Privacy News Highlights

02—08 September 2005

Contents:

AB – Alberta’s Privacy Leader Makes a Case for Balance

MB – Manitoba Ombudsman Chastises School for Hidden Cameras

WW – Yahoo Accused of Hosting Thousands of Phishing Sites

IE – Company Guilty Of Violating Ireland’s Anti-Spam Law

EU – European SpamSpot to Store List of Spammers

US – Arizona Medical-Records Initiative Launched

US – Embattled CardSystems Submits Audit Report to Credit Card Companies

EU – Dutch ISPs Sue Government for Wiretapping Costs

UK – Wider Use of Electoral Roll Raises Privacy Concerns

WW – Technological Measures to Remove Sensitive Information from Public Records

US – Poll: Americans Don’t Check Credit Scores, Reports

US – Study: Online Banking Growth Hit by ID Theft Fears

US – Report: Gov’t Secrecy Grows, Costs More

US – Smoking Study Suspended Because of Privacy Concerns

US – Student Loan CD with Personal Information Disappears

US – University of Texas System Phases out SSNs as Student Identifiers

US – The Customer Is Always Wrong: A User’s Guide to DRM in Online Music

WW – Privacy International Demands Yahoo Boycott

US – Police Blotter: Cell Phone Tracking Rejected

EU – Data Logs to Fight Terror

WW – Privacy Concerns over Yahoo IM upgrade

UK – UK Considers New Measures to Tackle Identity Theft

US – Role, Functions of Chief Privacy Officers Debated

US – ACLU TV Debuts “Beyond the Patriot Act”

WW – Study: Companies Lack Resources to Meet Privacy Requirements

EU – EU Privacy Law Poses Compliance Challenge for IT, Warns Gartner

WW – New Technology Could Increase ID Theft, Criminologist Warns

WW – Camera Phones Give Flashers Unexpected Exposure

US – U.S. Will Require Canadian, Mexican and Other Travelers to Present Passport

US – USPS Urges Katrina Victims to e-file Address Change Requests

US – Congress Looks to Pass Data Breach Law

US – California Lawmakers Send Phishing Ban to Governor

 

 


 

AB – Alberta’s Privacy Leader Makes a Case for Balance

In today’s world of mouse-click government, data-on-demand and identity theft, personal privacy is one of the most sensitive issues facing any large organization, whether in the private or public sectors. “It’s important to strike the best balance between the privacy of the individual and the business goals of the organization. In other words: accomplish what you need to do, but disclose only what you absolutely must,” said Alex Campbell at the Government and Health Technologies Forums 2005, held recently in Ottawa. As executive director for privacy and policy assessment for the Government of Alberta, Campbell led the development and implementation of Alberta’s ground-breaking privacy architecture. Campbell is a firm believer that privacy legislation - Canada has more than 20 laws on the books addressing the private sector, the public sector and the health industry - is not enough on its own to strike that critical balance. Privacy needs to be designed right into the system architecture. Automated systems cannot be effectively managed with manual privacy controls alone, he said. Addressing a packed session at the conference, Campbell outlined a set of elements that should be included in any privacy architecture. To start with, any privacy architecture has to be based on privacy standards: specifically, the OECD Data Protection Principles and the CSA Model Privacy Code. Following that there is a set of elements that he said are critical to the foundation of such an architecture: Following that you have to settle on a lexicon. The tricky thing about vocabulary, especially in technology, is that different people use the same word to refer to different things, said Campbell. For example, early planning sessions in the creation of Alberta’s architecture tripped over the word ‘record.’ A clear common terminology needs to be established. [Source]

 

MB – Manitoba Ombudsman Chastises School for Hidden Cameras

Manitoba's ombudsman has concluded that a high-school administration violated the province's Freedom of Information and Protection of Privacy Act by installing covert video surveillance cameras, including one hidden as a smoke detector. Two of the cameras were hidden in teachers' offices. [Source]

 

WW – Yahoo Accused of Hosting Thousands of Phishing Sites

Yahoo is playing host to thousands of phishing sites and doesn’t have sufficiently well-trained staff to address the problem of online fraud, according to a leading anti-spam and security organization. Richard Cox, chief information officer of Spamhaus, told an audience of politicians, security experts and law enforcement officials that Yahoo has just under 5,000 domains hosted and registered with the words ‘bank’, ‘eBay’ and ‘PayPal’ within the domain names. [Source]

