Privacy News Highlights

01–14 August 2010



UK – Big Brother Facial Recognition Cameras Being Rolled Out in NCP Car Parks
CA – Commissioner Seeks to Block Finger-Printing of Cdn Med-School Applicants
CA – Biometrics Help Separate Good From Bad in Afghanistan
CA – Privacy Rights Threatened by Amended BC Law
CA – Settlement between the Privacy Commissioner and Canad Corporation of Manitoba
US – Wireless Tire Pressure Monitoring Systems in Cars May Compromise Privacy
UK – Information Fear Over Benefits Plan
CA – Ontario’s OLG Rolling Out Internet Gambling in 2012
UK – Choosing Data Protection Over Child Protection
US – Voting Machine Company Offers Ohio Counties Settlement for Dropped Votes
IN – India Demands Access to BlackBerry Communications
WW – RIM Responds to Indian Government
WW – Saudi Says There’s a Deal with Blackberry
UA – RIM to Place Three Servers in Saudi Arabia
UA – UAE to Ban BlackBerry Services as of October 11
EU – German Government Considering Ban on BlackBerrys, iPhones
CA – Cavoukian Launches Multi-Level “Think Before You Copy” Educational Campaign
WW – PCI Updates Unveiled
EU – Commission Confirms Directive’s Timetable
EU – Google to Introduce Street View in Germany
SK – Police Raid Google’s Office in South Korea
UK – ICO Says Google Wi-Fi Data Collection Case Not Closed
HK – Six Banks Sold Customers’ Personal Data
US – Texas Company Seeks Liability Settlement from Bank Over Fraudulent Transactions
US – Leak of Afghan War Documents Prompts US Military Information Security Review
US – Consumer Watchdog Asks FBI, DEA to Explain Use of Google Earth
IN – Don’t Do Paternity Test Routinely: Supreme Court
US – Court Backs Prescription Privacy Law in Maine
US – Undercover Investigation Finds Passport Issuance Process Vulnerable to Fraud
US – Florida Students and Faculty at Risk
WW – PseudoID: Enhancing Privacy for Federated Login
US – Schwartz Moves to NIST
WW – Experts Warn of a Weak Link in the Security of Web Sites
WW – Facebook Bug Could Give Spammers Names, Photos
WW – An Analysis of Private Browsing Modes in Modern Browsers
UK – Report a Crime, End Up on a Secret Database: Police Force Logged 180,000 Names
AU – Atkinson to Ask Privacy Commissioner Not to Cut Access to Go Cards
CA – Speeding Teen Convicted After Web Boast
US – Body Scanner Debate Continues
US – Appeals Court Says No to Long-Term GPS Monitoring Without a Warrant
WW – Privacy Breaches in the Clouds? Blame the Customer
IN – India Using Facebook to Catch Scofflaw Drivers
AU – Keating: Protect Privacy in Info Age “Free-for-All”
EU – Polish DPA Agreement with the Internet Industry
NZ – Privacy Issues In Fines Collection Bill
US – Court: Snooping Employees Didn’t Violate Right to Informational Privacy
US – Rite Aid Penalized For Poor Patient Privacy Policies: Million Dollar Settlement
US – Legislators Seek Answers About Website Data Collection
US – XY Publisher to Destroy Personal Info on Gay Teens
EU – EC Releases Report on PETs
WW – Pixels Could Replace People in Street Photography
US – The New Tools of the Trade
US – Walmart CPO Dispels Clothing ID Concerns
US – Feds Admit Storing Checkpoint Body Scan Images
US – Electric Grid Vulnerabilities Exposed
UK – RBS Fined for Lax IT Governance
HK – Octopus CEO Resigns over Privacy Scandal
US – Maryland to Create Statewide Database for License Plate Readers
WW – Granada Charter of Privacy in a Digital World – WG on Telecoms Data Protection
US – DARPA Draws White House Praise; Will Appoint Privacy Ombudsman
US – Clarification of National Security Letter Authority Raises Privacy Concerns
US – Judge Grants Partial Lift on Gag Order in National Security Letter Legal Challenge
US – Data Breach Legislation Introduced in Senate
US – Illinois: Quinn Signs Bill Limiting Employment Credit Checks
US – IT Administrator Draws Four Year Sentence





