Privacy News Highlights
01–09 October 2009
Contents:
CA – Privacy Commissioner Issues Annual Report
CA – Stop Illegal Juror Checks, Crown Attorneys Ordered
CA – Canada’s CAs Offer Guidance to Help Prevent Data Breaches
CA – Parliamentary Report Pushing Random Roadside Breath Testing
EU – EU Commissioner Warns of Privacy Risk to Children
US – FTC Asked to Investigate Echometrix
UK – Surrey Police Prepared with Data on Citizens When Responding to Incidents
US – Privacy Issue Raised in Crash Forms Feud
US – MSN Launches Personal Health Management Service
US – Healthcare Execs: EMR Data Will Be Treasure Trove
EU – COE Seeking Private-Sector Comments
EU – EU Countries Doing More to Protect Privacy, Should Do More Still
AU – One In Five Fall Victim To ID Theft
CA – Youth More At Ease Posting Online Comments: Poll
WW – Google Apologized for Temporarily Removing Pirate Bay from Search Results
AU – Filtering Works, Enex Trial Shows
EU – Turkey Blocks Thousands Of Foreign Websites
CA – eBay Canada to Hand over More Seller Tax Records to Government
US – Lawsuit Challenges California’s Mandatory DNA Collection at Arrest
US – AHIMA Floats Privacy ‘Bill Of Rights’
US – Congress Wants Repeal of HHS Medical Breach Rule
US – IU Gets Grant for Health Research Privacy Project
US – Public Comment Period Open on Consumer Preferences Standards
US – Missing Hard Drive Contains 70 Million US Military Veterans’ Records
US – Express Scripts Notifies 700,000 of Data Security Breach
US – Stolen Laptop Holds Unencrypted Data of 850,000 Doctors
WW – Hotmail Passwords Leaked Online
US – Amazon.com Agrees to Pay US $150,000 to Settle Kindle eBook Removal Lawsuit
UK – BT Resisting BPI’s Demand to Act on List of Suspect IP Addresses
AU – Film Companies Take ISP to Court for Failure to Act on Filesharing Information
CA – MySpace, LinkedIn Have Privacy Issues: OPC Study
WW – ICANN Studies Secretive Domain Owners
CA – Privacy Rules Impede Emergency Responders: Police Chief
US – DHS Considers Body Signal Scan at Airports
CA – BC Commissioner Takes Dim View of Street View
WW – Charting the Final Frontier – Google Maps for Indoors
US – CTG Releases National Survey of Cross-Boundary Information Sharing
WW – Google Street View Arrives In 11 Canadian Cities
US – Researchers: “Americans Want Openness with Marketers”
US – The Privacy Projects Launches to Encourage Privacy Research
US – Generally Accepted Privacy Principles Revised
WW – Anonymized Genetic Research Data Still Carries Privacy Risks
US – U.S. DOT Wants RFID License Plates ASAP
US – Mobile RFID Device for Shoppers Boosts Store Sales
US – CIO Council to Develop Outcome-Based Security Metrics
WW – How Dangerous Could a Hacked Robot Possibly Be?
CA – CSIS Can Listen in on Canadian Terror Suspects Abroad: Court
UK – Internet Game for Spotting Real Crimes on CCTV Branded ‘Snooper’s Paradise’
US – Comcast Testing Malware Alert Service
US – Senate Panel Approves Extension of Patriot Act
US – Peer-to-Peer Legislation Passes in Committee
CA – More than Half of Canadian Companies Block Access to Social Nets
Canada
The PCC’s annual report regarding PIPEDA focuses on the importance of making informed choices about sharing personal information online, and highlights the issue of youth privacy. It also looks at 2008 privacy complaint investigations; technology and privacy issues; and the Commissioner’s efforts to encourage the development of international privacy standards. The OPC received 422 new PIPEDA-related complaints for investigation in 2008, ending a downward trend that had lasted for several years. [Press Release] [PIPEDA Annual Report to Parliament 2008] [Think before you post, privacy czar says] [Insurance Industry Sees Spike in PIPEDA-Related Complaints]
Ontario’s privacy commissioner has ordered Crown attorneys to stop the “disturbing” practice of using police to collect personal information on prospective jurors. Blasting what she called a “very serious” invasion of privacy, Ann Cavoukian revealed this week that the vetting – first flagged by a judge as a problem in 1993 – was far more common than thought when newspapers finally exposed it last May. Eighteen of 55 provincial Crown attorney offices gathered background information about potential jurors.
