacy Experts Face Off Over Patient Control, Policy Safeguards

US – Committee Approves EHR Privacy Standards

US – EPIC Urges Appeals Court to Protect Prescription Data

US – Heartland CEO Pushes for End-to-End Encryption

UK – Conservatives Unveil Plans to Reduce the Surveillance State

EU – 25,000 March on Berlin for More Privacy

EU – Pirate Party Wants Internet Privacy

US – Ten Most-Trusted Large US Companies Named: Ponemon

CA – Porn Blocking Up to Schools, Parents: Ontario Premier

WW – Web Censoring Widens Across Southeast Asia

EU – EU Poses Conditions on US Access to Bank Account Info

US – Car Dealers and Credit Reports

CA – Commissioner Cavoukian Launches Information Drive for Right to Know Week

WW – ‘What Happens with the Genetic Data?’

US – HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole

US – Heywood: Forget Medical Privacy

US – Spyware Intended for Girlfriend Ended Up on Hospital Network

US – Gonzalez Guilty Plea Settles Two of Three Indictments

US – Cyber Thieves Stole Payment Card Data From Indiana Bank Customers

US – Heartland Hearings Begin

US – School District’s System Scans IDs, Compares to Sex Offender Database

WW – How Much Are You Worth on the Black Market?

EU – French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill

UK – Musicians Oppose UK’s Plan to Cut Filesharers Off from Internet

UK – UK Music Industry Ready For Climbdown on Internet Piracy Demands

AU – Australia’s Internet Industry Association Issues Draft eSecurity Code

WW – Twitter: Your ‘Tweets’ Belong To You

UK – Chief Constable Sued Over Data Stolen From a Police Computer

US – Facebook Fights Virginia’s Demand for User Data, Photos

US – Massachusetts Supreme Court Requires Warrant for GPS Tracking

CA – GPS on Seniors Raises Privacy, Cost Issues

US – Facebook Settles Beacon Suit

WW – Facebook Adding Privacy Pop-Ups

WW – MIT Project Identifies Gay Students from Online Profiles

US – Massachusetts High Court Rules Inmate Phone Calls Are Not Private

US – Privacy Groups: Obama Has More Work to Do

US – 2009 Privacy Innovation Awards Presented

US – Dennedy Receives Privacy Vanguard Award

US – Sears Ordered to Destroy Collected Customer Data

US – Walmart Photo Policy Spurs Parents’ Lawsuits

US – Lawmakers Push for Arson Registry

EU – European Privacy Seal Awarded to Online Ad Service and Video Anonymizer

WW – On the “Failure of Anonymization”

AU – Library ‘Vigilantes’ Track Down ‘Lost’ Books

WW – SANS Report: Top Cyber Security Risks Underestimated by Industry/Government

WW – Trend Micro Study Finds Malware Often Remains For Months

US – Govt Review: No Privacy Problems in Cyber Security

IN – 1.2bn Population of India to be Given Biometric ID Cards

US – U.S. Justice Dept Wants Surveillance Methods Extended

US – Bill to Add Surveillance Safeguards Introduced

US – Surveillance Cameras in Pennsylvania Town Prompt Privacy Concerns

EU – Smart Grid Privacy Considerations Outlined

CA – Ottawa Keeps Close Tabs On War Correspondents

US – Inspector General Issues Report on TSA

US – Indiana Court Strikes Down State Voter ID Law

US – PATRIOT Act Revisions Introduced in Senate

US – Proposed Legislation in California Clarifies Breach Notification Requirements

US – ID Theft Bill Introduced; Would Establish New FTC Office

US – Census Workers Sworn to Confidentiality for Life

CA – 80 Power Plant Workers Learn To Fear Big Brother

EU – Anticipating Pandemic, CNIL Issues Guidance

 

 


Biometrics

 

NZ – Govt Biometrics Bill Raises Concerns

New Zealand Privacy Commissioner Marie Shroff would like to know more about how the government will protect the biometric data it will begin collecting should a bill currently in parliament pass. The bill would let Immigration New Zealand collect biometric data from all who arrive in the country, the report states. It would also allow the information collected to be shared with other countries. The aim is to prevent unauthorized individuals from entering, but some cite potential privacy threats. “The more information the state has about you, the more they can track...and control you,” said Michael Bott of the Council for Civil Liberties. [Source]

 

UK – Fingerprint Technology to Control Methadone

A pharmacy chain has started using fingerprint technology to make sure that methadone doesn’t get into the wrong hands. Co-op stores across the country have installed scanners to help them identify patients who are picking up the heroin substitute. The technology is being used in pharmacies with a large number of methadone users to cut costs and improve security. The fingerprints are stored for future use; the chain says this is an added safeguard to ensure that the potentially dangerous substance isn’t given out to the wrong people. [Source]

 

HK – Theme Park Must Justify Need for Biometrics

Hong Kong officials say the Ocean Park theme park will need to justify its use of biometrics for verifying annual pass holders’ identities. The park is exploring the use of fingerprints or retinal scans. “Is ticket fraud really that serious?” asked Human Rights Monitor Director Law Yuk-kai, adding that some organizations are technologically advanced but have “a backward mindset when it comes to...privacy protection.” Disneyland has used biometrics since 2006, but privacy commissioner Roderick Woo Bun deemed it acceptable because Disney offers guests the alternative of producing photo identification instead. [Source]

 

Canada

 

CA – Commissioners: Rethink Internet-Monitoring Bills

Canada’s privacy commissioners are urging the government to rethink two bills they say would infringe on the privacy rights of Canadians. The bills would give police greater latitude to monitor individuals’ Internet, wireless and telephone traffic. From their semi-annual meeting in St. John’s, Newfoundland, federal and provincial privacy commissioners stressed the need for government officials to carefully consider the legislation. “The current proposal will give police unprecedented access to Canadians’ personal information,” said federal Privacy Commissioner Jennifer Stoddart. Newfoundland and Labrador Information and Privacy Commissioner Ed Ring said the government has not demonstrated the need for new powers that would threaten citizens’ privacy. [Source]

 

CA – More Whole Body Scanners Coming

The Canadian Air Transport Security Authority (CATSA) will order more digital body scanners for Canadian airports. The scanners have been controversial worldwide due to the revealing images they produce of air travelers. A seven-month-long trial at B.C.’s Kelowna International Airport failed to meet anticipated results, the report states. Despite this, the agency plans to purchase seven more of the $200,000 machines by the end of March. CATSA recently submitted a privacy impact assessment to the federal privacy commissioner’s office. A spokesperson for the privacy commissioner said: “We are going to encourage CATSA to explore less intrusive methods of screening.” [Source]

 

Consumer

 

US – Federal Trade Commission to Host Privacy Roundtables

The Federal Trade Commission has announced a series of roundtables on consumer privacy, beginning December 7. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include individuals from a wide range of related fields, including privacy and technology experts. The meetings are open and public comments are encouraged. EPIC has supported the FTC’s privacy mission, but has also said that the agency needs to do a lot more to safeguard consumer privacy. For more information, see EPIC’s FTC page.