 

IE – Company Guilty Of Violating Ireland’s Anti-Spam Law

Ireland’s Data Protection Commissioner Billy Hawkes has obtained a conviction for anti-spam violations. 4’s A Fortune Limited, a company that offers an online casino-like cash game, was found guilty of sending prohibited messages to five cell phones without the subscribers’ consent. The messages violated Ireland’s privacy laws that apply to phone and email spam. Prosecutors are pleased with the conviction, the first under the 2003 regulations, but note that prosecuting spam cases is difficult. Authorities are looking for “technical solutions to spam, not legal solutions.” [Source]

 

EU – European SpamSpot to Store List of Spammers

According to the 3rd German anti-spam summit in Cologne, the Internet organization Eco and Microsoft have announced that the EU Commission will approve the "Self-regulatory Plan on Tackling Spam" or "SpamSpot" in the next few days. [Source]

 

US – Arizona Medical-Records Initiative Launched

Gov. Janet Napolitano has signed an executive order bringing together health care and high-tech leaders to focus on making electronic medical records common in Arizona by 2010, four years earlier than the federal goal. Napolitano's order, signed Tuesday and being announced today, creates an Arizona Health-e Connection steering committee that has six months to come up with a roadmap for health care information technology. The roadmap would set directions and milestones for health care providers, insurers and consumers as they begin to share health data electronically. [Source]

 

US – Embattled CardSystems Submits Audit Report to Credit Card Companies

On Thursday, the embattled CardSystems submitted an audit of its practices to Visa, Mastercard and American Express in hopes of ensuring the survival of the company. According to the Arizona Daily Star, Visa has been persuaded by an Arizona congressman to reconsider its decision to cut ties with CardSystems: CardSystems hopes audit will help. [Source]

 

EU – Dutch ISPs Sue Government for Wiretapping Costs

A large group of ISPs and telecom operators in the Netherlands is to sue the Dutch Government for the cost of installing wiretaps. Wiretapping is required by the Dutch Telecommunication Act of 1998. The Dutch Government insists that it is normal for ISPs and telecom operators to pay the costs for general law enforcement. [Source]

 

UK – Wider Use of Electoral Roll Raises Privacy Concerns

The UK Government intends that voters will register their address with the security services, police and other public bodies when they register for the vote, according to proposed regulations from the Department of Constitutional Affairs (DCA). The Police and Credit Reference Agencies already have full access to the register for policing and credit purposes respectively. But a new consultation document published by the DCA reveals plans to extend these rights of access. [Source]

 

WW – Technological Measures to Remove Sensitive Information from Public Records

The Wisconsin State Journal is reporting that Florida has contracted with Exact Systems of Wisconsin to implement an automated system to redact sensitive information from public records. The system reviews documents for social security numbers, bank account numbers and the like and blacks them out. See Company offers shield from identity theft. [Source]

 

US – Poll: Americans Don’t Check Credit Scores, Reports

Many Americans don’t know the basics about credit scores, and are not regularly checking their credit reports for signs of fraud, a new survey shows. The survey conducted on behalf of Capital One Financial Corp., the No. 5 U.S. credit card issuer, and the nonprofit Consumer Action was released less than a week after the expansion of a federal law that lets consumers obtain free credit reports up to three times a year. [Source]

 

US – Study: Online Banking Growth Hit by ID Theft Fears

The number of people who turn to the internet for personal banking isn’t growing - but those who are already hooked on such services are using them more often, a new survey has shown. The percentage of Americans who conduct personal banking activities online has stagnated at 39% in the 12-month period ending August 2005, Ipsos Insight said in a study released on Tuesday. The research firm, which interviewed 1,000 American adults for the study, found many consumers were worried that their personal information could either be stolen by hackers and phishers or sold to third parties by banks. Nearly 83% of those who conduct banking online reported such concerns, while 73% of respondents said personal information theft is a deterrent for them. [Source]

 

