Privacy News Highlights

17–30 April 2010



US – Army Wants Sensors to Nab Sweaty, Smelly Security Threats. 3

CA – BC Gov’t Case for Restricting Privacy Law “Bogus”. 3

CA – Industry Associations Argue PIPEDA Is Strong Enough as Law Faces Review.. 3

CA – Canada/US Border Agencies Access the Other’s Data Thousands of Times a Day. 4

CA – PIAC Files Complaint, Seeks Investigation. 4

US – Studies: Young People Care About Privacy Online. 4

US – Computer Experts Tackle Privacy, Security Policy Issues at CFP 2010. 5

US – Supreme Court Ponders Privacy Rights for Petition Signers. 5

IN – India’s Electronic Voting Machines Are Vulnerable to Attack. 5

UK – Sex Offenders Win Right to Challenge Lifetime Place on Sex Offenders Register 5

US – Feds Withdraw Demands for E-mails. 6

EU – Commission Promises Data Protection Law Rewrite. 6

UK – Gov’t Supporting EU Plan for Foreign Gov’t Surveillance of Brits at Home. 6

EU – European Data Protection Supervisor Calls for Built-in Data Wiping Technology. 6

EU – Peter Hustinx Receives 2010 Privacy Leadership Award. 7

WW – Study: Perception of Data Security at Odds with Reality - Study. 7

US – Ponemon Study: How Data Laws Slap Insecure Companies. 7

EU – Lone IT Industry Voice Speaks Out Against EU Web Filter Plan. 7

CA – B.C. Court Asked to Overturn Ruling on Freedom of Information. 8

US – Former NSA Official Pleads Not Guilty in Data Leak Case. 8

US – Indian Tribe Wins Fight to Limit Research of Its DNA.. 8

US – Fairfield Woman Claims Gene Discrimination After Breast-Cancer Test 9

US – Police May Use Trash to Get a Suspect’s DNA.. 9

UK – EU Plan to Allow Foreign Cops to Seize DNA from Brits is Slammed. 9

UK – Insecure National NHS Database: Patient Secrets Being Sold. 9

US – Large Patient Information Breaches Skyrocket 10

US – HHS Advisory Panel Considers Patient Consent Framework. 10

US – Affinity Health Plan Acknowledges Data Breach. 10

US – Discarded Copiers Hold Sensitive Data on Hard Drives. 10

WW – Google Attackers Reportedly Stole Single Sign-On Source Code. 11

US – COPPA Hearings: PFF Says Expanding to Include Teens Will Undermine Privacy. 11

EU – Irish High Court Says “Three Strikes” Doesn’t Violate Law.. 11

WW – “Exponential” Growth in Demand for Social Data. 12

US – Facebook Careful About Privacy Guidelines at FTC.. 12

WW – Report: Facebook CEO Mark Zuckerberg Doesn’t Believe In Privacy. 12

WW – No Agreement on UN Global Cyber Crime Treaty. 12

WW – Russia and US Move Toward Cooperation at Internet Conference. 13

WW – Google Faces Condemnation from Privacy Watchdogs. 13

WW – Google Launches New Government Transparency Tool 13

US – Amazon Fights Demand for Customer Records. 13

WW – Google Street View Logs Wifi Networks, Mac Addresses. 14

CA – GPS Device Lets Parents Listen in on Their Children. 14

WW – Facebook Spreads to Broader Web, Offers Personalization. 14

US – Senator Concerned About Facebook’s Privacy ‘Invasion’ 15

TW – Taiwan Legislature Approves Revised Personal Data Act 15

US – Commerce Department Scrutinizes Internet Privacy. 15

WW – Site Grades Privacy of Internet Apps. 16

WW – Secure P2P Scheme Leverages Social Networks. 16

CA – Student Hopes New Technology Will Provide RFID Privacy. 16

US – OMB Memo Describes New Direction for Federal Cyber Security. 16

US – More Than 30 Privacy Groups Challenge U.S. Airport Body Scanners. 17

WW – New Airport Security Scanners A Waste Of Money: Israeli Security Specialist 17

US – DHS Acknowledging Three More Domestic Spying Programs. 17

US – Pennsylvania School District Laptop Surveillance Case Prompts New Legislation. 17

WW – Self-Training Video Analytic Software Developed to Monitor Crowds. 18

IN – Muslim Leaders Furious Over Phone Tapping In Muslim-Dominated Cities. 18

CN – China Wants Telecom Companies to Inform on Clients. 18

WW – Spy Software Watches Blackberry, Privacy Advocates Too. 18

UK – Secret Trial: Satellite Tracking Motorists Via High-Tech Speed Cams. 19

WW – Researchers’ Network Exploits Pull Sensitive Information on Cell Phone Users. 19

US – DHS Begins Einstein 3 Tests. 19

US – California Senate Approves Notification Law Update. 19

US – New and Proposed Data Breach Legislation Around the US. 20

US – Illinois Lawmakers Pass Big Change to Adoption Privacy Act 20

US – Arizona Governor Signs Immigration Enforcement Bill 20

US – California Senate Passes Bill to Prohibit Posts about Minors. 20

US – Survey: Most Security Pros Favor Federal Breach Law.. 20

US – Survey: CIOs Restricting Use of Social Media. 20





US – Army Wants Sensors to Nab Sweaty, Smelly Security Threats

The U.S. military has been after scent-based detection systems for years now. In 2007, Pentagon research agency Darpa solicited proposals for sensors to sniff out terrorists using unique genetic markers found in human emanations. The idea was based on research showing that mice each carried a unique “odortype” that was consistent despite variables like stress, hydration or diet. And odortypes are so powerful, they stick around for around a month after their host body has fled the premises. But the most state-of-the-art tech, known as E-Nose, has only succeeded in distinguishing between two different people, and relies on “detecting human odor from the armpit region.” Now, the Army is launching Identification Based on Individual Scent (IBIS), and wants proposals for a more sophisticated detection system, that could “uniquely identify an individual based on scent,” at a geographical distance or after several hours or even days. The Army’s also launching “Human Signature Collection and Exploitation via Stand-Off Non-Cooperative Sensing,” to refine technology that can detect hostile intent based on thermal imaging — an analysis of the heat radiating off a body. And since research has shown that different faces radiate heat in unique patterns, they’re hoping to create sensors that can positively identify people, much like iris scans or fingerprinting. []




CA – BC Gov’t Case for Restricting Privacy Law “Bogus”

Last month the government submitted its official pitch to a legislative committee tasked with updating the freedom of information and protection of privacy law. Although there is a lot of concern about the freedom of information side of the issue, the brief was mostly about privacy law. Specifically, it was a lengthy objection about how protection of privacy law is getting in the way of government efforts to streamline and improve services. The government’s main point, based on horror stories where privacy stood in the way of government providing services smoothly, was on the need to relax the privacy law to allow more sharing of information. But acting information and privacy commissioner Paul Fraser showed up later at the committee. He represents the independent office that oversees both parts of the information and privacy law. And the striking thing about his testimony to the committee was how bogus the government’s examples of privacy restrictions gone awry were. Fraser said the government examples are still valid, if only because they illustrate “the lack of training and the understanding of public servants and the need for leadership and direction within the government.” Based on a review of various officials’ testimony before the committee and a review of the brief itself, Fraser told MLAs his office was unable to identify how the government had determined that the law interferes with any of the projects officials had cited. “All of the examples are either permitted or are permitted and underway,” he stressed. His main point was one he made earlier after the last big breach of citizens’ privacy courtesy of the government – the government needs a chief privacy officer to help explain how the law works to government itself. He also noted a big paradox shaping up. To some people’s surprise, it’s the big corporations that are investing huge sums in privacy protection and taking the concept seriously on behalf of their customers. The public sector is offering resistance and going in another direction. [Times-Colonist]