In doing so, the prosecutors were breaking privacy laws – even though Cavoukian emphasized the breaches appeared unintentional because the rules were “vague.” Attorney General Chris Bentley said the government will reform the Juries Act to impose better privacy protections and promised to enact all 22 of Cavoukian’s recommendations in her special 212-page report entitled “Excessive Background Checks Conducted on Prospective Jurors.” [Source] [IPC background info] See also: [20 secret checks of jurors uncovered] [N.S. prosecutors deny they vetted jurors] and [Juror vetting not illegal, prosecutor says]
A new toolkit from the Canadian Institute of Chartered Accountants (CICA) is designed to help organizations be proactive in identifying data security and privacy risks. The toolkit titled “The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises” features a foreword written by Jennifer Stoddart, Privacy Commissioner of Canada and an introductory chapter by Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario. The Privacy and Data Security Toolkit offers a number of valuable resources:
The CICA toolkit is available in both English and French. More information is available at www.cica.ca/privacy [Press Release]
The prospect of permitting police to search people on a whim ought to make any Canadian uneasy. Such behaviour, as many civil libertarians have reminded us, is usually reserved for police states, not those governed by the rule of law. But the devil, as always, is in the details. Take, for example, the recent report of the House of Commons Standing Committee on Justice and Human Rights, which recommended Parliament grant to police the authority to conduct random roadside breath testing. This certainly raises the spectre of a police state, since police would no longer require reasonable grounds to believe a driver had been drinking before demanding a breath sample. And it would, as the committee freely admits, constitute a prima facie infringement of the Charter rights to be free from unreasonable search and arbitrary detention. But that is the beginning, rather than the end of the matter. In the end, random breath tests may well pass constitutional muster. [Source]
Consumer
United Press International reports that EU Information Society Commissioner Viviane Reding said earlier this week in Brussels that the proliferation of minors posting personal information to Web sites, and social networking utilities in particular, constitutes a threat to children’s privacy and that new legislation is needed to address the issue. Addressing a gathering of industry and government officials on the future of the Internet, Reding warned: “The European Commission has already called on social networking sites to deal with minors’ profiles carefully, by means of self-regulation. I am ready to follow this up with new rules if I have to.” [Source]
The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission (FTC) claiming that marketing-intelligence software maker Echometrix violates the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, reports Research. EPIC says that “parents are unaware that the company collects information about their children and discloses it to third parties.” On its Web site, the company says it “never has and never will collect, distribute or sell personal information as defined by COPPA.” Echometrix makes software that analyzes language to help parents and marketers monitor online chatter. [Source]
E-Government
Surrey Police boasts one of the lowest crime rates in the country, living up to its slogan “With you, making Surrey safer”. The simple name and address forms a crucial part of daily operations at Surrey Police. The accuracy of this information impacts on areas such as emergency response, investigations, stop and search and compliance. Since 1997, Experian QAS has been providing Surrey Police control room staff with name and address data which gives them a quick snapshot of people living in and around an incident. This means that officers go to a location forewarned. Surrey Police are also about to embark on a new mobile data pilot. As part of this initiative, NameTracer Pro will be used to increase the number of citizens whose details can be verified during stop and search. [Source]
First the crash then the phone calls. Some Texas officials want to stop cops from including motorists’ phone numbers on accident reports. The Houston Chronicle reports that some Texas Transportation Commission members want them eliminated to protect citizens from the solicitations that often follow accidents. But a Texas Department of Public Safety official says the numbers should stay for investigative purposes, and that a new state law should help cut down on unwanted post-accident calls. The law prohibits lawyers and healthcare professionals from making phone solicitations within a 30-day period following an accident. [Source]
Electronic Records
MSN last week released its beta version of a new online health information management service, including widgets to upload and organize data stored in HealthVault accounts. MSN describes My Health Info as a feature designed for busy parents, adults managing aging parents, and anyone managing chronic conditions and multiple medications. [CNET]
PricewaterhouseCoopers (PWC) surveyed more than 700 healthcare executives, finding that 75% of respondents feel that within five years, the industry’s most valuable asset will be the information contained in electronic medical records, reports InformationWeek. PWC issued the survey findings yesterday. However, the hundreds of billions of gigabytes of patient data will only be useable if privacy concerns, among others, can be resolved. Other findings reveal that 90% of respondents feel data use and sharing guidelines should be improved and 76% feel there should be national regulation around the use of health data, the report states. [Source]
EU Developments
A Council of Europe committee is seeking comments from the private sector on its draft of the “Protection of Individuals with regard to Automatic Processing of Personal Data in the Framework of Profiling” document. The Consultative Committee of the Convention 108 on Data Protection has been working on the draft recommendation, which will be one of the first documents on the topic to be issued by an international organization. Comments are due by the end of this month and should be directed here. [Source] [Draft document]