 

US – Study: Web Shoppers Will Exchange Privacy for Security

A Ponemon Institute report shows that when it comes to online transactions, Web users will exchange some privacy for enhanced security. The majority of Internet users who responded to the poll indicated they would be willing to have online vendors verify their computers’ identities to help prevent transactional fraud. The security firm ThreatMetrix funded the study. About 70% of survey respondents said they were in favor of authentication as long as their personal information would not be collected. Larry Ponemon said the findings are “consistent with the value consumers place on convenience and their desires to have a more secure, trusted transactional experience online.” [Source] See also: [Designing Effective Interfaces for Usable Privacy and Security]

 

US – Istockphoto Seeks Profit from Others’ Legal Worries

iStockphoto, a Getty Images subsidiary that licenses photos and other content for relatively low cost, is hoping to benefit by reassuring customers concerned about violating others’ intellectual property rights. The company has begun promoting a legal guarantee under which it will cover up to $10,000 in legal expenses in cases involving trademark, copyright, or other intellectual property rights, and privacy rights. [CNET]

 

E-Government

 

US – Administration Announces Cloud Computing Initiative, Privacy Umbrella Missing

Chief Information Officer Vivek Kundra announced the launch of “Apps.gov”, a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at “lowering the cost of government operations while driving innovation.” Currently, the administration’s main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into cloud computing services, such as Google Docs, to determine “the adequacy of the privacy and security safeguards.” Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google’s CEO, asking Google to uphold privacy promises made to users of Google cloud computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC’s page on “Cloud Computing”.

 

US – Thoughts on Identity from the Gov 2.0 Summit

By Heather West, Center for Democracy & Technology: Last week, the federal government announced a pilot project to develop digital identity solutions for federal websites, working with OpenID and Information Cards technologies. This will allow government agencies to authenticate the public (for low and no security uses) and provide personalization and services. Online industry leaders have signed up as identity providers, and will allow citizens to use their existing identity online to interact with the government. Even six years ago, one third of online users logged in to government sites. The proliferation of online services and websites surely means that the identity program is something that agencies will be quick to take advantage of. Using a federated identity solution will allow agencies to stop developing and investing in independent solutions and instead use a plug-and-play system for identity. However, linking identities across the .gov web – let alone with the commercial web – carries new issues to be addressed. [Source] [Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government]

 

US – Man Draws Six Month Sentence for Unauthorized Background Checks

An Illinois man has been sentenced to six months in jail for abusing his position as director of a county emergency dispatch agency to conduct unauthorized background checks. Steven R. Cordes ran the checks as a favor to his girlfriend, who was concerned about the people with whom her teenage daughter was spending time. He pleaded guilty to official misconduct. He will pay US $4,666 in restitution to the company he worked for and will serve 30 months probation following his release from jail. [Source] [Source] [Source]

 

E-Mail

 

CA – York U: Google Ordered To ID Email Authors

York University has won court orders requiring Google Inc. and Canada’s two largest telecommunications companies to reveal the identities of the anonymous authors of contentious emails that accused the school’s president of academic fraud. The university took the extraordinary measures after an email was circulated alleging that president Mamdouh Shoukri “perpetrated an outrageous fraud” when publicly touting the appointment of a new dean. Last month, York sought similar orders compelling Bell and Rogers to disclose the contact information of the customers who accessed the account, a motion that went unopposed by the telecom giants. This week, Justice George R. Strathy of Ontario Superior Court released his reasons for granting the orders, saying it was a reasonable balance between protecting freedom of speech and protection from libel. The school now has the identities of five or six people who allegedly had access to the Gmail account. Justice Strathy said the information is only to be used for the purpose of commencing litigation. [Source] See also: [Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google | details of breach]

 

Electronic Records

 

US – Privacy Experts Face Off Over Patient Control, Policy Safeguards

Privacy advocates presented ideas for protecting electronic personal health information before the Health IT Policy Committee on Friday. National Health IT Coordinator Dr. David Blumenthal said: “We understand that we have to get this issue as right as humanly possible in order for the benefits of electronic health technologies to be realized.” Some lobbied that providers must obtain patient consent any time they want to share their data, while others felt a comprehensive set of rules for sharing patient data would be the best approach. The CEO of the Indiana Health Information Exchange demonstrated how his organization handles patient privacy. [Source]

 

US – Committee Approves EHR Privacy Standards

The Health IT Standards Committee yesterday endorsed a set of security and privacy standards for electronic health record systems. The approved standards require that EHR systems meet several access-control mandates by 2011, including the technical requirements of the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules and the Advanced Encryption Standard, the report states. “Security is a balance between ease-of-use, cost and bullet-proof protection,” said the committee’s vice chairman, John Halamka, adding that the committee’s privacy and security workgroup has tried to provide “a rational glide path to increasingly constrained security.” [Source] See also: [USA: Practices must have plans for handling health data breaches]

 

US – EPIC Urges Appeals Court to Protect Prescription Data

EPIC filed a friend of the court brief in the Court of Appeals for the Second Circuit today, urging the judges to uphold a Vermont law that regulates companies that sell or use prescriber-identifiable data for marketing. Several data-mining companies challenged the law after it was upheld by a district court. EPIC’s amicus brief supports the district court’s conclusion. The EPIC brief argues that Vermont has a substantial state interest in privacy protection and that the data miners’ de-identification practices do not, in fact, protect patient privacy. For more, see IMS Health v. Sorrell and EPIC Medical Privacy.

