Privacy News Highlights
13–21 June 2009
Contents:
AU – NAB Deploys Voice Recognition for Phone Banking
UK – 400 Million Contract Awarded for Biometric UK Passports
WW – Priv-ID Starts Biometric Health Passports Project in Cape Town, South Africa
CA – Conservative Bills Would Force ISPs to Widen Police Access
CA – MPs Call for Expanded Privacy Law
CA – Ontario Privacy Chief to Survey Crowns on Jury Checks
CA – Google Canada Promises Street View Won’t Invade Privacy
US – FTC Plans to Monitor Blogs for Claims, Payments
CA – MPs Want Privacy Law Expanded
US – Obama Criticized for Withholding Visitor Logs
WW – Smart Meters are Full of Holes
CA – Arbitrator Allows Google Apps Use at Canadian University
US – Data Mining For Drug Companies Goes to Courts
WW – Experts Suggest Google Cloud Have Security Enabled By Default
UK – Lords Report: Ministers ‘Do Not Value Privacy’
UK – Tories ‘Will End Big Brother state’
UK – Code for Consumer-Friendly Privacy Notices
WW – Industry Differences in Types of Security Breaches
CN – Chinese Government Says Use of Green Dam is Not Mandatory
WW – Study: Credit Card Transactions Vulnerable
CA – Canadian Telecoms Roll out Wireless Payment System
NZ – New Zealand Moving Closer to Becoming a Cashless Society: Report
UK – Blogging Detective Has No Right to Privacy, Rules High Court
UK – Cops: You’re Not Allowed to Know Which Areas You’re Not Allowed to Photograph
US – CDT Files Comments on Health Information Technology Extension Program
US – Healthcare Providers and PCI Compliance
US – Illinois State Agency Missing 52 Computers
EU – Stolen Bord Gais Laptop Contains Sensitive Customer Information
US – Aetna Named In Class Action Data Security Breach Lawsuit
UK – ICO Will Investigate Breach
US – CDT Supports Privacy Provisions in the PASS ID Bill
UK – Digital Britain: Government Vows to Cut Illegal File-Sharing by 70%
US – Woman Loses Retrial in Music Download Case
EU – France’s Constitutional Council Says Three-Strikes Law is Unconstitutional
WW – Survey Shows Losing Internet Connection is Strong Motivation to Stop Piracy
WW – Researchers to Present Browser-Based Darknet Concept at Black Hat
CA – Leaked Calgary Police Document Causes Worries
CH – Privacy stepped up for Google Street View
EU – Google Agrees to Delete Unblurred German Street View Data
EU – Working Party Publishes Opinion on Social Networking
EU – Article 29 Working Party Targets Data Sharing
US – Lawmakers Blast Internet Data Collection
WW – Hunch Wants You to Give it Some Ideas
IR – Social Media Breaks Through Iran censorship
US – Court: Show Me the Monetary Damages
US – Brown to Department of Education: Update FERPA
US – FTC Issues Order on GLBA Violations
US – City Stops Facebook Snooping
UK – Information Commissioner Seeks Suppliers for Research on Privacy Protection
TW – RFID-Enabled Subway Fare Cards Extended to Library Book Checkout
US – Cyber Security Review Team to Prepare National Incident Response Plan
US – CDT Releases Report Tracking Cyberspace Policy Review Action Items
WW – Malicious Attacks Most Blamed In ‘09 Data Breaches
WW – Survey: Admins Exploit Privileges to Access Sensitive Data
US – Default Passwords Led to $55 Million in Bogus Phone Charges
US – America Accused of Spying on Millions of Emails
UK – Mobile Phone Directory Firm Faces Legal Questions Over Breaches of Privacy Law
IN – India to Require Mobile Phones Have IMEI Numbers
CA – CRTC Chairman Speaks Out on DNC List Violations
US – Security Issues at Dulles Still Need Attention, Says DHS IG Report
US – Congress to Again Convene on BT
US – Legislators’ Proposal Would Revise Real ID Act
US – Please Provide References (and User Names and Passwords)
Biometrics
National Australia Bank customers will no longer have to remember PINs and passwords thanks to the implementation of a voice biometrics system for telephone banking. Once callers have registered their unique voiceprint in the system, they can recite their individual account number over the phone to have their identity verified. This will enhance security and privacy for customers, according to the bank. The voice biometric technology was developed by the Salmat-owned VeCommerce. [Source]
The next generation of British passports will be delivered under a new £400 million contract. The Identity and Passport Service (IPS) has announced De La Rue has won the contract to produce the new British passport book. The passport, which will be available from October 2010, will have a new design and improved security features including the capacity to hold fingerprint biometrics. The contract will last for ten years. This Design and Production Contract forms part of the wider National Identity Service which by the latest estimates will cost £4.9bn over ten years to deliver. [Source]
Priv-ID, a spin-out company of Royal Philips Electronics, in collaboration with the Medical Knowledge Institute, is introducing a biometric health passport in the township of Cape Town. The health passports will record the relevant medical history, and a priv-ID biometric identity check is performed to establish a link between the health passport and its rightful owner. This project is the start of a large roll-out of health passports with biometrics in South Africa. The major reasons for introducing a biometric health passport are:
§ Having health information accessible in a convenient and reliable manner;
§ Improved care with reliable patient records by means of biometric identity verification;
§ Reduce cost for patients and care-providers by having readily available the relevant health data;
§ Control over own health data and increased responsibility for health and the health of family.
Biometric fingerprint recognition is essential to verify the identity of the passport holder. The priv-ID software makes it possible to uniquely verify the identity of the patient in a fully anonymous and privacy compliant manner, in an environment without centralized data storage or ICT infrastructure. [Source] See also: [Cancer patient held at airport for missing fingerprint] and also: [four states have banned smiling in driver’s license photographs]
Canada
Justice Minister Rob Nicholson and Public Safety Minister Peter Van Loan introduced two bills that would give law enforcement much greater access to Internet communications and the personal details of subscribers. The proposed legislation would:
§ enable police to access information on an Internet subscriber, such as name, street address and email address, without having to get a search warrant.
§ force Internet service providers to freeze data on their hard drives to prevent subscribers under investigation from deleting potentially important evidence.
§ require telecom companies to invest in technology that allows for the interception of Internet communications.
§ allow police to remotely activate tracking devices already embedded in cellphones and certain cars, to help with investigations.
§ allow police to obtain data about where Internet communications are coming from and going to.
§ make it a crime to arrange with a second person over the Internet the sexual exploitation of a child.
Privacy and civil liberties advocates have raised alarms over the changes, particularly the measure to remove the obligation of police to obtain a warrant before getting personal information about a Canadian Internet user. The new regime would allow a select number of law enforcement officials to see the data, and would conduct regular audits on how the information is being viewed and accessed. [Source] [Public Safety Canada news release and backgrounder regarding lawful-access legislation] [Bill C-47] [Surveillance Legislation Dissected – Bill C-46] [Surveillance Legislation Dissected – Bill C-47] [Small ISPs face new pressures under Tory bill] [Electronic snooping bill a ‘data grab’: privacy advocates]
A House of Commons committee says the federal privacy law should be expanded to cover new technologies such as live surveillance-camera feeds and DNA swabs collected from suspects. Currently the Privacy Act deals only with information collected by the government in recorded form, such as papers, tapes and computer files. In a report tabled, the MPs also advocate giving Privacy Commissioner Jennifer Stoddart a clear public-education mandate and making government departments tell Parliament more about their privacy-related activities. In addition, they endorse the idea of a new provision requiring agencies to protect personal information with proper security safeguards. The report zeroes in on a dozen quick fixes to the law proposed by Stoddart. It says a complete overhaul of the privacy law is warranted, but the quick fixes are a step forward for now. However, the committee either rejected or had no firm opinion on several of Stoddart’s proposals. It said further study was needed on a proposal for a legislative “necessity test” that would require government agencies to demonstrate the need for the personal information they collect. [Source] [Report]
The privacy commissioner of Ontario will expand her investigation into juror-vetting practices. Last week, Commissioner Ann Cavoukian launched a probe into the practice, which was recently uncovered in Windsor, Barrie and Thunder Bay, and involves police accessing confidential databases to help Crown prosecutors stack juries. Yesterday, Cavoukian announced that she will widen the investigation to include all 54 Crown offices in Ontario. She says she is looking for a “systematic response.” “The public can then decide if we need to go further, such as a judicial inquiry,” Cavoukian said. [IPC Press Release] [Source] [Windsor police drop jury background checks] [Publication ban ordered on jury checks]
The head of Google Canada says his company will work fast to eliminate faces or other personal information captured by cameras taking images of the country for an upcoming online virtual map. But federal politicians summoned the company to Parliament to find out whether some of the images might violate existing privacy laws. Jonathan Lister, the managing director of Google Canada, told a parliamentary committee his company has a distinct goal for its new product, which it hopes to balance with privacy concerns. Mr. Lister said the company is working with the federal privacy commissioner and other stakeholders across Canada to ensure it addresses all concerns, but he has not yet announced the launch date for the Street View map in Canada. [Source] [Google Canada vows to purge faces from its Street View data] See also: [Google cedes to German demand to erase Street View data] [Lab Results Breach Brings New Concerns: Breach confirms TestSafe privacy fears]
Consumer
New FTC guidelines, expected to be approved late this summer with possible modifications, would clarify that the agency can go after bloggers - as well as the companies that compensate them - for any false claims or failure to disclose conflicts of interest. It would be the first time the FTC tries to patrol systematically what bloggers say and do online. The common practice of posting a graphical ad or a link to an online retailer - and getting commissions for any sales from it - would be enough to trigger oversight. [Washington Post]
E-Government
In a report tabled last week, a House of Commons committee calls for immediate implementation of 12 “quick fixes” for the federal Privacy Act. Members of Parliament (MPs) on the committee said the law should be expanded to include guidance on new technologies and a provision for requiring government agencies to have security safeguards in place for the protection of personal information. The MPs also recommended greater departmental disclosure on privacy-related activities, and suggested the Privacy Act be reviewed every five years. “...The Privacy Act has not kept up with the times...,” said New Democrat MP Bill Siksay. [Source]
President Obama has embraced Bush administration justifications for denying public access to White House visitor logs even as advisers say they are reviewing the policy of keeping secret the official record of comings and goings. In recent days, the Secret Service has rejected requests from two organizations for the logs, which document the West Wing meetings that have helped shape Obama’s policies on banking regulation, economic recovery, foreign policy and the auto industry. Yesterday, Citizens for Responsibility and Ethics in Washington (CREW) filed a lawsuit against the Obama administration seeking the release of information about the visits of coal company executives. “The Obama administration has now taken exactly the same position as the Bush administration,” said Anne Weismann, the chief counsel for CREW. “I don’t see how you can keep people from knowing who visits the White House and adhere to a policy of openness and transparency.” The prior administration said the logs were presidential records that were not subject to the Freedom of Information Act. Asked about the issue by reporters, White House press secretary Robert Gibbs said yesterday that the administration’s policy regarding the release of the logs is under review. [Source]
“Smart” electricity meters currently being installed at homes and businesses in the US are full of vulnerabilities that could place the country’s power grid in peril. The researcher who found the flaws plans to demonstrate them at the Black Hat security conference next month. The meters allow two-way communication between the electricity users and the power plants supplying their energy. They were designed to make power use more efficient. Most of the devices do not use encryption and do not require authentication before installing software updates or cutting customers off from the grid. [Source] [Source]
Lakehead University moved to Google Apps for Education in 2006 to solve problems with their e-mail server. But faculty took exception to the terms of service that Google imposed, arguing their privacy was being violated. Now an arbitrator has determined that faculty privacy was affected, but that doesn’t matter and the university can continue to use Google’s e-mail service. [Source]
Electronic Records
“Data-mining” firms have sued to block laws restricting their activities in New Hampshire, Maine and Vermont. At issue is the use by drug company “detailers” - the sales force that deals with doctors and other prescribers and tries to get them to use the company’s products - of the information about doctors’ prescribing habits. [Washington Post]
Encryption
Cyber security and privacy experts have written to Google CEO Eric Schmidt, asking that the company “protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.” Those services do not have encryption enabled by default, meaning that users’ documents and email messages composed from public connections, such as cafes, libraries, and schools, are vulnerable to snooping. Users do have the option of enabling stronger security measures, but many may not be aware that the option exists. [Source] [Coverage] [Coverage] [Google blog response]
EU Developments
The government does not appreciate the threat posed to privacy by surveillance, peers have warned. In a report, the Lords Constitution Committee says the Information Commissioner does not have enough power to prevent abuse by the private sector. In February, the committee published a report entitled Surveillance: Citizens and the State, which will be debated in the Lords this week [Part II: Evidence]. It warned that surveillance and collection of personal data were “pervasive” and a threat to British democracy. In a follow-up report, peers warn that the government has not given enough details of how the Information Commissioner’s Office will monitor the effect of surveillance and data collection on privacy. It also says ministers’ promise of privacy impact assessments to preserve the public’s rights should be “treated with caution” as they are not a panacea and are untried in the UK. The latest report also criticises the government’s decision not to allow the Information Commissioner’s Office to inspect private sector organisations without their consent. However, it welcomes the decision by ministers to hold a review into the effectiveness of CCTV. In its latest report, the committee called for compensation for people subject to illegal surveillance, saying people were often unaware of the scale of personal information held and exchanged by public bodies. Among areas of most concern to the committee were the growth of CCTV cameras, of which there are now an estimated four million in the UK. The committee recommended that the use of cameras should be regulated on a statutory basis, with a legally binding code of practice governing their use. There was evidence of abuse of surveillance powers by some councils, with cameras wrongly being “used to spy on the public over issues such as littering”. The UK’s DNA database was the “largest in the world”, the report concluded, with more than 7% of the population having their samples stored, compared with 0.5% in the US. [Source] [Lords Constitution Committee]
Shadow security minister Baroness Pauline Neville-Jones says a future Tory Government would “substantially curtail” the Regulation of Investigatory Powers Act (RIPA) and would draw back the “database state.” In a speech today, Neville-Jones is expected to say: “The individual is the rightful owner of personal information...We need to roll back the advance of Big Brother and restore this fundamental right of our citizens.” Neville-Jones also says she would strengthen the role of the Information Commissioner and would increase oversight on information-sharing within centralized government databases. [Source]
Research findings have indicated that privacy policies baffle consumers. The Information Commissioner’s Office (ICO) wants to change that. After a three-month consultation process, the ICO has released its Privacy Notices Code of Practice. The guidance is designed to help organisations create user-friendly privacy and marketing notices. “The new Code of Practice places the emphasis on language to ensure privacy notices are understandable to the people they are aimed at,” said Iain Bourne, ICO head of data protection projects. A similar effort is underway in the U.S., where the Future of Privacy Forum is working to find effective methods for communicating with Web users about online behavioral advertising practices. [Source] [Source] See also: [Proceedings of Data Protection Conference 19-20 May 2009]
The Information Commissioner has expressed concern about two databases intended to help protect children. Richard Thomas said an Independent Safeguarding Authority (ISA) system for flagging criminals and paedophiles would also include so-called “soft-intelligence”--speculation and rumours--about some of the 11 million people in the database. If the data gets into the wrong hands, Thomas said, “the scope of damage done both to individuals and the system as a whole is quite considerable.” The ISA denied that rumours would inform decision makers using the database. Thomas also reiterated concerns about the ContactPoint system, saying that collecting data “...for the sake of collecting data...” is a “step too far.” [Source]
Facts & Stats
Interhack has been working on a taxonomy of security breaches, and has an interesting conclusion: The Health Care & Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration’s proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used. [Full study].
Filtering
A Chinese government official now says that people are not required to use the content filtering software it has mandated be preinstalled on PCs sold in that country as of July 1. The Green Dam Youth Escort software was developed with the intent to protect minors from viewing inappropriate Internet content. The government now says that people who choose not to use the software or who remove it from their PCs will not face legal repercussions. Green Dam has come under widespread criticism for lacking sophistication - it blocks some legitimate sites while failing to block others that should be blocked. Others noted that the software posed security risks for the computers on which it is installed. [Source] [Source]
Finance
An Associated Press investigation into credit card hacks has revealed that industry-accepted safeguards are lacking. The AP looked at data breaches back to 2005, finding that companies--even those certified as compliant with the payment card industry’s self-authored data security standards (PCI DSS)--have experienced security breaches, such as Hannaford Bros. and Heartland Payment Systems. AP investigators found that a lack of incentive to achieve PCI compliance and the fact that the “rules are cursory at best and all but meaningful at worst” means that “every time you pay with plastic, companies are gambling with your personal data.” [Source]
Canada’s three largest wireless phone companies this week announced Zoompass, a new cashless payment program that uses NFC technology. Zoompass will be run by EnStream, a joint venture among Bell Mobility, Rogers and TELUS. [News Release]
A new report on New Zealand’s move towards a cashless society says the proportion of people using cash has dropped over the past three years from 84% to 77%. New Zealanders put through more electronic funds transactions per head of population than anyone else in the world. Paymark, which processes most of New Zealand’s transactions, says it has also noticed the trend of increasing use of electronic funds transfer. However, the president of the Auckland Council for Civil Liberties says the trend towards a cashless society is concerning. Barry Wilson says removing cash completely would have a big impact on people’s privacy. [Source]
FOI
A controversial blogging detective has failed in his attempt to protect his anonymity and The Times newspaper has named him. The High Court said it was not its job to protect blogging police officers from disciplinary action over broken police rules. The author of the NightJack police blog, which has revealed details of cases and engaged in criticism of ministers potentially in breach of police rules, claimed that The Times should be stopped from naming him. He said that the newspaper owed a duty to keep the information confidential, and that he had a right to privacy. The blogger lost the case and has now been named by The Times as Richard Horton, a detective constable. The newspaper said that Lancashire Constabulary told it that Horton had been given a written warning about his actions. Horton argued that he had the right to remain anonymous on two grounds. He said that The Times had a duty of confidence in relation to the information about his identity. He also argued that he had a right to privacy unless there was a public interest justification for naming him. Mr Justice Eady in the High Court found that there was no duty of confidence; that Horton had no right to expect privacy when publishing a public blog; and that even if he had that right, it would be outweighed by the public interest in disclosing his identity. [Source] [The ruling] See also: [Ian Wilson: Standing on guard for Canada’s records]
In Britain, cops have the power to search you if you take a picture of a “sensitive” area, but they won’t tell you which areas are “sensitive,” because they’re so “sensitive.” The British Journal of Photography is trying to use the UK Freedom of Information Act to find out which places in Britain have such precious photons that people who collect them without authorization can have their civil rights violated, but so far they’ve been unsuccessful. The Home Office has rejected a Freedom of Information Act request filed by the BJP regarding the disclosure of the list of all areas where police officers are authorised to stop-and-search photographers under Section 44 of the Terrorism Act 2000. The request was rejected on grounds of national security. As part of its ongoing campaign for photographers’ rights, BJP has appealed the decision, requesting an internal review of the request’s handling. It has also filed 46 additional Freedom of Information Act requests to all Chief Constables in England and Wales, asking them to disclose whether they have asked for stop-and-search powers under section 44 of the Terrorism Act 2000. [Source]
Health / Medical
CDT filed comments with the Department of Health and Human Services (HHS) regarding the proper role of regional extension centers in supporting privacy and security protections for health data. This year’s stimulus legislation called for the creation of nonprofit extension centers to disseminate best practices and offer training and technical assistance to health care providers seeking to adopt health information technology systems. In the comments, CDT urged HHS to explicitly require the extension centers to include privacy and security as components of their training and assistance services. CDT’s comments also urged HHS to position extension centers as an interface between health care providers and newly-established HHS regional privacy officers. [CDT Comments to HHS Notice]
The chief financial officer of a healthcare IT company says that, despite the fact virtually all healthcare providers now accept credit cards for payment, “virtually none of them are PCI compliant.” Jim Lacy cites a lack of incentive and misperceptions about the need to comply as some of the primary reasons. But, says Lacy, “if you take a credit card (regardless of how, when, why or where), you must be PCI compliant.” He points out that the largest payment card processors will increasingly enforce PCI compliance and, by year’s end, non-compliant entities may not be able to process card transactions. [Source]
Horror Stories
Reports from Illinois state auditors indicate that the Department of Financial and Professional Regulation cannot account for 52 computers. The department is responsible for regulating the banking and insurance industries as well as several professions, including accounting, medicine, and engineering. The agency cannot say if the missing computers held confidential information. The machines may have been transferred to other agencies, but there are no records indicating such transfers. [Source]
One of four laptop computers stolen from the offices of Irish gas and electricity company Bord Gais contains unencrypted, personally identifiable information of 75,000 Bord Gais customers. The compromised information includes bank data and affects customers who participated in the Bord Gais “Big Switch” electricity campaign. The computers were stolen on June 5, 2009; police and the Irish Data Protection Commissioner were notified immediately. Customers affected by the data security breach will be contacted in the next few weeks. All company machines are now encrypted. [Source] [Source] [Source]
A class-action lawsuit filed in Pennsylvania District Court names Aetna as a defendant, alleging that the Hartford-based health insurance company “failed to maintain reasonable systems and procedures to protect [the plaintiffs’ personal] information.” Intruders allegedly gained access to Aetna’s computer systems and compromised the Social Security numbers (SSNs) and other sensitive information of approximately 65,000 current and former employees and job applicants. [Source]
The Information Commissioner’s Office (ICO) will investigate the loss of personal data by a Royal Mail entity. Parcelforce last week confirmed that confidential information--including names, postcodes and signatures--was exposed on its delivery-tracking Web site. The ICO said it will contact Parcelforce to determine what happened and what the organisation is doing to prevent a recurrence. “Failure to protect personal details...could lead to information falling in the wrong hands and ultimately the loss of customers’ trust and confidence,” the ICO said. Parcelforce said a problem with its mail tracing system was to blame and that it has rectified the issue. [Source] [Source]
Identity Issues
CDT supports the introduction of the Providing for Additional Security in States’ Identification (PASS ID) Act of 2009. CDT has long promoted the goal of making driver’s license and ID card issuance more secure, as recommended by the 9/11 Commission. The PASS ID Act mitigates or corrects critical privacy and security flaws introduced by REAL ID while still establishing minimum federal standards for the issuance of driver’s licenses and ID cards. CDT supports the reforms proposed by PASS ID as a much-needed improvement over current law. [CDT’s Pass ID Press Release, June 15, 2009] [CDT’s Pass ID--REAL ID comparison chart] [CDT Report]
Intellectual Property
The Government believes it can reduce unlawful file-sharing by 70% to 80% by forcing ISPs to tell users that their copyright infringement has been noted and making evidence of infringement available to the courts. It said that its policy “needs” to make that much difference, even as it came under fire from content industry bodies for not mandating the cutting off of file-sharing internet users. In its just-published Digital Britain report, the Government said that most piracy will be wiped out by its plans. ISPs will be expected to produce a code of practice outlining how and when they will inform users of their services that they think the user has been file-sharing unlawfully and how the ISP will share data with the legal system. If file-sharing is not reduced by its ambitious target, though, the Government said that it will give telecoms regulator Ofcom powers to force ISPs to interfere with the internet connections of suspected file-sharers. Those include blocking individual internet connections from accessing certain sites or certain types of content, slowing down connections or placing a cap on a connection’s bandwidth. “These powers should be used if, and only if, the combination of measures set out above has been fully implemented but has not succeeded in significantly reducing the level of unlawful file-sharing,” said the report. [Source] [Digital Britain report] [Supporting documents from DCMS]
A federal jury in Minneapolis has ruled that Jammie Thomas-Rasset violated several music copyrights in the nation’s only file-sharing case to go to trial. A federal jury ruled yesterday that Thomas-Rasset wilfully violated the copyrights on 24 songs, and awarded recording companies $1.92 million, or $80,000 per song. Thomas-Rasset’s second trial actually turned out worse for her. When a different federal jury heard her case in 2007, it hit Thomas-Rasset with a $222,000 judgment. [SiliconValley.com] [Source] [Source] [Source]
France’s Constitutional Council has rejected as unconstitutional the government’s plan to sever Internet connections of users who are believed to habitually download digital content in violation of copyright law. The government’s plan would have given the authority to cut off service to the newly created High Authority for the Distribution of Works and the protection of Rights on the Internet. The Constitutional Council ruled that to cut off users from the Internet without judicial involvement would violate citizens’ rights. [Source] [Source]
Just 33% of people who receive warning letters would stop downloading content in violation of copyright law, according to the results of a survey from media law firm Wiggin. However, 80% of the respondents said they would stop pirating digital content if they thought their Internet connections would be cut off. The UK’s Strategic Advisory Board for Intellectual Property estimates that seven million Internet users in the UK use file-sharing networks once a week to pirate content. The UK government is expected to publish a report next week that will include “recommendations that ISPs investigate ‘technical solutions’ to piracy, which could involve slowing down connection speeds.” The survey also found that people would be willing to pay more for various levels of content services through their ISPs. [Source] [Source]
Internet / WWW
Researchers plan to present a proof-of-concept, “zero-footprint” darknet called Veiled at next month’s Black Hat Security Conference. HP’s Billy Hoffman and Matt Wood say their idea “take[s] the idea of a darknet and move[s] it into the browser platform.” While the idea of a darknet is not new, the concept as presented by the pair “uses the latest in rich Internet technologies” to make it a simpler affair than it has been in the past. Normally, a darknet requires third-party technology, but Veiled requires no new software. By taking advantage of newer developments like HTML 5, the researchers have created a system similar to a P2P network. Hoffman and Wood say that while their idea may not have the strength of the Tor network, it “is a lot easier to use.” [Source] [Source] [Source]
Law Enforcement
The fact that an internal police document listing FOB Killers gang members was found in a rival gang’s possession drew concern from the province’s top police officer, the privacy commissioner and gang experts. When police raided a Heritage Pointe house allegedly tied to the FOB gang during a gang bust in December, they found a list of rival FOB Killers gang members. The 2005 police document has mug shots of 37 suspected members along with their names, and is used by police for identification purposes. Calgary police are conducting an internal review of how their own document made its way into gang members’ hands. Alberta privacy commissioner Frank Work said his office was informed of the situation in a letter from Calgary police dated June 8. He said his office will offer police its expertise on managing information. [Source]
Location
Swiss data protection commissioner Hans-Peter Thür announced on Monday that Google must adhere to Swiss laws before rolling out its Street View service in that country. Thür said that the company must inform passers-by of its photography efforts before they are captured on the Google cameras. Thür also said that Google must obscure the faces and vehicle license plates captured in images, and that his office would conduct checks on the application, once launched, to ensure these conditions were satisfied. Google cars photographed Geneva, Zurich and Bern earlier this year. The service offers 360-degree online views of cities and towns and has been launched in 11 countries, so far. [Source]
Google has agreed to delete some of the original, unblurred photographs captured by its German Street View service, ceding to demands by Hamburg’s Data Protection Office. And in a departure from its policy in other countries, it will delete images of people’s homes in advance of publication if asked. Elsewhere, it only removes images if it receives a complaint after they have been published. Under pressure from the Hamburg authority, Google has agreed to delete the original, unblurred images from its internal database within two months of receiving a request. Google usually retains the raw images indefinitely, something it says helps it improve its algorithms for automatically identifying image features. The Data Protection Office had hoped that Google would delete all raw images, not just the ones subject to a request, but is happy with the compromise, agency head Johannes Caspar said in a statement late Wednesday. Google has also agreed to develop an online tool allowing German users to request that images of their home not be published. Last week, Google outlined its views on image data retention in its European public policy blog. [Source]
Online Privacy
The Article 29 Working Party has published its concerns about the collection and use of social networkers’ personal information. On Friday, the Financial Times reported that the group of European data protection commissioners recommends tougher restrictions on social networks’ release of users’ personal information to third-party developers. The group says that in order to better protect users’ personal information, developers of applications that piggyback social networking sites should be subject to European Union privacy and data protection rules, regardless of their location. [Source]
European data protection regulators want tougher restrictions on social networks’ release of users’ personal information to third-party developers. In what has already been described as a “landmark” opinion, the Article 29 Working Party says that in order to better protect users’ personal information, developers of applications that piggyback social networking sites should be subject to European Union privacy and data protection rules, regardless of their location. It is the first time regulators have sought to address the practice. The Working Party’s report is intended to guide national regulators on the topic. [Coverage] [Coverage] [Opinion 5/2009 on online social networking]
American lawmakers in the House are drafting Internet-privacy legislation designed to provide consumers more information about what is being collected online and to give them greater control about how that data can be used. It could also set rules for how consumers could prevent their personal data from being shared with advertisers. [WSJ]
Looking for a handbag? A dog? A new place to live? A New York company, Hunch.com, will tailor answers to consumer-generated questions using user-supplied and microdemographic data. The application will become more powerful as more people use it, says Hunch founder Caterina Fake, who also co-founded Flickr.com. Hunch gives users control over data they’ve divulged, and its privacy policy says it will not sell users’ information to marketers. But a new-media scholar says that policy is not legally binding and “without any strong consumer protection laws with respect to privacy,” problems can arise. Ultimately, Hunch hopes to use profile data to sell targeted advertising. [Source]
Other Jurisdictions
Social media websites became the front lines in Iran’s nascent revolution, after the government banned foreign media from reporting on ever-growing protests in the wake of Mahmoud Ahmadinejad’s disputed re-election last week. While censorship efforts also appeared to be targeting ordinary citizens and websites, users around the globe joined in online efforts aimed at circumventing the crackdown, protecting information sources within Iran and getting their story out, against the government’s will. [Source]
Privacy (US)
The 11th U.S. Circuit Court of Appeals has decided that veterans whose personal data was stolen could not recover financial damages for mental anguish. The Atlanta court said the veterans would have to show financial harm in order to be reimbursed. The identities of nearly 200,000 U.S. veterans were exposed in 2006 when a hard drive disappeared from a VA hospital in Birmingham, Alabama. Courts’ differing interpretations of the Privacy Act of 1974 “actual damages” language may have come into play, says an Alabama plaintiff’s attorney. [Source] [Decision]
A U.S. Senator wants an overhaul of the Family Educational Rights and Privacy Act (FERPA). Senator Sherrod Brown (D-OH) says universities are misusing the law to shield non-academic information. Brown sent a letter to the U.S. Department of Education yesterday, stating: “It is important that the public have confidence in the integrity of our higher education system, which requires a measure of transparency in reporting violations of rules.” The call follows the release of the Dispatch’s special investigation, Secrecy 101, into colleges’ information-release practices. FERPA became effective in 1974 to protect the privacy of students’ grades, transcripts and other academic information. [Source]
The Federal Trade Commission (FTC) yesterday issued a consent order against James B. Nutter & Company for violations of the Gramm-Leach-Bliley Act privacy and safeguards rules. The commission found that the mortgage lender failed to: maintain a written information security program; adequately protect information stored on its network; institute appropriate security measures for personal information on its network; and provide adequate privacy notices, among other violations. The notice sets out actions the company must take as a result, including an order requiring biennial third-party assessments for the next 10 years. Privacy expert Rebecca Herold, CIPP, says: “This case demonstrates the long-term consequences of not implementing a strong information security program.” [Source]
The US city that asked job applicants to hand over Facebook login details has caved in to a wave of negative publicity. The city of Bozeman, Montana, asked applicants to provide login details for “any internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.” Managers used the details to investigate potential employees and ensure they were right for the job. However, “Effective at noon today, the City of Bozeman permanently ceased the practice of requesting that candidates selected for positions under a provisional job offer provide their user names or passwords for candidates’ internet sites,” said city manager Chris Kukulski. Kukulski went on to say that over the course of a 90-minute meeting officials had decided the intrusive practice “exceeded that which is acceptable”. Critics of the practice questioned whether such an invasion of privacy was legal, and pointed out that it was against the terms and conditions of most sites to hand over login details to a third party. [Source]
Privacy Enhancing Technologies (PETs)
The Information Commissioner’s Office (ICO) is inviting interested parties to bid to undertake a three-month research project with the aim of developing a sound business case to persuade organisations to invest in proactive privacy protection. The completed research project, entitled The business case for investing in proactive privacy protection, will help organisations put a figure on not having proper data protection and privacy safeguards in place. The ICO wants to establish a sound economic case that will help organisations protect privacy and provide those who make expenditure decisions with a clear rationale for investing in proactive privacy protection. The report produced by the successful bidder will enable organisations to place a monetary value on information as an asset, quantify the risks of holding information, and pinpoint the financial and reputational costs should problems occur. The deadline for bids is on 20 July 2009. [Source]
RFID
In Taiwan, subway users will be able to use their RFID-enabled fare cards to check out library books from unmanned kiosks. See the report here.
Security
The team that conducted the 60-day review of national cyber security is planning to develop “a comprehensive national incident response plan ... that will guide response to the cyber equivalent of a natural disaster.” The team also plans to help align the myriad laws and regulations that hinder cooperation and threat response. The effort will involve working with both the private sector and legislators. The team is led by acting Senior Director for Cyberspace for the National and Economic Security Councils Melissa Hathaway, who is one of the candidates under consideration for White House Cyber Security Coordinator. [Source] [Source]
CDT has released a report to help track the progress of the “action items” contained in the Administration’s recently released Cyberspace Policy Review. The Review discusses a wide range of issues that the country needs to address in order to ensure that national security, economic and civil liberties interests are adequately protected. The action items outlined in the CDT report were derived from the Review and the President’s subsequent remarks on the document. The action items that develop from these themes are offered to supplement the Review’s broader near- and mid-term Action Plan for the incoming Cybersecurity Policy Official. [CDT’s report: Privacy and the White House Cyberspace Policy Review, June 19, 2009] [Press Release]
Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released last week by the Identity Theft Resource Center. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4%) and hacking (18%). Taken together, breaches attributed to these two types of malicious attacks have increased about 10% over the same period in 2008. [Washington Post]
A survey of 400 IT administrators found that more than one-third abuse their administrative rights to access sensitive information about employees, customers and their companies for personal use. The information accessed includes salary data and board meeting minutes. The survey also found that the percentage of administrators who would take proprietary information with them if they left their present positions increased significantly over last year’s figures; six times as many respondents said they would take financial information if they left their firms; four times as many said they would take executives’ passwords and R&D plans. [Source] [Source]
The U.S. Justice Department has unsealed indictments against three Filipino residents accused of hacking into thousands of private telephone networks in the U.S. and abroad, and then selling access to those networks at call centers in Italy that advertised cheap international calls. The indictments correspond to a series of raids and arrests announced in Italy, where authorities apprehended five men alleged to have been operating the call centers and using the profits to help finance terrorist groups in Southeast Asia. The U.S. government alleges that the individuals arrested in the Philippines were responsible for hacking so-called private branch exchange (PBX) systems owned by more than 2,500 companies in the United States, Canada, Australia and Europe. The U.S. government’s case was filed in the U.S. District Court of New Jersey, the home of long distance provider AT&T, among the companies whose customers were most impacted by the scheme. The charging documents allege the thieves used the hacked PBX systems to relay more than 12 million minutes in unauthorized international phone calls, or $55 million worth of telephone charges. Erez Liebermann, assistant U.S. attorney for New Jersey, said the hackers broke into most of the systems by using default passwords already set on them. “The default passwords were left open in most of these PBX systems,” Liebermann said. [Source]
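The scheme above is classic toll fraud: a remote dial-in port on a PBX is reached with its factory password and then used to relay international calls. Changing the default credentials is the fix; the compensating control on the operator side is to watch call detail records (CDRs) for the resulting traffic pattern. The following is an added example, not code from the indictment, AT&T or any PBX vendor. It assumes a constructed four-field CSV CDR format (timestamp, originating channel, destination in E.164 or with the 011 access code, duration in seconds), that dial-in ports are named with a "DISA" prefix, a North American home country code, and alert thresholds chosen for illustration; the sample records are constructed.

```python
"""Toy toll-fraud detector over constructed PBX call detail records.

Added example: the CDR layout, channel names, thresholds and sample data are
assumptions for illustration, not the format of any real PBX.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: timestamp, originating channel, destination, duration (seconds).
# "DISA-1" stands for a remote dial-in port; "ext-NNNN" is an internal handset.
SAMPLE_CDRS = """\
2009-06-10T14:02:11,ext-2041,+12125551212,180
2009-06-10T02:10:05,DISA-1,+639171234567,1250
2009-06-10T02:12:40,DISA-1,+639179876543,900
2009-06-10T02:13:01,DISA-1,+84912345678,1100
2009-06-10T02:15:22,DISA-1,+639170000001,1400
2009-06-10T02:18:47,DISA-1,+6591234567,800
2009-06-10T02:22:09,DISA-1,+639175555555,600
2009-06-10T09:30:00,ext-2110,+442071234567,300
2009-06-10T10:05:13,ext-2041,+12125550123,60
"""

BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local time (assumption)
INTL_PREFIXES = ("+", "011")     # E.164 form or the NANP international access code
HOME_COUNTRY_CODE = "+1"         # assumption: a North American site
ALERT_CALLS_PER_HOUR = 5         # illustrative thresholds; tune per site
ALERT_MINUTES_PER_HOUR = 60


def parse_cdrs(text):
    """Parse the constructed CSV shape into (datetime, channel, destination, seconds) tuples."""
    rows = []
    for ts, chan, dst, dur in csv.reader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(ts), chan, dst, int(dur)))
    return rows


def is_international(dst, home_cc=HOME_COUNTRY_CODE):
    """True for destinations dialled with an international prefix outside the home country."""
    return dst.startswith(INTL_PREFIXES) and not dst.startswith(home_cc)


def suspicious_calls(rows):
    """Flag individual CDRs that match at least two fraud indicators."""
    flagged = []
    for ts, chan, dst, dur in rows:
        reasons = []
        if is_international(dst):
            reasons.append("international")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if chan.startswith("DISA"):
            reasons.append("dial-in-port")
        if len(reasons) >= 2:
            flagged.append((ts, chan, dst, dur, reasons))
    return flagged


def hourly_alerts(rows):
    """Aggregate international traffic per (channel, hour); alert when volume crosses a threshold."""
    calls = defaultdict(int)
    minutes = defaultdict(float)
    for ts, chan, dst, dur in rows:
        if is_international(dst):
            key = (chan, ts.strftime("%Y-%m-%dT%H"))
            calls[key] += 1
            minutes[key] += dur / 60
    alerts = []
    for key in calls:
        if calls[key] >= ALERT_CALLS_PER_HOUR or minutes[key] >= ALERT_MINUTES_PER_HOUR:
            alerts.append({"channel": key[0], "hour": key[1],
                           "calls": calls[key], "minutes": round(minutes[key], 1)})
    return sorted(alerts, key=lambda a: (a["channel"], a["hour"]))


def analyse(text=SAMPLE_CDRS):
    """Run both checks over a CDR text; returns (flagged_calls, hourly_alerts)."""
    rows = parse_cdrs(text)
    return suspicious_calls(rows), hourly_alerts(rows)


if __name__ == "__main__":
    flagged, alerts = analyse()
    for entry in flagged:
        print("FLAG", entry)
    for alert in alerts:
        print("ALERT", alert)
```

On the sample data the six early-morning calls from the dial-in port are flagged individually, and the per-hour aggregate raises one alert for that port; the daytime calls from handsets, including the one legitimate international call, pass. In practice the per-hour aggregate is the more robust signal, since a relay operation produces volume that no single handset does.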
Surveillance
American intelligence agencies have been accused of spying on the emails of millions of Americans, including those of former president Bill Clinton. In the latest in a series of intelligence scandals to hit Washington, details of a secretive email surveillance scheme are beginning to come to light, with fresh allegations reported in the New York Times. The database system, called Pinwale, is used by America’s National Security Agency to intercept and examine huge volumes of email passing through American telecommunications networks. The NSA has confirmed that Pinwale exists, although it will not comment on the latest allegations or give further details on how the system operates. The head of the Senate Intelligence Committee, which has been investigating the unauthorised surveillance claims for several years, reacted to the news of the Pinwale system by suggesting that nothing illegal had taken place. In 2005 it emerged that President Bush had bypassed the usual process of court approval for wiretaps, encouraging NSA officials to conduct wiretaps at his command. Accused of abusing his powers, Bush later claimed it was his “constitutional responsibility”; while Congress strongly objected, the controversy ended last year with a compromise that effectively approved his actions and gave immunity to American telecoms companies for their role in aiding the NSA. “Ordinary Americans’ most private emails have been and still are being intercepted in bulk and then stored in secret NSA databases, without probable cause,” said Kevin Bankston, a lawyer with the campaign group Electronic Frontier Foundation. The news comes just weeks after President Obama said he would create a new office for cybersecurity, closely linked to the NSA, while vowing not to endanger people’s privacy. “Our pursuit of cybersecurity will not - I repeat, will not - include monitoring private sector networks or Internet traffic,” he said. “We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.” [Source]
Telecom / TV
The company behind a controversial mobile phone directory that launched last week is struggling to defend its procurement of mobile phone numbers. The Information Commissioner’s Office (ICO) is reportedly looking into whether Connectivity’s service, which went live on Friday, complies with the Data Protection Act and certain conditions the ICO set for the company during consultations. The service lets customers find a mobile phone user by name. An operator connects the parties after receiving the call recipient’s permission. Thousands of mobile phone users have already opted out of the directory, according to the report. [Source]
The Indian government is now requiring that all imported mobile phones have accompanying International Mobile Equipment Identity (IMEI) numbers; mobile service operators have been ordered to block calls from phones that do not have IMEIs. The numbers are most often programmed into the devices by manufacturers, and serve to identify them on Global System for Mobile Communication (GSM) networks. Phones with IMEI numbers composed entirely of zeros are also banned. Phones without IMEI numbers have been used by terrorists to evade attempts at identification. [Source]
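An operator blocking on IMEI needs more than a presence check: a 15-digit IMEI carries a Luhn check digit in its last position (3GPP TS 23.003), but the all-zero string the Indian order also bans happens to satisfy Luhn, so it has to be rejected explicitly. The block below is an added example, not code from any operator or the Indian order; it implements the public IMEI check-digit rule, assumes the operator wants plain 15-digit IMEIs (so 14-digit values without a check digit and 16-digit IMEISVs are refused), and uses constructed sample values.

```python
"""IMEI admission check of the kind a mobile operator might run before allowing a device
onto the network. Added example; the IMEI layout (14 digits + Luhn check digit) is
public, the policy choices and sample values are assumptions for illustration."""
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check over a decimal string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:              # double every second digit, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body14: str) -> str:
    """Compute the check digit that turns a 14-digit IMEI body into a valid 15-digit IMEI."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be 14 decimal digits")
    for cd in "0123456789":
        if luhn_valid(body14 + cd):
            return cd
    raise AssertionError("one of ten digits always satisfies Luhn")


@dataclass(frozen=True)
class ImeiVerdict:
    imei: str
    allowed: bool
    reason: str


def classify_imei(raw: str) -> ImeiVerdict:
    """Decide whether a reported IMEI is acceptable; rejects malformed, all-zero and bad-checksum values."""
    digits = "".join(c for c in raw if c.isdigit())  # tolerate spaces/dashes in the reported value
    if len(digits) != 15:
        return ImeiVerdict(digits, False, "not 15 digits")
    if digits == "0" * 15:
        # All zeros passes Luhn (sum 0), so the ban on all-zero IMEIs needs an explicit rule.
        return ImeiVerdict(digits, False, "all-zero IMEI")
    if not luhn_valid(digits):
        return ImeiVerdict(digits, False, "check digit mismatch")
    return ImeiVerdict(digits, True, "ok")


def tac(imei15: str) -> str:
    """Type Allocation Code: the first eight digits, identifying the device model."""
    return imei15[:8]


def admit_devices(reported):
    """Apply the check to a list of reported IMEIs; returns (allowed, blocked) lists of verdicts."""
    verdicts = [classify_imei(r) for r in reported]
    return ([v for v in verdicts if v.allowed], [v for v in verdicts if not v.allowed])


if __name__ == "__main__":
    # Constructed sample: a valid IMEI, the same with a bad check digit, all zeros, and a short value.
    for v in admit_devices(["49 015420 323751 8", "490154203237519", "000000000000000", "4901542032375"]):
        for entry in v:
            print(entry)
```

The constructed sample IMEI 490154203237518 passes; flipping its last digit fails the checksum; the all-zero value is caught by the explicit rule rather than by Luhn. Note that Luhn only catches accidental corruption: a phone reprogrammed with a cloned but well-formed IMEI passes this check, which is why operators pair it with block lists of known-stolen or duplicated IMEIs.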
The CRTC Chair disputes the urban myth regarding the misuse of the National Do Not Call List (“NDNCL”), i.e. allegations that telemarketers based outside of Canada are purchasing subscriptions to the NDNCL only to call the numbers on the list. Further, an independent survey found that 80% of those who have registered say they now receive fewer telemarketing calls. For telemarketers who violate the law, the Chair states that it will not hesitate to use the CRTC’s authority to impose administrative monetary penalties of up to $15,000 for each violation of the rules. The CRTC will also have new responsibilities arising out of Bill C-27, the Electronic Commerce Protection Act, designed to counter spam; under the proposed Bill, the CRTC is given a wide range of inspection and enforcement tasks. [Source]
US Government Programs
According to a report from the US Department of Homeland Security (DHS) Office of Inspector General, US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) at Dulles International Airport still need to address certain security concerns that could compromise the “confidentiality, integrity, and availability of the automated systems used to perform their mission critical activities.” Both CBP and TSA have made “significant progress in improving technical security for information technology assets at Dulles;” however, the report recommends that both organizations take steps to improve “their operational controls over the physical security of their information technology [as well as their] technical controls.” Some servers in use appear not to be running the most current release of operating system software. [Source] [Source]
The House Subcommittee on Communications, Technology and the Internet and the Subcommittee on Commerce, Trade, and Consumer Protection will hold a joint hearing this week to discuss cookies-based behavioral advertising. This is the second time this year Congress has taken up the behavioral targeting topic. Thursday’s hearing, ‘Behavioral Advertising: Industry Practices and Consumers’ Expectations,’ will focus on the technique used by Web companies such as Google, Yahoo and Facebook, the report states. Invited witnesses include representatives from industry, academia and the advocacy community. Rep. Rick Boucher (D-VA) is expected to introduce legislation this year that would impose certain restrictions on behavioral targeting practices. [Source]
US Legislation
US legislators have proposed a revision to the Real ID Act of 2005, a controversial law aimed at tightening security in the wake of the September 11 attacks. Real ID required states to issue new, more secure driver’s licenses and identification cards by 2017; citizens would be required to present them to enter certain buildings and to board airplanes. Some states balked at the cost of implementing the measure, and civil liberties groups decried Real ID’s assault on privacy. The proposed revision, known as Pass ID, would still require that state-issued licenses include a digital photograph and signature of the holder and a bar code, and that the licensing agencies store copies of the supporting documents used to obtain the license. States would still be required to verify the identities of people applying for licenses by checking databases at the State Department, Social Security and federal immigration. Critics of the proposed revision say it takes the teeth out of Real ID because it eliminates the requirement that birth certificates, Social Security numbers and other credentials be authenticated with the authority that issued them, instead requiring only that they be validated. [Source] [Source] [Source]
Workplace Privacy
Officials in Bozeman, Montana want job applicants’ usernames and passwords for Internet chat rooms and social networks so they can thoroughly vet potential public employees. Although the policy has been in place for some time, a KBZK report launched it into the national spotlight. Assistant City Manager Chuck Winn defended the request yesterday, saying: “Before we offer people employment in a public trust position we have a responsibility to do a thorough background check.” An Electronic Frontier Foundation attorney said he thinks the policy is “indefensibly invasive and likely illegal as a violation of the First Amendment rights of job applicants.” [Source]