A recent study released by the European Commission found that EU member nations are doing more to protect the privacy of their citizens, but still have a long way to go in instituting policies to address the many threats to their sensitive, personal data. The study, published yesterday, identified spam as a major threat to privacy. The study also outlined a number of other findings: nearly all EU countries have Web sites where citizens can file complaints; an analysis of 140 enforcements across 22 member states shows a significant gap in cases prosecuted and fines levied; and public education is a critical component to fighting online privacy and security threats. [Source]
Facts & Stats
A fifth of all Australians are victims of credit card fraud or computer hackers, a crime report said. The identity crimes report found more than 1.5 million people’s credit cards had been skimmed and 1.2 million people’s bank accounts were illegally accessed. [Australian IT]
A survey of 1,001 Canadian adults has revealed that more than a quarter are unaware of the risk they take when posting comments to blogs and Web sites. Angus Reid Strategies conducted the poll for TD Insurance. “Most people approach online commenting as though they were chatting in person,” said TD VP Henry Blumenthal. The findings suggest that younger people are more likely to post online comments. The results come on the heels of recent high-profile lawsuits concerning online posts and the federal privacy commissioner’s recommendation for Canadian youths to ‘think before you post.’ [Source]
Filtering
Google has issued a public apology for removing The Pirate Bay from its search results. Google removed Thepiratebay.org in response to a Digital Millennium Copyright Act (DMCA) takedown request that mistakenly included the site’s address. Takedown notices are used to let companies know that they are hosting copyrighted material and that they must remove it or face legal repercussions. The Pirate Bay has been restored to Google’s search index. [Source] [Source] [Source]
Results of an Australian federal government trial show that live ISP-level content filtering does not have a negative impact on network performance and can work in a real-time environment. However, a highly anticipated report based on the pilot is still weeks away and the federal Opposition says the government cannot be trusted to deliver on the $43 billion national broadband network when the goalpost keeps shifting for a mere $300,000 filtering trial. [Australian IT]
Following the entering into force in November 2007 of the Turkish Law No. 5651 entitled Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publication, a large number of websites have been blocked in Turkey. According to Dr. Yaman Akdeniz, Founder and Director of Cyber-Rights & Cyber-Liberties (UK), there are at present more than 6000 websites blocked in Turkey including known sites such as YouTube, WordPress, GoogleGroups and Sites, DailyMotion and others. Some of the sites are blocked by court orders while most of them are blocked by administrative blocking orders issued by the Telecommunications Communication Presidency (TIB). Some websites are blocked because they are considered obscene, others for involving child abuse and sexual exploitation, gambling, betting, prostitution and others for being considered as related to crimes committed against Atatürk. [Source] [At least 6000 websites censored from Turkey] [Unblock The Banned Websites In Turkey Petition] [EDRi-gram: Turkey: Another blocking order against YouTube]
Finance
eBay Canada said it would hand over more data to Canada’s tax agency after receiving a court-authorized requirement from the Canada Revenue Agency. The company will release the account information and sales data of Canadian resident eBay members who meet the following criteria: Sales of more than $20,000 and at least 24 sales transactions in any of the calendar years 2006, 2007 or 2008; or, Sales of more than $100,000 in any of the calendar years 2006, 2007 or 2008, regardless of the number of sales transactions. eBay said it was only required to release sales information for the year(s) in which a seller met the above sales thresholds. The member information that will be released for 2006, 2007 and/or 2008 includes: full name, user id, mailing address, billing address, telephone number, fax number, email address, and the selling prices (high bids) of the items. The September 2009 request followed a similar request made by the Canada Revenue Agency; in November 2008, after a lengthy legal battle, eBay was required to reveal the account information of members who held PowerSeller status in 2004 and 2005. eBay Canada said it strenuously objected to the “violation of our members’ privacy,” but said it was obliged to comply with the court-ordered requests. eBay said it was alerting all members affected by the court order prior to disclosing their account information to the Canada Revenue Agency. [Source]
Genetics
A lawsuit filed by the ACLU of Northern California seeks to stop California’s policy of mandating that DNA is collected from anyone arrested for a felony, whether or not they are ever charged or convicted. The ACLU opposes this law because it violates constitutional guarantees of privacy and freedom from unreasonable search and seizure, and because of the harmful impact on communities of color. Under the statute, which went into effect on the first of the year, people who are arrested for a felony must provide DNA samples that will be stored in a criminal database accessible to local, state, national, and international law enforcement agencies. Instead of being limited to serious, violent offenses, the new requirement even applies to victims of domestic violence who are arrested after defending themselves, people wrongfully arrested due to police misconduct, someone who has written a bad check, and people arrested during political demonstrations. In March 2009, Lily Haskell attended a peace rally in San Francisco and was arrested. She was not charged with a crime and was quickly released, but not before being required to provide a DNA sample. “When your DNA is taken after an arrest at a political demonstration, it can have a silencing effect on political action,” said Haskell. “Now my genetic information is stored indefinitely in a government database, simply because I was exercising my right to speak out.” People like Haskell who are innocent and were never even charged with a crime may seek to have their DNA sample expunged from the state database, but the process is cumbersome and requires a long wait until the statute of limitations to bring charges has run out – at least three years and, in some cases, much longer. California’s huge forensic DNA database – the third largest in the world – already faces tremendous backlogs.