UK – Big Brother Facial Recognition Cameras Being Rolled Out in NCP Car Parks

Cutting-edge cameras will scan drivers’ faces and check them against a crime database as they enter car parks, it emerged last night. NCP, which is trialling the system at 40 sites, hopes it will help identify potential car thieves. But privacy campaigners reacted with fury, saying the technology could criminalise innocent people. Britons are already the most watched people on the planet, with each of us caught on camera an average of 3,000 times a week. That will increase if NCP rolls out its ‘Big Brother’ scheme. The car park giant plans to check drivers’ images against a database it will build up of car crime suspects. It has yet to reveal details of how the database will be established or what information it will contain. It says the pioneering system will improve security at car parks by providing a warning which will help staff to protect vehicles. But privacy campaigners argue the technology - which will analyse the faces of thousands of car park users every day - is too invasive and not accurate enough. David Page, of the No2ID group, said: ‘If you are an innocent person who happens to look a bit like a criminal, I would be worried about what the response would be. What would happen if you were wrongly added to this database?’ Guy Herbert, general secretary of the group, said: ‘It’s overthrowing the presumption of innocence for a start. How does NCP know who the car criminals are, and if someone has stolen a car as a teenager is he banned from a car park for the rest of his life?’ [Source]


CA – Commissioner Seeks to Block Finger-Printing of Cdn Med-School Applicants

Canada’s privacy watchdog has gone to court to stop the collection and storage of fingerprints from students who apply to medical schools. Privacy Commissioner Jennifer Stoddart launched legal action in Federal Court last week, accusing the American Association of Medical Colleges of violating the Canadian law that governs electronic personal information. The association administers the Medical College Admission Test on behalf of schools in the U.S. and Canada. It uses “biometric identity verification” to stop cheating on the tests. Students who take the MCAT are digitally photographed and fingerprinted to confirm their identity when they enter the testing rooms. The association’s website says it retains the electronic data for 10 years. This helps ensure that the person who shows up to attend medical school is the same person who took the test, the organization says. Stoddart is asking the court to order AAMC to develop an alternative procedure for verifying the identity of people registering for the MCAT in Canada that does not involve collecting fingerprints. LSAC decided to replace the thumbprints with photographs that would be retained if a question about the identity of a test-taker arose. Stoddart ruled that there was less of an expectation of privacy with photographs. She called the change an appropriate balance but recommended the pictures be stored for only five years. [Source]


CA – Biometrics Help Separate Good From Bad in Afghanistan

Canadian troops conducting combat operations in Kandahar are using a camera-sized, high-tech biometric device to record the data of suspected Taliban fighters. The information is then transferred to a terrorist watch list, updated every week by the NATO-led International Security Assistance Force, that already contains more than 25,000 individuals who are either suspected of being a threat or have been cleared and issued plastic identity cards saying so. Permission to use what is officially called the Handheld Interagency Detection Equipment (HIDE) was given by Canadian Expeditionary Force Command in May, although it was only at the end of July that use of the gear was discussed publicly. The ruling from Ottawa was based on thorough research by military lawyers, said Lt.-Col. Shane Gifford, the assistant chief of staff for Task Force Kandahar, to ensure that it complied with existing Canadian legislation regarding privacy and human rights. Canadian troops have already recorded the biometric data of at least “a thousand” local nationals, Ledoux said. The device has also been used to record the biometric data of Afghans seeking employment with the Canadian military and, therefore, access to a Canadian base. American forces are allowed to register individuals and entire villages on a consensual basis, but it is not Canadian policy to take such data from volunteers. The database used by the Canadian Forces is managed by the Biometrics Identity Management Agency, which is a branch of the U.S. Department of Defense. But the colonel added that “to meet Canadian legislation requirements, there is a caveat attached to each file that goes to the database that states that the data is to be used in Afghanistan and only for the purposes of support to the ISAF mission.” By order, no biometric data from Canadian soldiers or civilians was ever taken. [Source]




CA – Privacy Rights Threatened by Amended BC Law

The Gordon Campbell Liberals are seeking to amend the Freedom of Information and Protection of Privacy Act to allow all provincial government offices, police and even agencies working under government contract to share your personal information without your consent. The government is already spending $28 million this year on a $181-million information sharing system – without an assessment of the impact on privacy rights, and without public consultation. The proposed amendments raise serious questions about who should be able to access your confidential information. Even more worrying is how broadly that information would be spread. “The planned ICM system would be an unprecedented grab by the government for . . . personal information,” said a March report by the B.C. Freedom of Information and Privacy Association. “The ICM System would provide government officials with access to extensive information about B.C. citizens’ daily lives.” [Source]