 

Encryption

 

US – Heartland CEO Pushes for End-to-End Encryption

Heartland Payment Systems CEO Robert Carr told a US Senate committee that the payment card industry needs to adopt end-to-end encryption to protect consumers, financial institutions and payment processors from payment card fraud. Heartland acknowledged a data breach earlier this year that exposed millions of payment card accounts. Heartland is also installing tamper-resistant point-of-sale terminals at its retailers. Lawmakers also questioned Carr about why it took the company 18 months to figure out that payment card information was being stolen. The Smart Card Alliance says that end-to-end encryption is not the answer to protecting card data, and is instead calling for “contactless chips with dynamic cryptograms.” [Source] [Source]

 

EU Developments

 

UK – Conservatives Unveil Plans to Reduce the Surveillance State

Fulfilling earlier commitments by party leader David Cameron, the Conservatives have published plans to reduce the role of surveillance and protect the public’s right to privacy. The policy paper, published by Shadow Justice Secretary Dominic Grieve, has drawn the expected criticism from the Labour Government, but most industry experts are standing behind the Conservatives’ plans to reduce the surveillance state, should they get into power at the next election. In response to what they describe as an ever more intrusive government that relies on “expensive databases and the reduction of civil liberties”, the Conservatives have set out an agenda for fewer central databases, stronger duties on government to keep the private information it gathers safe, and a reduction of the surveillance state. In the 11-point plan, entitled Reversing the Rise of the Database State, the measures for reducing the surveillance state include:

·         Scrapping the National Identity Register and ContactPoint database.

·         Establishing clear principles for the use and retention of DNA on the National DNA Database, including ending the permanent or prolonged retention of innocent people’s DNA.

·         Restricting and restraining local council access to personal communications data.

·         Reviewing protection of personal privacy from the surveillance state as part of a British Bill of Rights.

·         Strengthening the audit powers and independence of the Information Commissioner.

·         Requiring Privacy Impact Assessments on any proposals for new legislation or other measures that involve data collection or sharing at the earliest opportunity.

·         Requiring government to consult the Information Commissioner on the PIA and publish his findings.

·         Immediately submitting the Home Office’s plans for the retention of, and access to, communications data to the Information Commissioner for pre-legislative scrutiny.

·         Requiring new powers of data-sharing to be introduced into law by primary legislation, not by order.

·         Appointing a Minister and senior civil servant in each government ministry with responsibility for departmental operational data security.

·         Tasking the Information Commissioner to publish guidelines on best practice in data security in the public sector.

·         Tasking the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice.

Speaking at the launch of the policy paper, Shadow Justice Secretary Dominic Grieve said the government’s approach to personal privacy is the worst of all worlds: intrusive, ineffective and enormously expensive. [Source] [Policy Paper] [Coverage]

 

EU – 25,000 March on Berlin for More Privacy

More than 25,000 marched the streets of Berlin on Saturday to demand better data protection standards and to protest Internet monitoring. The march followed the passage of a law to give authorities more latitude in monitoring the Internet activities of citizens. Green party leader Claudia Roth said: “We have to fear a surveillance state, where everyone is a general suspect and the right of freedom, the right of privacy is breached.” Other participants pointed to recent spying and surveillance scandals at major German businesses as concerns. Organisers said the event successfully demonstrated how many people care about their privacy, the report states. [Source]

 

EU – Pirate Party Wants Internet Privacy

National Public Radio reports on Europe’s Pirate Party, a group that started in Sweden, but has grown to dozens of other European countries. The Pirate Party wants Internet privacy protected and copyright laws reformed, the report states. The party now has a seat in the European parliament. Swedish Pirate Party member Jonathan Rieder says two new laws, in particular, are cause for his party’s concern. One lets Swedish authorities monitor cross-border communications, another allows copyright holders to find out the IP addresses of file sharers. Party founder Rick Falkvinge said: “When somebody wants to shut down your right to communicate in private... young people in particular today, take offense to that.” [Source]

 

Facts & Stats

 

US – Ten Most-Trusted Large US Companies Named: Ponemon

The Ponemon Institute and TRUSTe have named the most trusted companies when it comes to privacy. EBay, Verizon and the U.S. Postal Service topped the list. To compile the list, the firms polled 6,000 adults about the brands they trust, and then an expert panel compared the responses to those companies’ privacy policies and practices. Other companies that made the top-ten list include: WebMD, IBM, Procter & Gamble, Nationwide, Intuit, Yahoo and Facebook. Ponemon Institute founder Larry Ponemon, CIPP, said the preponderance of technology companies on this year’s list could indicate that consumers are more comfortable with Internet commerce. [Source]

 

Filtering

 

CA – Porn Blocking Up to Schools, Parents: Ontario Premier

It is not really up to the government to block access to pornography on computers at schools and libraries, Ontario’s premier said last week, amid a push for mandatory Internet filtering software to protect children across the province. Premier Dalton McGuinty, who said he was not ready to commit to any new filters, said he believed that responsibility really should fall on parents themselves. [CTV]

 

WW – Web Censoring Widens Across Southeast Asia

Attempts to censor the Internet are spreading to Southeast Asia as governments turn to coercion and intimidation to rein in online criticism. Malaysia, Thailand and Vietnam lack the kind of technology and financial resources that China and some other large countries use to police the Internet. The Southeast Asian nations are using other methods -- also seen in China -- to tamp down criticism, including arresting some bloggers and individuals posting contentious views online. [WSJ]

 

Finance

 

EU – EU Poses Conditions on US Access to Bank Account Info

EU officials said that firm data protection guarantees are needed in order for it to continue sharing interbank transfer data with the United States. “If we don’t get real assurances concerning the protection of (personal) data there won’t be a deal,” said Justice Commissioner Jacques Barrot. Currently, the EU sends data from the Society for Worldwide Interbank Financial Telecommunication system (SWIFT), which facilitates daily global financial transactions involving 8,000 banks, to U.S. authorities to aid in anti-terrorism efforts. The European Commission is working on a new agreement for the data-sharing. Barrot said it will include guarantees on personal data protection. “That is an absolute condition.” [Source]

 

US – Car Dealers and Credit Reports

Auto dealers can run credit checks on prospective buyers without their Social Security numbers, says Consumer Reports. Two of the nation’s three largest credit reporting agencies confirmed they fulfill auto dealers’ requests using only a person’s name, address and date of birth--information contained on most driver’s licenses. While one agency said consumer consent is not necessary before pulling credit histories, another said that consumers’ permission is required. The latter opinion is consistent with Fair Credit Reporting Act provisions. An auto dealer association spokesperson said that consumers who relinquish their licenses to salespersons before test drives should specify that they do not want their credit history pulled, if that is the case. [Source]