The resources spent collecting thousands upon thousands of DNA samples from arrestees detract from the resources that could instead be devoted to processing crime-scene samples to help solve violent and serious crimes like rape, assault, and murder. The case (No. 09-04779) is filed in the United States District Court for the Northern District of California in San Francisco. [Source]
Health / Medical
The American Health Information Management Association (AHIMA) is looking to bridge what it sees as a yawning gap in health privacy protections with a seven-point bill of rights it hopes will push the healthcare industry to a “major paradigm shift” in patient privacy practices. The bill is necessary because of “repeated abuses of access, accuracy, privacy and security of the most basic rights of individuals,” said AHIMA’s president. There are many entities that operate outside of HIPAA, AHIMA said, and there is a wide variance of regulations imposed by the states. AHIMA tallies a number of rights that cover privacy of health information stored both in digital and paper form, including several that guarantee consumers cost-free access to their health information and that the information be as accurate and complete as possible. Others deal with patients’ rights in the case of medical identity theft, the need for a national privacy and security standard, and the right to a legal recourse in the event a breach of information causes someone harm. It’s an educational effort to start with, the association says, which will build momentum over the next few weeks. However, in introducing the bill at its annual meeting in Dallas on Monday, AHIMA said it may require legislation to prod the healthcare industry into making the required changes. [Source]
Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the HITECH Act may have been undermined by a Health and Human Services rule, known as the “harm threshold,” which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach. [Source]
The Center for Applied Cybersecurity Research (CACR) at Indiana University has received more than a half-million dollars in support of a two-year project on patient privacy. The National Institutes of Health awarded $559,827 for the “Protecting Privacy in Health Research” project. Privacy, security, legal and medical research experts will collaborate to develop new approaches to protecting personal data used in health research, while reducing the challenges imposed upon that research by current laws, according to an IU press release. CACR director Fred Cate says the panel will “develop a specific proposal” that could lay the foundation for regulations or legislation. [Source]
The Office of Interoperability and Standards and the Office of the National Coordinator have released the Consumer Preferences Draft Requirements Document and are seeking public comments through October 16. The document addresses the processes, information exchanges, stakeholders, functional requirements and issues and obstacles surrounding consumer preferences. It will be used to assist the Healthcare Information Technology Standards Panel in identifying, harmonizing and/or facilitating the development of standards which address consumer preferences. [Source] [Consumer Preferences Draft Requirements Document]
Horror Stories
A hard drive containing personally identifiable information of US military veterans was sent to a contractor to be repaired without first being erased. The contractor determined that the drive could not be repaired and sent it to another company to be recycled. The National Archives and Records Administration is investigating the breach, which may affect more than 70 million people. The hard drive contains data used by a system through which veterans can request copies of their health records and discharge papers. [Source] [Source] [Source] [Source]
Pharmacy benefits management company Express Scripts says that approximately 700,000 people have been notified that their personally identifiable information was compromised following a data security breach in 2008. The company learned of the breach when the data thief attempted to extort money in exchange for not exposing the information on the Internet. The initial extortion demand contained information of 75 patients; the recent set of letters was sent in response to a larger file of information that was sent to a law firm. [Source] [Source]
A laptop computer stolen from the car of a BlueCross BlueShield employee contains unencrypted personal data of 850,000 physicians. The data include names, addresses, tax ID numbers and national provider identification numbers. About 187,000 of the physicians use their Social Security numbers (SSNs) as their tax ID or national provider numbers. Company policy dictates that the data be encrypted, but the unidentified employee downloaded unencrypted data to work on at home; BlueCross BlueShield is reviewing its security policy in light of the incident. [Source] [Source]
Thousands of Windows Live Hotmail passwords have been leaked online, Microsoft has confirmed. Microsoft was quick to point out that credentials were stolen through what was “likely a phishing scheme.” [CNET]
Intellectual Property