US – Report: Gov’t Secrecy Grows, Costs More

The U.S. government is withholding more information than ever from the public and expanding ways of shrouding data. Last year, federal agencies spent a record $148 creating and storing new secrets for each $1 spent declassifying old secrets, a coalition of watchdog groups reported Saturday. That’s a $28 jump from 2003 when $120 was spent to keep secrets for every $1 spent revealing them. In the late 1990s, the ratio was $15-$17 a year to $1, according to the secrecy report card by OpenTheGovernment.org. Overall, the government spent $7.2 billion in 2004 stamping 15.6 million documents “top secret,” “secret” or “confidential.” That almost doubled the 8.6 million new documents classified as recently as 2001. Last year, the number of pages declassified declined for the fourth straight year to 28.4 million. In 2001, 100 million pages were declassified; the record was 204 million pages in 1997. These figures cover 41 federal agencies, excluding the CIA, whose classification totals are secret. “These numbers show we are going in the wrong direction,” said Rick Blum, author of the report and director of the coalition of consumer, environmental, labor, journalism and library groups. The report also noted the growing use of secret searches, court secrecy, closed meetings by government advisory groups and patents kept from public view. “The 9-11 Commission pointed out that too much secrecy can make us less safe from terrorists, and the inadequate response to Hurricane Katrina shows the public needs to know what could happen in their communities and what the response plans are,” said Blum. He said a new law outside the classification system shrouds “sensitive homeland security information” about infrastructure vulnerabilities and plans. [Source]

 

US – Smoking Study Suspended Because of Privacy Concerns

Indiana University officials have suspended a smoking study that began in 1980 after learning personal information about the research subjects had been released. The school's Institutional Review Board, which oversees studies on human subjects, stopped the study after learning about the release of the information, said Ann Gellis, associate vice president for research compliance. The IU Smoking Survey began as a survey of 8,500 students in Monroe County middle and high schools. Researchers kept in touch with the students after they left school and conducted a series of follow-up surveys. Gellis said someone involved with the study disclosed contact information about the subjects to someone who was trying to reach old classmates for a school reunion. "There wasn't any physical or emotional harm to anyone," she said. "Nevertheless, it was a serious breach that we're investigating." [Source]

 

US – Student Loan CD with Personal Information Disappears

About 165,000 people, most of them Iowans, have been alerted that a compact disc with student loan information has disappeared. The CD disappeared early last month when a company was sending it back to Iowa Student Loan by private courier. [Source]

 

US – University of Texas System Phases out SSNs as Student Identifiers

The University of Texas is joining the majority of other post-secondary institutions by phasing out the use of SSNs as student numbers. The process will take place over the next year and the university is also implementing a policy that will require officials to advise students, when an SSN is asked for in the future, whether it is mandatory or voluntary. [Source]

 

US – The Customer Is Always Wrong: A User’s Guide to DRM in Online Music

If you buy music from an online music store, you may be getting much less than you thought. The US Electronic Frontier Foundation (EFF) released “The Customer Is Always Wrong: A User’s Guide to DRM in Online Music,” which exposes how today’s digital rights management (DRM) systems compromise a consumer’s right to lawfully manage her music the way she wants. The guide takes a close look at popular online music services provided by Apple, RealNetworks, and Napster 2.0, as well as Microsoft’s “Plays For Sure” DRM campaign. In an effort to attract customers, these companies try to obscure the restrictions they impose on you with clever marketing. Unfortunately, bypassing these hidden restrictions to make perfectly legal uses puts you at risk of liability under the Digital Millennium Copyright Act (DMCA). This guide “translates” the marketing messages, giving you the real deal rather than the spin. Understanding how DRM and the DMCA pose a danger to your rights will help you to make fully informed purchasing decisions. Before buying DRM-crippled music from any service, check out the guide and be sure you understand how the service might limit your ability to make lawful use of the music you purchase. [EFF] | [Source]

 

WW – Privacy International Demands Yahoo Boycott

Privacy International (PI) has called on Internet users to boycott Yahoo over allegations that the Web giant provided information that helped Chinese officials convict a journalist accused of leaking state secrets. [Source] [Source] [Source]

 

US – Police Blotter: Cell Phone Tracking Rejected

In the first case of its kind, a federal judge chastises the U.S. Department of Justice for trying to constantly track a cell phone user’s location without providing any proof of criminal behavior. [Source]

