Privacy News Highlights

10–16 April 2010



NZ – Commissioner: Build Privacy into Biometrics

CA – Saskatchewan Hospitals Will Release Patient Info for Fundraising

CA – Keeping Credit Scores Private Can Mean Increased Insurance Costs

US – Groups File FTC Complaint on Real-Time Ad Auctions

US – Young People Care about Online Privacy: Study

US – Eight Fired or Disciplined for Accessing Data

US – Judge Issues Restraining Order to Keep State Employee Birthdates Private

US – Library of Congress Will Save Tweets

US – DHHS Notice Explains Breach Data Uses

CA – More Controls Needed for Healthcare Workers’ Access to Personal Information

CA – DFAIT Consults on Cryptography Exemption for IT Export Licensing

EU – EC Will Seek Privacy, Reciprocity at Madrid Meeting

EU – Milan Court Files Reasoning behind Google Convictions

EU – Irish Report: Tighter Control of Data Needed

EU – E-Waste Can Be Treasure Trove for Criminals: EDPS

WW – Withholding Number of Breached Records Can Protect Stock Prices

US – Agencies Release Tool for Model Consumer Privacy Notices

US – House Passes Act to Eliminate Notice Confusion

US – EU-U.S. to Resume Bank Data-Sharing Talks

CA – Harper Government Slammed for its Record on Access to Information

US – Scrubbing IDs Out of Medical Records for Genetic Studies

US – Survey Shows Increased Use of Digital Medical Records, Privacy Concerns Persist

IS – Ministries Taking Second Look at Medication Benefit

US – Class Action Seeks $20 Million in Damages

US – Nearly One Million Now Said to Be Impacted

NZ – Law Would Give Banks Access to Validation System

CA – Alberta Commissioner OKs University’s Move to Gmail

US – Tech Specs Issued For ‘You Are Being Targeted’ Icons

CA – Police Officer Demoted for Computer ‘Stalking’

WW – Apple’s Plans for iPhone Location Privacy

CA – Smart Phones Could Pose Trouble, Privacy Watchdog Says

WW – Privacy Risks from Geographic Information

US – Suit Claims Google Buzz Violated Privacy

CA – Courts Raising Questions about Internet Anonymity

WW – Privacy Changes Will Keep Flash Cookies Off Computers

WW – News Sites Rethinking Anonymous Comments

CA – Pardoned Sex Offenders Evade Record Checks Due To Tighter Privacy

MY – House Passes Data Protection Bill

US – Report on Cross-Border Data Flow Impediments Released

US – New FTC Commissioners Take Oaths

US – House Committee Hears about Student Privacy

WW – New Data Breach System Tries User Pop-Ups

EU – Report: Assess Privacy Risks before Deploying Passenger RFID Tags

WW – Lost Media Top Reason for Data Exposures

CA – BC Ferry Audits Reveal Many Deficiencies

US – Survey: Compliance Focus Leaves Secrets Vulnerable

US – NIST Releases Guidelines to Protect Personal Data

CA – Canadian CIOs Admit Lack of Security Awareness

UK – Kent Police Faces Legal Threat Over ANPR Cameras

WW – Film Explores Escaping the “Surveillance State”

US – Coalition: Warrant Should Be Required for Gov’t Access to E-mail

US – Md. Law Limits Military Recruitment of High School Students

US – Two States, Two New Laws

US – Virginia Passes Medical Breach Notification Law

US – Supreme Court to Hear Employment Text Privacy Case

WW – Unvarnished – Website Sparking Controversy over Professional Privacy





NZ – Commissioner: Build Privacy into Biometrics

Privacy Commissioner Marie Shroff believes that when it comes to biometrics, privacy should be built in from the beginning of the design. Speaking at a recent Biometrics Institute conference, Shroff noted that while biometrics do not currently have specific regulation under New Zealand’s Privacy Act, regulation is “never off the table.” Shroff said that may not be necessary, however, if biometrics developers and vendors focus on privacy principles when creating systems and managing data. Aaron Baker of the Department of Labour’s immigration unit, which is participating in a five-country collaborative development of biometrics-aided immigration procedures with Australia, the UK, Canada and the U.S., said privacy will be built into any such system. [Computerworld]




CA – Saskatchewan Hospitals Will Release Patient Info for Fundraising

Health foundations in Saskatchewan will soon once again be allowed to contact former hospital patients to ask for donations. A recent amendment to provincial privacy regulations, slated to take effect in May, will allow the names and addresses of people who receive hospital services to be shared with their local hospital foundation, who can use the info for fundraising drives. The province’s privacy watchdog calls the move inappropriate. Health Minister Don McMorris, however, says the change “balances the tremendous benefit that local donations provide for health facilities and services with the privacy rights of individuals.” With the exception of children, people in long-term care and other categories of patients deemed “vulnerable,” an individual’s contact information will be shared unless the person tells the health region he or she doesn’t want to be included. Hospital foundations were forced to stop contacting former patients in the early 2000s due to the introduction of the Health Information Protection Act. [Regina Leader-Post]


CA – Keeping Credit Scores Private Can Mean Increased Insurance Costs

Insurance companies across Canada are increasingly using credit scores to determine the cost of premiums, and for those who choose privacy over sharing their scores, the costs can be significant. While companies report they do not force customers to reveal their credit scores, those who choose to keep the information private can face rate hikes. Some consumers, however, say they are willing to pay that price. “My exact words were I’ll eat the keep my privacy private,” said Paul Renny of Ontario. Credit scoring has been banned in Ontario and Alberta for auto insurance, the report states, while New Brunswick has become the first province to ban the practice outright for any type of insurance. [CBC-TV]




US – Groups File FTC Complaint on Real-Time Ad Auctions

Three privacy groups filed a complaint with the FTC seeking a review of the practice of “real-time auctions” for online advertising slots. In their 32-page filing, the World Privacy Forum, U.S. Public Interest Research Group (PIRG) and the Center for Digital Democracy are calling the technology a “privacy threat” that enables “the real-time profiling, targeting and auctioning of consumers...” The complaint cautions that the data sources available for sale online provide detailed information on consumers. “Consumers will be most shocked to learn that companies are instantaneously combining the details of their online lives with information from previously unconnected offline databases without their knowledge, let alone consent,” says Ed Mierzwinski of U.S. PIRG. [New York Times] [Complaint] see also: [Adzilla Suit Settled, Questions Remain] and also: [Criteo Says Privacy Advantage Coming to U.S. Market]


US – Young People Care about Online Privacy: Study

Young adults care about online privacy to a similar degree as older adults, according to survey findings released this week. Researchers at two universities polled 1,000 Americans age 18 and older, finding that young and older adults “are more alike on many privacy topics than they are different.” For example, 84% of 18 to 24-year-old respondents said a person should seek their consent before posting a photo or video of them to the Internet, while 90% of 45 to 54-year-olds felt the same way. The researchers conclude that “Public policy agendas should therefore not start with the proposition that young adults do not care about privacy...” [The San Francisco Chronicle]




US – Eight Fired or Disciplined for Accessing Data

Eight Virginia Beach human services employees have been fired or disciplined in the past year for wrongfully accessing personal information contained in state databases. City officials are now expanding the probe that revealed the breaches. “We need to look at the magnitude of the problem,” said city auditor Lyndon Remias. Human Services Director Robert Morin said that most of the breaches involved city workers accessing information about people they knew. The 330 department employees have varying degrees of access to up to 13 state and federal databases, according to the report. [Virginian-Pilot] See also: [Privacy scandal leads to charges for fired BC government worker]


US – Judge Issues Restraining Order to Keep State Employee Birthdates Private

The birthdates of state employees will not become a matter of public record, at least for the time being. An Oklahoma County judge issued a temporary restraining order preventing the state from releasing that information to reporters or anyone else who requests it. Oklahoma County Judge Bryan Dixon based his ruling on an opinion Attorney General Drew Edmondson gave regarding an individual’s right to privacy in relation to the state’s Open Records Act. Media watchers are wondering what the ruling means for the public’s right to know. The Oklahoma Public Employees Association (OPEA) filed the lawsuit after The Oklahoman requested the names and birthdates of all state employees. It quickly got the attention, and support, of some state lawmakers. “We’re talking about a batch request for 40,000 state employee birthdates with no rhyme or reason as to why The Oklahoman wanted them,” Rep. Randy Terrill (R) said. OPEA argued that the release would be a violation of privacy, even though birthdates are listed on many public documents, including voter registration records. [Source] See also: [Miami Lakes residents threaten to sue town over e-mail addresses]




US – Library of Congress Will Save Tweets

Not everyone would think that the actor Ashton Kutcher’s Twitter musings on his daily doings constitute part of “the universal body of human knowledge.” But the Library of Congress, the 210-year-old guardian of knowledge and cultural history, thinks so. The library will archive the collected works of Twitter, the microblogging service whose users currently send a daily flood of 55 million messages of 140 characters or fewer. Library officials explained the agreement as another step in the library’s embrace of digital media. Twitter, the Silicon Valley start-up, declared it “very exciting that tweets are becoming part of history.” [New York Times] See also: [Peter Fleischer: To tweet or to delete? ]


Electronic Records


US – DHHS Notice Explains Breach Data Uses

The Office for Civil Rights (OCR) in the Department of Health and Human Services has published a notice detailing how it will use information from organizations reporting health data breaches. According to the report, the notice explains new routine uses of the Program Information Management System, allowing the office to collect and list large breaches, collect and disseminate data necessary in breach investigations and reports to Congress, among others. The notice will become effective after a 40-day comment period that began yesterday. [Health Data Management]


CA – More Controls Needed for Healthcare Workers’ Access to Personal Information

Information and Privacy Commissioner Gary Dickson says there needs to be a review of how Saskatchewan trains, approves and monitors healthcare workers and their use of personal health information. Dickson’s report came after an investigation into a 2009 incident where a pharmacist was caught improperly accessing drug information about a former patient. The pharmacist looked up information about a patient and two family members a total of nine times for personal reasons. Dickson’s report also recommends tighter restrictions on when and where pharmacists and other healthcare workers should be allowed to access computers to look up such information. [CBC] See also: [Confidential BC health files sent to wrong address]




CA – DFAIT Consults on Cryptography Exemption for IT Export Licensing

The Department of Foreign Affairs and International Trade is currently engaged in consultations relating to export controls of goods or technology employing cryptography. The government is seeking information on the way in which different countries are interpreting the scope of an export licence exemption for products sold at the retail level to the general public. [Blakes Bulletin]


EU Developments


EU – EC Will Seek Privacy, Reciprocity at Madrid Meeting

During a meeting with U.S. officials in Madrid this week, the European Commission (EC) will seek the right for its citizens to sue in American courts if they believe airline passenger data transmitted to the U.S. has been misused. The commission will also ask U.S. Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano to share information about U.S. travelers, the report states. “We need a balance between security and justice and a relationship based on real reciprocity,” EU justice commissioner Viviane Reding said. At the Thursday-Friday meeting, officials will also discuss EU-U.S. sharing of bank transfer data and airport body scanners. [New York Times]


EU – Milan Court Files Reasoning behind Google Convictions

Yesterday, the Milan Court filed the judicial reasoning behind the February conviction of three Google executives for violating Italian privacy code. In the 111-page document, Judge Oscar Magi said the employees were convicted and sentenced based on Italian law that prohibits the use of someone’s personal information with the intent of making a profit. “In simple terms,” Magi wrote, “it is not the writing on the wall that constitutes a crime for the owner of the wall, but its commercial exploitation can.” Italian lawyer Rocco Panetta told the Daily Dashboard the reasoning confirms “Google had no obligation to filter and/or prior remove the eventual illegal content,” nor was this “a case around freedom of speech.” Rather, “it was a matter of compliance with laws and regulations dealing with personal data processing currently in force,” Panetta said. [New York Times] See also: [Italian Judge Cites Profit as Justifying a Google Conviction]


EU – Irish Report: Tighter Control of Data Needed

Data Protection Commissioner Billy Hawkes released his annual report for 2009. The commissioner’s office investigated 914 complaints last year, slightly fewer than in each of the two previous years. The office issued several calls for increased data protection in 2009. Among them, it ordered the Health Service Executive (HSE) to increase controls around patient data. “The HSE holds the most sensitive detail about people--patient data,” Hawkes said. “It’s very important that is minded carefully so that we can all trust the health service when we use it.” [Belfast Telegraph] See also [Call for Irish Data Breach Notification Law] See also: [Irish Medical Office: Data Protection Legislation Needs Review]


EU – E-Waste Can Be Treasure Trove for Criminals: EDPS

The wealth of sensitive personal data that often remains on old computers and mobile phones has prompted European Data Protection Supervisor Peter Hustinx to raise concerns about the European Commission’s proposal to recast its old directive for waste electrical and electronic equipment. With the focus “solely on the environmental risks related to the disposal of e-waste,” Hustinx said, the proposal “does not take into account other additional risks to individuals or organisations that may arise from the operations of disposal, reuse or recycling of e-waste, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data.” Hustinx said appropriate security measures must be adopted at every stage of the processing of personal data. [EUobserver]


Facts & Stats


WW – Withholding Number of Breached Records Can Protect Stock Prices

When companies publicly declare that they have suffered a data breach, it is best not to reveal how many individual records were involved if they do not want to take a hit in their stock price, according to a study. The Heartland breach last year, involving 130 million lost records, set off a plunge that reduced its stock price by 90%, and it had not fully recovered a year later, according to the Perimeter E-Security “U.S. Data Breach Study of 2009” report. Smaller breaches triggered stock-price drops of 12% on average that were made up in about 60 days, the study says. But when companies do not reveal how many records were compromised, there is no discernible impact on the stock price. “When it is a high-profile, largely publicized breach, it seems to impact the stock heavily,” the study says. “When a company does not disclose the total number of records lost, there appears to be no statistically meaningful impact to the stock.” Perhaps businesses have already figured this out. The study says that last year, in cases where financial data records were lost, two-thirds of the public reports of these incidents did not state how many records were involved, and this appears to be a trend: “In 2008, 42% of incidents did not include the number of records compromised,” the study says. [Network World]




US – Agencies Release Tool for Model Consumer Privacy Notices

Federal agencies released a tool to help financial institutions create customized versions of model consumer privacy notices. According to a joint press release, the Online Form Builder is based on the model form regulation published in the Federal Register last December under the Gramm-Leach-Bliley Act, and includes several options and instructions. “To obtain a legal ‘safe harbor’ and so satisfy the law’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder,” the release states. Eight agencies collaborated on the form. [Press Release]

The Online Form Builder is available at the following links from the release: Privacy Notice Instructions | Privacy Notice—Opt Out Options (With Affiliate Marketing | Without Affiliate Marketing) | Privacy Notice—No Opt Out Options (With Affiliate Marketing | Without Affiliate Marketing)


US – House Passes Act to Eliminate Notice Confusion

The House of Representatives passed a bill that would nullify the need for some financial institutions to send annual privacy notices. The Eliminate Privacy Notice Confusion Act will cut “red tape and bureaucracy, while also protecting consumers from confusion over their privacy policies when nothing has changed,” according to the office of Rep. Erik Paulsen (R-MN), who cosponsored the bill with Rep. Dennis Moore (D-KS). Debt buyers in particular are expected to benefit from the reform, according to PaymentsSource. The legislation now moves to the Senate. [Star Tribune]


US – EU-U.S. to Resume Bank Data-Sharing Talks

European Union interior ministers are expected to meet on April 22 to discuss and endorse the start of new negotiations between the European Commission and the U.S. on sharing bank transfer data that the U.S. contends is essential to the fight against terrorism. The EU is considering new arrangements to replace those thrown out by the European Parliament in February due to data privacy concerns. According to the draft mandate, transfer requests from the U.S. will have to be approved by a designated judicial authority in the EU to ensure that EU citizens have the same administrative and judicial redress as U.S. citizens against any misuse of their data, the report states. [The European Voice] See also: [NYT: Holder Says “Extensive Privacy Safeguards” in Place]




CA – Harper Government Slammed for its Record on Access to Information

Canadians’ access to federal government information risks “being totally obliterated” because of chronic delays in releasing the material, Canada’s information watchdog said in a harshly worded report on the government’s record. Suzanne Legault, interim information commissioner, also said that despite the Conservative government’s introduction of the 2006 Federal Accountability Act, she questioned its commitment to transparency. “Do we have a government right now that is instilling a culture of transparency, that is taking a leadership role like the American president is taking in matters of promoting transparency — which is broader than access to information — I haven’t seen evidence of that yet,” Legault told a news conference.

Legault’s report was made public less than an hour before Guy Giorno, Prime Minister Stephen Harper’s chief of staff, made a rare appearance before a parliamentary committee exploring whether the access-to-information system has been tainted by political interference.

Legault said in her report that delays in releasing information are eroding Canadians’ right to know what is going on in their government. Citing excessive consultations, inappropriate time extensions and lack of leadership within institutions, Legault said delays have now become the norm in Canada. In particular, Legault blamed unwarranted delays on the “flawed or ill-enforced delegation of authority for access-to-information decisions within institutions.” The report, tabled in the Commons, found that 13 of 24 institutions, together representing 88 per cent of all access requests, had failing grades or worse for responding to information requests within 30 days. The 30-day deadline can legally be extended under certain circumstances. Legault said that despite the 2006 Federal Accountability Act, which promised a “duty to assist” requesters with timely access to records, the Conservative government has not stepped up to the plate.

Legault praised 11 institutions for performing “relatively well” in the report. The departments of justice, and citizenship and immigration both received top marks, with a performance rating of “outstanding” for their handling of requests. [Source]




US – Scrubbing IDs Out of Medical Records for Genetic Studies

A new technique allows medical records to be used for research on the genetics of disease while still protecting patients from prying eyes. The new method, published online April 12 in the Proceedings of the National Academy of Sciences, simply disguises parts of the medical history data that are not relevant to a geneticist’s particular research question using an algorithm that combs through health records and makes some aspects of them more general. The researchers tested their algorithm against potential hackers using information from more than 2,600 patients. The team assumed a hacker might know a patient’s identity, some of their medical history and maybe some of the medical codes associated with that history. The technique stymied efforts to ID an individual based on that information, the researchers report. [Source]


Health / Medical


US – Survey Shows Increased Use of Digital Medical Records, Privacy Concerns Persist

A survey of 1,850 Americans shows the number who are using digitized personal health records (PHRs) has doubled since 2008. However, that number remains at just 7% of all patients, with respondents pointing to fears about privacy as the primary reason they are not making the move to digital records. Respondents also indicated they would be more likely to lie to their doctors if there was any chance their information could be shared with outside organizations. The survey indicates that two out of three Americans are concerned about the privacy of their health information, and that those who use the system are divided along socioeconomic lines. Mike Perry, a partner at Lake Research Partners, which conducted the survey, said, “The point is while privacy concerns remain high, most consumers want to move in the direction of adoption.” [The Wall Street Journal]


IS – Ministries Taking Second Look at Medication Benefit

The Finance Ministry is considering creating a special commission to look into privacy issues associated with its plan to reduce medication costs for Holocaust survivors. Since announcing plans for the program, the ministry has received dozens of letters from individuals concerned about the personal data they would be required to provide in order to benefit from the program. Some requested to be kept off the list of those eligible for the benefit, while others called for laws to prohibit the disclosure of their survivor status. The Social Affairs Ministry is also examining the issue.


Horror Stories


US – Class Action Seeks $20 Million in Damages

Sixteen named plaintiffs have filed a class action suit against Countrywide Financial, Countrywide Home Loans and Bank of America, which bought Countrywide, alleging Countrywide Financial employees stole and sold customers’ personal financial information. The class action suit, which seeks more than $20 million in damages, claims customers’ privacy was invaded, exposing them to identity theft. “Countrywide delayed several months before informing their customers,” the complaint states. “Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures...” [Courthouse News Service]


US – Nearly One Million Now Said to Be Impacted

The number of those affected by the BlueCross BlueShield of Tennessee data theft last October has increased to 998,422 since the last count in March. The insurer began notifying those potentially affected in January. To date, the tab for investigating the incident, notifying customers, extending credit monitoring to individuals affected and working with attorneys general in 32 states has reached $7 million. The insurer plans to release a final report when the process is complete, the report states. [Health Data Management]


Identity Issues


NZ – Law Would Give Banks Access to Validation System

New Zealand’s government will introduce legislation this year to allow private sector access to its data validation service. The law would let financial institutions validate individuals’ identities by cross-checking them against information held by the Department of Internal Affairs, which includes citizens’ personal details but not those of a sensitive nature, according to Internal Affairs Minister Nathan Guy. Giving banks access to the system is expected to help them comply with certain laws and track terrorism financing, the report states. Privacy Commissioner Marie Shroff said, “So far we are satisfied that it appears to be on the right track, and we will be keeping closely involved with its development.” [New Zealand Herald]


Internet / WWW


CA – Alberta Commissioner OKs University’s Move to Gmail

Alberta Information and Privacy Commissioner Frank Work has given the University of Alberta the approval to convert its e-mail accounts to Google’s Gmail service—as long as university officials warn users about the possibility that their e-mails could be examined by U.S. authorities. The commissioner’s decision came after the university supplied him with a privacy assessment of the Gmail plan. In his decision, Work said the university has done what it reasonably can to ensure the protection of personal information, but because the e-mails are stored on American servers, they could fall under the U.S. Patriot Act. Under that law, e-mails could be secretly viewed by American authorities, the report states. [The Edmonton Journal]


US – Tech Specs Issued For ‘You Are Being Targeted’ Icons

The Interactive Advertising Bureau and Network Advertising Initiative have released technical standards to accompany a new icon designed to inform Internet users about targeted ads. The CLEAR (Control Links for Education and Advertising Responsibly) Ad Notice Technical Specifications intend to guide ad networks and media companies on how to provide consumers with notice when serving ads that are the result of tracking. The icon is part of an industry effort to better inform consumers about the methods behind the ads they receive in order to stave off regulation. In the next few weeks, advertisers will begin testing the icon. [MediaPost News]


Law Enforcement


CA – Police Officer Demoted for Computer ‘Stalking’

An Ottawa police officer has been demoted and will lose almost $40,000 in pay over the next two years for running more than 200 unauthorized police computer checks on himself, a lover, friends and police colleagues. Const. Dan Bargh, 28, was demoted from a first-class constable with a salary of more than $80,000 to a third-class constable, making about $58,000. Bargh was found guilty in November of two counts of insubordination under the Police Services Act for using the Canadian Police Information Centre (CPIC) and an Ottawa police records system for personal purposes. The practice is forbidden for several reasons, including violation of privacy and other rights, along with fears that sensitive police and other information could fall into criminal hands or be made public. [Montreal Gazette] [Source]
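The Virginia Beach case earlier in this issue and the Ottawa case above describe the same insider pattern: authorised users running lookups on themselves, partners, friends and colleagues, typically with no case or file that would justify the query. The following Python detector is an added illustration, not code from either agency or system. It assumes a simple audit-log line format (timestamp, badge number, system, subject record ID, case number) and a badge-to-person roster, both constructed here, and flags self-lookups, lookups of colleagues, repeated queries against one subject with no case attached, and users whose volume of case-less lookups exceeds a threshold.

```python
"""Insider-snooping detection over record-system audit logs.

Added example; the log format, field names and roster below are assumed
and constructed for illustration, not taken from CPIC or any real system.
"""
import re
from collections import Counter, defaultdict

# One constructed line per lookup: who queried, which system, which person
# record, and the case/file number justifying it (empty when none given).
LOG = """\
2010-03-02T09:12:04 badge=4417 system=CPIC subject=P-880012 case=10-03311
2010-03-02T09:40:55 badge=4417 system=RMS subject=P-000417 case=
2010-03-02T11:03:19 badge=4417 system=CPIC subject=P-000233 case=
2010-03-02T13:27:40 badge=4417 system=RMS subject=P-551920 case=
2010-03-02T13:28:02 badge=4417 system=RMS subject=P-551920 case=
2010-03-03T08:15:33 badge=2019 system=CPIC subject=P-770344 case=10-03320
2010-03-03T16:44:10 badge=2019 system=RMS subject=P-662118 case=
"""

# Assumed roster: badge number -> the officer's own person record ID.
STAFF = {"4417": "P-000417", "2019": "P-000233"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\d+) system=(?P<system>\w+) "
    r"subject=(?P<subject>[\w-]+) case=(?P<case>\S*)$"
)


def parse(log_text):
    """Parse audit lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(log_text, staff, no_case_threshold=3):
    """Return (badge, reason, detail) alerts for the snooping patterns above."""
    colleagues = set(staff.values())
    alerts = []
    no_case = defaultdict(list)  # badge -> subjects queried without a case

    for e in parse(log_text):
        own = staff.get(e["badge"])
        if e["subject"] == own:
            alerts.append((e["badge"], "self_lookup", e["subject"]))
        elif e["subject"] in colleagues:
            alerts.append((e["badge"], "colleague_lookup", e["subject"]))
        if not e["case"]:
            no_case[e["badge"]].append(e["subject"])

    for badge, subjects in no_case.items():
        # Many case-less lookups by one user is itself worth a review.
        if len(subjects) >= no_case_threshold:
            alerts.append((badge, "repeated_no_case", str(len(subjects))))
        # The same subject queried repeatedly with no case (the pharmacist
        # pattern earlier in this issue) gets its own alert.
        for subject, n in Counter(subjects).items():
            if n >= 2:
                alerts.append((badge, "repeat_subject_no_case", subject))
    return alerts


if __name__ == "__main__":
    for badge, reason, detail in detect(LOG, STAFF):
        print(f"ALERT badge={badge} {reason} {detail}")
```

In the constructed log, badge 4417 trips every rule while badge 2019's single case-less lookup stays below the threshold; in practice the roster check is the cheap, high-precision signal, and the volume threshold should be set from each user's own baseline rather than a fixed number.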




WW – Apple’s Plans for iPhone Location Privacy

Apple introduced its iAd mobile advertising platform last week and previewed the next version of the iPhone operating system, which will include features to help users control their geo privacy, reports the New York Times. “We’re taking privacy several steps further,” with iPhone OS 4, Apple’s senior vice president of iPhone software said at a preview event. Among them, OS 4 will include a status bar arrow that indicates when a user’s location is being tracked as well as other “fine-grained settings” to improve users’ awareness and control. Jules Polonetsky, of the Future of Privacy Forum, said the move shows “how treating data use as a feature is a better way to communicate to users than legal policies” about privacy. [New York Times] See also: [When It Comes to Data, Location Matters]


CA – Smart Phones Could Pose Trouble, Privacy Watchdog Says

Canada’s privacy commissioner, Jennifer Stoddart, says she has reservations about smart phones because they could allow people to be tracked without their knowledge. “The GPS feature on smart phones has a lot of potential to improve quality of life, but at the same time people can be tracked 24 hours a day without knowing,” Stoddart said. “It can be dangerous for some people to know where they are, and others just want to stay anonymous.” She said she is also concerned about future implications of smart-phone technology, specifically the emerging marketing strategy of sending coupons through text messages to people who walk in the vicinity of certain stores or attractions. “It should be something that people can turn on or turn off,” Stoddart said. “There should be a way for people to choose to give out their information or not.” [Source]


WW – Privacy Risks from Geographic Information

A new research study published online in the BMC Medical Informatics and Decision Making journal measures how easy it is to determine the identity of individuals using their geographical information. In the article, Prof. Khaled El Emam, Canada Research Chair in Electronic Health Information and lead author, explains that they have developed a new method for measuring the privacy risk for Canadians, in particular, those living in small geographic areas. This privacy risk measure can then be used to decide whether it is appropriate to release/share geographic information or not and what demographics to include with this geographic information. The article also presents a set of criteria and checklists for managing the privacy risks when releasing/sharing location information. This study shows that by protecting only the individuals living in small geographic areas, as defined by the new measures, it is possible to share more information while still being able to manage privacy risks. The study was financed by the GeoConnections program of Natural Resources Canada, the Public Health Agency of Canada, the Ontario Centers of Excellence, and the Natural Sciences and Engineering Research Council. [Science Daily]
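The PNAS record-scrubbing method earlier in this issue and the small-area risk measure above rest on the same idea: an attacker who knows a target's quasi-identifiers (area of residence, age, sex) succeeds only if that combination is rare in the released data, so generalise the fields that make it rare and leave the rest intact. The Python script below is an added illustration, not the algorithm from either paper. It uses constructed patient records and assumed area populations, bands ages everywhere, coarsens geography only for areas below an assumed population threshold, suppresses whatever is still unique, and then plays the attacker against both the raw and the released data.

```python
"""Generalisation-based de-identification of quasi-identifiers, applying
extra protection only to small geographic areas.

Added illustration; not the method from either paper. All records and
population figures are constructed, not real data.
"""
from collections import Counter

# Constructed sample: forward sortation area (first three postal characters),
# age, sex, and an ICD-10-style diagnosis code the researcher needs intact.
RECORDS = [
    {"fsa": "K1A", "age": 34, "sex": "F", "dx": "E11"},
    {"fsa": "K1A", "age": 37, "sex": "F", "dx": "J45"},
    {"fsa": "K1A", "age": 41, "sex": "M", "dx": "I10"},
    {"fsa": "K1A", "age": 46, "sex": "M", "dx": "E11"},
    {"fsa": "K1B", "age": 52, "sex": "F", "dx": "I10"},
    {"fsa": "K1B", "age": 58, "sex": "F", "dx": "K21"},
    {"fsa": "K1B", "age": 63, "sex": "M", "dx": "I10"},
    {"fsa": "X0A", "age": 29, "sex": "M", "dx": "J45"},
    {"fsa": "X0B", "age": 23, "sex": "M", "dx": "E11"},
]

# Assumed population per area (stand-in for census counts).
AREA_POP = {"K1A": 40000, "K1B": 35000, "X0A": 1200, "X0B": 800}

QI = ("fsa", "age", "sex")  # quasi-identifiers an attacker may already know


def age_band(age, width=10):
    """Generalise an exact age to a band, e.g. 34 -> '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def coarse_area(fsa):
    """Generalise a full FSA to its first character, e.g. 'X0A' -> 'X**'."""
    return fsa[0] + "**"


def qi_key(rec):
    return tuple(rec[a] for a in QI)


def class_sizes(records):
    """Size of each equivalence class over the quasi-identifiers."""
    return Counter(qi_key(r) for r in records)


def is_k_anonymous(records, k):
    sizes = class_sizes(records)
    return bool(sizes) and min(sizes.values()) >= k


def transform(rec, area_pop, small_area, width):
    """Public release transform, applied to a record or to attacker knowledge."""
    out = dict(rec)
    out["age"] = age_band(rec["age"], width)
    if area_pop.get(rec["fsa"], 0) < small_area:  # only small areas lose detail
        out["fsa"] = coarse_area(rec["fsa"])
    return out


def deidentify(records, k, area_pop, small_area=5000, width=10):
    """Generalise, then suppress records whose class is still smaller than k.
    Returns (released_records, number_suppressed)."""
    generalised = [transform(r, area_pop, small_area, width) for r in records]
    sizes = class_sizes(generalised)
    released = [g for g in generalised if sizes[qi_key(g)] >= k]
    return released, len(generalised) - len(released)


def raw_matches(records, fsa, age, sex):
    """Attacker linkage against untreated data: exact match on what they know."""
    return [r for r in records if (r["fsa"], r["age"], r["sex"]) == (fsa, age, sex)]


def released_matches(released, fsa, age, sex, area_pop=AREA_POP,
                     small_area=5000, width=10):
    """Attacker linkage against the release: the attacker applies the same
    public transform to their knowledge, then matches. One hit = re-identified."""
    known = transform({"fsa": fsa, "age": age, "sex": sex}, area_pop, small_area, width)
    return [r for r in released if qi_key(r) == qi_key(known)]


def full_geography_fraction(released):
    """Share of released records that still carry their full FSA."""
    if not released:
        return 0.0
    return sum(1 for r in released if "*" not in r["fsa"]) / len(released)


if __name__ == "__main__":
    released, suppressed = deidentify(RECORDS, k=2, area_pop=AREA_POP)
    print(f"raw data 2-anonymous: {is_k_anonymous(RECORDS, 2)}")
    print(f"released {len(released)}, suppressed {suppressed}, "
          f"2-anonymous: {is_k_anonymous(released, 2)}")
    print(f"full FSA kept for {full_geography_fraction(released):.0%} of records")
    # A K1A woman aged 34 is unique in the raw data, one of two after release.
    print(len(raw_matches(RECORDS, "K1A", 34, "F")),
          len(released_matches(released, "K1A", 34, "F")))
```

The point the small-area rule makes is visible in the numbers: three quarters of the released records keep their full FSA, whereas coarsening every area would also reach 2-anonymity but discard geography the study needs. Diagnosis codes are untouched here; the PNAS method generalises those too when they are not the ones under study, and a real release would also consider the attacker knowing a few of them.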


Online Privacy


US – Suit Claims Google Buzz Violated Privacy

A class action suit filed Monday in federal court alleges Google’s Buzz social networking service violated the privacy rights of users of the company’s e-mail service when it automatically displayed their contacts to other users. Following customer complaints, Google modified the service, but the lawsuit contends the changes “do not go far enough” and the error “already caused damage because the Buzz program disclosed private user information the moment Google launched the service.” This week’s lawsuit follows a letter last month to federal antitrust authorities from 10 members of Congress requesting an investigation into whether Buzz compromised users’ privacy, the report states. [BusinessWeek]


CA – Courts Raising Questions about Internet Anonymity

A panel of Ottawa judges is considering whether Web sites named in libel actions must identify people who post anonymous defamatory comments, and that is raising concerns among some privacy and civil liberties organizations. Privacy advocates argue that, “if the judges support unmasking anonymous posters, that could erode their privacy by allowing others to piece together vast amounts of personal information.” Meanwhile a Nova Scotia Supreme Court judge has ordered that newspapers provide the identities of anonymous commentators in legal cases such as defamation suits, stating, “They, like other people, have to be accountable for their actions.” [The Ottawa Citizen]


WW – Privacy Changes Will Keep Flash Cookies Off Computers

Adobe Flash Player 10.1 will honour each user’s browser privacy setting, which means Flash cookies will no longer be “dropped on computers to track Web activity.” Adobe officials noted in a statement that the enhancements will help users better control their personal information “so that when someone activates private browsing in their browser, it is also activated in Flash Player—meaning there is no local storage of information from that Flash Player session.” The changes, which are intended to improve user privacy, could mean difficulties for online merchants and banks that use Flash cookies to identify returning customers, the report states. [NetworkWorld] [Adobe Private Browsing Support website]


WW – News Sites Rethinking Anonymous Comments

News sites are rethinking the anonymity option for readers who post comments in response to articles. Journalists and the organizations they work for may be losing patience with those who use anonymity to make inappropriate comments. “As the rules of the road are changing and the Internet is growing up, the trend is away from anonymity,” says Huffington Post founder Arianna Huffington, whose site will soon implement a ranking system for commenters. Other sites, such as the Washington Post, are considering similar changes to their comments policies. [The New York Times]


CA – Pardoned Sex Offenders Evade Record Checks Due To Tighter Privacy

Some churches and volunteer groups have stopped screening for potential pardoned sex offenders due to newly tightened rules on police database searches. As the government mulls changes to protect public safety, stricter enforcement of privacy around criminal records has made it far more cumbersome for society to weed out volunteers and employees who should not be working with the vulnerable. The Mounties clamped down on access to the Canadian Police Information Centre database, or CPIC, last Dec. 8, sharply restricting the amount of information that had been readily and routinely – if technically illegally – released to organizations and employers doing criminal checks with their employees’ consent. “We didn’t make any changes to the system, per se,” Superintendent Chuck Walker, director of field services for CPIC, said in an interview. “What we did was we insisted that the policies be observed.” There were 887 pardons granted to sex offenders in 2009-10 and 667 the year before, according to figures released Thursday by the National Parole Board. The Criminal Records Act and a ministerial directive dating from 1987 set out very clear rules for the release of pardoned records: only the individual, not his or her potential employer (even with a signed consent), can ask whether a flagged file even exists; if a flagged file is found, only the individual can ask to see it by providing fingerprints, a process that can take 120 days or more; and police may release the contents of the file initially only to the individual. For routine background checks, police can only respond that no record exists or that there may possibly be a record. At that point, the individual would have to submit fingerprints and wait 120 days or more to see if there is in fact a record and what is in it. Organizations responsible for vetting employees and volunteers who work with children and other designated vulnerable groups are anxious to learn more about the RCMP changes. Interviews with both the prospective volunteer and their references, as well as probationary periods for new recruits, are recommended by Volunteer Canada. [Source] See also: [CA – Slain Officer’s Family Pleads for Change in Parole System]


Other Jurisdictions


MY – House Passes Data Protection Bill

Malaysia’s Lower House of Parliament yesterday passed the Personal Data Protection Bill. The bill seeks to prevent data theft and misuse of personal data. It will bring the appointment of a personal data protection commissioner, and will require credit agencies to apply to the commissioner’s office before they can store individuals’ personal data in databases. It will also establish a code of practice to regulate dealings with personal information. The bill will now move to Parliament’s Upper House. If passed into law, offenders could face two-year jail terms, fines of up to RM200,000, or both.


Privacy (US)


US – Report on Cross-Border Data Flow Impediments Released

The North American Trilateral Committee on Transborder Data Flows has released a report detailing the leading impediments to cross-border information sharing. “I am encouraged by the collaborative work that has been done to identify these impediments to free flow of information and international trade,” said Under Secretary for International Trade Francisco Sanchez. “I am confident that we can work together with the North American business community to overcome these barriers.” The Trilateral Committee, established in 2008, comprises representatives from the governments of Mexico, Canada and the United States. [U.S. Office of Technology & Electronic Commerce] Report of the Trilateral Committee on Transborder Data Flows: [Press Release on Report] [Full Report] [2008 Statement on the Free Flow of Information and Trade in North America]


US – New FTC Commissioners Take Oaths

Julie Brill and Edith Ramirez took their oaths of office this week, bringing the Federal Trade Commission’s roster up to five and facilitating its new tougher stance on privacy. During her tenure with the Vermont Attorney General’s Office, Brill received an award from Privacy International for her efforts to require state banks to obtain consumers’ written opt-in consent before sharing information with third parties. “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well,” said President Barack Obama in a statement earlier this year. [Hunton and Williams Privacy and Information Security Law Blog]


US – House Committee Hears about Student Privacy

The topic of student privacy came up this week at a House Education and Labor Committee hearing about the longitudinal data systems used to track the academic progress of schoolchildren. Joel Reidenberg of the Fordham University School of Law warned that many state data systems lack the privacy safeguards necessary for protecting students’ data and lack “clear legal limitations on the purpose for which data could be accessed and used.” After the hearing, committee member Rep. John Kline (R-MN) said, “Efforts to expand data collection and standardize student tracking systems should not even be considered when weaknesses in the security of current data systems remain in question.” [Source]


Privacy Enhancing Technologies (PETs)


WW – New Data Breach System Tries User Pop-Ups

A security company has created a way to make users think twice about the data they access. The data leak prevention system, developed by Check Point, can detect when sensitive data is being accessed and potentially misused. If the system senses a user is accessing data subject to certain corporate data policies, it will deploy an e-mail or pop-up box to remind him or her about the policies. A Check Point spokesperson told the Daily Dashboard the user will be given three options: discard, send or review. Regardless of what the user selects, the system logs the fact that a pop-up or e-mail was issued. [Techworld] See also: [Companies Leverage Privacy as Competitive Advantage]




EU – Report: Assess Privacy Risks before Deploying Passenger RFID Tags

An EU cybersecurity agency has developed recommendations ahead of the implementation of RFID technology in air travel. The European Network and Information Security Agency (ENISA) report focuses on RFID luggage tags and biometric chips in electronic passports. The technologies are expected to streamline the air travel experience for both passengers and airport staff. But the report recommends further research in the areas of data protection and privacy, citing possible privacy and security risks, among others. ENISA also advises European Commission policymakers to mandate security and privacy impact assessments before the new technologies are deployed, the report states. [The Register] [Flying 2.0: ENISA Reports and Annexes]




WW – Lost Media Top Reason for Data Exposures

Since January 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data affecting more than five million people. That’s according to a 2010 Healthcare Information and Management Systems Society study on the security of patient data. The study found that 40% of respondents said data losses were due to laptop and other media thefts. The study also found that although organizations are training staff on data protection practices, a lack of consensus on who should be responsible for data security persists. [InformationWeek]


CA – BC Ferry Audits Reveal Many Deficiencies

Recent audits of BC Ferries have revealed deficiencies in the company’s data protection safeguards. The company’s president assured the problems will be addressed by fall and said, “We are confident that our system is safe and won’t be compromised.” An audit conducted last fall revealed up to 45 security deficiencies, including insufficient password protocols and a failure to audit database access. The audit also revealed that the company is storing several years’ worth of unnecessary credit card data across multiple databases and that “the encryption routine is not fully secure or monitored/audited.” [Globe & Mail]


US – Survey: Compliance Focus Leaves Secrets Vulnerable

Many companies’ IT departments are making significant investments in data protection compliance, possibly to the detriment of company trade secrets. That’s according to a recent survey of 305 companies worldwide. The Forrester Consulting study, funded by Microsoft and RSA, found that 39% of enterprise budgets are devoted to compliance-related security programs aimed at protecting custodial data, even though “trade secrets” comprise more than half of the data stored. “This strongly suggests that investments are overweighed by compliance,” the report states. The authors recommend remedies for correcting the imbalance, such as determining data value and creating a “risk register.” [eSecurity Planet]


US – NIST Releases Guidelines to Protect Personal Data

The National Institute of Standards and Technology (NIST) has released guidelines aimed at helping agencies safeguard personal information. Among other recommendations, the report suggests agencies take inventory of stored personally identifiable information (PII), and develop a risk-based approach to protecting it, placing emphasis on protecting the most critical information. The report states, “All PII is not created equal,” and quotes a former presidential advisor who once told Congress, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” [Government Computer News] [NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information]


CA – Canadian CIOs Admit Lack of Security Awareness

For the first time, PricewaterhouseCoopers breaks out Canadian stats from its annual survey of security practices in organizations worldwide. Have hackers, botnets or rogue ex-employees managed to steal mission-critical data from the enterprise? Don’t ask the CIO. According to PricewaterhouseCoopers, which worked with U.S. CIO magazine on an annual survey of more than 7,000 individuals in 130 countries, Canadian organizations are 8% less likely to know if they’ve had a security incident compared to their global counterparts. A total of 39% said they were unaware of any breaches, and of those that know something went wrong, nearly half, or 46%, don’t know exactly what happened. Compliance in its various forms emerged as the leading driver for IT security spending in Canada overall, followed by disaster recovery. That doesn’t really address the knowledge gaps, however. [Source]




UK – Kent Police Faces Legal Threat Over ANPR Cameras

Kent Police could face a flood of High Court cases after being accused of breaking privacy laws by storing photographs of innocent motorists. Campaigners from the civil rights group Liberty have vowed to support anyone who wants to take legal action against the force after a report by the National Policing Improvement Agency revealed that pictures taken using automatic number plate recognition (ANPR) technology – which are stored for up to two years – sometimes catch passengers’ faces. The Liberty threat could spell particular trouble for Kent, which has so far invested £5.3 million into the system and claims to be one of the leading constabularies in the UK for using ANPR. The technology, launched nationally in 2006, is used to detect criminal activity, ranging from motorists with no insurance to stolen cars. In Kent it records the movements of one million cars a day using 200 hidden cameras in undisclosed locations. A Liberty spokeswoman said police originally said the system would be used only to identify unlicensed and uninsured drivers. “Now we see it being used for a myriad of purposes without any public debate,” she added. [Source]


WW – Film Explores Escaping the “Surveillance State”

The advocacy group Privacy International has ranked the UK just behind such nations as Russia and China in terms of its use of surveillance. In an interview with filmmaker David Bond, the magazine explores Bond’s experiment spending a month escaping detection, which was prompted by the government’s loss of his newborn daughter’s personal information in 2007. Bond’s experiences resulted in the creation of a documentary entitled “Erasing David.” Going “off the grid,” Bond says he learned that, “We’re normalized to living an utterly exposed life. But there’s value in privacy—it’s a tremendously uplifting and strengthening feeling, to feel like you can withdraw. Not because you’ve got anything to hide, just because you want to.” [TIME] See also: [Computer Tech Busted for Women’s Room Camera]


Telecom / TV


US – Coalition: Warrant Should Be Required for Gov’t Access to E-mail

Privacy groups and Internet giant Google are supporting Yahoo’s efforts to fend off a request from the U.S. Department of Justice to access e-mail messages. “This case is about protecting the privacy rights of all Internet users,” a Google representative said. “E-mail stored in the cloud should have the same level of protection as the same information stored by a person at home.” In a brief filed this week, the coalition, which is also behind Digital Due Process, contends that a search warrant is necessary before the FBI or other police agencies can read the contents of e-mail messages. “Society expects and relies on the privacy of e-mail messages just as it relies on the privacy of the telephone system,” the brief states. [CNET]


US Government Programs


US – Md. Law Limits Military Recruitment of High School Students

Maryland schools will no longer forward scores from a popular vocational test to military recruiters under new legislation that requires high school students to send the information themselves. The test, the Armed Services Vocational Aptitude Battery, or ASVAB, is administered by the military in schools across the country as a public service and is used by career counselors as a tool to guide students toward an array of jobs, not just those in the armed services. Unless the school or a student checks an opt-out box, the scores are released to military recruiters, who can get in touch with prospective recruits. The new law, signed by Gov. Martin O’Malley this week, requires Maryland schools to check the opt-out box. “This was a victory for the privacy of student information and the right of families to engage in decision-making,” said Sen. Jamie B. Raskin (D-Montgomery), who championed the bill in the Senate, where it passed, 25 to 22, this month. The bill passed in the House, 102 to 37. Many school systems, including those in Montgomery and Prince George’s counties, haven’t forwarded the scores for several years. But the new law will apply that policy statewide. [Washington Post]



US Legislation


US – Two States, Two New Laws

Two states enacted data breach-related laws recently. Late last month Washington Governor Christine Gregoire signed a law that lets banks recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with Payment Card Industry standards. It takes effect July 1, 2010. Last week the state of Mississippi became the forty-sixth in the nation to enact a data breach notification law. According to a Kelley Drye & Warren report, the law “tracks the general language of data breach notification laws already enacted.” It takes effect July 1, 2011. [Source]


US – Virginia Passes Medical Breach Notification Law

The state of Virginia has passed a law requiring notice of security breaches involving medical information. It requires that breached entities notify affected Virginia residents and the state’s Office of Attorney General. “The Attorney General can bring an action for violations of the law and impose civil penalties of up to $150,000 per breach,” writes Info Law Group’s David Navetta, CIPP. “The law does not apply to persons or entities that must report the breach under the HITECH Act.” The new rules become effective in January. [Information Law Group]


Workplace Privacy


US – Supreme Court to Hear Employment Text Privacy Case

Next week the U.S. Supreme Court will begin its review of a Ninth Circuit decision that has implications for employee privacy. In City of Ontario v. Quon, the justices will determine whether a municipal police officer had a reasonable expectation of privacy in text messages transmitted on a department-issued pager. “The eventual decision could have huge repercussions,” the report states, and public and private sector groups are watching. The National School Boards Association filed an amicus brief in February, saying that the outcome could impact “the ability of school districts to access employees’ work-related communications.” [National Public Radio] See also: [CCIA: Supreme Court Needs Tech-Savvy Justice]


WW – Unvarnished – Website Sparking Controversy over Professional Privacy

A new Web site designed to help employers find out more about job candidates has some concerned about its potential for damaging professional reputations. Currently in beta and only accessible through Facebook, the Unvarnished site lets individuals create profiles of themselves or someone else. Other users can then build upon the profiles anonymously, adding feedback on professional performance. Once created, the profiles cannot be removed, the report states. Critics say the site could damage the professional patinas of “unsuspecting individuals.” [San Diego Entertainer]