CA – Industry Associations Argue PIPEDA Is Strong Enough as Law Faces Review

The effectiveness of the Personal Information Protection and Electronic Documents Act (PIPEDA) is under debate as groups prepare for the privacy commissioner’s upcoming 2010 Consumer Privacy Consultations. While companies and industry associations say PIPEDA protects consumer privacy effectively, public interest groups argue the act should be modernized to reflect new technologies. An overarching theme in the consultation submissions, obtained through access-to-information, is PIPEDA’s effectiveness in dealing with new technologies because it is intended to be technology-neutral. [Source]

CA – Canada/US Border Agencies Access the Other’s Data Thousands of Times a Day

FBI records show that thousands of times each day, Canadian authorities tap into sensitive U.S. government databases to check the criminal histories of U.S. citizens who are crossing the border or have been entangled in the Canadian criminal justice system. The databases are an integral part of security operations for Canadian officials, who are preparing for June meetings of the Group of Eight summit of the world’s leading economic powers and the G-20 leaders of developed and developing countries. The summit meetings have drawn thousands of protesters in the past, including at last year’s G-20 meeting in Pittsburgh. The databases “provide invaluable investigative assistance” daily for law enforcement and support agencies, the Royal Canadian Mounted Police (RCMP) said in a statement. During the Winter Olympics, Canadian authorities ran nearly 10,000 criminal history checks per day, more inquiries than some U.S. states perform each day, FBI records show. Even more Canadian citizens receive similar scrutiny by U.S. officials with access to Canadian records, according to RCMP records. Since January, Canada has conducted 400,000 queries and the U.S., 1.4 million. The U.S. shares its criminal databases more freely with Canada than any other country as part of a treaty signed during the Reagan administration. Yet some U.S. and Canadian analysts say the countries’ frequent use of the systems raises serious privacy and information security concerns potentially involving millions of people on both sides of the border. “This is a dangerous practice that needs a tremendous amount of accountability,” said Michael German, the ACLU’s national security policy counsel and a former FBI agent. He says Canada’s access to such detailed - and possibly outdated - personal histories of U.S. citizens, including decades-old misdemeanors, can result in wrongful detention, interrogation and foreign travel bans. About half of the arrest records in the system have not been updated to reflect convictions, dismissals or acquittals, Weise said, adding that local law enforcement agencies are responsible for giving the FBI updated information. [USA Today]


CA – PIAC Files Complaint, Seeks Investigation

The Ottawa-based Public Interest Advocacy Centre has filed a complaint with Canada’s federal privacy commissioner about the Nexopia social networking site. The 35-page complaint alleges that six of Nexopia’s privacy practices violate the Personal Information Protection and Electronic Documents Act. “PIAC would like to see the privacy commissioner investigate Nexopia’s privacy practices for compliance with Canadian privacy law, with special consideration to how Nexopia handles the privacy and personal information of minors,” said PIAC counsel John Lawford. The complaint states that the company’s very advanced search function “does not respect youth privacy,” and its default settings “are set to share information with the whole world.” [PIAC complaint]




US – Studies: Young People Care About Privacy Online

There’s often talk about how young people don’t care about their privacy, especially online. But recent papers from Harvard, Berkeley and University of Pennsylvania researchers show that kids and young adults do want to keep information private. They just aren’t as savvy about privacy laws, and kids and teens in particular are concerned about a specific type of privacy - namely whether parents, teachers and other adults are viewing their information. Both sets of researchers found that young people’s values are similar to those of older adults when it comes to privacy. One big difference, though, is that young people seem to think that rules protecting their privacy are more stringent than they actually are, according to the study by researchers at the University of California at Berkeley and the University of Pennsylvania, which compared people ages 18 to 24 with those in older age groups. The young people were more likely to think incorrectly that sites had to delete private information about users on request or that sites had to obtain people’s permission before following their Internet use across multiple sites, for example. Another difference is that more young people see important social benefits in sharing information with their peers. Online businesses encourage young adults to release personal data in order to be included in online social circles, even though in “their most rational moments,” the young people may prefer to keep their privacy, the Berkeley study said. [The Wall Street Journal] Rebuttal: [Flawed Online Privacy Study Obscures Age Differences]


US – Computer Experts Tackle Privacy, Security Policy Issues at CFP 2010

The 20th Annual ACM Computers, Freedom and Privacy (CFP) Conference will address several key issues, including privacy in the cloud, healthcare information technology, social network activism, the 2010 census, and human rights. Microsoft chief privacy strategist Peter Cullen will give a keynote address on privacy issues in cloud computing, while human rights in the context of the Web will be the focus of the keynote address of Google chief legal officer David Drummond. The American Civil Liberties Union of Northern California’s Nicole Ozer will lead the opening panel, entitled “Privacy and Free Speech: It’s Good For Business.” CFP 2010 also will offer a technology fair; sessions on “Investing in Privacy,” “The Internet of Things,” and “Foundations of Trust Online;” the first “Unconference on Computers, Freedom and Privacy;” graduate student poster sessions; and birds of a feather roundtable sessions. CFP 2010 will be held June 15-18 at San Jose State University. [Source] [What the data crunchers know about you]




US – Supreme Court Ponders Privacy Rights for Petition Signers

The Supreme Court seemed skeptical this week that the Constitution offers protection to individuals who fear harassment over their signature on referendum petitions, with the toughest questioning coming from Justice Antonin Scalia. James Bopp Jr., representing voters in Washington state who objected to disclosure of their signatures on petitions challenging a gay-rights law, told the justices that “the First Amendment protects citizens from intimidation resulting from compelled disclosure of their identity.” Scalia, the first to question Bopp’s assertion, was unrelenting in his opposition. “The fact is that running a democracy takes a certain amount of civic courage,” Scalia said. “And the First Amendment does not protect you from criticism or even nasty phone calls.” [Washington Post] [What’s Your Sign? A Supreme Court case that puts Scalia and gay rights advocates on the same side] [Supreme Court Justices Trade Barbs, Wit During Transparency and Disclosure Debate] See also: [NYT: Judges rap Wiki-evidence in immigration cases]


IN – India’s Electronic Voting Machines Are Vulnerable to Attack

A University of Michigan (UM) collaborative study has found that India’s direct recording electronic (DRE) voting machines are vulnerable to fraud. UM researchers demonstrated two attacks against an Indian electronic voting machine. One attack involves replacing a part with a similar-looking component that can be instructed to steal a%age of the votes from a candidate. Another attack uses a small device to change the votes stored in the machine. “Almost every component of this system could be attacked to manipulate election results,” says UM professor J. Alex Halderman. However, the Election Commission of India claims that weaknesses found in other electronic voting systems around the world do not apply to India’s DRE machines, which it called “fully tamper-proof.” DREs store votes in internal memory and provide no paper records for later inspection or recount. “Such machines have already been abandoned in Ireland, the Netherlands, Germany, Florida, and many other places,” says Rop Gonggrijp, a security researcher from the Netherlands who took part in the study. “India should follow suit.” [Source]


UK – Sex Offenders Win Right to Challenge Lifetime Place on Sex Offenders Register

Two sex offenders have won the right to challenge their lifetime inclusion on the sex offender register after complaining that it breached their human rights. The ruling in the Supreme Court opens the way for hundreds of other sex offenders placed on the register for life to seek to have their details removed. The offenders, a teenager convicted of rape and Angus Thompson, convicted of indecent assault, argued that the register breached their human rights because there is no right of review even if they could produce evidence that they had reformed. Sex offenders are placed on the register for life if they are given a sentence of 30 months or more in jail. In 2008-9 there were 44,700 people on the register in England and Wales. Two years ago the High Court ruled that indefinite registration with no right of review was “incompatible” with their rights to privacy. The decision, won by the teenager, referred to as JF, and Thompson, 52, was upheld by the Appeal Court last year. Now five Supreme Court justices have unanimously dismissed a Home Office appeal and said that the Sexual Offences Act, which set up the register, was incompatible with the European Convention on Human Rights because it did no allow for a review of individual cases. [TimesOnLine]




