Privacy News Highlights

01–09 April 2010


Contents:

CA – Insurance Company Challenges PIPEDA Jurisdiction

CA – BC Privacy Commissioner: Gov’t Has No “Culture of Privacy”

CA – Catholic Church Hides Behind Privacy Laws: Residential School Abuses

CA – Privacy Quiz Aims to Educate Small Businesses

US – FTC Complaint Focuses on Tracking, Profiling Consumers

US – Adzilla Suit Settled, Questions Remain

EU – Personal Data: A Comic Book for European Young Adults

US – Making Voting Systems Open Source Could Forever Change Election Technology

US – Navy Took More Than a Year to Announce Personal Data Breach

US – Public Opinion Shows Concern About ONC Data Project

EU – At Madrid Meeting, EC Will Seek Privacy, Reciprocity

UK – New ICO Breach Fines £500K Start: a 100-fold Increase

EU – German Minister Criticizes Facebook on Privacy

WW – Facebook Users Not Wild About New Privacy Changes: Survey

EU – Irish DPA Report: Tighter Control of Data Needed

EU – Film Explores Escaping the “Surveillance State”

AU – Survey: Data Breach Costs - $2 Million per Incident, on Average

WW – E-Snooping on Significant Other Increasingly Common

EU – European Commission Proposes Net Blocking and Defends Illegal Activity

AU – Australian Plan to Filter Internet Meets With Criticism

US – Washington Law Lets Banks Recover Breach Costs

UK – ICO: Nearly a Third of Police Bodies Failing their FOI Obligations

US – NIST Workshop Takes First Steps toward Standards for Preserving Digital Data

US – DoJ to Create Online FOIA ‘Report Card’ Grading 92 Agencies

UK – Conservatives Drop Opposition to DNA Proposals Following Ultimatum

AU – NSW State Puts DNA and Forensics Under Microscope

CA – IPC Paper: Applying Positive-Sum to Health Care Data

CA – Patient Access Rights Strengthened With Amendments to Health Information Act

CA – Saskatchewan Critics Rattled Over New Patient Opt-Out Privacy Rules

UK – NHS Breaks Pledge: Sends Millions of Confidential Patient Records to India

US – Medical Data at Risk: Computer Theft, Staff Negligence & Inside Hackers

US – Stolen Laptops Put 5,000 Patients’ Data at Risk

US – Countrywide Sold Private Info, Class Claims

US – Lawsuit Says McAfee Plays Loose With Customer Data

US – Lenders Overlook the Warning Signs of ID Theft: Study

IN – 2010 Indian Census Will Help Build National Biometrics Identity Database

WW – Tubingen Computer Scientists Develop a Comfortable and Secure Login Method

WW – Visual Artists to Sue Google Over Vast Library Project

US – Feds Developing Cloud Security Program

WW – Calls for Greater Cooperation in the Fight Against Cybercrime

EU – New Media, Search Engines and Network Neutrality on 2010 CoE Agenda

NZ – New Zealand Privacy Commissioner Shroff Pushing UN Privacy Treaty

UK – Stalker Jailed for Framing Man

WW – Potential Facebook Privacy Changes in the Works

WW – Suit Claims Google Buzz Violated Privacy

WW – Google Buzz Gets New Privacy Controls

US – Entrepreneur Deletes Social Networking Data to Avoid Lawsuit

WW – Professional Reference Hub in Beta

MY – House Passes Data Protection Bill

US – New FTC Commissioners Take Oaths

US – New Advisory Board Members Join EPIC

US – Security Flaws Found in Smart Meters

WW – Companies Should Reevaluate Security Resource Allocations

US – Report Calls for C-level Involvement in Cybersecurity

WW – Canadian Researchers Reveal Online Spy Ring Based in China

WW – Researchers Sound Alarm on Web App ‘Side Channel’ Data Leaks

US – Court Says NSA Illegally Wiretapped Two Americans

CA – Alberta Cops Want Warrantless Access to Cell & Computer Records

UK – CIA Given Details of Almost 1000 British Muslim Students

US – Half of NYC Subway Surveillance Cams Don’t Work

UK – Road Cam Net Allows Police to Snap & Store 14m Drivers Per Day

EU – Airline Passenger Conversations & Movements to be Monitored under EU Project

UK – Digital Economy Bill Assigns Users Burden of Protecting Wireless Networks

US – Court Rules for Comcast Over FCC in ‘Net Neutrality’ Case

US – No-Fly List Has Doubled in Size and Will Get Bigger, Say Gov’t Officials

US – Former DOJ Lawyers: ECPA Outdated

US – Legislation Would Remove Birth Dates from Open Records

US – Legislation Planned to Keep Inmates from Data

US – Court Rules that Employee-Attorney E-Mails Are Private



Canada


CA – Insurance Company Challenges PIPEDA Jurisdiction

Later this month, Canada’s Federal Court will hear a case that has the potential to radically change the nation’s privacy protections. Law Professor and regular Star columnist Michael Geist says State Farm Mutual Automobile Insurance Co. will argue that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000, oversteps the federal government’s jurisdictional power. The case stems from a 2005 State Farm customer’s request to know which third parties had access to his personal information, which State Farm refused to provide. Geist writes that “if successful, PIPEDA would no longer apply to thousands of Canadian businesses and new legislation such as the Electronic Commerce Protection Act (ECPA) would be imperilled.” [Toronto Star] [State Farm challenges Canada’s privacy law in court]


CA – BC Privacy Commissioner: Gov’t Has No “Culture of Privacy”

The British Columbia government’s push for greater power to collect and widely share citizens’ personal information should be refused given the province’s dismal recent record at protecting privacy, acting information and privacy commissioner Paul Fraser told a committee reviewing British Columbia’s freedom of information and protection of privacy act. “The government had not yet established what we call a ‘culture of privacy,’” said Fraser, referring to his office’s conclusion from a recent investigation into a privacy breach. “That’s not just a buzz word. It’s a real expression of concern.” The commissioner offered several recommendations for improving access to government records, but argued that it is unnecessary to change the act’s privacy provisions. Last week senior government officials told the same committee that they needed sweeping new powers to collect people’s information, without their consent, and share it across the government as well as with non-governmental organizations and the police. They also wanted to be able to have that data stored outside of Canada. They made the arguments as the government proceeds with a $180 million integrated case management system that will include computer files shared between the ministries of child and family development and housing and social development. This week Fraser took a sceptical look at the government’s pitch, drawing on recent examples of government privacy problems. “Expediency has consistently trumped privacy,” he said. “Information is not being managed properly now, so how does that portend for the future?” [Source] See also: [Interim BC Commissioner’s Term Set to Expire on April 12]


CA – Catholic Church Hides Behind Privacy Laws: Residential School Abuses

The Roman Catholic Church is balking at the release of Indian residential schools documents that name individual church members, insisting its concern is purely about respecting Canada’s privacy laws and not an attempt to cover up new allegations of abuse. But the research director for Canada’s Truth and Reconciliation Commission says the denominations involved in residential schools are being unco-operative, and suggests the Catholic church in particular fears more abuse stories will come out against living members. The Conservative government and the churches that helped run Canada’s Indian residential schools are sitting on mountains of archived material, but not a single page has yet been turned over to the commission. For years, the churches, Ottawa and representatives of former students have negotiated behind the scenes over how to release the documents while respecting Canada’s privacy laws. All the churches say they are being co-operative. There now appears to be broad agreement that names of individual students will be released only with their permission, but it remains undecided whether the names of church members - whether dead or alive - will be revealed. Pierre Baribeau, the lawyer who speaks on behalf of 54 Catholic entities involved in the agreement, said Catholics are the ones waiting on the commission to produce a clear policy for how documents can be released while respecting federal and provincial privacy laws. [Globe & Mail]


CA – Privacy Quiz Aims to Educate Small Businesses

Canada’s Office of the Privacy Commissioner (OPC) has posted an educational quiz to its Web site as part of an effort to help small businesses identify risks. Rotating sets of five questions comprise the quiz, and answers provide links to OPC documents with additional information. Topics covered include privacy laws, video surveillance and user consent. The OPC will continue to revise questions as new privacy issues emerge. [Source] See also: [Personal Health Information Act: Are You Ready for PHIA? Take Readiness Audit - Newfoundland and Labrador Medical Association]


Consumer


US – FTC Complaint Focuses on Tracking, Profiling Consumers

The Center for Digital Democracy, U.S. PIRG and World Privacy Forum plan to file a complaint today with the FTC questioning the tracking and profiling practices Internet companies use to target consumer advertising. The privacy advocates contend that newer methods of targeted advertising are especially problematic because of the detailed user profiles that result from integrating online and offline information. The groups allege this “massive and stealth data collection apparatus threatens user privacy,” the report states, and are asking the FTC to compel companies to obtain express consent from consumers before targeting them with ads based on their online activities. [Mercury News] See also: [Microsoft’s web privacy push: ‘We’re the anti-Google’]


US – Adzilla Suit Settled, Questions Remain

A privacy lawsuit launched against behavioral targeting company Adzilla and its partners last year has been settled, but the settlement “leaves unresolved whether it’s legal to target Web users based on data purchased from Internet service providers.” Under the settlement terms, Adzilla must “require opt-in consent of consumers” should it resume ISP-based ad targeting in the U.S. The company halted operations in 2008, the report states. A Richmond, Virginia, resident brought the suit forward after realizing that Adzilla had been tracking her online activity via her ISP. [MediaPost News]


EU – Personal Data: A Comic Book for European Young Adults

Information and communication technologies (telephone, Internet, emails, blogs and social networks) make daily life and relationships with our relatives, friends or even strangers easier. Young people and young adults make particularly intense use of them. However, unless we are careful, they can lead us to hand over excessive amounts of our personal data, facilitating surveillance of our private lives. Protection of personal data is crucial to respect for privacy. The European project “Sensitization and information of young European citizens on the protection of their personal data” takes stock of the situation in nine EU countries (Czech Republic, Finland, France, Germany, Greece, Netherlands, Romania, Spain and United Kingdom) and of the European legislation. This 18-month project started in January 2009 and is funded by the “Fundamental Rights and Citizenship” programme of the European Commission. It is coordinated by the French League of Human Rights (LDH), in partnership with the European Association for the Defense of Human Rights (AEDH), European Digital Rights (EDRi), the Czech association Iuridicum Remedium (IuRe) and the Spanish association Comunicació per a la Cooperació (Pangea). The project aims at raising citizens’ awareness of the issue of privacy protection. Country reports, a comparative analysis of the various situations and an inventory of the legislation and practices in the EU are being produced for that purpose. They will come with recommendations to public authorities. For now, the project has publicly released the comic book “Under Surveillance”, which it produced as an information and awareness tool for young adults. Press release: Personal data: a comic book to raise awareness among European young adults (7.04.2010). French version: Personal data: a comic book for young European adults to become aware, get informed and protect themselves in everyday life (French, 7.04.2010) [Comic Book “Under Surveillance” | Cover]


E-Government


US – Making Voting Systems Open Source Could Forever Change Election Technology

The nonprofit Open Source Digital Voting (OSDV) Foundation is developing a suite of open source election software that allows users to see and tweak the underlying computer code, which advocates say enables a global expert community to assess the code’s security and make positive changes. OSDV’s Greg Miller says that eight U.S. states are engaged in the foundation’s Trust the Vote project, and custom, modular tools might be necessary to address different jurisdictions’ various requirements and needs. Customization will be built into the OSDV’s suite, which could prove essential in the extremely scattered voting system market. Miller says the foundation’s goal is to have all of its election elements in place and a system that is ready for federal certification by the time of the general election in 2016. OSDV developers already have built an online open source voter registration tool, and a series of Web-based data management services are either deployed or in the prototype phase. [Government Technology]


US – Navy Took More Than a Year to Announce Personal Data Breach

Government employee organizations are asking the Navy for identity-theft insurance following the notification that the personal data of 244 employees was inadvertently released to a “non-government entity.” The breach occurred in June of 2008, but employees were not notified until October of 2009, the report states. According to the notification letter sent to the employees, Navy officials are “not aware of any evidence to suggest that your PII (personally identifiable information) has been misused or further distributed...” However, the National Association of Government Employees is concerned about the risk of “loss of reputation” and, potentially, “loss of their security clearance” due to the breach, the report states. [Washington Post] Unrelated: [Heineken Code of Whistleblowing: full procedure]


Electronic Records


US – Public Opinion Shows Concern About ONC Data Project

David Blumenthal of the Office of the National Coordinator (ONC) for Health Information Technology is asserting that the National Information Exchange Model (NIEM) is not a “Trojan Horse” to funnel patient data to government agencies. Blumenthal referred to speculation about whether NIEM “might make it inevitable” that data is transmittable “to the Department of Justice, the Department of Homeland Security, the CIA, the NSA – I don’t know where else,” the report states. However, a recent survey indicates Americans do not trust the government with their medical information. According to the results of a Ponemon Institute survey of 883 adults, only 23% responded that they trust the federal government to protect the privacy of their health records. [Modern Healthcare] See also: [Health Goes Digital: Balancing Privacy and Innovation of Electronic Medical Records]


EU Developments


EU – At Madrid Meeting, EC Will Seek Privacy, Reciprocity

During a meeting with U.S. officials in Madrid this week, the European Commission (EC) will seek the right for its citizens to sue in American courts if they believe airline passenger data transmitted to the U.S. has been misused. The commission will also ask U.S. Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano to share information about U.S. travelers, the report states. “We need a balance between security and justice and a relationship based on real reciprocity,” EU justice commissioner Viviane Reding said. At the Thursday-Friday meeting, officials will also discuss EU-U.S. sharing of bank transfer data and airport body scanners. [New York Times]


UK – New ICO Breach Fines £500K Start: a 100-fold Increase

From Tuesday 6 April, the Information Commissioner’s Office (ICO) will get enhanced powers to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Previously the maximum fine was a paltry £5,000. The tougher measures will be imposed alongside compulsory audit notices to central government departments found culpable for data breaches. The new powers for the UK’s privacy watchdog are designed to deal with serious personal data breaches that arise through negligent behaviour. Precautions an organisation had previously applied as well as the circumstances of a breach will be taken into account in deciding a fine. Revised guidelines state that the most severe fines will be imposed in cases where the “data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress”. The enhanced powers for the ICO were approved by parliament three months ago. However a recent survey found that two thirds of 500 city workers (65%) are still blissfully unaware that they could cost their organisation £500K if their actions cause a “deliberate or negligent” breach of personal data. The study, sponsored by Cyber-Ark Software, found that employers are often doing little or nothing to inform workers of important changes in UK data privacy rules. The survey found that 64% of those quizzed carry customer data on mobile devices, with only 12% using encryption to protect data from prying eyes in the event of a loss. A further 50% of mobile devices are protected only by basic password defences, and 38% store sensitive data without any protection at all. [The Register]


EU – German Minister Criticizes Facebook on Privacy

In an open letter, German Consumer Protection Minister Ilse Aigner has urged Facebook CEO Mark Zuckerberg to revise the company’s privacy policy “without delay.” Referring to more planned changes to the site’s privacy settings, Aigner wrote, “I was astonished to discover that, despite the concerns of users and severe criticism from consumer activists, Facebook would like to relax data protection regulations on the network even further.” According to the report, Aigner stressed that the company should not allow users’ personal data to be shared with third parties for commercial purposes without users’ consent. “Private information must remain private,” Aigner wrote. [Washington Post]


WW – Facebook Users Not Wild About New Privacy Changes: Survey

Facebook CEO Mark Zuckerberg certainly raised many eyebrows when in January he suggested that people’s growing level of comfort with sharing personal information through social networks was a sure sign that people’s expectations of privacy have dwindled in the last five years. And hey, considering all the stuff that people reveal about themselves on blogs, video blogs and their Facebook profiles (drunken binges, affair confessions, when they take off on vacations and leave their houses alone, etc.), he might be right. Or then again, he may not. UK-based security firm Sophos recently asked some of its Facebook and Web site readers what they thought about the new privacy changes Facebook proposed last month. The changes would basically enable the popular social network to automatically share information about its users with third-party pre-approved sites. Survey says? 95% of respondents hated the idea. Only 2% supported the changes and 3% didn’t understand what Facebook wanted to change. The proposed changes would enable Facebook to share user information with third-party Web sites while the user remains logged onto Facebook. Contrary to previous changes to their privacy settings, this would be something you’d have to opt out instead of opting in. Facebook has said it would partner with only a small number of carefully vetted Web sites while it tests the feature and would require them to prominently offer an opt-out option. “Once again, it feels like online privacy is being eroded by stealth,” said Graham Cluley, senior technology consultant at Sophos. “Too many websites are chipping away at their members’ privacy and security, potentially exposing their personal data to third parties that were never in the equation when they first signed-up for the service. Facebook would be doing its hundreds of millions of users a service if it thought again about this new privacy policy.” [San Francisco Chronicle (blog)]


EU – Irish DPA Report: Tighter Control of Data Needed

Data Protection Commissioner Billy Hawkes released his annual report for 2009 this week. The commission investigated 914 complaints last year, which is slightly fewer than in the two previous years. The commission issued several calls for increased data protection in 2009. Among them, it ordered the Health Service Executive (HSE) to increase controls around patient data. “The HSE holds the most sensitive detail about people – patient data,” Hawkes said. “It’s very important that is minded carefully so that we can all trust the health service when we use it.” [Belfast Telegraph] [DP Commish Annual Report Blasts Health Service] [Shocking data breaches are rife in Irish public sector]


EU – Film Explores Escaping the “Surveillance State”

The advocacy group Privacy International has ranked the UK just behind such nations as Russia and China in terms of its use of surveillance. In an interview with filmmaker David Bond, the magazine explores Bond’s experiment spending a month escaping detection, which was prompted by the government’s loss of his newborn daughter’s personal information in 2007. Bond’s experiences resulted in the creation of a documentary entitled “Erasing David.” Going “off the grid,” Bond says he learned that, “We’re normalized to living an utterly exposed life. But there’s value in privacy – it’s a tremendously uplifting and strengthening feeling, to feel like you can withdraw. Not because you’ve got anything to hide, just because you want to.” [TIME]


Facts & Stats


AU – Survey: Data Breach Costs - $2 Million per Incident, on Average

One of the first comprehensive local surveys of data breach costs shows organisations sustained financial losses of almost $2 million on average per incident, with an average $123 spent to deal with each compromised record. The 2009 Australian Cost of a Data Breach study, conducted by US-based Ponemon Institute on behalf of data encryption specialist PGP, examined the actual financial losses incurred by 16 organisations from different industry sectors following a data loss, with breaches ranging from around 3300 to 65,000 lost or stolen records. In the most expensive incident, one organisation spent more than $4m to resolve a single event. The average cost of a data breach globally stands at $US204 per record, or about $US6.75m per incident; the study also warned that new cloud and mobile environments require security built in from the outset. 31% of breaches were due to external causes, where third parties such as professional service providers, outsourcers, vendors and business partners were responsible for protection of the data; offshore breaches were also more costly to rectify. And 31% of cases involved the loss or theft of a laptop or mobile device containing sensitive information. The study concludes that organisations must do more to defend against increasingly aggressive outsiders. [The Australian]


WW – E-Snooping on Significant Other Increasingly Common

In a recent survey, a whopping 38% of respondents under 25 years old said they found the chance to “eavesdrop” on their boyfriend’s or girlfriend’s BlackBerry call logs, text messages, and e-mails simply too tempting. Even worse, of those who snooped, one in 10 found unfaithful behaviour. Across all age groups, 28% have snooped on their significant others. Men are just as likely to snoop as women. Married couples snoop almost as much as dating couples, although only 3% of married snoopers uncover infidelities. [IT Business]


Filtering


EU – European Commission Proposes Net Blocking and Defends Illegal Activity

On 29 March 2010, the European Commission re-launched its initiative on child exploitation. This initiative was originally launched in March 2009 as a “Framework Decision”, but was withdrawn due to the entry into force of the Lisbon Treaty. With regard to Internet blocking, there are two crucial differences between the new proposal and the one launched last year. Both changes were made in order to try to reduce the opposition to the proposal to introduce EU-wide Internet blocking, thereby creating the basis for a continent-wide censorship infrastructure. Firstly, when the Commission launched its original proposal, the blocking measures would have required laws to be introduced in the Member States (as blocking would have been by judicial or police order). This is necessary in order for the measure to be in compliance with Article 10 of the European Convention on Human Rights. In the Council of Ministers, Member States such as Sweden and the United Kingdom that already have “self-regulatory” “voluntary” blocking opposed this measure as they did not want to introduce laws. As a result, the European Commission amended its proposal to simply require “measures” to be taken to bring about blocking. The second change was to create a vague and therefore legally unenforceable “obligation” on Member States to take the “necessary measures” to have the websites in question removed from the Internet. This measure duplicates a range of existing “binding” international obligations, such as those provided for in Article 34 of the UN Child Rights Convention. Would another vague and unenforceable obligation on Member States achieve anything? Well, not according to the European Commission, which argued (in its “impact assessment” of this proposal) that a Directive is necessary due to the lack of a “vigorous monitoring mechanism” in the Council of Europe Convention on child exploitation.
This new text does, however, permit the Commission to argue that it is not promoting blocking (with its specific obligation) ahead of deletion of sites (with its vague and unenforceable obligation) but is working on both measures simultaneously. [Proposal for a Directive on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA (29.03.2010)] [Impact assessment (25.03.2009)] [Commissioner Malmström’s blog on this issue] [MOGiS (abuse survivors against internet blocking): Remove, don’t block! - Act, and don’t look away!]


AU – Australian Plan to Filter Internet Meets With Criticism

US State Department officials have expressed concern over the Australian government’s plan to deploy Internet filters. The practice runs counter to the US policy of encouraging open Internet access around the world. Google has voiced its opinion that the Australian plan could inhibit the free flow of information and is likely to be ineffective in preventing the spread of offensive Internet content. [The Australian]


Finance


US – Washington Law Lets Banks Recover Breach Costs

A new law in Washington will let banks recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with Payment Card Industry (PCI) standards. Washington is the third state to enact such a law; Nevada and Minnesota impose similar requirements. The law will “put more pressure on companies to ratchet up their PCI compliance schedule,” said Jim Halpert, a partner at DLA Piper in Washington, DC. [esecurityplanet.com] See also: [United States: Is Your Bank’s Security System Adequate?]


FOI


UK – ICO: Nearly a Third of Police Bodies Failing their FOI Obligations

Almost 30% of police forces and authorities are not following an approved publication scheme as legally required under the Freedom of Information Act, the Information Commissioner’s Office (ICO) has said. The findings are based on a study published last week, in which Information Commissioner Christopher Graham urges police bodies to fulfil their obligations under the Act. All police forces are required to publish a range of information for the public on a proactive basis. In its second monitoring report since the introduction of the model publication scheme, the ICO found that 26 of the 90 police organisations inspected between October 2009 and January 2010 did not appear to be operating an approved publication scheme. [Police Professional]


US – NIST Workshop Takes First Steps toward Standards for Preserving Digital Data

A recent U.S. National Institute of Standards and Technology (NIST) workshop discussed the requirements for creating an international digital data preservation standard. “Everybody is doing their own thing to preserve data, but they are not doing it in a common way,” says NIST computer scientist Wo Chang. “This is a huge problem.” Chang says an approved standard is still at least two years away and then it will only address a preliminary set of needs. Any new standard will have to work within existing technology and infrastructure because there is so much data already in existence. Chang envisions adding new metadata about the formatting and metadata contained within the data envelope, which would enable users to identify the data and determine what is usable. “One thing that could help adapt data to a common standard for preservation would be to adopt a common workflow for capturing metadata in a systematic way,” Chang says. [Government Computer News]


US – DoJ to Create Online FOIA ‘Report Card’ Grading 92 Agencies

The U.S. Department of Justice (DOJ) will create a Web site that compares 92 federal agencies’ compliance with the Freedom of Information Act – in hopes that the virtual “report card” will encourage them to up their game in responding to the public. As part of the DOJ’s Open Government Plan – and in alignment with President Barack Obama’s Open Government Directive – the FOIA dashboard plan was announced Wednesday, April 7. The DOJ has a unique responsibility when it comes to FOIA. Federal law requires that the department provide guidance on FOIA-related issues to other agencies and that it collect information on FOIA compliance, DOJ new media specialist Tracy Russo wrote in a recent DOJ blog posting. The Web site will allow the public to “shine a light” on government FOIA compliance in an understandable, user-friendly manner, Russo said. Once fully operational, a user can track the number of FOIA requests a federal agency received over a year, whether agencies granted or denied the requests and, as the site is developed, how the handling of requests changed from year to year, according to the DOJ’s plan. Such information is already available in annual FOIA reports located on the DOJ Web site, but it’s “pages and pages of information” that’s not easily understood by the general public, Russo said. The FOIA dashboard will present such information graphically and make it more easily comparable from year to year and agency by agency. Aside from information being visually digestible, the site will allow users to sort and filter data and access only information of interest, the plan states. The dashboard will also include an educational component, which will explain statutory FOIA exemptions that allow the government to withhold information for reasons related to national security, personal privacy and the need to protect witnesses and informants cooperating in law enforcement investigations, the plan states. [Government Technology] See also: [EPIC’s Annual Champion of Freedom Award Dinner to be Held June 2]

 

Genetics

 

UK – Conservatives Drop Opposition to DNA Proposals Following Ultimatum

The Conservatives have dropped their opposition to the government’s crime and security bill, including its controversial provisions to allow the police to retain the DNA profiles of innocent people for up to six years. Instead of blocking the bill, the shadow home secretary, Chris Grayling, made a fresh commitment that the Tories would bring in early legislation to ensure the DNA profiles of innocent people arrested for minor offences would not be retained on the national police DNA database. The police would, however, be allowed to continue to keep the profiles of those arrested for serious violent or sexual offences. “We will not seek to block this bill because the indefinite retention of innocent people’s DNA is unacceptable and has been ruled illegal,” said Grayling. The decision follows a threat by the home secretary, Alan Johnson, to ditch the DNA provisions of the crime and security bill entirely, unless the Conservatives dropped their opposition to keeping profiles of innocent people on the database for up to six years. If Johnson’s threat had been carried out, the current system would be in breach of the European ruling, and other reforms – to introduce a uniform system of appeal for people to argue to have their profiles removed from the database – would also have been lost. [The Guardian] See also: [The dangers of growing DNA databases in the U.S.]

 

AU – NSW State Puts DNA and Forensics Under Microscope

One of the most encouraging developments this week was the NSW government’s far-sighted decision to review the way the criminal justice system deals with DNA and forensic evidence. It seems that somebody inside the Attorney-General’s Department has been following the intense debate among legal academics about the weight that the criminal justice system gives to this expert evidence. US television programs may well have added to the belief that forensic science is beyond doubt, when the reality is very different. Examples of flawed DNA evidence are stacking up. The fact that the NSW review will also be headed by a judge, Graham Barr of the Supreme Court, is a very positive sign. It should be enough to ensure that this review is not “captured” by those with something to hide. The NSW government insists that the timing of this inquiry has nothing to do with the High Court challenge by Benjamin James Forbes that could raise doubts about hundreds of criminal convictions -- in all states -- that have relied on DNA evidence alone. What NSW wants from this inquiry is a new regulatory framework. [The Australian]

 

Health / Medical

 

CA – IPC Paper: Applying Positive-Sum to Health Care Data

The Information and Privacy Commissioner of Ontario has released a paper with Dr. Khaled El Emam, Canada Research Chair in Electronic Health Information at the University of Ottawa, presenting a tool that minimizes both the risk of re-identification and the degree of distortion of databases of personal health information (“PHI”). In Ontario, health information custodians have a general obligation to collect, use and disclose de-identified PHI rather than identifiable PHI if de-identified data would be sufficient to serve the purpose. However, it is often possible to re-identify data where traditional de-identification methods have been used, in which case the information falls within the scope of PHIPA’s definition of PHI and is subject to the restrictions imposed by that Act. The risk of re-identification is a function of four factors: the re-identification probability, the mitigating controls in place, the motives and capacity of the data recipient, and the extent to which inappropriate disclosure would be an invasion of privacy. Health information custodians must balance the mitigating controls against the re-identification probability, imposing additional controls (e.g. audit requirements and a breach notification protocol) as the probability of re-identification increases. [IPC] See also: [Protecting Healthcare Data In a Mobile World]
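The balancing described above can be made concrete with a small calculation. The following is an added example, not the IPC/El Emam tool or any code from the paper; it assumes that the re-identification probability of a record is estimated as 1 divided by the number of records sharing the same quasi-identifier values (the usual equivalence-class approach), and the control-tier thresholds and the sample records are constructed for illustration.

```python
"""Added example: estimate re-identification probability for a de-identified
health dataset and map it to a tier of mitigating controls.
Not the IPC/El Emam tool; thresholds and data are assumed/constructed."""
from collections import Counter

# Constructed sample of de-identified records. Direct identifiers (name, health
# number) are already removed; what remains are quasi-identifiers:
# (age band, postal-code prefix, sex).
SAMPLE_RECORDS = [
    ("30-39", "K1A", "F"),
    ("30-39", "K1A", "F"),
    ("30-39", "K1A", "F"),
    ("30-39", "M5V", "F"),   # unique combination: probability 1.0
    ("40-49", "K2P", "M"),
    ("40-49", "K2P", "M"),
]


def equivalence_classes(records):
    """Group records by their quasi-identifier values; class size drives the risk."""
    return Counter(records)


def max_reid_probability(records):
    """Worst-case probability that a single record maps to one person:
    1 / (size of the smallest equivalence class)."""
    classes = equivalence_classes(records)
    return 1.0 / min(classes.values())


def average_reid_probability(records):
    """Average over records of 1/class size, which reduces to
    (number of classes) / (number of records)."""
    classes = equivalence_classes(records)
    return len(classes) / len(records)


def required_controls(probability, recipient_is_trusted=True):
    """Map a re-identification probability to mitigating controls.
    The tiers and thresholds are assumptions for illustration only: the
    paper states that controls must increase with the probability, and that
    the recipient's motives and capacity are a separate factor, so an
    untrusted recipient is pushed one tier up."""
    tier = 0 if probability <= 0.05 else 1 if probability <= 0.2 else 2
    if not recipient_is_trusted:
        tier = min(tier + 1, 2)
    tiers = [
        ["data sharing agreement"],
        ["data sharing agreement", "access audit logging"],
        ["data sharing agreement", "access audit logging",
         "breach notification protocol", "further generalization before release"],
    ]
    return tiers[tier]


def suppress_postal(records):
    """One mitigation: drop the postal prefix so classes become larger."""
    return [(age, sex) for age, _postal, sex in records]


def assess(records):
    """Return (max probability, average probability, controls) for a dataset."""
    p_max = max_reid_probability(records)
    return p_max, average_reid_probability(records), required_controls(p_max)
```

On the constructed sample the worst-case probability is 1.0 because one record is unique; suppressing the postal prefix merges it into a class of four and brings the worst case down to 0.5, which still lands in the highest control tier. A custodian would keep generalizing (or restrict the recipient) until the probability and the controls in place are in balance.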

 

CA – Patient Access Rights Strengthened With Amendments to Health Information Act:

New amendments to the Manitoba Personal Health Information Act (PHIA) will improve patient access rights and privacy standards by helping Manitobans understand how to access their personal health information and how it is shared with others, creating a stronger culture of patient care and safety in the health-care system, Health Minister Theresa Oswald announced this week. The changes to PHIA will:

o require a hospital to respond to a request from an inpatient as soon as reasonably possible, but no later than 24 hours from receiving the request for access to information about care currently being provided;

o require providers in all other settings, including for hospital outpatients and in personal care homes, doctors’ offices and other community health services, to respond to requests for information about care currently being provided within 72 hours of receiving the request;

o require that patients be provided with information about their rights to access their personal health information and to authorize another person to access that information on their behalf;

o clarify the consent needed before a patient’s personal health information can be shared;

o permit the disclosure of information to police services to help them locate an individual reported as missing;

o permit the disclosure of information about current health-care services to family members and close friends of a patient when those services are being provided in the individual’s home; and

o permit the disclosure of patient information to community clergy who provide spiritual care to their congregations in hospitals or personal-care homes and to health-facility fundraising foundations for charitable purposes, while at the same time respecting a patient’s right to object to having their information shared.

The amendments come into effect on May 1. Manitoba Health and the ombudsman’s office are developing a brochure and poster on how Manitobans can access their personal health information and how this information may be accessed by others. These documents will be available by May 1 at a wide range of health care facilities. The act applies broadly to the health-care sector in Manitoba including hospitals, personal-care homes, regional health authorities, health professionals and other health-care organizations. It also applies to government departments and other public bodies across the province that hold personal health information. [canadaviews.ca]

 

CA – Saskatchewan Critics Rattled Over New Patient Opt-Out Privacy Rules

The Saskatchewan government’s decision to amend privacy rules that will allow the names and addresses of hospital patients to be used for fundraising is receiving opposition from the province’s privacy commissioner and the NDP. “The intention of this change is to make it easier for publicly-funded health facilities to identify people who might be motivated to donate, while maintaining meaningful protection of patients’ privacy,” said Health Minister Don McMorris in a news release. But Gary Dickson, Saskatchewan’s privacy commissioner, said the government should not be putting convenience for fundraisers above the privacy of patients. “Information that’s provided so we can be diagnosed and treated shouldn’t be shared with any third party without the consent of the patient,” said Dickson. “This obviously violates that. If I provide information to Regina Qu’Appelle health region for treatment I wouldn’t expect that to be shared with a fundraising body that has nothing to do with treating or diagnosing me.” The provincial NDP said in a news release that the government should have consulted patients and the public before reaching a decision. “Health Minister Don McMorris says his government consulted with the health regions and hospital administrators before coming to the decision that it was somehow conscionable to release patients’ personal contact information to health organizations for fundraising,” said NDP health critic Judy Junor in a press release. “Yet the most important people who should have been consulted - the patients, the public - were left in the dark.” Former patients will be allowed to opt out and the amended rules won’t apply to children, patients in palliative care and residents of long-term care homes, provincial officials said Tuesday. The amendment, which was approved last week, comes into effect in May. [CBC News]

 

UK – NHS Breaks Pledge: Sends Millions of Confidential Patient Records to India

The NHS is sending millions of patient records and confidential medical notes to India for processing - despite a pledge by Labour that personal information would not be sent overseas. It is the first time that databases of names, addresses and NHS numbers of patients have been sent abroad, along with private information about medical appointments. NHS managers, under pressure to cut costs, are implementing the changes despite warnings about poor security in some offshore centres. The Sunday Times has identified seven primary care trusts in northeast London, serving more than 1.5m people, that have begun to send patient details overseas. The databases are administered by about 200 workers in Pune, western India. [Times Online]

 

US – Medical Data at Risk: Computer Theft, Staff Negligence & Inside Hackers

A new study from the Healthcare Information and Management Systems Society reports that since January 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data affecting over 5,306,000 individuals. The findings, published in the 2010 HIMSS Analytics Report: Security of Patient Data, show that the vast majority of the 250 healthcare IT and security professionals surveyed have policies, procedures and technology in place at their organizations to prevent data theft. But changes made to protect medical records haven’t curbed the number of reported breaches, which increased six percent since 2008. HIMSS’s Analytics unit did the study in partnership with Kroll Fraud Solutions, a provider of data protection and identity theft response services. More than 40% of survey respondents reported that data loss incidents were caused by theft (stolen laptops, computers, or media/tapes). Another 27% were the result of loss by staff or third parties; malicious insiders caused 20%; and 9% were caused by system hacks, Web exposure, and virus attacks. The organizations in question have security policies in place, said Brian Lapidus, Kroll’s chief operating officer. But “the gap between security policy and actual behavioral change is still significant,” he said. [InformationWeek] See also: [How some ex-employees turn to cybercrime]

 

Horror Stories

 

US – Stolen Laptops Put 5,000 Patients’ Data at Risk

A California Hospital is providing one year of free identity theft protection to 5,450 patients whose personal and health information was potentially breached after the theft of two laptop computers. Officials at John Muir Health notified police and the U.S. Department of Health and Human Services after discovering the theft two months ago. The laptops were password protected and “contained data in a format that would not be readily accessible,” said Muir’s chief compliance and privacy officer, though the data was not encrypted. Muir officials say there is no evidence that the patient data has been compromised, and that it has now installed encryption software on the hospital system’s laptops. [San Francisco Business Times]

 

US – Countrywide Sold Private Info, Class Claims

Countrywide Financial employees stole and sold “tens of thousands, or millions” of customers’ personal financial information, invading their privacy and exposing them to identity theft, a class action claims in Ventura County Court, Calif. The class seeks to know, among other things, whether Countrywide merely aided and abetted the theft and illegal dissemination, or whether it was “an architect of the plan”. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of America, which bought Countrywide, the poster boy for the subprime mortgage crisis. The class claims the defendants do not dispute that customers’ private financial information was “disseminated.” It wants to know “whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information.” The class claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. It adds that the defendants delayed informing customers about the breaches to “gain time and money to extricate defendants from the financial stress [they] had created.” The class seeks more than $20 million for invasion of privacy and aiding and abetting, and punitive damages. It is represented by Mitchell Stein of Walnut Creek. [Courthouse News Service]

 

US – Lawsuit Says McAfee Plays Loose With Customer Data

McAfee, a household name for computer virus-protection, is facing accusations it dupes customers into purchasing third-party services, and hands over consumer banking information to enable those transactions. A proposed federal class action in San Francisco claims that, once McAfee customers purchase McAfee software online, a pop-up appears even before the McAfee download begins. “The pop-up, mimicking the look of the other pages on the McAfee site, thanks the customer for purchasing McAfee software, and prompts McAfee’s customers to click a red button to ‘Try it Now,’” the lawsuit alleges. “The pop-up contains no obvious visual cues or conspicuous text indicating that it is an advertisement for another product, or that clicking on ‘Try it Now’ will lead not to the delivery of the McAfee product but rather to the purchase of a completely different product.” The unfair-business practices lawsuit comes as McAfee and rival Symantec are accused in a New York federal court of automatically renewing antivirus software subscriptions absent customer consent. [Wired]

 

Identity Issues

 

US – Lenders Overlook the Warning Signs of ID Theft: Study

Despite all the new fraud alert tools and increased awareness of the perils of identity theft, incidence of the crime remains at 2003 levels, with about 10 million Americans falling victim every year. ID theft experts and politicians blame the easy availability of personal data like Social Security numbers. But there may be a simpler reason for the persistence of ID theft: lenders are too willing to extend credit to just about anybody, even when there are big red flags that indicate fraud. That’s a thesis presented by a University of California, Berkeley lecturer, Chris Jay Hoofnagle, in a new report: “Internalizing Identity Theft.” Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their names, Mr. Hoofnagle worked with a small sample of six ID theft victims and delved into how they were defrauded. Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud. Yet in all 16 cases, credit or services were granted anyway. Solutions to the ID theft problem have focused on increasing criminal penalties for impostors and on educating consumers. But Mr. Hoofnagle argues that the perverse incentives of lenders – to sign up as many new customers as possible – are the heart of the problem and must be central to the solution. “Certain institutions have very high risk tolerances and those risk tolerances are rational,” he said. “Identity theft remains so prevalent because it is less costly to tolerate fraud.” Among the ways to move the cost of the crime back to issuers of credit, Mr. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems. [New York Times] [Daniel Solove commentary: How Identity Theft Is Like the Ford Pinto]

 

IN – 2010 Indian Census Will Help Build National Biometrics Identity Database

India’s 2010 national census is now underway as the government attempts to count the nation’s one billion people and gather data on everything from fertility, literacy and mortality to the number of mobile phones and Internet connections in households. Ultimately, the census will help build India’s National Population Register, a biometric database that includes photographs and fingerprints of every “usual resident” over the age of 15, the report states. The goal is to create a national identity card for everyone over 18, and the plan is raising concerns about the privacy implications. Usha Ramanathan writes in an op-ed for The Hindu that the ID database “will act as a bridge between silos of information that will help profile the individual.” [The Times]

 

WW – Tubingen Computer Scientists Develop a Comfortable and Secure Login Method

Tubingen University’s Bernd Borchert has developed a new method that saves smartphone users the trouble of memorizing and typing passwords and login names. The approach also addresses the threat of keyloggers: trojans on the computer into which a password is typed, which capture it for later criminal misuse. The user installs the application software on a smartphone. To access an account, the user opens the login page in a browser window on any computer and is shown a two-dimensional code, which must be scanned with the smartphone’s camera. The application processes the data and the smartphone contacts the account server, which checks the data, connects to the browser window on the computer and opens the user’s account. [AlphaGalileo]
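The exchange described above can be modelled as a short protocol between three parties: the browser on an untrusted computer, the phone, and the account server. What follows is an added example of that pattern, not Borchert’s implementation or the Tubingen software: it assumes the two-dimensional code carries a random one-time challenge minted by the server (a hex string stands in for the scanned image), that the phone holds a device key enrolled in advance, and that it proves possession of that key with an HMAC over the challenge. The time-to-live and all names are assumptions.

```python
"""Added example (assumed design, not Borchert's scheme): out-of-band login
where the browser displays a one-time challenge, the phone answers it with a
device key, and the server then binds the browser session to the user."""
import hashlib
import hmac
import secrets
import time


class LoginServer:
    CHALLENGE_TTL = 60  # seconds a displayed code stays valid (assumed)

    def __init__(self):
        self.device_keys = {}  # username -> device secret enrolled once
        self.pending = {}      # challenge -> (browser_session_id, issued_at)
        self.sessions = {}     # browser_session_id -> username, or None

    def enroll_device(self, username, device_secret):
        """One-time enrolment of the phone's key (out of scope of the login flow)."""
        self.device_keys[username] = device_secret

    def start_login(self, browser_session_id, now=None):
        """Browser opens the login page: the server mints a random challenge
        which the page would render as a 2-D code. Nothing secret is shown."""
        issued_at = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (browser_session_id, issued_at)
        self.sessions[browser_session_id] = None
        return challenge

    def confirm_from_phone(self, username, challenge, tag, now=None):
        """Phone contacts the server with (username, challenge, MAC).
        The challenge is single-use and time-limited; the MAC must verify
        under the enrolled device key before the browser session is opened."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # consume even on failure
        if entry is None:
            return False  # unknown, already used, or forged challenge
        browser_session_id, issued_at = entry
        if now - issued_at > self.CHALLENGE_TTL:
            return False  # stale code: user must reload the login page
        secret = self.device_keys.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.sessions[browser_session_id] = username  # "opens the user's account"
        return True

    def logged_in_user(self, browser_session_id):
        return self.sessions.get(browser_session_id)


def phone_sign(device_secret, challenge):
    """What the phone app does after scanning the code: a MAC over the
    challenge with the device key. The password (here, the key) never touches
    the computer, so a keylogger on it only ever sees a one-time code."""
    return hmac.new(device_secret, challenge.encode(), hashlib.sha256).hexdigest()


def demo():
    """Run one honest login, then show that replaying the same code fails."""
    server = LoginServer()
    key = secrets.token_bytes(32)
    server.enroll_device("alice", key)
    challenge = server.start_login("browser-1")
    first = server.confirm_from_phone("alice", challenge, phone_sign(key, challenge))
    replay = server.confirm_from_phone("alice", challenge, phone_sign(key, challenge))
    return first, replay, server.logged_in_user("browser-1")


if __name__ == "__main__":
    print(demo())
```

Two defender-side points the code makes explicit: the challenge is consumed on first use and expires, so a code captured from the screen cannot be reused later; and the scheme protects the credential, not the session, so malware on the computer could still act within the browser session once it is opened, which is why the server should keep sessions short-lived and re-challenge for sensitive operations.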

 

Intellectual Property

 

WW – Visual Artists to Sue Google Over Vast Library Project

Google’s library project is facing a new legal challenge, as groups representing visual artists plan to file a class-action lawsuit asserting that the company’s efforts to digitize millions of books infringes on their copyrights. The groups suing Google include the American Society of Media Photographers, the Graphic Artists Guild, the North American Nature Photography Association, and the Professional Photographers of America. The complaint claims that Google’s widespread copying efforts infringe on the rights of photographers and other creators of graphic works. “We are seeking justice and fair compensation for visual artists whose work appears in the 12 million books and other publications Google has illegally scanned to date,” says American Society of Media Photographers general counsel Victor Perlman. The lawsuit includes Google’s “partner program,” under which some publishers allow Google to include their books in the company’s book search service. The suit is not expected to delay or affect Google’s copyright settlement with authors and book publishers, which is awaiting court approval. [New York Times]

 

Internet / WWW

 

US – Feds Developing Cloud Security Program

A U.S. federal interagency working group is developing a unified, government-wide risk-management program that could greatly decrease the amount of security work agencies must do to access cloud services. The proposed new effort, called the Federal Risk and Authorization Management Program Pilot (FedRAMP), would give agencies a centralized approach to solving security problems such as certification and accreditation. FedRAMP will develop common security requirements for certain systems, provide ongoing risk assessments, and carry out government-wide security authorizations. Agencies also will be able to see what security controls have been conducted for different products and services. The program would make certification and accreditation processes simpler because they would only need to be carried out once per cloud service, and agencies could share security management services. Initially, the program would focus on public and private cloud computing technologies, but could eventually expand to cover traditional Web hosting and other domains. [InformationWeek]

 

WW – Calls for Greater Cooperation in the Fight Against Cybercrime

The fifth annual Council of Europe (CoE) conference on cybercrime is taking place this week in Strasbourg, France. During the conference delegates are looking at a number of ways to tackle the growing threat of cybercrime. These include greater cooperation between law enforcement and industry, ICANN to tighten up controls on domain name registration processes and for a worldwide implementation of the CoE’s Convention on Cybercrime. A total of 29 countries, which includes the USA and a number of European countries, have already ratified the convention, which was first introduced in 2001. Nineteen other countries have signed the convention but have yet to ratify it. The convention provides guidelines to countries that wish to introduce legislation against cybercrime and also provides a framework for international cooperation. [The Register] [Network World]

 

EU – New Media, Search Engines and Network Neutrality on 2010 CoE Agenda

The Council of Europe (CoE) Committee of experts on new media (MC-NM) held its second meeting on 25-26 March 2010 in Strasbourg. This group is a follow-up to the previous CoE Group of specialists on Human Rights in the Information Society (MC-S-IS), whose five-year mandate expired at the end of 2008, and to which EDRI was an observer. The group is thus exploring the challenges to human rights, especially to the right to freedom of expression and to privacy, posed by social network services (SNS) and search engines, and working on CoE Recommendations to member States in order to protect and promote these rights. Guidelines to other stakeholders, especially the providers of these services, will complement the Recommendations. MC-NM is at the same time addressing the new notion of media, in order to examine whether the understanding of media and mass communication services remains valid in the new information and communications environment: the challenges here relate to issues such as defining online journalism, ensuring freedom of expression, freedom of the press, democracy and pluralism, etc. The second MC-NM meeting was busy with examining three draft Recommendations on, respectively, the definition of new media, on SNS and on search engines, prepared by ad hoc subgroups. The next meeting of the MC-NM group is scheduled for September 2010. [CoE MC-NM, MC-S-CI and MC-S-NR public websites]

 

NZ – New Zealand Privacy Commissioner Shroff Pushing UN Privacy Treaty

A United Nations treaty may be required to protect privacy now that cloud computing, online search engines and the globalisation of direct marketing are resulting in “huge increases in international data flows”, says Privacy Commissioner Marie Shroff. Ms Shroff says global privacy standards and enforcement have been discussed by her counterparts in Canada and Australia. China is beginning to consider privacy legislation and calls for better regulation are growing in the United States. Draft international standards on the protection of privacy were agreed at a privacy commissioners’ conference in Madrid in November, but Ms Shroff says these are “very much a work in progress.” Some of the issues a treaty might tackle could include the collection of information by international search engines, the practice of companies contracting call centres in developing countries to carry out international telemarketing, and the protection of personal information when people use credit cards to purchase items from businesses in countries with no privacy law. “It would also potentially I hope apply to government uses of information as well. One of the drivers of international data flows is [counter] terrorism.” Ms Shroff says multinationals want more rules. Ten corporations including Microsoft, Google, IBM, Walt Disney, Procter and Gamble and General Electric signed a letter calling for international privacy standards before the Madrid conference, she says. [Source]

 

Law Enforcement

 

UK – Stalker Jailed for Framing Man

In the United Kingdom a 48-year-old man, Ilkka Karttunen, has been jailed for four and a half years for breaking into the house of a female work colleague and framing her husband for downloading child pornography. Basildon Crown Court heard how Karttunen became obsessed with his work colleague and hoped to develop a relationship with her by breaking up her marriage. He broke into her family home and, while the family was asleep, downloaded the illegal material onto the husband’s PC. He then stole the hard disk from the computer and sent it anonymously to the police with a note stating the origin of the disk. Police discovered Karttunen’s involvement when they searched his home and found a computer containing the entire contents of his victim’s home computer. [Times Online] [Net Security]

 

Online Privacy

 

WW – Potential Facebook Privacy Changes in the Works

The world’s most popular social networking site is inviting its 400 million users to comment on its most recent proposed changes, which could include sharing personal information with third-party Web sites. The new experiment would allow sites to access users’ personal information if they are logged into Facebook in the same browser they are using to visit the secondary sites. One example offered by Bret Taylor, a Facebook product director, would be posting a link to a song on your wall and then visiting the record label’s site, where you would be told which of your Facebook friends also liked the song. Facebook has said it will include opt-out functions for individual sites and for the program as a whole, the report states. [The Washington Post]

 

WW – Suit Claims Google Buzz Violated Privacy

A class action suit filed this week in federal court alleges Google’s Buzz social networking service violated the privacy rights of users of the company’s e-mail service when it automatically displayed their contacts to other users. Following customer complaints, Google modified the service, but the lawsuit contends the changes “do not go far enough” and the error “already caused damage because the Buzz program disclosed private user information the moment Google launched the service.” This week’s lawsuit follows a letter last month to federal antitrust authorities from 10 members of Congress requesting an investigation into whether Buzz compromised users’ privacy, the report states. [BusinessWeek]

 

WW – Google Buzz Gets New Privacy Controls

Google has created new privacy controls for its Buzz social networking service. The new privacy setting, which went into effect on Monday, includes a confirmation screen requiring users to confirm their privacy settings when they log onto Buzz, the report states. The new privacy controls include approving a list of subscribers to users’ Buzz feeds. Admitting the company “didn’t get everything right” when Buzz was launched in February, Google Product Manager Todd Jackson notes that Google has moved “as fast as possible” to improve it and protect the privacy of its users. [MediaPost News]

 

US – Entrepreneur Deletes Social Networking Data to Avoid Lawsuit

A Colorado entrepreneur has destroyed a database reflecting regional patterns among 210 million Facebook users after the company threatened to sue him for allegedly misusing the social networking site. Pete Warden says he gathered the data to share with researchers, while Facebook contends he did so without the company’s permission, violating the rules of the site. Warden started compiling the data while developing a search engine, the report states, and while he was not convinced his actions were against the law, he deleted the database because “he couldn’t afford to fight a lawsuit.” [Associated Press]

 

WW – Professional Reference Hub in Beta

A new Web site designed to help employers find out more about job candidates has some concerned about its potential for damaging professional reputations. Currently in beta and only accessible through Facebook, the Unvarnished site lets individuals create profiles of themselves or someone else. Other users can then build upon the profiles anonymously, adding feedback on professional performance. Once created, the profiles cannot be removed, the report states. Critics say the site could damage the professional patinas of “unsuspecting individuals.” [San Diego Entertainer]

 

Other Jurisdictions

 

MY – House Passes Data Protection Bill

Malaysia’s Lower House of Parliament has passed The Personal Data Protection Bill. The bill seeks to prevent data theft and misuse of personal data. It will bring the appointment of a personal data protection commissioner, and will require credit agencies to apply to the commissioner’s office before they can store individuals’ personal data in databases. It will also establish a code of practice to regulate dealings with personal information. The bill will now move to Parliament’s Upper House. If passed into law, offenders could face two-year jail terms, fines of up to RM200,000, or both. [Bernama.com]

 

Privacy (US)

 

US – New FTC Commissioners Take Oaths

Julie Brill and Edith Ramirez took their oaths of office this week, bringing the Federal Trade Commission’s roster up to five and facilitating its new tougher stance on privacy. During her tenure with the Vermont Attorney General’s Office, Brill received an award from Privacy International for her efforts to require state banks to obtain consumers’ written opt-in consent before sharing information with third parties. “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well,” said President Barack Obama in a statement earlier this year. [Hunton and Williams Privacy and Information Security Law Blog]

 

US – New Advisory Board Members Join EPIC

The Electronic Privacy Information Center (EPIC) has announced the new members of the EPIC Advisory Board. The new members are Alessandro Acquisti, Associate Professor of Information Technology and Public Policy at Carnegie Mellon University; Urs Gasser, Executive Director of the Berkman Center for Internet & Society; Pamela Jones Harbour, former FTC Commissioner who recently started at Fulbright and Jaworski; Kristina Irion, Assistant Professor at the Center for Media and Communications Studies at Central European University; Jeff Jonas, Chief Scientist at IBM Entity Analytics Group; and Michael Kirby, Honorary Professorial Fellow at Australian National University and University of Melbourne, and former Justice of the High Court of Australia. Also, three members of the EPIC Advisory Board have joined the EPIC Board of Directors. They are Christine Borgman, Presidential Chair and Professor of Information Studies, UCLA; Pamela Samuelson, Professor, Berkeley Law School and School of Information, University of California, Berkeley; and Paul Smith, Partner with Jenner and Block, and chair of the firm’s Appellate and Supreme Court Practice committee. [EPIC Advisory Board Page] [Advisory Board Announcement]

 

Security

 

US – Security Flaws Found in Smart Meters

A security researcher, Joshua Wright of InGuardians, has identified a number of security vulnerabilities in the smart meters that a number of US utilities are rolling out to their customers. The vulnerabilities, which could be exploited remotely via wireless technology or by physically tampering with the meter, include the ability to ramp up people’s bills and to shut off their power. The research, which was commissioned by three power utility companies, discovered vulnerabilities in meters from all five of the makers whose products were submitted for testing. So far eight million smart power meters have been installed within the United States, with that number expected to reach 60 million by 2020. [Syracuse] [KATU]

WW – Companies Should Reevaluate Security Resource Allocations

According to a study from Forrester Research conducted on behalf of RSA and Microsoft, companies may not be taking adequate precautions to protect intellectual property and proprietary information. Compliance initiatives like the Payment Card Industry Data Security Standard (PCI-DSS) and data protection laws in Europe, New Zealand, and Australia require companies to take steps to protect custodial data. Companies in the study acknowledge that their data security budgets are directed more at compliance with regulations and laws surrounding consumer data than at protecting company intellectual property assets. Forrester, Microsoft and RSA make several recommendations for companies to bring their data security strategies in line with the true value of the data itself, including identifying and assessing the value of the data they hold and realigning their security strategies so that secrets and intellectual property are adequately protected. [Dark Reading] [RSA] [Full paper]

US – Report Calls for C-level Involvement in Cybersecurity

“The Financial Management of Cyber Risk,” a new report published by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI), recommends that C-level executives implement cybersecurity risk management programs at their companies. Part of the goal is to get executives directly involved in such efforts, citing a federal cyberpolicy review indicating U.S. businesses lost $1 trillion worth of intellectual property to cyberattacks between 2008 and 2009. “We believe if we can educate American organizations about how much they’re actually losing, we can move to the next step, which is solving the problem,” said Larry Clinton of the ISA, pointing out that between 80 and 90 percent of cybersecurity problems can be avoided by a combination of best practices, standards and security technology. [CIO Reports]

WW – Canadian Researchers Reveal Online Spy Ring Based in China

Canadian researchers have uncovered a vast “Shadow Network” of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data from computers around the world. Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad. The findings, which are part of a report made public this week in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto’s Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and a U.S. cyber sleuthing organization known as the Shadowserver Foundation, the report is expected to be controversial. The researchers have found a global network of “botnets,” computers controlled remotely and made to report to servers in China. Along with those servers, the investigators located where the hackers stashed their stolen files, allowing a glimpse into what the spy ring is looking for. “Essentially we went behind the backs of the attackers and picked their pockets,” said Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs, which investigated the spy ring. The report, titled Shadows in the Cloud, comes one year after the same team discovered a spy ring with links to China that it dubbed GhostNet. Using information gleaned from that investigation, investigators followed a trail of websites that led to a much larger operation, also with links to China. The report is careful not to conclude the Chinese government is behind the operation, since it is difficult to tell who is orchestrating the attacks. 
Last year, the Chinese government denied any involvement in GhostNet after the researchers uncovered nearly 1,300 infected computers in 103 countries linked to servers in China. But computers belonging to the exiled Tibetan leader, the Dalai Lama, who is denounced by China, have been the most compromised. Almost every e-mail sent to or from the Dalai Lama’s offices in 2009 has shown up in the files, the report says. Nearby India has also taken the brunt of the cyber attacks, with numerous secret government documents recovered by the Canadian researchers. They include 78 documents related to the financing of military projects in India, details of live fire exercises and missile projects, and two documents marked “secret” belonging to the national security council. Sensitive data from 16 countries, such as visa applications by Canadian citizens, were also recovered. It is believed the hackers accessed those files through computers at India’s embassies in Kabul, Dubai, Nigeria and Moscow, which were corrupted. [The Globe and Mail] [New York Times] [Report: “Shadows in the Cloud: Investigating Cyber Espionage 2.0”, available via the following link] UPDATE: [China rejects hacking ‘insinuations’ after spy ring revealed] See also: [Cyberattacks Are ‘Existential Threat’ to U.S., FBI Says]

WW – Researchers Sound Alarm on Web App ‘Side Channel’ Data Leaks

Researchers who have tested the security of popular online tax, health, investing, and search sites report that Web applications are becoming more vulnerable to data leaks. The team from Microsoft and Indiana University notes that encryption does not prevent the exposure of data passed back and forth between a Web client and server: side-channel characteristics of the traffic, such as packet size and timing, give network eavesdroppers the opportunity to infer information about the application’s state and its users. The vulnerability could become “an unprecedented threat to the confidentiality of user data processed by these applications,” according to the researchers. Moreover, programs that use newer Web techniques such as AJAX, which exchange many small messages with the server as the user types or clicks, could be more vulnerable to data leaks. [Network World]
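The packet-size channel described above, as an added example that is not taken from the researchers’ paper: a constructed autocomplete service over a ten-word vocabulary, the size classes a passive observer would see for each possible prefix, and how rounding responses up to a fixed block size shrinks the leak (the constant TLS overhead and the vocabulary are assumptions for the demonstration).

```python
import json
import math
from collections import defaultdict

# Constructed vocabulary standing in for a health site's symptom autocomplete.
VOCAB = ["asthma", "aspirin", "anxiety", "arthritis", "diabetes", "depression",
         "dermatitis", "hepatitis", "hernia", "hypertension"]

# Inputs the eavesdropper considers possible: every 1- and 2-letter prefix a user could have typed.
CANDIDATE_PREFIXES = sorted({w[:n] for w in VOCAB for n in (1, 2)})

# Assumed constant per-record expansion (header, IV, MAC). Only its constancy matters:
# a fixed offset does not hide differences between plaintext lengths.
TLS_OVERHEAD = 29


def plaintext_response(prefix):
    """Unpadded JSON the server returns for one keystroke."""
    matches = [w for w in VOCAB if w.startswith(prefix)]
    return json.dumps({"q": prefix, "s": matches}).encode()


def padded_responder(block):
    """Mitigation: a responder that rounds every body up to a multiple of `block` bytes."""
    def respond(prefix):
        body = plaintext_response(prefix)
        return body + b" " * ((-len(body)) % block)
    return respond


def observed_size(body):
    """What a passive network observer sees: ciphertext length, not content."""
    return len(body) + TLS_OVERHEAD


def anonymity_sets(responder):
    """Group candidate inputs by the ciphertext size they would produce on the wire."""
    groups = defaultdict(list)
    for prefix in CANDIDATE_PREFIXES:
        groups[observed_size(responder(prefix))].append(prefix)
    return dict(groups)


def infer_input(responder, size):
    """Attacker's view: the candidate inputs consistent with one observed size."""
    return anonymity_sets(responder).get(size, [])


def leaked_bits(responder):
    """Mutual information between typed prefix and observed size, uniform prior over candidates."""
    n = len(CANDIDATE_PREFIXES)
    residual = sum(len(g) / n * math.log2(len(g)) for g in anonymity_sets(responder).values())
    return math.log2(n) - residual


if __name__ == "__main__":
    for name, responder in [("unpadded", plaintext_response),
                            ("padded to 32", padded_responder(32)),
                            ("padded to 128", padded_responder(128))]:
        sets = anonymity_sets(responder)
        print(f"{name:14s} distinct sizes={len(sets):2d}  leaked={leaked_bits(responder):.2f} bits")
```

Unpadded, every prefix maps to a unique size, so the observer learns the input outright; padding to 32 bytes leaves two size classes and under one bit of leakage, and padding to 128 bytes closes the channel at the cost of bandwidth, which is the trade-off the researchers describe.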

Surveillance

US – Court Says NSA Illegally Wiretapped Two Americans

Federal Judge Vaughn R. Walker has ruled that the U.S. National Security Agency’s program of surveillance without warrants was illegal. Under the surveillance program the National Security Agency monitored international e-mail messages and phone calls of American citizens without court approval, which is required under the Foreign Intelligence Surveillance Act, or FISA. The ruling undermined claims by President Bush’s administration that the surveillance program, which President Bush secretly authorized after the terrorist attacks of September 11, 2001 using presidential wartime powers, was lawful. Judge Walker ruled that by intercepting the phone calls of the Al Haramain Islamic charity based in Oregon, and the calls of two lawyers representing the charity in 2004, the government had violated a 1978 federal statute requiring court approval for domestic surveillance. Judge Walker also declared the plaintiffs had been “subjected to unlawful surveillance,” and that the government was liable to pay them damages. [WIRED] [NY Times] [WTHITV] [CATO: State Secrets, Courts, and NSA’s Illegal Wiretapping]

CA – Alberta Cops Want Warrantless Access to Cell & Computer Records

Police told a parliamentary standing committee on organized crime they need access to subscriber information for cellphone and Internet IP addresses to succeed in the fight against organized crime. But critics say increasing police powers threatens Canadians’ rights. “People are innocent until proven guilty -- you can’t just go on fishing expeditions looking for evidence of criminal activity,” said Kelly Ernst of the Rocky Mountain Civil Liberties Association. Defence lawyer and former president of the Alberta Civil Liberties Association Stephen Jenuth said the power to search needs to be subject to checks and balances in a democracy. “The police want to be accountable to no one, they think they’re the highest law in the land,” he said. “When the police want it, they should justify it. In an emergency they can get (a search warrant) very quickly ... You can get a warrant by phone if you need to. A justice of the peace can do it – you don’t even need to go before a judge.” [The Edmonton Journal]

UK – CIA Given Details of Almost 1000 British Muslim Students

Personal information concerning the private lives of almost 1,000 British Muslim university students is to be shared with US intelligence agencies in the wake of the Detroit bomb scare. The disclosure has outraged Muslim groups and students who are not involved in extremism but have been targeted by police and now fear that their names will appear on international terrorist watch lists. So far, the homes of more than 50 of the students have been visited by police officers, but nobody has been arrested. The case has raised concerns about how the police use the data of innocent people and calls into question the heavy-handed treatment of Muslim students by UK security agencies. This week, MPs criticised the Government’s key policies on countering extremism which they said were alienating Muslim communities. [Source] See also: [EU-U.S. Data-Sharing Agreements Back in Discussion]

US – Half of NYC Subway Surveillance Cams Don’t Work

About half of the more than 4,000 security cameras installed along New York City’s subways are not working. At the same time, the cash-strapped Metropolitan Transportation Authority has cut the number of weekend police patrols on major bridges and tunnels. Critics say the non-working cameras are a blind spot in the crime and terrorism safety net for the nation’s largest city. Mayor Michael Bloomberg said that the MTA needs more funding. But he says Albany lawmakers turned down a plan that would’ve eliminated most of the agency’s problems. MTA officials say safety of riders is the top priority. They point out that about half of the cameras do work and about 900 more will work by June. Overall, crime is down in the subways, even as ridership increases. [The Associated Press]

UK – Road Cam Net Allows Police to Snap & Store 14m Drivers Per Day

Police chiefs are facing the threat of a High Court privacy action over a nationwide network of cameras that is being used to take up to 14m photographs of motorists every day. The images are being stored daily on a huge “Big Brother” database linked to automatic numberplate recognition (ANPR) technology to track vehicles’ movements. The records not only include details of car registrations, but often photographs of drivers and front-seat passengers, a police document has revealed. They are being held on a database in Hendon, north London, for at least two years without drivers’ knowledge or permission. Critics argue that mass intrusion into people’s movements may not be “proportionate” and could breach the right to privacy under the Human Rights Act. This weekend Shami Chakrabarti, the director of Liberty, the civil rights group, said it planned to launch the first legal challenge to the surveillance system. [The Sunday Times] Related Links: [Smile, you’re on the state’s candid camera] [Drivers’ personal details handed to EU]

EU – Airline Passenger Conversations & Movements to be Monitored under EU Project

Brussels is funding research at Reading University aimed at detecting suspicious behaviour on board aircraft. It uses a combination of cameras, microphones, explosives detectors and a sophisticated computer system which would give a pilot early warning of any danger. But the work has alarmed civil liberties campaigners who fear the growth of the surveillance state. At present intelligent CCTV systems which monitor and analyse passenger behaviour using computer software are used in a number of airports across the world, including at Hong Kong and Washington DC. They are designed to pick up unusual or suspicious behaviour, such as a bag being abandoned. Currently security on airplanes is mainly limited to a CCTV camera located by the cockpit. But under the new system microphones would be installed and passenger conversations listened to for the first time. Suspect words and phrases would alert a monitoring system. Simon Davies, director of Privacy International, said: “Audio airline surveillance is the line that must never be crossed in a high security environment. Passengers must already face intolerable intrusions and restrictions on their movements. The day the airlines install hidden microphones on planes is the day that all trust in the airlines is destroyed.” A spokesman for the Civil Aviation Authority added: “Since we are mainly concerned with safety we would want to be reassured that these cameras and microphones would not interfere with the running of the plane.” [Telegraph.co.uk]

Telecom / TV

UK – Digital Economy Bill Assigns Users Burden of Protecting Wireless Networks

The Digital Economy Bill, which is expected to pass Parliament this week, specifies wi-fi security required of UK Internet users. Many users would have to spend as much as GBP 70 (US $107) for routers to protect their wi-fi connections or face fines or disconnection if attackers use their unprotected connections for illegal filesharing activity. Users who have older laptops may have to purchase new GBP 20 (US $30) wi-fi cards to protect their computers from intrusions. The bill has also been called a potential “death-knell” for public access wi-fi because coffee shops and other businesses offering free wireless Internet can also be held liable for illegal filesharing activity conducted over their networks. [Business Times] UPDATE: [Digital Economy Bill Begins Passage Through Commons] [Webcast of the House of Commons debate on the Digital Economy Bill] [Parliament does a squalid deal and betrays Internet users (6.04.2010)] [Digital Economy Bill heads for final reading (7.04.2010)] [Government re-introduces controversial site-blocking powers (31.03.2010)] [How Hollywood lobbied for the Digital Economy Bill (3.04.2010)] [Disconnection notices served to UK Music, BPI and politicians (3.04.2010)] [Call for ‘fuller’ debate on Digital Economy Bill (6.04.2010)]

US – Court Rules for Comcast Over FCC in ‘Net Neutrality’ Case

The U.S. Court of Appeals for the D.C. Circuit has ruled that the Federal Communications Commission (FCC) does not have the authority to enforce network neutrality, or require that Internet service providers treat all Web traffic equally. The decision could impede other efforts, such as the Obama administration’s agenda to implement a nationwide deployment of broadband Internet service. Additionally, the ruling could spur the FCC or Congress to write new rules or legislation to more solidly entrench the agency as an Internet services regulator. The commission could impose new rules on broadband providers by placing them within the same category as phone operators. Former FCC chairman Michael K. Powell warns that imposing net neutrality rules would damage broadband network investments. Telecom lawyers say the opaque power the FCC has over Internet access has complicated the agency’s transition from phone- and broadcast-era regulation. [Washington Post]

US Government Programs

US – No-Fly List Has Doubled in Size and Will Get Bigger, Say Gov’t Officials

U.S. enforcement and intelligence officials said this week that the no-fly list barring passengers with suspected terror ties from boarding planes has already increased in size since the attempted Christmas Day bombing of Northwest Flight 253, and was likely to get much larger. “It’s getting bigger and it will get much bigger,” said Russell Travers, deputy director of the National Counterterrorism Center, testifying at a hearing of the Senate Homeland Security Committee. After the hearing, government officials confirmed to ABC News an earlier press report that the no-fly list had nearly doubled in size since December 25, from 3,400 names to over 6,000 individuals. “The figure reported today generally reflects that expansion, although the number of individuals on the no-fly list varies daily,” said an official from the FBI’s Terrorist Screening Center (TSC). [Source] SEE ALSO: [NYT: Ensnared by Error on Growing U.S. Watch List]

US Legislation

US – Former DOJ Lawyers: ECPA Outdated

Former Department of Justice (DOJ) attorneys are among those calling for updates to the Electronic Communications Privacy Act (ECPA), stressing the 1986 law is out of date with new technologies. Several former DOJ lawyers, including Marc Zwillinger and Paul Ohm, are echoing concerns raised by Digital Due Process, a coalition of technological leaders and privacy advocates. Digital Due Process is asking Congress to revamp ECPA to address issues such as government access to e-mail and personal information stored on the Internet. Both Senate Judiciary Committee and House Judiciary Committee members have confirmed they will be holding hearings this spring to consider how to balance privacy and security concerns. [Main Justice]

US – Legislation Would Remove Birth Dates from Open Records

Two Oklahoma senators have introduced legislation that would exempt government employees’ birth dates from the state’s Open Records Act. Senate Bill 1753 aims to protect the employees from identity theft. Within the last five years, the state has made at least $65 million from the sale of millions of motor vehicle records, according to Oklahoma Department of Public Safety records. The information, which includes birth dates of state drivers, is largely sold to insurance companies seeking driver history information, the report states. But one privacy expert claims that concealing birth dates in public records won’t thwart identity theft because the information is widely available elsewhere. “Stop trying to shut the barn door after the horses are gone,” he said. [The Oklahoman]

US – Legislation Planned to Keep Inmates from Data

The U.S. Social Security Administration plans to propose legislation that would put a national ban on prisoners accessing data that could be used for identity theft. A 2009 audit by the administration’s inspector general showed that a Kansas inmate involved in a work program tried to steal names and numbers. Kansas currently allows inmates to perform data entry for non-profit groups, the courts and state and local government, the report states. “This is like having the fox practice herding chickens,” said a Kansas state representative. Most states have laws that bar inmates from seeing personal data. [UPI]

Workplace Privacy

US – Court Rules that Employee-Attorney E-Mails Are Private

In the United States, the New Jersey Supreme Court has ruled that the Loving Care Agency was wrong to retrieve emails that a former employee, Marina Stengart, had sent to her attorney, even though the emails were sent using the company’s own computer systems. In 2008, Marina Stengart filed a lawsuit against the company claiming discrimination based on gender, religion and national origin. Before leaving the company, Ms. Stengart exchanged a number of emails with her attorney by accessing her Yahoo email account from the company’s computers. Loving Care retrieved copies of the emails from its systems and argued in court that the emails were sent in breach of company policy, which states that emails “are not to be considered private or personal to any individual employee” and that the company had the right to “review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time.” Earlier, a trial court agreed with the company, but in a 7-0 ruling the Supreme Court overruled that decision and ordered the company to turn over all copies of the e-mails and delete any record of them. [ABC News] [NJ.com] [North Jersey]

+++