 

FOI

 

CA – Commissioner Cavoukian Launches Information Drive for Right to Know Week

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is launching a multi-level information drive during Right to Know Week to help Ontarians understand their rights under provincial freedom of information legislation. To help mark Right to Know Week in Canada (Sept 27-Oct 3), she is:

§         sending teams to three Ontario cities on Monday, September 28, to set up information tables, where the teams will hand out IPC publications and answer questions from the public;

§         promoting these information tables through radio advertisements and a news release;

§         posting information to a special Right to Know section of her website (www.ipc.on.ca) about individuals’ right to know what governments are doing, plus information about Ontario’s two freedom of information (FOI) Acts; information on how to file FOI requests to provincial and local government organizations across Ontario; details on how to file an appeal to the IPC if you are not satisfied with the response you receive from a government organization; and lots more, including an FOI quiz that focuses on your rights; and

§         arranging for presentations by her staff to media students at a number of Ontario universities and community colleges on the public’s right to know, and on how journalists can make good use of freedom of information laws. [Source]

 

Genetics

 

WW – ‘What Happens with the Genetic Data?’

In part two of a three-part Genetic Future series exploring genetic data privacy, lawyers Daniel Vorhaus and Lawrence Moore discuss what happens with customers’ genetic data when a personal genomics company goes out of business. They examine how a bankruptcy court might handle a proposed sale of the company’s genomic database. In part one, the authors explored how personal genomics companies address the sale of customers’ data, if at all, in their privacy and confidentiality policies. [Source] See also: [DNA fingerprinting turns 25]

 

Health / Medical

 

US – HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole

New rules from the US Department of Health and Human Services (HHS) exempt organizations that are subject to HIPAA from notifying consumers of data security breaches if they use encryption or data destruction or if the incident does not meet the harm standard described in the new rules. The rules describe the standard by asking the entities to determine if the breach poses a “significant risk of financial, reputational or other harm to [an] individual.” If the harm standard is not met, entities are not required to notify affected individuals even if they do not employ encryption. [Source] [Source] [Source]

 

US – Heywood: Forget Medical Privacy

Wired reports on one business leader’s efforts to give patients more control over their health records. Jamie Heywood, founder of PatientsLikeMe.com, a health portal where individuals with chronic diseases share information, says physicians’ and hospitals’ tight rein on medical records is making us sicker. PatientsLikeMe anonymizes and sells the data patients proffer on the site to medical researchers and drug developers. Heywood is pushing a Declaration on Health Data Rights, which includes the tenet: “We the people have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost.” [Source]

 

Horror Stories

 

US – Spyware Intended for Girlfriend Ended Up on Hospital Network

An Ohio man will plead guilty to federal charges after spyware he sent to a woman ended up on a hospital computer system. Scott Graham intended the spyware to be installed on the computer of a woman with whom he had been in a relationship, but instead, she opened the email at work, infecting the computer systems at Akron Children’s Hospital. The spyware sent more than 1,000 screen shots to Graham’s email; the stolen data included confidential patient information and email and financial data of four other hospital employees. Graham will plead guilty to one count of illegally intercepting electronic communications and will pay US $33,000 in damages to the hospital. He will face a maximum prison sentence of five years. [Source]

 

US – Gonzalez Guilty Plea Settles Two of Three Indictments

Albert Gonzalez has pleaded guilty to 20 charges of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft in connection to data thefts at TJX, BJ’s wholesale club, OfficeMax, Barnes & Noble and other retailers. The cyber heists netted Gonzalez and his accomplices tens of millions of credit and debit card numbers. The plea settles charges from an indictment handed down in Massachusetts and one handed down in New York. The deal he agreed to with prosecutors could have him in prison for up to 25 years. He is still facing charges in New Jersey for allegedly stealing payment card information from Heartland Payment Systems and several other companies. A defense attorney maintains that Gonzalez was not the ringleader in that case. [Source] [Source] [Source] [Source] [Source]

 

US – Cyber Thieves Stole Payment Card Data From Indiana Bank Customers

Investigators say that cyber thieves stole debit card numbers from customers of People’s Saving and Trust Bank in Boonville, Indiana. The numbers were used in fraudulent transactions across the country. The bank will reimburse customers for losses incurred as a result of the data theft if they fill out police reports. The bank’s systems were not breached; the information was stolen from a third-party company. Customers whose accounts have been compromised are being urged to close those accounts. [Source] [Source]

 

US – Heartland Hearings Begin

Preliminary hearings have begun in the case against Heartland Payment Systems. Two class-action suits have been filed--one on behalf of consumers affected by the Heartland data breach, and another on behalf of more than 30 financial institutions from 22 states. It is anticipated that Heartland will file a motion to dismiss the suits. The company has already filed to have discovery stayed. An attorney for the plaintiffs anticipates that a dismissal motion would not be argued until January. [Source]

 

Identity Issues

 

US – School District’s System Scans IDs, Compares to Sex Offender Database

A new security system installed at all Martin County public schools scans visitor identification cards for comparison against a national database of sexual offenders. The V-Soft system, by Houston-based Raptor Technologies, collects names and date-of-birth information each time it scans a government-issued identification card. The system then compares the names and birth dates against Raptor’s national sex offenders’ database. It sends an e-mail alert to designated district staff, administrators and law enforcement officers assigned to each school, if it finds a confirmed match. [Source]

 

WW – How Much Are You Worth on the Black Market?