US – Feds Withdraw Demands for E-mails

In a Colorado court on Friday, federal authorities withdrew demands to obtain from Yahoo e-mail related to a pending and sealed criminal case, saying it would not be useful to their investigation. The authorities had been seeking user-accessed e-mail that was less than six months old. In December, a Colorado magistrate ordered Yahoo to release the e-mail, but the company refused, citing the 1986 Stored Communications Act that requires the government to show probable cause, the report states. Had Friday’s decision been different, “the vast majority of Americans’ e-mail would be accessible to the government without probable cause,” according to the report. [Wired]


EU Developments


EU – Commission Promises Data Protection Law Rewrite

The European Commission will rewrite data protection laws to take account of new plans to govern areas of justice and security policy. The Commission claimed that the changes will improve citizens’ privacy when it comes to crime prevention activity. A new “legal framework” will be introduced in 2010 for data protection law in the European Union, the Commission has said. The Commisison has published a plan to govern on issues of justice and security in the wake of the passing of the Lisbon Treaty, a new legal basis for EU government that came into force last December. This absorbed policy on security and justice into the main body of EU government and reduced the ability of member states to block policies. [Out-Law] [The Communication on the Stockholm Programme]


UK – Gov’t Supporting EU Plan for Foreign Gov’t Surveillance of Brits at Home

British citizens face being subjected to secret EU ‘Big Brother’ spying missions. Labour is supporting plans for a dramatic expansion in the powers available to fellow member states who accuse UK nationals of committing even the most minor crimes while visiting. Under the plans, other countries could get the right to demand surveillance on a UK resident who has returned home, and access to his or her bank records. They could also be entitled to demand British police take a suspect’s DNA or other samples. Civil liberties groups across the continent are furious at the proposals, designed to bolster the controversial new European Evidence Warrant - a partner to the deeply controversial European Arrest Warrant. [Source]


EU – European Data Protection Supervisor Calls for Built-in Data Wiping Technology

European data protection supervisor Peter Hustinx has called for data-wiping technology to be built in to electric and electronic equipment. Hustinx made the suggestion while reviewing the European Commission’s proposed revision of the Waste Electrical and Electronic Equipment (WEEE) directive. The data deletion process should be simple and free of charge, said Hustinx. He also wants WEEE to ban the sale of used electronic devices that have not been wiped clean of data. The UK’s Data Protection Act requires that organizations delete data from devices before they are disposed of. [ZDNet] [SCMagazine] [ComputerWeekly] [Hustinx’s Opinion]


EU – Peter Hustinx Receives 2010 Privacy Leadership Award

European Data Protection Supervisor Peter J. Hustinx has received the International Association of Privacy Professionals’ 2010 Privacy Leadership Award for his commitment to ensuring individual privacy rights are respected. In a video acceptance speech Hustinx said, “I feel very honored and proud to have received this prestigious award from the International Association of Privacy Professionals.” The award recognizes ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Hustinx has been involved in shaping national and international privacy law for nearly 40 years. He has served as European Data Protection Supervisor since January, 2004. [Source]


Facts & Stats


WW – Study: Perception of Data Security at Odds with Reality - Study

Nearly three-quarters of organizations believe they have adequate policies in place to protect sensitive, personal information, yet more than half have lost sensitive data within the past two years – and nearly 60% of those organizations acknowledge data loss as a recurring problem, according to findings of a global study released today by Accenture. The study – which surveyed more than 5,500 business leaders and 15,500 adult consumers in 19 countries – reveals a startling difference between organizations’ intentions regarding data privacy and how they actually protect sensitive personal information, such as name, address, date of birth, race, National ID/social security number and medical history. The study was conducted in conjunction with the Ponemon Institute, an independent privacy, protection and information security research firm. [Source] [Full research report]


US – Ponemon Study: How Data Laws Slap Insecure Companies

Breach disclosure laws—the rules that require companies to alert customers or employees when they’ve lost control of their private data—may not always achieve their intention to prevent identity theft. But a new study suggests the laws bolster protections in a less direct way: by financially punishing companies that suffer data security mishaps. In an analysis of 133 companies in five countries, the privacy-focused nonprofit Ponemon Institute surveyed executives anonymously on the financial repercussions of data breaches they had experienced in the last year. The study found that American companies lost about $6.75 million on average as a result of data spillages, only slightly higher than the $6.6 million per incident that they experienced in 2009. Ponemon found a more significant trend: Companies in countries like the U.S. and Germany, which in most cases require firms to tell the affected individuals when their personal data has been spilled, experience far higher losses than companies in countries that allow breach victims to hide their data security incidents. “This confirms what we’ve suspected, that when regulations require exposing information about [a breach,] that compels companies to incur costs that they might have avoided by keeping an event secret,” says Ponemon analyst Mike Spinney. Ponemon’s study may show how data breach laws protect consumers less directly over time: By increasing the publicity around incidents, they hold the companies more accountable for their security failures. The threat of an expensive breach, argues Ponemon’s Spinney, may be the best incentive for companies to take basic security measures. “As the saying goes,” Spinney says. “Sunshine is always the best antiseptic.” [Forbes]




EU – Lone IT Industry Voice Speaks Out Against EU Web Filter Plan

A European proposal to introduce mandatory blocking of child abuse websites poses a threat to the openness of the Internet, according to Ed Black, president of the Computer & Communications Industry Association (CCIA). Black is so far the only person from the IT industry willing to speak out on the issue. Companies including Google, Microsoft, Yahoo and the Spanish telecommunications operator Telefónica, as well as other trade groups representing the interests of the IT industry, either declined to comment, failed to respond to questions or said they are still analyzing the draft law. Meanwhile, the European Commission which drafted the proposal is paying a group of child protection groups from around Europe EUR300,000 to lobby in favor of the proposed law. And key politicians in the European Parliament are already lined up firmly in favor of the plan. The website blocking plan is part of a wide-ranging draft law intended to clamp down on child exploitation that was proposed by the European Commission last month. [Source]




CA – B.C. Court Asked to Overturn Ruling on Freedom of Information

The B.C. Liberal penchant for secrecy is under legal scrutiny ironically for its use of the Freedom of Information Act to block access to documents about freedom of information. In what is expected to be a two-day hearing, Justice Miriam Gropper was asked to overturn a ruling by the Information and Privacy Commissioner to not disclose material to the Freedom of Information and Privacy Association. The non-profit society wanted copies of submissions on proposed changes to the Freedom of Information Act received by the government as part of a 2006 consultation process. At first, Victoria said the stakeholders who provided those oral and written reports — basically lobbyists — did not want them released. The Information and Privacy Commission initially sent the request back to the government saying that wasn’t a good enough reason to withhold the material so the administration claimed the documents were “advice to the minister” and thereby protected under section 13 of the act. The commission accepted that. But the society argued that’s stretching the intention of the section, which was to protect cabinet deliberations and a narrow range of material used in them. [Vancouver Sun]


US – Former NSA Official Pleads Not Guilty in Data Leak Case

Former National Security Agency (NSA) official Thomas Andrews Drake has pleaded not guilty to charges of willful retention of national defense information, obstruction of justice and making a false statement. Drake allegedly leaked NSA secrets to a journalist who used the information in a series of articles about problematic programs within the NSA. Drake’s attorneys have requested that he be tried by a jury; a trial has been scheduled for October. [Washington Post] [Baltimore Sun] [Text of Indictment]