 

EU – Data Logs to Fight Terror

Britain, which is pushing for new EU laws on data retention, said last Wednesday that logging and storing telephone calls, email and Internet use had helped its police trap suspected terrorists. European Union states have agreed to speed up plans for common rules on the use of data after the July 7 London attacks but the strategy has drawn criticism from EU lawmakers and the European telecommunications industry. [Source]

 

WW – Privacy Concerns over Yahoo IM upgrade

Yahoo’s latest salvo in the battle for control of users’ desktops has got some worried - the ‘default’ installation of Yahoo Instant Messaging (IM) now surreptitiously installs myriad other things as well. If you’re one of the tens of millions of Yahoo users asked to upgrade your instant-messaging software this week, be on your toes; the update can open the door to unwanted PC houseguests - and setting changes - by default. [Source]

 

UK – UK Considers New Measures to Tackle Identity Theft

A report by criminologist Martin Gill recommends ways the UK could better empower consumers and equip police as identity theft remains on the rise. The report suggests looking at U.S. laws, including a provision that allows consumers access to free annual credit reports. Under current UK law, identity theft is not a crime – a shortcoming that will be addressed in the pending Fraud Bill. However, the report questions whether police have the resources to investigate identity theft. [Source]

 

US – Role, Functions of Chief Privacy Officers Debated

Congress passed a bill last year requiring each federal agency to appoint a chief privacy officer, but lawmakers failed to write a clear job description. Although the legislation asked agencies to report to Congress on privacy violations and establish guidelines that are easy for the public to understand, it left the duties of the senior privacy official largely undefined. Does the job require privacy officers to protect individual privacy? Is it the privacy officer’s job to ensure compliance with privacy requirements under HIPAA and the Freedom of Information Act? Who should the privacy officer represent -- the agency or the citizen -- in cases involving conflicts or complaints? Experts say that defining the role of federal privacy officers is a work in progress. In most cases, privacy officers have to learn how to balance the demands of security and privacy in an age of terrorism. Franklin Reeder, chairman of the federal Information Security and Privacy Advisory Board, said he has a few ideas for federal privacy officers’ duties. “The challenges facing the chief privacy officer are growing as a result of new technology and new information practices, like the growing use of third-party data,” Reeder said. He leads a board that advises the National Institute of Standards and Technology and the Office of Management and Budget on information security and privacy issues. The board is expected to discuss the role of federal chief privacy officers in a meeting this month. Its members will try to reach consensus on the responsibilities of privacy officers in the federal government. Experts offered the following suggestions for privacy officers’ job descriptions. [Source]

 

US – ACLU TV Debuts “Beyond the Patriot Act”

Join grassroots groups and households around the country who, during the first two weeks of September, will be hosting premieres of the ACLU’s “Beyond the Patriot Act” – a 30-minute program from producers of “Outfoxed” and “Unconstitutional.” The program, the first in a series called “The ACLU Freedom Files,” is designed to spark action and reveal how civil liberties affect real people every day. It features stirring accounts of current cases, as well as well-known actors, activists, and comedians. [Website] [Source] [Source]

 

WW – Study: Companies Lack Resources to Meet Privacy Requirements

According to the Ponemon Institute’s recently completed 2005 Benchmark Study of Corporate Privacy Practices, there are some very positive trends in corporate privacy and data-protection practices. However, there are also gaps that could trip up the best-intentioned company when faced with a breach. The study, which looks at 68 organizations based in North America, focused on eight issues: privacy policy, communications and training, privacy management, data security methods, privacy compliance, choice and consent, global standards, and redress. It was sponsored by Vontu Inc. and conducted with support from the IAPP. On a positive note, 56% of the respondents now attempt to integrate information security and privacy activities. This is a 10% increase from 2003. More than 80% of responding companies stated that they have privacy or data-protection strategies, and 70% conduct an inventory of personal data that’s collected, used, shared and stored to assess compliance risk areas. More companies are using technologies such as encryption, firewalls and antivirus software to protect sensitive data. Between 2003 and 2005, there was a 19% increase in the use of encryption in the transfer of employee records. A smaller but growing number of companies appear to be using privacy technologies as part of their compliance programs. While these practices help companies mitigate security breach risks, according to the study, only 31% of companies have instituted a formal notification procedure in the event of a privacy crisis. In addition, there has been no substantive improvement in the number of companies that have redress mechanisms for consumers who have complaints or questions about a company’s commitment to protect their personal information.  [Source] [Source]