Amazon.com has agreed to a settlement that would have the company pay US $150,000 to a Michigan high school student who sued the company after his copy of 1984 was deleted from his Kindle reading device without notice. In June of this year, Amazon deleted copies of 1984 and Animal Farm from users’ devices after learning that the entity that had made the e-books available did not have proper authorization to do so. Justin D. Gawronski sued Amazon, in part because when the file was deleted from his Kindle, he lost annotations he had been making as part of his summer homework for an Advanced Placement class. The settlement also mandates that Amazon will not delete e-book files from users’ Kindles unless the user agrees, the user seeks a refund or the payment does not clear, a court orders that the file be deleted, or the deletion is deemed necessary to protect users from malware. In September, Amazon offered to return the books to customers’ Kindles along with any annotations that had been made or give them credit at Amazon.com or a check. [Source] [Source]
The British Phonographic Industry (BPI) has provided UK Internet service provider (ISP) BT with the IP addresses of 100,000 BT customers the BPI suspects of illegal filesharing. BT has not yet taken any action. BPI is unhappy with BT’s inaction; the ISP maintains it has no formal agreement with the BPI regarding suspected piracy. BT ran a 12-week test program in July 2008 during which it sent warning letters to suspected copyright infringers. A BT spokesperson said that investigating each allegation of filesharing would not only prove costly, but would also violate customers’ privacy rights. [Source] [Source]
Australian Internet service provider (ISP) iiNet was in court facing charges that it has not taken action against suspected illegal filesharers. Movie companies sued the ISP for allegedly not disconnecting subscribers that the movie companies maintained were sharing pirated copies of films through BitTorrent. Australia’s safe harbor law allows ISPs immunity from prosecution if they “reasonably implement” the practice of cutting off subscribers who are “repeat [copyright] infringers.” iiNet stands by its assertion that “allegation of infringement” and “proof of infringement” are not the same thing, and that copyright holders who believe their rights have been infringed upon should seek judgments against the alleged perpetrators in court and present those judgments to iiNet, which will then disconnect that user. [Source]
Internet / WWW
A study commissioned by Canada’s Privacy Commissioner of six popular social network sites including MySpace and LinkedIn found many social network sites have the same problems as Facebook, ranging from not telling users enough about how their information is shared with advertisers and third party developers to just how much of that information is shared. Assistant Privacy Commissioner Elizabeth Denham said the report, prepared by Jennifer Barrigar in February and made public without fanfare on the Privacy Commissioner’s website this week, isn’t an investigation like the recent Facebook report but part of the effort to better educate Canadians about the privacy issues connected to social network sites. In her report, Barrigar outlines the practices of six social network sites - Facebook, Hi5, LinkedIn, Livejournal, Skyrock and MySpace. Among the common problems was that sites didn’t make it clear to users just what information was being shared with advertisers or third party developers. Another problem was that some information was viewable to non-users through public search engines. Barrigar also recommends that default settings on sites protect privacy. Users who want to be more public would have to make changes to do so. [Report and Findings] [Source]
Approximately 15–25% of domain names have been registered in a manner that limits the amount of personal information available to the public through WHOIS queries, according to the preliminary results of a report from ICANN (Internet Corporation for Assigned Names and Numbers). Domain owners who want to limit the amount of personal information available to the public generally use a privacy or a proxy service. A privacy service lets the registrant limit the amount of personal information available via a search in a WHOIS database, while proxy services register domain names on behalf of registrants. It’s the use of these two services that ICANN has surveyed, the organization said this week. The main objective of the study – which was based on a random sample of 2,400 domain names registered under .com, .net, .org, .biz and .info – is to establish baseline information to inform the ICANN community on how common privacy and proxy services are. ICANN now is seeking community comments, which can be filed until Nov. 6, on the report. But ICANN isn’t just taking a closer look at how secretive domain owners are. On Sept. 28 it announced plans to conduct a study into the misuse of public data available via WHOIS searches and in June it announced a study of domain name WHOIS contact data accuracy. Information from WHOIS searches can be used by spammers, but at the same time correct information is necessary when pursuing cybersquatters and cybercriminals. [Source]
Law Enforcement
Different privacy rules governing police, who work for the city, and paramedics, who now work for the province, are hampering investigations, says Calgary’s police chief. Critical information is being withheld from officers because of new privacy rules that Emergency Medical Services personnel must follow, Chief Rick Hanson told the aldermanic committee on community and protective services this week. “[If] we’re responding to a stabbing, we get to the scene of that event, we need to know as much information as possible relative to the nature of the injury, the circumstances when the medics may have gotten there, information around the identity of the individual, if that person is already in an ambulance. These are things that were just freely shared before,” said Hanson. When police, firefighters and EMS staff all worked for the city, they were bound by the Freedom of Information and Protection of Privacy Act. In April, however, the province took over ambulance services, bringing the additional requirement of the Health Information Act, which covers the collection, use and disclosure of health records. That has led to information not being fully exchanged between emergency responders. [Source]