US – Indian Tribe Wins Fight to Limit Research of Its DNA

Seven years ago, the Havasupai Indians, who live amid the turquoise waterfalls and red cliffs miles deep in the Grand Canyon, issued a “banishment order” to keep Arizona State University employees from setting foot on their reservation - an ancient punishment for what they regarded as a genetic-era betrayal. Members of the tiny, isolated tribe had given DNA samples to university researchers starting in 1990, in the hope that they might provide genetic clues to the tribe’s devastating rate of diabetes. But they learned that their blood samples had been used to study many other things, including mental illness and theories of the tribe’s geographical origins that contradict their traditional stories. The geneticist responsible for the research has said that she had obtained permission for wider-ranging genetic studies. Acknowledging a desire to “remedy the wrong that was done,” the university’s Board of Regents on Tuesday agreed to pay $700,000 to 41 of the tribe’s members, return the blood samples and provide other forms of assistance to the impoverished Havasupai - a settlement that legal experts said was significant because it implied that the rights of research subjects can be violated when they are not fully informed about how their DNA might be used. The case raised the question of whether scientists had taken advantage of a vulnerable population, and it created an image problem for a university eager to cast itself as a center for American Indian studies. But genetics experts and civil rights advocates say it may also fuel a growing debate over researchers’ responsibility to communicate the range of personal information that can be gleaned from DNA at a time when it is being collected on an ever-greater scale for research and routine medical care. [The New York Times]


US – Fairfield Woman Claims Gene Discrimination After Breast-Cancer Test

In a case that raises concerns about the handling of genetic and medical information, a Fairfield woman has filed a discrimination complaint after she had a voluntary double-mastectomy, then lost her job. Pamela K. Fink had the surgery last October after genetic tests suggested that she was at risk for breast cancer. On Tuesday, she filed complaints with state and federal agencies against Stamford-based MXenergy, the natural gas and electricity provider that eliminated her job March 25. Fink, 39, who was public relations director for MXenergy, says she was fired because she is a carrier of the BRCA2 gene - a so-called breast- cancer gene. The company fired her “because it regarded me to be an ‘individual with a disability,’” Fink said in a complaint to the Connecticut Commission on Human Rights and Opportunities. The complaint, also filed with the federal Equal Employment Opportunity Commission, is believed to be the first genetic discrimination case in the state - and one of the first in the nation - since the federal Genetic Information Nondiscrimination Act took effect in November. MXenergy denied her claims. [The Hartford Courant]


US – Police May Use Trash to Get a Suspect’s DNA

Police may sift through a suspect’s trash, collect a genetic sample and send it off for DNA testing without a warrant, the state’s highest court ruled last week in upholding a 2007 county rape conviction. The 5-2 opinion by the state’s Court of Appeals - which was issued Thursday in Annapolis - drew praise from prosecutors who said they had “no doubt” a county police detective was in the right four years ago when she tricked Kelroy Williamson into throwing away a fast food cup and unwittingly giving her a DNA sample. “I’ve always thought it was legal, and apparently now five judges do as well,” State’s Attorney Frank Weathersbee said. District Public Defender William Davis, who represented Williamson at trial, blasted the majority opinion, though. He said the court is ignoring the U.S. Constitution’s protection against unlawful search and seizure, and that Chief Judge Robert M. Bell and Judge Clayton Greene Jr. got it right in their dissenting opinion. “They aren’t chipping away at the Fourth Amendment, they are taking a jackhammer to it,” Davis said. He expects police departments across the state to “pick up this opinion and run with it.” “It opens up the door for the police to just follow you around and pick up your DNA and put it in a database,” he said. [Source] See also: [Use of GPS throws burglary evidence into doubt]


UK – EU Plan to Allow Foreign Cops to Seize DNA from Brits is Slammed

The European Union has put forward a proposal for a continentwide search warrant, which could be issued in any state, and which would be binding on all police forces. Under the proposals, authorities in countries such as Poland would be given the power to demand that British police seize the bank account details of a suspect living in this country. Warrants could also be issued which would force police to intercept phone calls, set up CCTV surveillance, monitor bank accounts, and even demand body samples such as fingerprints or DNA. Civil liberties groups including Justice and Fair Trials Abroad have warned that the extended European Evidence Warrant could see a repeat of the problems caused by the European Arrest Warrant, which have led to Britons being extradited for relatively minor offences. [Source]


Health / Medical


UK – Insecure National NHS Database: Patient Secrets Being Sold

Thousands of patients have unwittingly become victims of the new NHS computer system. Beset by blunders, the national database of patient records is now four years late and some £10bn over-budget. Worse still, it appears that civil liberties campaigners’ worst fears are now also being realised. Last month it emerged that as many as 140,000 non-medical staff, including porters, cleaners and receptionists have access to sensitive NHS patient files. Crucially, these auxiliary staff do not need patient consent or to inform clinicians before opening the data. This disturbing lack of privacy protection has been revealed by a Freedom of Information survey carried out by the campaign group Big Brother Watch. One investigation into the state of the NHS computer project has discovered a litany of frightening errors that go to the very heart of the debate regarding patient confidentiality. Most worryingly, private detectives are selling top-secret patient information on the black market for up to £300 a time. They claim they can reveal ex-directory numbers and private addresses, along with other personal medical details. Unsurprisingly, a backlash against the new database is now under way. As the NHS begins the mammoth - and costly - task of informing patients that their records are being computerised, consumer organisations report hundreds of thousands of enquiries from people hoping to opt out of the system altogether. [Daily Mail]


US – Large Patient Information Breaches Skyrocket

The number of entities reporting large-scale breaches of patient information has doubled since February. The Office for Civil Rights (OCR) Web site now lists 64 entities as having reported breaches of unsecured personal health information affecting 500 or more individuals, the report states. The HITECH Act requires the OCR to make public such breaches. Eight of the 64 breaches involve unnamed sole practitioners. The OCR cannot release the names of those practitioners without their consent, but the agency filed a notice in the Federal Register last week indicating its intent to take away the “consent” option. [HealthLeaders Media]


US – HHS Advisory Panel Considers Patient Consent Framework

An advisory group to the Health and Human Services Department began considering a draft Basic Patient Privacy Consent technical framework that describes how health organizations should incorporate patients’ consents and consent policies into their enterprises. The patient consents are needed for collecting and sharing patient health care data in EHR systems to improve quality of care and public health. In many cases, data is de-identified to avoid identifying the patient. HHS currently is distributing $17 billion in incentives under the economic stimulus law to doctors and hospitals that adopt the electronic systems. The goal of the basic patient privacy consent framework is to be human readable, machine readable and able to handle multiple types of consents and documents. Under the framework, a health information exchange would develop a set of privacy and consent policies and start an access-controlled system to implement those policies supported by an EHR system. Patients would be given the policies and could “selectively acknowledge” which policies apply to their records. The draft included at least 12 types of patient consents, including implicit and explicit opt-out and opt-in, authorizations for specific research projects and authorizations for use of the document but not for republishing. The metadata for the consent would classify the level of confidentiality associated for the consent document. [FCW]


Horror Stories


US – Affinity Health Plan Acknowledges Data Breach

A New York managed health care service is notifying more than 400,000 people that their personally identifiable information may have been compromised. The data were held on the hard drive of a digital copier that had been leased by Affinity Health Plan and then returned to the leasing company. The notification follows an NBC News story about information contained on hard drives of used digital copiers. Affinity has not yet reviewed the data, but the breach is believed to affect former and current employees, providers, job applicants, members, and coverage applicants. [Dark Reading+] See also: [Researcher gets 4 months in prison for reading celebrity medical records]


US – Discarded Copiers Hold Sensitive Data on Hard Drives

A CBS news investigation found that the hard drives of four digital copy machines purchased second hand at a New Jersey warehouse contained treasure troves of personally identifiable information, including police files on domestic violence and sex crimes; copies of pay stubs and checks; and sensitive medical information such as test results, prescriptions and diagnoses. Each machine cost approximately US $300. A survey conducted by Sharp two years ago indicated that 60% of Americans do not know that copiers store images on their hard drives. [CBS]


WW – Google Attackers Reportedly Stole Single Sign-On Source Code

The cyber attacks on Google’s corporate systems disclosed in January apparently targeted a password system, according to an unidentified person with knowledge of the internal investigation. The system, code-named Gaia, controls users’ access to the majority of Google’s web services. The Single Sign-On system, as it is now known, allows users to sign in once to access many services. The attackers appear to have been after the software, not user passwords. Google has been bolstering the security of its systems in the wake of the attacks. The attackers appear to have made their initial foothold in Google systems through an employee in China using Microsoft Messenger. From there, the intruders maneuvered their way into a Google software repository used by the company’s development team. The theft could spell long-term liability problems for Google. [NYTimes] [USA Today]