Ever wondered how much your online identity is worth to a cybercriminal? A new tool from Symantec Corp. will perform the calculation for you. The Norton Online Risk Calculator, unveiled within a microsite to coincide with the launch of Norton 2010, calculates your net worth on the black market by asking a few questions about your personal Internet use. It takes a few minutes to answer the questions, after which you get three results: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft. [Source]

 

Intellectual Property

 

EU – French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill

By a 285 to 225 vote, French legislators have approved a law that would put in place a system that could be employed to cut off Internet access of persistent illegal downloaders. A similar bill was passed earlier this year, but its constitutionality was successfully challenged. The law would allow a new anti-piracy agency, Hadopi, to sever users’ Internet connections, but would require an order from a judge. Violators would face maximum penalties of a 300,000 Euro fine and two years in jail; penalties for families whose children download are less stringent. The law would also require that people with wi-fi connections prevent those connections from being abused. The legislation was approved by the legislature’s lower house; it now goes before the upper house. [Source] [Source] [Source]

UK – Musicians Oppose UK’s Plan to Cut Filesharers Off from Internet

Members of the music industry say they “vehemently oppose” the UK’s proposal to boot illegal filesharers off the Internet. The Featured Artists Coalition (FAC), which represents musicians, song writers, and producers, acknowledged that filesharing takes a bite out of their profits, but cautioned that “what’s going on is a huge paradigm shift.” FAC noted that filesharing can actually encourage people to buy music for themselves and attend concerts. Members are concerned that fans will become disenchanted with the music industry and say that “the sensible thing to do is to see how we can monetize all this filesharing activity.” [Source] [Source]

 

UK – UK Music Industry Ready For Climbdown on Internet Piracy Demands

The UK music industry is preparing to back down from its demands that people caught downloading songs illegally be disconnected from the internet after a revolt by leading musicians. UK Music, the body that represents the British music scene, will release a statement today clarifying its stance on file-sharing. It has been forced to drop any mention of cutting off internet connections, to ensure unity across the industry. [Times Online]

 

Internet / WWW

 

AU – Australia’s Internet Industry Association Issues Draft eSecurity Code

Australia’s Internet Industry Association (IIA) has published a draft of an eSecurity Code aimed at protecting citizens from online threats. The voluntary code of practice makes numerous suggestions, including having ISPs notify subscribers whose computers are infected with malware and in some cases, disconnect those computers from the network. Under the plan as drafted, ISPs would first notify the subscribers and offer them help cleaning the malware from their machines. Recommendations to cut off Internet access would be made only when customers have refused to take action against known problems or if their computers are being used to conduct malicious activity that consumes substantial resources. [Source] [Source]

 

WW – Twitter: Your ‘Tweets’ Belong To You

Twitter has modified the terms of service that govern the proper use of the microblogging and social-networking site to state unequivocally that messages posted belong to their authors and not to the company. “Twitter is allowed to ‘use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute’ your tweets because that’s what we do. However, they are your tweets and they belong to you,” wrote Twitter co-founder Biz Stone in a blog post announcing the modifications. There has been controversy over the question of who owns the messages, photos, videos and other material that people post to social media and social-networking sites like Twitter, Facebook, MySpace and YouTube. For example, Google and Facebook got into hot water when critics complained about what they perceived as terms of service that claimed ownership of the data end users store in Google Apps and Facebook profiles. The revised Twitter terms also state that end users allow Twitter to make posted messages available to external applications that use the Twitter API (application programming interface). However, Twitter is still hammering out a set of guidelines for developers on the proper use of the API. [Source] See also: [Tweet airs Obama’s private ‘Jackass’ remark]

 

Law Enforcement

 

UK – Chief Constable Sued Over Data Stolen From a Police Computer

A victims campaigner has launched legal proceedings against the Chief Constable and two loyalist bandsmen over the gathering of information on Catholics from a police database. Lawyers for Mark Thompson, director of the Relatives for Justice group, confirmed writs have been served in his High Court claim for damages. Mr Thompson is suing the Police Service and Co Antrim men Aaron Hill (24) and Darren Richardson (31) who were both convicted of collecting information likely to be useful to terrorists. Hill, a former PSNI civilian member of staff from Mainebank, Randalstown, admitted carrying out checks on the police computer system for more than two years before being detected. It was estimated that around 100 names were searched, with nearly 70 people warned to step up their personal security because their details had been accessed. With Hill also found guilty of misconduct in public office, his original suspended sentence was increased to nine months in prison on appeal in June. [Source]

 

US – Facebook Fights Virginia’s Demand for User Data, Photos

The state of Virginia has backed away from its attempts to force Facebook to divulge the complete contents of a user’s account to settle a dispute over workers’ compensation, narrowly avoiding what promised to be a high-profile privacy battle in federal court. On Monday, the Virginia Workers’ Compensation Commission said it was no longer going to levy a $200-a-day fine on the social-networking site for refusing to comply with a subpoena from an airline that previously employed a flight attendant named Shana Hensley. [CNET]

 

Location

 

US – Massachusetts Supreme Court Requires Warrant for GPS Tracking

Today, the Massachusetts Supreme Judicial Court ruled that police must obtain a warrant before using GPS devices to monitor vehicles, as it constitutes a seizure under the Massachusetts Constitution. The court also imposed time limits on GPS monitoring, ruling that warrants will expire fifteen days after they are issued. A concurring opinion raised the issue of whether the use of a GPS is a “seizure” or a “search.” EPIC filed a “friend of the court” brief (pdf) in the case, urging the court to adopt a warrant requirement. For more information, see EPIC Commonwealth v. Connolly. [Source]

 

CA – GPS on Seniors Raises Privacy, Cost Issues

Not all groups that work with seniors agree with an Alberta judge’s recommendation to use GPS wrist or ankle devices to track elderly people who might wander at night. Earlier this month, Provincial Court Judge Ronald Jacobson released his inquiry report into the death of Sydney Salter, 88, in December 2007. The man, who suffered from dementia, had wandered into the parking lot of the Lethbridge retirement home where he lived and died of hypothermia. Jacobson suggested that health professionals study the idea of putting tracking devices on “cognitively impaired” patients if they can’t be kept in secure facilities at all times. The Alzheimer Society of Canada has said such an idea raises issues of privacy, as well as cost. “It’s invasive, it’s intrusive and it’s not ethical. It’s just not right,” said Luanne Whitmarsh, chief executive officer of the Kerby Centre, which works with Calgary seniors. She also worries that the technology would be used as a replacement for care. Mary Anne Jablonski, Alberta’s minister of seniors and community, said there needs to be more research before the province would consider the idea. “There would have to be strict, strict regulations on how a GPS would be used for a person and who would have to make that decision.” Jacobson has asked the Alberta government to study his recommendation with findings to be released in the new year. [Source] [Source]

 

Online Privacy

 

US – Facebook Settles Beacon Suit

Facebook has settled a class-action lawsuit related to its Beacon service. Beacon, which launched in 2007, broadcast the activities members engaged in on other areas of the Web. The lawsuit alleged violations of several federal and California laws. If the settlement is approved, Facebook will shut down Beacon and will spend $9.5 million to set up a foundation dedicated to promoting online privacy. “We learned a great deal from the Beacon experience,” said Facebook Director of Policy Communications, Barry Schnitt. “For one, it was underscored how critical it is to provide extensive user control over how information is shared.” [Source] [Source] [Source] [Source] [Source]