CA – Settlement between the Privacy Commissioner and Canad Corporation of Manitoba

The Privacy Commissioner of Canada has reached a settlement with the Canad Corporation of Manitoba Ltd (Canad Inns), a hotel chain that operates a number of night clubs in Manitoba. This settlement follows legal proceedings stemming from an investigation into the collection of personal information of bar patrons using a machine that copies and stores personal information appearing on the front of an identification card such as a driver’s licence. As part of the settlement between Canad Inns and the Privacy Commissioner, the company has made commitments to:

· Stop collecting personal information at its night clubs via its identification machines;
· Destroy the personal information collected with the machines; and
· Limit the amount of personal information found on its list of barred people and ensure that this information is adequately secured.

The Privacy Commissioner has agreed that it would not be unreasonable for Canad Inns to collect limited personal information (names, dates of birth and photos) from bar patrons and to retain that personal information for 24 hours. This is a similar approach to that taken in both British Columbia and Alberta, where provincial privacy commissioners have investigated similar issues. [Case summary] [Source]




US – Wireless Tire Pressure Monitoring Systems in Cars May Compromise Privacy

Modern automobiles are increasingly equipped with wireless sensors and devices, such as systems that monitor air pressure inside tires and trigger dashboard warnings if a tire’s pressure drops. Researchers at Rutgers University have shown that these wireless signals can be intercepted 120 feet away from the car using a simple receiver, despite the shielding provided by the metal car body. Since signals in tire pressure monitoring systems (TPMS) include unique codes from each wheel sensor, this raises concerns that drivers’ locations could be tracked more easily than through other means, such as capturing images of license plates. TPMS wireless transmissions also lack security protections common in basic computer networking, such as input validation, data encryption or authentication. The researchers demonstrated how a transmitter that mimics, or “spoofs,” the sensor signal can easily send false readings and trigger a car’s dashboard warning display. This could prompt a driver into stopping his or her car when there is actually nothing wrong with the tires. The researchers note that tire pressure monitoring is the first widespread use of in-car wireless networking, and because of the increasing cost and complexity of wired electronic systems, it is reasonable to expect other aspects of automobile operation to come under wireless control. [Source] [Source]




UK – Information Fear Over Benefits Plan

The Information Commissioner has said he is seeking an “urgent meeting” over Government plans to use credit rating agencies to root out benefit cheats. Christopher Graham wants to discuss the proposals with the Department for Work and Pensions (DWP) amid concerns over state snooping and the misuse of personal data. It comes after David Cameron announced that private firms could be brought in to help in an “uncompromising crackdown” on benefit cheats to be unveiled in the autumn. The Prime Minister said reducing the £5.2 billion annual cost of fraud and error would be the “first and deepest” cut in public spending and that credit rating agencies could be recruited to help identify false claims. [The Hillingdon & Uxbridge Times]


CA – Ontario’s OLG Rolling Out Internet Gambling in 2012

Ontario Lottery and Gaming Corporation announced that it is introducing legalized online gambling. Set to go live in 2012, the Internet gaming site will be regulated by the Alcohol and Gaming Commission of Ontario (AGCO). Finance Minister Dwight Duncan and OLG chairman Paul Godfrey kicked off an 18-month consultation and implementation process today at Queen’s Park. Officials estimate the plan could bring in about $100-million over five years. Gamblers in Ontario already spend approximately $400-million per year online through unregulated internet gaming providers, according to the OLG. [Source]


UK – Choosing Data Protection Over Child Protection

ContactPoint, a £224 million government database containing records of all UK children, will be switched off at noon today. One of the boldest moves made so far by the new Coalition Government in its first 100 days of power, the decision to scrap Labour’s ambitious child protection initiative is being greeted with a mixture of applause and despair. While advocates, and the government, claim the costly IT scheme is redundant and badly maintained by social services, the real issue to promote its disbandment is data protection. And with the names, ages and addresses of 11 million under-18s (not to mention their parents’ and doctors’ details), available to hundreds of thousands of teachers, police officers and social workers at the click of a button, you can hardly blame them. Children’s minister Tim Loughton said on this morning’s Today Programme that it was “a civil liberties issue.” He called ContactPoint “a surrogate ID card scheme for children by the back door, and we just don’t think it’s necessary.” But, however important this data protection issue, scrapping the database without presenting an immediate alternative – or even plans for an eventual solution – clearly puts demands for privacy protection before child protection. [Source]