Identity Issues


US – COPPA Hearings: PFF Says Expanding to Include Teens Will Undermine Privacy

The Internet would become less innovative, offer fewer choices, and be more expensive for consumers if the Children’s Online Privacy Protection Act (COPPA) were expanded, said Berin Szoka, PFF Senior Fellow and Director of PFF’s Center for Internet Freedom, in testimony today before the U.S. Senate.       In his view, “COPPA’s unique value lies in its flexibility, subtlety, and intentional narrowness,” and he cautioned lawmakers against expanding the Act beyond its original structure and purpose: protecting children under the age of 13, primarily through enhancing parental involvement. As Congress looks at the effectiveness of the 1998 law, some policymakers have urged, among other things, that COPPA be expanded to cover adolescents under 17 or 18 years of age. According to Szoka, such expansion would:

·                  Raise serious First Amendment concerns because once the age threshold rises, “it becomes increasingly difficult to distinguish sites ‘directed at’ children below the threshold from general audience sites,” potentially forcing adults to prove their age before using sites that allow sharing of user-generated content;

·                  Ironically, undermine privacy by compelling Internet sites to collect more information from adolescents and adults for age verification purposes, such as credit card information;

·                  Fail to make the online experience safer for adolescents because “the reality is that the technology for reliable age verification simply doesn’t exist;” and

·                  Damage the commercial viability of many online sites and services, especially if it required general audience sites that are funded by tailored advertising to age-verify all users, thus raising “costs for smaller or new sites and services geared toward minors.”

Szoka believes that, despite COPPA’s limitations, the law “has been reasonably successful in fulfilling Congress’s original goal of ‘enhancing parental involvement’ to protect children’s online privacy and safety.” He adds that it should not be expanded “beyond its original, limited purposes,” and suggested that policymakers should encourage education and parental empowerment solutions as less restrictive alternatives to sweeping new “COPPA 2.0” regulations. Szoka’s oral testimony is available here and his written testimony, summarizing PFF’s work in this area, is available here. [Source] Szoka and PFF President, Adam Thierer, are the authors of a May 2009 paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech. PFF also publishes a special report, “Parental Controls & Online Protection: A Survey of Tools & Methods,” currently in its fourth edition, which inventories the user empowerment and education solutions available for protecting children online.


Intellectual Property


EU – Irish High Court Says “Three Strikes” Doesn’t Violate Law

Ireland’s High Court has ruled that a settlement reached between the Internet service provider Eircom and four major record labels does not breach data protection laws. Under the settlement, Eircom agreed to disconnect Internet users suspected of copyright infringement if, after two written warnings, the suspected infringements endured. Data Protection Commissioner Billy Hawkes had raised questions about whether the monitoring of users’ activities and use of users’ Internet protocol (IP) addresses broke privacy laws. The High Court determined the deal does not violate data protection laws because the information processed in such instances does not count as “personal data.” [OUT-LAW.COM]


Internet / WWW


WW – “Exponential” Growth in Demand for Social Data

VeriSign says its research arm, iDefense, has identified a data black market player called ‘kirllos’ who claimed to have for sale 1.5 million social networking accounts in bulk quantities, reports The two things that make this discovery interesting according to iDefense Director of Intelligence Rik Howard, are “the volume of social network account credentials discovered, and the fact we are seeing an eastern European hacker dip into western social networks.” VeriSign is warning of an “exponential” growth in demand for black market data stolen from social networking sites, the report states. Howard warns social networking sites to make security a priority and urges companies to ensure employees use social networks with due care. [Source]


US – Facebook Careful About Privacy Guidelines at FTC

Facebook officials said last week that they would support Internet privacy guidelines created by the FTC that companies would participate in voluntarily, so as not to impede technological advancements on the Web. In a news conference by phone, Facebook Chief Operating Officer Sheryl Sandberg and Vice President of Communications Elliot Schrage said staff for the company also met with aides for Senator Charles Schumer (D-NY) to address concerns raised about new features that made user data more broadly available to the general public and to third-party advertisers. The news conference was scheduled before Tuesday, when the lawmakers pressed the FTC to come up with new privacy rules and complained to Facebook CEO Mark Zuckerberg about recent features. Amid growing concerns over practices of social networking Web sites, an FTC spokeswoman told The Post on Tuesday that it is developing a framework that social networks and other Internet sites will use to guide how they collect data, use the information and share it. Facebook executives were careful to support new guidelines on privacy. [Source]


WW – Report: Facebook CEO Mark Zuckerberg Doesn’t Believe In Privacy

Facebook CEO Mark Zuckerberg appears to have been outed as not caring one whit about your privacy - a jarring admission, considering how much of our personal data Facebook owns, not to mention its plans to become the web’s central repository for our preferences and predilections. Also interesting is how this came about: Not in a proper article, but in a tweet by Nick Bilton, lead technology blogger for the The New York Times’ Bits Blog, based on a conversation he says was “off the record” and which he may have confused with “not for attribution.” “Off record chat w/ Facebook employee,” begins Bilton’s fateful tweet. “Me: How does Zuck feel about privacy? Response: [laughter] He doesn’t believe in it.” Ouch. [Source]


Law Enforcement


WW – No Agreement on UN Global Cyber Crime Treaty

A proposed global cyber crime treaty was rejected by the United Nations after Russia, China and several other countries could not bridge human rights and sovereignty differences over the treaty’s contents with the UK, the US, Canada, and the European Union. The advent of cyber crime has prompted countries to seek international agreements to allow law enforcement agencies the authority to pursue cases outside their own geo-political borders. The advent of cloud computing has made the need for such arrangements even more pressing. The EU and the US maintain there is no need for a new treaty because the Budapest Convention on Cybercrime already exists and has been ratified by 46 countries. That treaty allows law enforcement authorities to cross borders to access servers without the consent of local authorities as long as the network owners give their permission. [SCMagazine]


WW – Russia and US Move Toward Cooperation at Internet Conference

At a Russian-sponsored conference on Internet security in Garmisch-Partenkirchen, Germany last week, it was clear that Russia and the US have different goals. Russia will not sign the European cybercrime treaty because it would violate Russian sovereignty by allowing foreign law enforcement access to Russian Internet. The US is a strong supporter of the treaty. Russia wants US to sign a treaty saying they won’t develop offensive cyberwarfare or attack networks. US will not sign that treaty arguing that law enforcement cooperation should be sufficient. Russia has pointed to its arrests of suspects in the US $10 million Royal Bank of Scotland cyber heist. And both countries agree that “anonymity is the fundamental problem we face in cyber space.” [NY Times] [Technology Review]


WW – Google Faces Condemnation from Privacy Watchdogs

Google is facing international condemnation from privacy watchdogs from around the globe over the way it mishandled the private information of millions of its users with the roll out of its Google Buzz service in February. On Tuesday, Canada’s Privacy Commissioner Jennifer Stoddart, alongside the heads of privacy agencies from nine other countries, issued a joint letter to Google chief executive Eric Schmidt, calling on the Web giant and other international online companies to do more to respect the privacy rights of their users. The letter states that international agencies are becoming “increasingly concerned” that Google and other online companies are forgetting the privacy rights of Internet users when rolling out new technologies and services, singling out Google Buzz and the company’s Street View mapping service as examples. The letter was also signed by privacy watchdogs from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. “As part of an unprecedented collaboration, data protection authorities representing over 375 million people in 10 countries are speaking with a common voice to remind these organizations that they must comply with the privacy laws of each country where they roll out online products and services.” [Financial Post] [Gov’t regulators slam Google’s privacy efforts] See also: [Google Warns Against Privacy Laws Requiring Opt-In Consent]


WW – Google Launches New Government Transparency Tool

Google has launched a new tool which the search engine giant hopes will shed some light on how it handles the sensitive private information of its users and how it responds to requests for information from the governments of the world. The new Government Requests tool will provide information on the requests Google receives for user data or to remove content from services like YouTube from government agencies. The new tool features a Google map overlayed with information about the number of data or user requests in various countries. To begin, Google is using aggregate data from July 2009 - December 2009 and plans to update the data every six months. Google Blog: “Data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.” According to the Government Requests tool, Canadian government agencies made 41 requests to access user data and 16 requests to remove content. Authorities in Brazil and the United States made the most data requests of Google, with 3,663 and 3,580 requests respectively. The U.K. was third on the list with 1,166 requests for user data. Brazil also submitted the most requests for removal, with 291, while the U.S. submitted 123. [Financial Post] [Google to politicians: who you calling ‘Big Brother’? ] [What’s behind Europe’s schizo treatment of Google?]