 

WW – Facebook Adding Privacy Pop-Ups

During a broadband workshop on online privacy, a Facebook representative told the FCC that the company is about to unveil new user tools for managing how members share their online information. Timothy Sparapani, director of public policy, said that the company is about to add a pop-up setting that asks users if they wish to share certain types of information. There will be a moment when a user has to confirm how the data will be shared, he said. In addition, it is instituting a per-project privacy option that allows users to change their privacy settings just before a data sharing opportunity. Sparapani said the company was forcing the privacy conversation with its own user base, but added that he thought only a fraction of that population needs that forcing, and that most kids are savvy about where their information is going. “Kids get it more than parents suspect they might,” he said. He says that Facebook already informs users when an application takes them to a separate site and company, and that there are doom-and-gloom pop-ups about what could happen. “We definitely let people know in ways kids could understand that this is a choice they are making.” But he also said there were millions of applications and neither Yahoo! nor Google nor anyone else can police all those applications launched through their sites. He said that consumers “need to read the fine print” on the policies of those applications. An FCC staffer asked whether Facebook had any novel ideas about helping the 12-year-old consumer understand the fine print, noting that such users may think they are still on Facebook rather than on a third-party site. Sparapani did not concede that the 12-year-old didn’t know that. “We would disagree that is their understanding,” he said. But he also said the FTC or Justice should look at those apps. [Source]

 

WW – MIT Project Identifies Gay Students from Online Profiles

Research conducted at MIT provides a “provocative warning note about privacy.” Two students explored the revelations Facebook users make based on the “friends” they keep. They found that it was possible to predict whether a person was gay based on limited profile information combined with their “friends” lists. Hal Abelson, who co-taught the class in which the research was born, described the findings as “striking,” saying it “pulls the rug out from a whole policy and technology perspective that the point is to give you control over your information--because you don’t have control over your information.” [Source]

 

Privacy (US)

 

US – Massachusetts High Court Rules Inmate Phone Calls Are Not Private

In a 4-3 decision that could have a sweeping impact on privacy rights and grand jury investigations, the state’s highest court ruled today that prosecutors may subpoena recordings of telephone calls made from jail both by inmates and people who are being held while awaiting trial. Rejecting claims that the subpoenas violate prisoners’ privacy rights, the Supreme Judicial Court found that both inmates and pre-trial detainees have no reasonable expectation of privacy because they are clearly warned that all telephone calls are subject to monitoring and recording. The court found that prison officials have a right to record conversations because of security concerns, and that prosecutors are entitled to subpoena tapes of those calls while gathering evidence to present to grand juries. Currently, all prisoner calls are subject to monitoring or recording, except those with their lawyers. Under the ruling, prisoners’ conversations with their lawyers would remain protected by the attorney-client privilege and would not be recorded or subject to subpoenas. In her dissent, Chief Justice Margaret H. Marshall wrote that “the implications of this are profound” because prison officials and prosecutors are no longer constrained by privacy rights guaranteed by the Constitution from any use they may make of private telephone conversations of all inmates, even those who are detainees who have not been convicted. She raised concerns about whether prosecutors were seeking to subpoena telephone calls between inmates and their pastors, therapists, or spouses; and those between juvenile detainees and their parents. [Source]

 

US – Privacy Groups: Obama Has More Work to Do

Privacy interests released report cards on the Obama administration’s handling of privacy matters yesterday, revealing grades that could get a junior high schooler grounded. Grades ranged from F to A- with at least one “incomplete” in the area of consumer privacy. The Electronic Privacy Information Center issued an A- in the area of medical privacy--lauding the American Recovery and Reinvestment Act for giving patients more control over their electronic health records (EHRs)--but another group gave the administration a D+ in the same area, saying the EHR landscape is “antiprivacy.” Many groups expressed dismay that the administration has not reversed what they view as Bush-era privacy infractions. [Source] [Secrecy Report Card]

 

US – 2009 Privacy Innovation Awards Presented

From the IAPP Privacy Academy 2009 in Boston last night, the International Association of Privacy Professionals and Hewlett Packard revealed the winners of the 2009 HP-IAPP Privacy Innovation Awards. Barclays Bank and the Graduate Management Admission Council received the award in the Large and Small Organization categories, respectively. IBM Research and Stanford University received this year’s Technology Innovation Award for their breakthroughs in homomorphic encryption. “This year’s results show privacy can be effectively woven into the fabric of business, society and technology,” said IAPP Executive Director Trevor Hughes, CIPP. “On behalf of more than 6,000 privacy professionals across 50 countries, we salute this year’s winners for their impressive accomplishments.” [Source]

 

US – Dennedy Receives Privacy Vanguard Award

A Sun Microsystems executive received the 2009 Goodwin Procter-IAPP Privacy Vanguard Award in Boston. Michelle Dennedy, Sun’s chief governance officer, cloud computing, is the fourth recipient of the Vanguard Award, which recognizes the individual who has best demonstrated outstanding leadership, knowledge and creativity in privacy and data protection. Dennedy was selected for her privacy leadership at Sun, where she created and built Sun’s global privacy program and established its internal “privacy council,” among other accomplishments. “Michelle embodies the spirit of innovation, education and leadership in privacy and data protection,” said IAPP President Jonathan D. Avila, CIPP. “Her impressive tenure at Sun has elevated the broader privacy profession.” [Source]

 

US – Sears Ordered to Destroy Collected Customer Data

The US Federal Trade Commission (FTC) has ordered Sears to destroy customer data it collected with online tracking software. Sears paid customers to participate in a research project that monitored their browsing activity, but the company was not forthcoming about exactly what information was to be collected. The software collected data from third party websites, including online banking sessions, prescription drug purchases and data about web-based email messages. [Source] [Source]

 

US – Walmart Photo Policy Spurs Parents’ Lawsuits

Walmart’s policy on “unsuitable” photos is being blamed by a Peoria couple who say they lost custody of their three daughters after being falsely accused of sexual abuse. Now they are suing the retail chain and the state, saying a mix-up over innocent bath- and playtime pictures led to what their lawyer called “a parent’s worst nightmare.” [Source]

 