 

EU – EU Privacy Law Poses Compliance Challenge for IT, Warns Gartner

Preventing the release of confidential information will be a major challenge for IT directors as they strive to comply with the EU Privacy Directive, analyst firm Gartner has warned. [Source]

 

WW – New Technology Could Increase ID Theft, Criminologist Warns

New technology could increase rather than solve the problem of identity theft and fraud, a British criminologist warned. Identity cards and chip and pin technology for credit cards will force fraudsters to be more creative and are unlikely to alleviate the problem. [Source]

 

WW – Camera Phones Give Flashers Unexpected Exposure

When the stranger on the subway car unzipped his fly and started fondling himself, Thao Nguyen, 23, did what any woman confronted by a flasher might like to do. She took out her cellphone, snapped him in the act with its built-in camera, then posted the image online. [Source]

 

US – U.S. Will Require Canadian, Mexican and Other Travelers to Present Passport

The U.S. will require airline travelers from Canada, Mexico, the Caribbean, Bermuda, South America and Central America to present a passport or other secure identification document by Dec. 31, 2006. Canadian and Mexican citizens will have to comply with the new rules by Dec. 31, 2007. Homeland Security officials say the use of biometric technology is under consideration for the creation of a new identification card before the 2007 deadline. [Source]

 

US – USPS Urges Katrina Victims to e-file Address Change Requests

Bracing for a historic number of relocations, the U.S. Postal Service is asking those displaced by Hurricane Katrina to use the Internet where possible to file change of address requests. In a notice Monday, the Postal Service said the best way to send the change of address forms is online at USPS’ Web site, or by calling 800-ASK-USPS. To date, more than 36,000 hurricane victims have filed to change their addresses. While it did not give any estimates on when it will reopen the numerous post offices closed, damaged or destroyed by the storm, the agency said customers can use its Web site to check the status of Katrina-affected branches. USPS also said it is establishing a new ZIP code for the Houston Astrodome, a stadium serving as temporary shelter to thousands of evacuees from the Gulf Coast, and will be setting up new ZIP codes for other sites being used as temporary hurricane shelters. [Source]

 

US – Congress Looks to Pass Data Breach Law

The U.S. Congress will look to pass consumer data protection legislation as it returns next week from its mid-year recess. With no fewer than six bills under consideration in the Senate or House, data brokers, credit card companies and others are battling consumer groups over how strong and how broad a final bill should be. Insiders say emerging legislation could include the following elements: Specific Safeguards– The FTC would be directed to give companies clear standards, akin to those used by bank regulators, on storage and protection of sensitive data; Consumer Notice– The feds could adopt rules, like California’s law, requiring companies to inform customers about data breaches. Banks fear they’ll be required to send millions of notices – and alarm customers – about routine glitches; Credit Report Freeze– Stevens’ bill would let individuals order temporary freezes on their own credit, a move that would block applications for new mortgages and credit cards if consumers suspect their ID has been filched; Social Security Numbers– The law could limit use of Social Security numbers as primary financial identification. Sale of others’ SSNs would largely be banned. Other possible provisions include: Restrictions on government uses of commercial data; Improved consumer access to data, and a “carefully crafted” state law pre-emption. But if Congress fails to act, a tough new state law will force interstate companies to disclose virtually all data breaches, no matter how small the risk. A New York data breach law, signed by Governor George Pataki on Aug. 10, would take effect in mid-December. New York, the 19th state to pass a data breach notification law, would allow no exceptions for companies that have their own disclosure policies. [Source] [Source]

 

US – California Lawmakers Send Phishing Ban to Governor

To keep up with the trends of online scams and rip-offs, the California Senate has approved a bill to ban the online deceptive practice known as phishing. The bill would give Web site owners, email users and prosecutors the authority to sue senders of the scam emails that appear legitimate as a ruse to collect personal information. [Source]

 

 

----------------------------------------------------------