US – Amazon Fights Demand for Customer Records has filed a lawsuit to fend off a sweeping demand from North Carolina’s tax collectors: detailed records including names and addresses of customers and information about exactly what they purchased. The lawsuit says the demand violates the privacy and First Amendment rights of Amazon’s customers. North Carolina’s Department of Revenue had ordered the online retailer to provide full details on nearly 50 million purchases made by state residents between 2003 and 2010. Amazon is asking a federal judge in Seattle to rule that the demand is illegal, and left open the possibility of requesting a preliminary injunction against North Carolina’s tax collectors. “The best-case scenario for customers would be where the North Carolina Department of Revenue withdraws their demand because they recognize that it violates the privacy rights of North Carolina residents,” said an Amazon spokesperson. [CNET]




WW – Google Street View Logs Wifi Networks, Mac Addresses

Google’s roving Street View spycam may blur your face, but it’s got your number. The Street View service is under fire in Germany for scanning private WLAN networks, and recording users’ unique Mac (Media Access Control) addresses, as the car trundles along. Germany’s Federal Commissioner for Data Protection Peter Schaar says he’s “horrified” by the discovery. “I am appalled... I call upon Google to delete previously unlawfully collected personal data on the wireless network immediately and stop the rides for Street View,” according to German broadcaster ARD. Spooks have long desired the ability to cross reference the Mac address of a user’s connection with their real identity and virtual identity, such as their Gmail or Facebook account. [Source]


CA – GPS Device Lets Parents Listen in on Their Children

A new GPS device that can track -- and listen in on -- children or elderly relatives has raised the concern of privacy watchdogs. The Amber Alert GPS, on sale in Canada since January, is meant to “provide a little peace of mind” for parents of young or special- needs children, says the company’s Vancouver-based president, Kenneth Corey. But the B.C. Civil Liberties Association says that the tracker won’t prevent abductions and – worse – could erode the natural trust between parents and their children. The small, square device can be purchased online with one- to three-year plans, starting at $249 plus a monthly fee of at least $12.99. It takes its name from the Amber Alert system founded by the parents of a Texas girl who was abducted and murdered in 1996. The tracker can be sewn into a shirt, thrown in a backpack, or hidden in a car. With a phone call, a parent can find out just where the tracker is (so long as it’s in cellphone range), and can turn on voice-monitoring without the child knowing. According to the RCMP, parents were responsible for 285 abductions in 2007, and 56 were taken by strangers that year. Richard Rosenberg said that, given the actual odds of an abduction, “the primary purpose [of the device] would be to monitor your child. “The underlying assumption here is . . . you can’t trust your kid, but even if you can, such a device will help save your kid. I don’t think either of one of these stands up to close scrutiny.” [Canwest News Service]


Online Privacy


WW – Facebook Spreads to Broader Web, Offers Personalization

Facebook is spreading its wings to the broader web with new tools that will allow users to see personalized versions of websites they visit elsewhere. The move could change the way people experience the online world, though it could come with deeper privacy implications. By accessing Facebook’s tools, websites will be able to customize the experience based on the list of friends, favourite bands and other things users have shared on their Facebook profiles. The latest changes take this a step further. It means Facebook users will be able to see a Web tailored to them based on their interests and social connections, as long as they are already logged in to Facebook. So when visiting a news site for the first time, they could see which of their Facebook friends liked recent articles. A music site such as Pandora, meanwhile, could start playing music from the user’s favourite bands. Users will also be able to share items on their Facebook profiles without leaving the other websites, simply by clicking “like” buttons next to the news article or other items they are reading. But Facebook’s plans could backfire if it doesn’t make it clear what it’s trying to do. Facebook needs to make it easy for individual users to choose not to have their outside activities posted on Facebook’s website, said Greg Sterling, an Internet analyst. “How many people are really going to want all this information about them shared?” Sterling said. “That’s the big unanswered question here.” [The Associated Press] and [Facebook’s New Features and Your Privacy: Everything You Need To Know] See also: ACLU: Is Facebook Having Another Privacy Disconnect? ]


US – Senator Concerned About Facebook’s Privacy ‘Invasion’

U.S. Senator Charles E. Schumer is urging the FTC to provide guidelines for social networking sites, like Facebook, Myspace, and Twitter on how private information submitted by online users can be used and disseminated. Schumer’s call to the FTC adds his voice to the concerns expressed by many privacy advocates. Facebook has made its software and policies so complicated that an ordinary user doesn’t even know how much information is he/she sharing with strangers or the third party Facebook partners. “I am asking the FTC to use the authority given to it to examine practices in the disclosure of private information from social networking sites and to ensure users have the ability to prohibit the sharing of personal information,” Schumer wrote. “If the FTC feels it does not have the authority to do so under current regulations I will support them in obtaining the tools and authority to do just that.” [Katonda News Network] Update: [US: Facebook execs meet Schumer staff]


Other Jurisdictions


TW – Taiwan Legislature Approves Revised Personal Data Act

The Legislative Yuan has approved a revised version of the Personal Data Act which does not require journalists to ask for permission from the subjects of their reports. An earlier version provoked concern about the freedom of the press because it required media to contact. Under the new version approved in its third reading, reporters will not have to obtain the permission of the subject of a story before publishing a story. The new law however did not make any concession to legislators revealing private information such as bank accounts, a practice which occurred frequently over the past few years, especially with the corruption and money laundering scandals surrounding former President Chen Shui-bian. The exemption for media also applies to blogs and social networking sites, lawmakers said. “Audiovisual data collected in public places and during public activities and not mixed with other personal information will not fall under the Personal Data Act,” KMT legislator Lin Hung-chih said. [Source] [Taiwan lawmakers delay privacy law after press freedom concerns]


Privacy (US)


US – Commerce Department Scrutinizes Internet Privacy

The U.S. Commerce Department kicked off an initiative to take a close look at how the privacy of individuals is impacted broadly in the Internet economy with the goal of providing advice to the White House on how both the president and government policymakers might regard the topic. “Because of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations,” said Commerce Secretary Gary Locke. The U.S. government plan comes one day after ten countries took Google to task for perceived failings in protecting personal information of those who use its Internet-based services, but the Commerce Dept. isn’t saying there’s any connection to that. According to one Commerce source, the idea for a broad-based privacy-policy review related to the Internet has been mulled for a few months. In order to foster a dialog with industry and the broader public, the Commerce Dept. will hold a public meeting on May 7th to discuss privacy policy in the United States. It will be held in the Ronald Reagan Building in Washington, D.C. In addition, the Commerce Dept. Is seeking public comment from the commercial sector, the academic world, all other organizations with interest in the issue, as well as individual citizens with views on the current privacy laws in the U.S. and around the world as they apply and influence the information economy. The Commerce Department indicated it “seeks to understand whether current privacy laws serve consumer interests and fundamental democratic values.” [Network World]


Privacy Enhancing Technologies (PETs)