US – Lawmakers Push for Arson Registry

The deadly fire at Angeles National Forest is renewing a push from California lawmakers for a national registry of convicted arsonists. Democratic Sens. Barbara Boxer and Dianne Feinstein introduced legislation that would establish the registry. It complements a similar bill backed by Reps. Mary Bono Mack, a Republican, and Adam Schiff, a Democrat, which has been in a House Judiciary subcommittee since March. Currently, only three states maintain a database of convicted arsonists: California, Illinois and Montana. Investigators acknowledge that a nationwide registry would help them solve only a small percentage of arsons, but many still consider the investment worthwhile, particularly for keeping tabs on serial arsonists. The bill is H.R. 1759. [Source]

 

Privacy Enhancing Technologies (PETs)

 

EU – European Privacy Seal Awarded to Online Ad Service and Video Anonymizer

The European Privacy Seal (EuroPriSe) has been awarded to two privacy services, following a review by privacy experts and an independent body. The first EuroPriSe was awarded to German company nugg.ad’s Predictive Targeting Networking service, an online advertising service that follows principles of data avoidance and minimization by not maintaining multi-website tracking profiles, deleting IP address records, and offering a blocking cookie for users to opt out. The second certification was awarded to Austrian company Kiwi Security’s KiwiVision Privacy Protector, a software module that performs real-time anonymization of video data by obfuscating faces, license plates, and other identifying imagery. For more on Privacy Enhancing Technologies, see EPIC Practical Privacy Tools. [Source]

 

WW – On the “Failure of Anonymization”

Writing for Ars Technica, Nate Anderson discusses the limits of anonymization and outlines a new report on “the surprising failure of anonymization.” In the report, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” Paul Ohm of the University of Colorado Law School says when it comes to data collection, data can either be useful or perfectly anonymous but never both. He says that advances in re-identification expose the promise of anonymization as “too often illusory.” In his analysis, Anderson says that most data privacy laws need to be rethought, but there will be no “magic bullet.” He offers an approach that could reduce the problems. [Source]

 

RFID

 

AU – Library ‘Vigilantes’ Track Down ‘Lost’ Books

Five Sydney councils want to implant microchips into books and media items to deter theft. The group of councils is soliciting bids for millions of radio frequency identification (RFID) tags, the report states. Librarians say that, in addition to helping prevent theft, the system will ease check-out procedures. But some feel it amounts to an invasion of privacy. “If these systems are implemented on the cheap,” said an Electronic Frontiers Australia spokesperson, “you wind up with situations where someone can cobble together a reader, stand outside a library and detect what books people have borrowed.” [Source]

 

Security

 

WW – SANS Report: Top Cyber Security Risks Underestimated by Industry/Government

The SANS Institute’s Top Cyber Risks Report found that two types of vulnerabilities are responsible for the majority of attacks. Unpatched flaws in popular programs like Adobe Reader and Flash Player, and unpatched flaws on legitimate web pages, can be, and often are, exploited to infect vulnerable computers and use them to commit further cyber crimes. The report also found that organizations usually take twice as long to patch web applications as they do to patch flaws in operating systems. [Source] [Source] [Source] [Source] [Source] [Source]

 

WW – Trend Micro Study Finds Malware Often Remains For Months

A study from Trend Micro found that malware sticks around on computers it infects. Of 100 million IP addresses studied, 80% that had been infected remained infected 30 days later; 50% remained infected 10 months later. The reason for the long latency periods is that often the malware does not do anything to attract attention, such as consuming system resources. Many of the infected machines are part of botnets, meaning they receive regular updates, which may also help the malware evade detection. [Source] [Source] [Source]

 

US – Govt Review: No Privacy Problems in Cyber Security

The U.S. Justice Department has concluded that a beefed-up surveillance program that monitors federal employees’ Internet traffic does not violate their rights or those of private citizens who communicate with them. The review, completed last month and released last week, said the system addresses potential privacy concerns by warning employees when they log in that their communications may be monitored. [Washington Post] [August 14 Justice Department Memo] [35-page legal opinion dated 9 January 2009]

 

Smart Cards

 

IN – 1.2bn Population of India to be Given Biometric ID Cards

In India, 1.2 billion citizens are to be issued with a biometric identity card in an attempt to improve the delivery of India’s inefficient public services – a move civil liberties activists are condemning as the act of a “surveillance society”. This month, the country began the ambitious scheme of issuing everyone with a unique identity number. Within the first five years of the scheme, giant computer servers will hold the personal details of at least 600 million people. The introduction of what will be one of the world’s most ambitious IT projects will cost an estimated £1.5bn. Eventually, cards will hold the person’s name, age, and birth date, as well as fingerprint or iris scans, though no caste or religious identification. Doubts have been raised over privacy and the complex security needed to police such a system, as well as concerns that the project is just too ambitious. “We could have a hacking Olympics,” said Guru Malladi, a partner at Ernst & Young. Civil liberty campaigners fear the card could be a tool of repression. Nandita Haskar, a human rights lawyer, said: “There’s already no accountability in regard to violations of human and civil rights. In this atmosphere what are the oversight mechanisms for this kind of surveillance?” [Source]

 

Surveillance

 

US – U.S. Justice Dept Wants Surveillance Methods Extended

The Obama administration has asked the U.S. Congress to extend three surveillance techniques for intelligence agencies tracking suspected militants that expire this year, according to a letter to lawmakers. In the letter released last week, a Justice Department official asked that three of the techniques expiring on December 31 be renewed and said the Obama administration was open to lawmakers’ plans to add more privacy protections. [Washington Post] SEE ALSO: [What the DHS Knows About You ]

 

US – Bill to Add Surveillance Safeguards Introduced

A group of senators filed a bill this week that would add privacy safeguards to the Patriot Act and tighten restrictions on other surveillance policies. The bill follows the Obama administration’s request for renewal of Patriot Act provisions that allow for financial information-collection and roving wiretaps. In his request, Assistant Attorney General Ronald Weich said the administration would be “willing to consider” additional privacy safeguards. More related bills are anticipated in the coming weeks. This week, House and Senate committee members will hold hearings on Weich’s request. [New York Times] [bill]

 

US – Surveillance Cameras in Pennsylvania Town Prompt Privacy Concerns

The seven-square-mile city of Lancaster, Pennsylvania, population 56,000, has embarked on a project to install 165 surveillance cameras to help fight crime. Once complete, the $2.7 million system will be larger than that of San Francisco. Ordinary citizens will monitor the Lancaster cameras almost around the clock. This nettles some residents who feel it is an invasion of privacy. While some citizens in the Amish enclave have welcomed the network, others have banded together against it. “There’s just a huge potential for personal and political abuse,” said one. Police credit the network for lowering property-crime rates and helping solve a murder. [Source] See also: [Greenspan: Costly cameras crazy]