The Department of Homeland Security (DHS) is testing an experimental body scanning system designed to detect, based on body signals, whether passengers may have violent intentions before boarding aircraft. Known as Future Attribute Screening Technology (FAST), the system measures heart rate, breathing, eye movement, body temperature and fidgeting to determine whether a passenger might constitute a safety risk. Project manager Robert Burns said the system is designed to detect the body’s natural reactions to a person’s mental or emotional state of mind. If successful, DHS says the system may be deployed at airports, federal buildings, stadiums, convention centers and mass transit facilities. [Source]
Location
Google’s 360 degree visual mapping feature, Street View, went live in Vancouver this week. Within hours British Columbia Information and Privacy Commissioner David Loukidelis contacted the company to report that privacy protections, including blurring the faces of pedestrians and license plates captured by the service, were not in effect. The Vancouver Sun reports that students at Vancouver’s Notre Dame high school scoured the service and found un-blurred images, which the school’s IT department head Peter Vogel reported to Loukidelis’ office. “We acknowledge that this tool may be of interest to people, but at the same time under the privacy law in BC there are issues that have to be addressed,” Loukidelis said. [Source]
Ever been to a conference, shopping mall, college campus or even theme park, and weren’t sure which way to turn? Micello will soon offer free maps to help you get to where you are supposed to be. Google maps are great for navigating to an address, but once you arrive, it’s up to you to find the office, meeting room or vendor inside. Now Micello takes over where conventional navigators leave off, mapping your route inside buildings, malls, convention centers and other points of interest. “Micello is quite literally Google maps for the insides of buildings,” said Ankit Agarwal, founder and CEO of Micello. “We are mapping the last unchartered territory—the last mile—between the front door and where you are going. We are building the foundation for an indoor location-based services market.” Gartner predicts that location-based services will exceed $2.2 billion in 2009, and grow to as much as $8 billion by 2011. Micello plans to tap this market by charging fees to subscribing venues to provision the content at their location on Micello maps. Available as a free service to users of the iPhone, BlackBerry, Palm or Android mobile handsets, Micello displays the Google maps to an address adorned with icons showing where indoor maps are available. Once the user arrives at an address, clicking on the Micello icon overlays the indoor map. Search for a particular venue inside, and Micello highlights a recommended route from your current location. Future versions will also provide directions from your car in the parking lot, as well as store-to-store directions once inside a mall. Micello also plans to personalize maps by highlighting items that may be of interest to users based on their profile and history, as well as allow them to share their location with Facebook friends, Twitter followers or LinkedIn contacts. In addition, users will be encouraged to crowd-source information about destinations by posting reviews about points of interest. [Source]
Offshore
Factors Influencing Government Cross-Boundary Information Sharing: Preliminary Analysis of a National Survey was released by The Center for Technology in Government. The report is part of a long-term project to understand how governments share information across program, agency and jurisdictional boundaries as they work to improve programs and services. For example, some 700 survey participants from law enforcement and health care reported that clarity of roles and responsibilities; knowledge of organizational policies and information needs; informal problem solving; and information confidentiality, security, privacy and disclosure concerns were prominent in the course of their CBI initiatives. CTG will continue to analyze the project data to test the weight of each of the factors as compared to their overall influence, and make further results available in both academic and practitioner publications. [Report] [Source]
Online Privacy
Google announced on Wednesday that it has launched its Street View service to 11 cities in Canada, including Vancouver, Toronto, Montreal, and Ottawa, among others. Whether Google would ever be able to bring Street View to Canada was very much up in the air not too long ago. In September 2007, Canada’s Privacy Commissioner Jennifer Stoddart wrote to Google saying that she was concerned that the service might violate her country’s privacy regulations. [CNET]