WW – Site Grades Privacy of Internet Apps

A Stanford University project has ushered in a Web forum where Internet users can review and compare the privacy and security of Internet and mobile applications. The site, released in beta last month, grades applications based on reviewers’ answers to questions about data collection and openness, for example. One news outlet described it as a mix of Consumer Reports, Yelp and Wikipedia, but with a privacy and security focus. Its creators hope the site will bring more attention to the issues. “We’ve been saying this for a while,” said McAfee Labs director David Marcus. “If developers use security and privacy correctly, they can be used as a competitive advantage.” [Press Release] [San Francisco Chronicle]


WW – Secure P2P Scheme Leverages Social Networks

Microsoft and Catholic University of Leuven researchers are proposing Drac, a method to secure anonymous instant messaging (IM) and voice-over-IP (VoIP) communication using peer-to-peer technology. Drac makes IM and VoIP traffic anonymous and unobservable by exposing the social connections of the users who make up the nodes of the peer-to-peer network. “Drac gives away the identity of a user’s friends to guarantee the unobservability of actual calls, while still providing anonymity when talking to trusted third parties,” the researchers say. Although anonymous online communications may conceal the content of conversations, information about the network addressing the timing of messages and the volume of traffic often reveal as much as the hidden correspondence, according to the researchers. Drac is designed to preserve anonymity while also stopping traffic analysis by using a peer-to-peer relay architecture that routes data through social networking connections. [InformationWeek]




CA – Student Hopes New Technology Will Provide RFID Privacy

A University of Calgary researcher is working on technology that could help protect private information included in RFID tags. With the “always-on” RFID technology being embedded into everything from passports to credit cards, security becomes a concern, the report states. “We are building our own RFID cards and adding features to them to make it visible and noticeable when someone is accessing the information,” Nicolai Marquardt, a Ph.D. student at the University of Calgary, explained at the U.S.-based Computer Human Interaction conference last week. Marquardt is working with Microsoft Research in the UK on the project, which he says could also make it possible for users to control when the information on the card is being accessed. [PCWorld]




US – OMB Memo Describes New Direction for Federal Cyber Security

The White House is taking bold steps to improve cyber security requirements for government agencies while legislators and the National Institute of Standards and Technology (NIST) ponder changes to the Federal Information Security Management Act (FISMA) that has proven to be a financial drain - costing as much as US $1,400 a page for the paperwork necessary for compliance. Guidance in a memo from the Office of Management and Budget (OMB) says that government agencies will be required to feed real-time data to a web-based gateway called CyberScope, maintained by the Department of Homeland Security. The White House will meet with agencies on May 7 to begin training. Data feeds are expected to begin as soon as June 2010. [NextGov] [Information Week] [OMB Memo]


US – More Than 30 Privacy Groups Challenge U.S. Airport Body Scanners

More than 30 privacy and civil liberties organisations have filed a formal petition with the Department of Homeland Security (DHS), urging the federal agency to shut down the use of ‘full body scanners’ (FBS) at the nation’s airports. At a press conference, Marc Rotenberg, president of the Electronic Privacy Information Centre (EPIC), one of the signatories to the petition, said, “There is no question that the body scanner programme should be shut down. This is a government boondoggle - expensive, ineffective, and offensive to Constitutional rights and deeply held religious beliefs.” Last year, the groups asked DHS Secretary Janet Napolitano to give the public an opportunity to comment on the proposal to expand the body scanner programme. She rejected the request. Since that time, the groups charge that evidence has emerged that “the privacy safeguards do not work and that the devices are not very effective”. [Inter Press Service] See also: [Jim Harper: Making Sense of New TSA Procedures]


WW – New Airport Security Scanners A Waste Of Money: Israeli Security Specialist

Boasting he could easily slip through one of Canada’s new full-body scanners with enough explosives to blow up a jumbo jet, a leading Israeli airport security expert says the federal government has wasted millions of dollars to install “useless” imaging machines at airports across the country. “I don’t know why everybody is running to buy these expensive and useless machines. I can overcome the body scanners with enough explosives to bring down a Boeing 747,” Rafi Sela told parliamentarians probing the state of aviation safety in Canada. “That’s why we haven’t put them in our airport.” Sela, former chief security officer at the Israel Airport Authority and a 30-year veteran in airport security and defence technology, helped design the security apparatus at Tel Aviv’s Ben Gurion International Airport. Sela’s pronouncements on the imaging machines come on the heels of the purchase earlier this year of 44 body scanners for major Canadian airports. Sela testified it makes more sense to create a “trusted traveller” system so pre-approved, low-risk passengers can move through an expedited screening process. That would leave more resources in the screening areas, where automatic sniffing technology would detect any explosive residue on a person or their baggage. Behavioural profiling must also be used instead of random checks, he said. [Source] See also: [Whole-Body Imaging: Intrusion Without Security]




US – DHS Acknowledging Three More Domestic Spying Programs

The Department of Homeland Security is acknowledging the existence of three more government programs charged with spying on American citizens in the aftermath of the Sept. 11, 2001 terrorist attacks. The programs – Pantheon, Pathfinder and Organizational Shared Space – used a variety of software tools to gather and analyze information about Americans, according to documents obtained by the Center for Investigative Reporting.The DHS turned over the papers in response to a December 2008 Freedom of Information Act request. The documents shed new light on the proliferation of domestic intelligence and surveillance efforts after the attacks on the World Trade Center and the Pentagon, according to the CIR, those include a vast array of information-sharing programs, dozens of intelligence “fusion” centers formed by local, state and federal officials, and data-mining projects that involve probing mountains of telecommunications and commercial records for leads. [Politics Daily] [Center for Investigative Reporting analysis and see the government documents].


US – Pennsylvania School District Laptop Surveillance Case Prompts New Legislation

According to documents filed in a lawsuit against the Lower Merion School District in Pennsylvania, surveillance technology on school-owned laptops was used to capture thousands of images of students in their homes. The technology, called LANRev, was designed to be used to locate missing or stolen computers, but the school district is facing a lawsuit from a student’s family that alleges the LANRev software was activated on the computer their son was using at home even though it had not been declared missing or stolen. The captured images include a student asleep in his bed. LANRev was also used to capture screenshots of IM conversations the student had with his friends. A motion filed last week seeks access to the home of the school district’s information systems coordinator to image the hard drives of her personal computers. The case has prompted US Senator Arlen Specter (D-Pennsylvania) to introduce legislation that would ban video surveillance. [ComputerWorld] [The Register] [Secure Computing] [CNET] [Feds Say Judge Hampering Webcam Spy Probe] and [Penn - LMSD Official: Student had “no legitimate expectation of privacy”] See also: [Third Grader Stole Teacher’s Blackboard Login]


WW – Self-Training Video Analytic Software Developed to Monitor Crowds

Curtin University of Technology (CUT) researchers have developed software that can detect unusual behavior in crowds, providing a new tool in the fight against crime and terrorism. The software learns typical behavior in busy environments and then reports on unusual activity. “It identifies events of interest which may never have been foreseen by the user, and can alert security officers to their occurrence in real time,” says CUT professor Svetha Venkatesh, who led the research effort. The software was tested in Belmont, Australia, for the past six months with encouraging results. “During this pilot program, the software was able to identify behavior such as loitering in a normal social and built environment, arson attempts, unusual-sized groups, incorrect vehicle traffic direction, and anti-social and illegal behavior,” Venkatesh says. The software also is being adapted for use in video surveillance systems. [Curtin News] See also: [Security cameras to be put in all Tokyo Metro stations] and [Nfld: Cameras needed on George Street: new chief]


IN – Muslim Leaders Furious Over Phone Tapping In Muslim-Dominated Cities

Indian Muslim community leaders are furious over phone tapping by intelligence agencies in Muslim dominated areas in Delhi, Lucknow and Hyderabad, and have demanded the government to make the agencies accountable. The disclosure about the tapping was made in the latest issue of English weekly Outlook. The magazine has also said that phone calls of some top political leaders from different parties were also tapped and taped. [Source]