 

Telecom / TV

 

EU – Smart Grid Privacy Considerations Outlined

The Independent Center for Privacy Protection Schleswig-Holstein has released a detailed report on data privacy in the smart grid environment. “The introduction of smart meters opens up the possibility of a more detailed survey of...information from individuals,” the report states, adding that such information is protected by the Federal Data Protection Act. The report discusses how Advanced Meter Readings allow for “the creation and management of consumers’ energy-use profiles,” and discusses the need for data protection of such reports, particularly when they are transmitted over networks or handled by third-party service providers. (Text in German)

 

CA – Ottawa Keeps Close Tabs On War Correspondents

The government keeps close watch on war correspondents. Records obtained under access-to-information legislation show that what reporters are asking about, what they are writing about and what they have been told are the subject of regular briefing notes shared with everyone from officers in Kandahar to commanders in Ottawa to civilian officials reporting to the Prime Minister. [Source]

 

US Government Programs

 

US – Inspector General Issues Report on TSA

The Department of Homeland Security Inspector General (IG) says the Transportation Security Administration (TSA) has made progress in the areas of privacy and compliance, but there is room for improvement. In a report issued Friday, the IG said the TSA should implement “automated privacy-specific tools for testing and monitoring.” The IG surveyed nearly 2,300 TSA employees, finding a high awareness of privacy policies and issues. But “without privacy-focused measurements and testing, TSA cannot...improve overall privacy data protection and monitoring,” the report states. [Source] [Report]

 

US – Indiana Court Strikes Down State Voter ID Law

Yesterday, the Indiana Court of Appeals ruled that the Indiana Voter ID law, which requires certain individuals to present government-issued photo identification before they can vote, violates the state Constitution. The law is unconstitutional, the court held, because it “regulates voters in a manner that is not uniform and impartial.” The United States Supreme Court previously ruled that the law did not violate the federal Constitution, but did not address the law’s validity under the Indiana Constitution. EPIC and ten legal scholars and technical experts filed a “friend-of-the-court” brief in that case, urging the Court to invalidate the law because of its disparate impact and its reliance on REAL-ID, a “flawed federal identification system.” For more information, see Crawford v. Marion County Election Board and EPIC Voting Privacy.

 

US Legislation

 

US – PATRIOT Act Revisions Introduced in Senate

Today, Sen. Russ Feingold (D-WI) and seven cosponsors introduced the Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act. The bill would amend the PATRIOT Act, the FISA Amendments Act, and other surveillance and intelligence laws. Among other changes, the JUSTICE Act would reform the National Security Letter process, revise the guidelines for business records orders, eliminate the catch-all provision for “sneak-and-peek” searches, and add new safeguards for FISA roving wiretaps. The JUSTICE Act would also repeal retroactive immunity for telecommunications companies, and is supported by many civil liberties organizations. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters.

US – Proposed Legislation in California Clarifies Breach Notification Requirements

Legislation awaiting the governor’s signature in California would require that data breach notification letters include specific information about the incident, including what type of information was compromised, and that entities experiencing breaches affecting 500 or more individuals provide a copy of the notification letter to the state attorney general’s office. [Source]

 

US – ID Theft Bill Introduced; Would Establish New FTC Office

New York State Senator Charles Schumer has introduced a bill aimed at helping prevent and diagnose identity theft. The Personal Data Privacy and Security Act would increase penalties for those who commit the crime and would make it illegal for organizations to conceal a security breach involving personal data. The law would also require entities that hold personal data to establish data protection policies. “Identity theft is a scourge on hard-working Americans, and it is a problem that is getting worse,” said Schumer. The act would also establish an Office of Federal Identity Protection within the Federal Trade Commission. [Source]

 

Workplace Privacy

 

US – Census Workers Sworn to Confidentiality for Life

As thousands of trained Census Bureau workers gear up to begin the 2010 census of the U.S. population, one thing makes their service unlike any other job. All census takers must take an oath that they will never reveal the information they collect as they knock on doors in neighborhoods around the country. And it is an oath that lasts for the rest of their lives. Not even the president of the United States swears a lifetime oath. The only thing that comes close are the wedding vows a couple takes to be faithful “till death do us part.” The contract Census Bureau workers sign for their employment shows the seriousness of the job and the agency’s commitment to preserving privacy and confidentiality. It includes a sworn affidavit of full nondisclosure for life. The oath itself, issued and repeated with a raised right hand, reads: “I will not disclose any information contained in the schedules, lists, or statements obtained for or prepared by the Census Bureau to any person or persons either during or after employment.” Violation of this oath can result in a maximum penalty of up to $250,000 or five years imprisonment, or both. [Source]

 

CA – 80 Power Plant Workers Learn To Fear Big Brother

About 80 workers at the Bruce Power nuclear plant were dismissed this week for “inappropriate” use of their computers - a warning to employees everywhere that if you use company computers for personal business or entertainment, the boss may be watching. Spokesman Ross Lamont said the workers, following an internal investigation, were determined to have violated the company’s code of conduct as it pertains to email and Internet use. Bruce Power’s code of conduct states that the company has the ability to monitor email, Internet and file sharing and that “inappropriate use, particularly usage that interferes with business processes or puts a strain on business resources, is unacceptable.” The code lists chain letters, computer games, storing of personal documents and pictures, visiting chat groups, gambling sites and personal share trading sites as examples of inappropriate use. John Oesch, a professor at the University of Toronto’s Rotman School of Management specializing in organizational justice, said he’s never heard of a situation where this many people were fired at once. [Source]

 

EU – Anticipating Pandemic, CNIL Issues Guidance

The French Data Protection Agency (CNIL) has issued recommendations surrounding employers’ collection of employees’ personal details in preparation for potential high absenteeism in the coming months. In anticipation of a swine flu outbreak, employers might implement work-from-home regimes to control the spread of the flu. Such regimes may cause employers to collect personal data of employees above and beyond what is normally required, such as cell phone numbers, private e-mail addresses and commuting habits. The CNIL reminds companies that such information collection must comply with French and European data protection requirements, and outlines several of the requirements. [Source]

 

+++