The results of the first national survey of Americans’ attitudes toward behavioral targeting were issued earlier this week. The findings indicate that two-thirds of Americans don’t want to receive tailored ads online. The survey polled 1,000 adult Internet users. After learning more about the techniques online companies use to determine which ads to deliver, the percentage of those averse to the practice grew to between 73 and 86%. Wired drills down on the fact that 86% of respondents between the ages of 18 and 24 years indicated they were not in favor of advertising generated by the monitoring of their online activities, questioning the generally accepted notion of a “privacy generation gap.” [Source]
Privacy (US)
In a press release yesterday, The Privacy Projects officially announced its launch as a not-for-profit organization to encourage academic, “evidence-based” research into the effectiveness of privacy-related tools, policies and practices. Richard Purcell, CEO of the Corporate Privacy Group and chairman of the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee, will serve as president of The Privacy Projects. “Our goal is to provide evidence-based information to support the dialogue toward establishing increased corporate accountability and greater regulatory relevance to today’s information economy,” Purcell said. [Source] [http://theprivacyprojects.org/]
The American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants have published an updated version of their Generally Accepted Privacy Principles (GAPP). GAPP provide data protection criteria and materials for certified public accountants in the U.S. and chartered accountants in Canada. Version three of the principles will become effective on October 30. The revision includes more on information security as it relates to third parties and incorporates enhancements based on GAPP users’ feedback. “We consider the criteria of GAPP in our assessments related to privacy, and when we help design and build privacy governance, risk management and compliance programs,” says Brian Tretick, CIPP, executive director of Ernst & Young’s Privacy Advisory Services. [Source]
Privacy Enhancing Technologies (PETs)
New technology has allowed scientists to thoroughly comb the genome for changes associated with genetic diseases. Although sharing that data might help advance medical research, researchers are now suggesting that doing so would place the privacy of people involved in the study at risk. [Source]
RFID
The United States Department of Transportation (DOT) is soliciting bids from developers of radio frequency identification (RFID) technology in an effort to create license plates that can be identified without being seen, RFID Journal reports. The request comes in response to police complaints related to motorcycle “stunting,” in which bikers goad police into high-speed chases, and then elude the authorities by accelerating to speeds that can be in excess of 150 miles per hour. The project is being managed under the DOT’s Small Business Innovation Research program. Both data and personal privacy protection are considered to be critical elements to the adoption of any resulting product or system. [Source]
A Utah supermarket retailer uses The Giving Cart system to gain insight into consumer behavior, as well as provide shoppers with coupons, prizes and promotional material as they traverse the store’s aisles. [Source]
Security
The US Chief Information Officer Council has established a Security Metrics Taskforce that has been given the objective of developing “new metrics for information security performance for federal agencies that are focused on outcomes.” The metrics are expected to be complete by the end of this calendar year. Federal CIO Vivek Kundra noted in a blog post that “FISMA metrics need to be rationalized to focus on outcomes over compliance.” [Source] [Source] [Source]
Researchers at the University of Washington think it’s finally time to start paying some serious attention to the question of robot security, mainly because the robots can already be used to spy on us and vandalize our homes. Robots have emerged as popular consumer devices over the past few years -- primarily as toys, but also as household chore robots such as iRobot’s Roomba vacuuming machine. In a paper published this week the researchers took a close look at three test robots: the Erector Spykee, and WowWee’s RoboSapien and Rovio. They found that security is pretty much an afterthought in the current crop of robotic devices. “We were shocked at how easy it was to actually compromise some of these robots,” said the paper’s co-author. Some of today’s robots operate as wireless access points, and Kohno’s team found that a nearby attacker could connect to someone else’s robot quite easily. Robots such as the Rovio can also be controlled over the Internet, meaning that if a hacker could somehow sniff the victim’s user name and password, he could turn the robot into a remote-controlled spy machine. “We think that consumers should at least be aware that there is the possibility that someone would listen in on their robot and take over their robot and have mobile eyes and ears in their home,” said another co-author. “They’re little computers.” The University of Washington team says that as more sophisticated robots come online -- especially future generations of powerful household robots -- they could be misused in ways that their designers have not foreseen. In their paper, they discuss ideas such as “robot vandalism” -- even weak robots can push something fragile down a flight of stairs -- and “robot suicide.” Robots could be used to eavesdrop on conversations or frighten small children too, the researchers said.