CN – China Wants Telecom Companies to Inform on Clients

China is poised to strengthen a law to require telecommunications and Internet companies to inform on customers who discuss state secrets, potentially forcing businesses to collaborate with the country’s vast security apparatus that stifles political dissent. The move, reported by state media, comes as China continues tightening controls on communications services. A draft of amendments to the Law on Guarding State Secrets submitted to China’s top legislature for review will make more explicit the requirement that telecoms operators and Internet service providers help police and state security departments in investigations about leaks of state secrets, the state-run China Daily newspaper said. Human rights activists say the information control is used to stifle any challenge to the Communist Party’s grip on power and to identify political activists and punish them. Beijing-based human rights lawyer Mo Shaoping said the requirements in the amended law mean communications service providers will be unable to protect the privacy of their clients. “Such regulation will leave users with no secrets at all, since the service providers have no means to resist the police,” Mo said. [Source]


WW – Spy Software Watches Blackberry, Privacy Advocates Too

US software firm Retina-X Studios has released a more vigilant version of its Mobile Spy program that captures every email and picture from BlackBerry smartphones, prompting Australian privacy advocates to call for order. “We invite you to open your eyes to the real actions of what your child or employee does on your BlackBerry device,” Retina-X chief executive James Johns said in a release. “What if they are being dishonest or worse? The advantages of knowing the answers are far better than not knowing at all.” The previous version of Mobile Spy software kept track of text messaging and telephone calls, providing online access to data by employers, parents or whoever else is paying for smartphone accounts. New Mobile Spy 4.0 software also provides employers or parents with smartphone contacts, calendar events, memos and records of which mobile phone towers a device was within range range of, according to Retina-X. “These new abilities help parents and employers track the activities of their monitored phones with greater accuracy,” the Arizona-based company said in a release. “This new feature gives parents a way to monitor whether or not a teenager is sending naughty pictures. Employers can find out if company secrets are being snapped for later retrieval.” [Source]


UK – Secret Trial: Satellite Tracking Motorists Via High-Tech Speed Cams

Speed cameras which communicate with each other by satellite are being secretly tested on British roads. The hi-tech devices can follow drivers’ progress for miles to calculate whether they have broken speed limits. Combining number plate recognition technology with global positioning satellites, they can be set up in a network to monitor tens of thousands of cars over huge areas for the smallest breach. Known as SpeedSpike, the system uses similar methods of recognition as the cameras which enforce the congestion charge in London, and allow two cameras to ‘talk’ to each other if a vehicle appears to have travelled too far in too short a space of time. After a covert national trial which has not been publicised until now, just days after a report showed motorists have been fined almost £1billion in speeding tickets under Labour, authorities hope the new cameras will enable them to re-create the system used on motorway contraflows. Details of the secret trials emerged in a House of Commons report and immediately attracted criticism. [Source]


Telecom / TV


WW – Researchers’ Network Exploits Pull Sensitive Information on Cell Phone Users

Researchers Nick DePetrillo and Don Bailey have found a way to use weaknesses in GSM mobile networks to discover most US cell phone users’ phone numbers, listen to their voice mail and track the location of almost any GSM-enabled devices in the world. Their technique involves tricking the GSM caller ID system into providing a virtual phone book of all cell phone numbers. The technique is not illegal, nor does it breach terms of service agreements. DePetrillo and Bailey presented their findings at a recent conference in Boston. [The Register] [CNET]


US Government Programs


US – DHS Begins Einstein 3 Tests

The US Department of Homeland Security (DHS) is several weeks into the third phase of testing on Einstein 3, a network traffic monitoring program for government agencies. This current stage of testing involves technology developed by the National Security Agency (NSA) that might allow Einstein 3 to detect and pinpoint cyber threats. The test will welp determine whether Einstein 3 makes it easier for agencies to share cyber security information, send out threat alerts to the agencies and target and disarm threats before they cause damage. Einstein 2, which has fewer capabilities, is currently being deployed at agencies. The Einstein program has raised concern among privacy advocates, who say not enough is known about the scope of the program. [NextGov]


US Legislation


US – California Senate Approves Notification Law Update

The California Senate has approved a bill to update the state’s data breach notification law. The bill is a reintroduction of a measure vetoed by Governor Schwarzenegger last year. SB 1186 would require the inclusion of certain information into breach notification letters and would require data controllers to notify the state AG of breaches involving more than 500 residents. The bill’s sponsor, state Senator Joe Simitian (D-Palo Alto), said, “This new measure makes modest but helpful changes to the law. It will also give law enforcement the ability to see the big picture and better understand the patterns and practices developing in connection with identity theft.” [SC Magazine]


US – New and Proposed Data Breach Legislation Around the US

Mississippi has passed a data breach notification law requiring that businesses and government agencies notify people immediately when their personally identifiable information has been compromised. The law goes into effect on July 1, 2010, and applies to all entities doing business within the state of Mississippi. In California, the state Senate has approved legislation that would update the state’s current breach notification law so that notification letters would include specific information about a breach and require that entities suffering breaches that affect 500 or more individuals submit the alert letter to the state attorney general’s office. Governor Schwarzenegger vetoed the proposed bill last year, but he is expected to sign it this year. In Washington State, Governor Christine Gregoire signed a law that defines the liabilities of government and business entities for costs incurred by financial institutions arising from payment card breaches. [eSecurity Planet] [SCMagazine] [PrivacyLaw]


US – Illinois Lawmakers Pass Big Change to Adoption Privacy Act

For people who are adopted, a new measure just approved by the Illinois General Assembly could help solve the biggest mystery of their life: who gave birth to them. If Gov. Pat Quinn signs the proposal, Illinois would open adoption records to adults who were adopted. The Illinois Adoption Privacy Act would open records dating back to 1946, allowing adoptees access to their birth certificates. Currently, state law automatically protects the privacy of the biological mother in birth records, unless she asks that her name be revealed to the adoptee. Under the new law, her name would be available automatically to the adoptee, unless she asks that her name be shielded. [Source] [Read the legislation]


US – Arizona Governor Signs Immigration Enforcement Bill

Gov. Jan Brewer ignored criticism from President Barack Obama and signed into law a bill supporters said would take handcuffs off police in dealing with illegal immigration in Arizona, the nation’s gateway for human and drug smuggling. With hundreds of protesters outside the state Capitol shouting that the bill would lead to civil rights abuses, Brewer said critics were “overreacting” and that she wouldn’t tolerate racial profiling. [Source] See also: [The National ID: Would It Solve the Illegal Immigration Problem?]


US – California Senate Passes Bill to Prohibit Posts about Minors

The California Senate has approved a measure that would prohibit social networking sites from posting certain personal information about minors in California. If passed, sites will be required to remove the option allowing users to publicly post their home address or phone number if users say they are under the age of 18, the report states. The Assembly will consider the bill next. Author of the bill, Senator Ellen Corbett (D-San Leandro), says it will help protect against sexual predators and identity theft. [Mercury News]


US – Survey: Most Security Pros Favor Federal Breach Law

Seventy percent of IT security professionals polled by security vendor nCircle indicated that the federal government should pass data breach/data privacy legislation that would override the current patchwork of state legislation. The survey of 257 professional also found that 76 percent believe the public sector is not doing an adequate job protecting personal data and 22 percent feel the level of cybersecurity investment in the U.S. private sector is sufficient given the risk environment, according to the report. [Dark Reading]


Workplace Privacy


US – Survey: CIOs Restricting Use of Social Media

Companies are increasingly limiting their employees’ access to social networking sites, the Montreal Gazette reports. That’s according to recruiting firm Robert Half Technology’s recent survey, which found that 21% of chief information officers are limiting employees’ personal use of social media sites like Facebook, Twitter and LinkedIn. “Social networking is becoming more and more of a business tool, so companies are re-evaluating their policies and ensuring they’re in line with business objectives,” a spokeswoman for the firm said. The study also found that most CIOs are becoming stricter in general when it comes to computing for personal use at work. [Source] See also: [Bend Call Center Lawsuit Raises Privacy Questions]