The attacks that they can actually pull off may sound more creepy than scary, but robot makers will serve their customers best by thinking of these issues from the start, rather than having to patch machines after they get compromised. “Let’s think about security and privacy as one of the initial design goals,” he said. [Source]
Surveillance
Canada’s intelligence service can listen to the communications of Canadians who are traveling abroad and pose a threat to national security, the Federal Court has ruled. The court released a decision this week approving a warrant allowing Canadian Security Intelligence Service officers to eavesdrop on two Canadians who went overseas earlier this year. Justice Richard Mosley said CSIS could do so because, even though the targets of the investigation were in a foreign country, the communications were to be collected within Canada. The 41-page ruling clarifies the powers of CSIS to investigate terror suspects who have left Canada to train, meet co-conspirators or participate in overseas conflicts. Previously, the Federal Court had refused to issue warrants to CSIS to investigate terrorists overseas, saying the court lacked the jurisdiction to do so. But Justice Mosley said the circumstances in this case were different because the eavesdropping was to occur in Canada. CSIS had said it would enlist the Ottawa-based Communications Security Establishment, the government’s top secret electronic eavesdropping agency, to intercept the conversations from listening posts inside Canada. The 41-page ruling has been partly censored and contains few details of the case, but it says CSIS had asked for the warrant on Jan. 24 “in respect of newly identified threat-related activities.” The court granted the warrant at the time, although a declassified version of the ruling has only now been released. [Source]
A new internet game is about to be launched which allows ‘super snooper’ players to plug into the nation’s CCTV cameras and report on members of the public committing crimes. The ‘Internet Eyes’ service involves players scouring thousands of CCTV cameras installed in shops, businesses and town centres across Britain looking for law-breakers. Players who help catch the most criminals each month will win cash prizes up to £1,000. The Internet Eyes’ website will also feature a rogue’s gallery of the so-called ‘criminals’ along with a list of their offences and which internet user caught them. But civil rights campaigners today condemned the game, which launches next month, and branded it ‘a snoopers paradise’. They claim nosey neighbours could snoop on homeowners putting the wrong rubbish in bins and even motorists guilty of the most minor misdemeanors. Last month it was revealed that Britain has 4.2 million CCTV cameras - the equivalent of one per 14 people - one-and-a-half-times as many as Communist China. [Source]
Telecom / TV
On Thursday, October 8, Comcast began testing a service that alerts its broadband subscribers with pop-ups if their computers appear to be infected with malware. Among the indicative behaviors that trigger alerts are spikes in overnight traffic, suggesting the machine has been compromised and is being used to send spam. Comcast also uses information supplied by research groups about IP addresses that appear to have been infected with malware. The Comcast test program appears to be the first in which a major Internet service provider (ISP) is taking measures to alert customers to potential security issues. Comcast Constant Guard is being piloted in Denver. The alerts will direct users to Comcast’s antivirus center where they can receive help cleaning their machines of malware. [Source] [Source]
US Legislation
The U.S. Senate Judiciary Committee this week voted 11-8 to approve the USA PATRIOT Act Sunset Extension Act with a handful of amendments. One of the most controversial portions of the bill allows the U.S. FBI to obtain warrantless subpoenas to get personal information from ISPs, telephone carriers and other businesses. The National Security Letter (NSL) program allows the FBI, and potentially other U.S. agencies, to issue letters to businesses or organizations demanding information about targeted users or customers. E-mail messages and phone records are among the information that the FBI can seek in an NSL. The NSL program does not require government agencies to show probable cause that the target users have committed a crime, and the program does not require that courts approve the subpoena letters. The program also prohibited businesses and organizations from disclosing to the public that they had received a National Security Letter, although in December, a U.S. appeals court struck down that provision as violating free speech guarantees in the U.S. Constitution. The U.S. Department of Justice is appealing that decision. The bill approved in committee Thursday “falls far short” of restoring civil liberties compromised in the original Patriot Act, the ACLU said. The bill makes only minor changes to the Patriot Act, the organization said. [Source]
The House Energy and Commerce Committee this week approved a bill aimed at protecting users from inadvertently sharing information meant to stay private. The Informed P2P User Act would require file-sharing providers such as Limewire to offer “clear and conspicuous” notification to users before making files on their computers available for sharing. The programs would also be prohibited from surreptitiously installing software on users’ computers and could not be structured to prevent their removal from users’ computers. Companies that do not follow the rules would be in violation of Federal Trade Commission Act unfair and deceptive trade practices rules. [Source] [Source] [Source]
Workplace Privacy
According to a survey by Robert Half Technology, 58% of Canadian companies said they prohibit employees from visiting social networking sites (SNSs) while on the clock, the Vancouver Sun reports. Additionally, 22% make provisions for social networking for business purposes, 16% make allowances for some personal use social networking, and three percent have no restrictions. Vancouver-based telecommunications company Telus, which employs 35,000 across Canada, is among those without restriction. “People are going to take breaks in their day,” said Telus spokesperson Shawn Hall, adding that, from the company’s perspective, using SNSs to communicate on breaks is no different from grabbing a cup of coffee. [Source]
+++