Electronic Records


US – Voting Machine Company Offers Ohio Counties Settlement for Dropped Votes

Premier Election Solutions has agreed to pay US $470,000 and offer up to US $2.4 million in replacement machines, free software licensing and maintenance contract discounts to settle charges of dropped votes in the March 2008 primary election in Ohio. The settlement is the outcome of a lawsuit filed by Ohio Secretary of State Jennifer Brunner over voting machines that malfunctioned and dropped votes. The settlement applies to 47 counties that used the faulty machines; each county may decide for itself whether to accept the terms of the settlement. Premier used to be part of Diebold, but was acquired by Election Systems & Software. [ComputerWorld] [BusinessWeek]




IN – India Demands Access to BlackBerry Communications

The Indian government has informed BlackBerry parent company Research in Motion (RIM) that it has until August 31 to offer a solution that will provide Indian law enforcement agencies with access to data streams from BlackBerry Enterprise Server and Blackberry Messenger. If a suitable arrangement is not made by August 31, India will block the BlackBerry email and instant messaging services in the country. Some point to RIM’s recent agreement with Saudi Arabia to put servers in that country as evidence the company is likely to propose a workable solution in India. [Computer World] [CNET] See also: [Indian government also wants to access Skype, Google and other communication services]


WW – RIM Responds to Indian Government

Research in Motion (RIM) responded to the Indian government’s threat to “take steps to block” some Blackberry services if they’re not made accessible to law enforcement there. RIM has announced four principles to guide negotiations with foreign governments over access. The principles include that carriers must observe the strict context of lawful access and national security requirements by the country’s judiciary and rules of law; the carrier’s demands must be what BlackBerry calls “technology and vendor neutral;” there will be no changes to the security architecture for BlackBerry Enterprise Server, and RIM will maintain a “consistent global standard for lawful access requirements that does not include special deals for specific purposes.” BlackBerry services have been banned in the United Arab Emirates and Saudi Arabia, and Indonesia is also considering a ban. [Victoria Times Colonist] [Schneier commentary] [Zittrain commentary]


WW – Saudi Says There’s a Deal with Blackberry

Saudi Arabia and the makers of the BlackBerry smartphone have reached a deal on accessing users’ data that will avert a ban on the phone’s messenger service, a Saudi official said. The agreement, involving placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users’ messages and allay official fears the service could be used for criminal purposes, the official said. The deal could have wide-ranging implications for several other countries, including India and the United Arab Emirates, which have expressed similar concerns over how BlackBerry maker Research in Motion Ltd. handles data. The Saudi regulatory official, who spoke on condition of anonymity because he was not authorized to discuss the details of the deal with the media, said tests were now under way to determine how to install a BlackBerry server inside the country. The kingdom is one of a number of countries expressing concern that the device is a security threat because encrypted information sent on the phones is routed through overseas computers — making it impossible for local governments to monitor. Critics, however, maintain that Saudi Arabia and other countries are more motivated by the desire to further curb freedom of expression and strengthen already tight controls over the media than by a fear of terrorism. [Source] [Saudi Arabia orders BlackBerry ban] [Blackberry maker holds ground in privacy fight] [Blackberry Maker to Saudis: No] [NYT] [CNN] [ComputerWorld] [CNET] and [NYT: For E-Data, Tug Grows Over Privacy vs. Security] See also: [Tough Indian telecom security rules spark foreign backlash]


UA – RIM to Place Three Servers in Saudi Arabia

BlackBerry parent company Research in Motion (RIM) will put three servers in Saudi Arabia and allow them to be under the jurisdiction of the government there. The action is likely to make unnecessary a planned ban on BlackBerry devices in that country. Authorities plan to test the servers to ensure the accessibility meets with their requirements. Lebanon has said that it plans to start talks with RIM to allow Lebanese security agencies to monitor communications conducted through the BlackBerry network. [The Register] [ABC News] [Bloomberg] [Techworld]


UA – UAE to Ban BlackBerry Services as of October 11

Authorities in the United Arab Emirates (UAE) have decided to suspend Blackberry services until concerns about the security of the services are addressed. The Telecommunications Regulatory Authority will suspend services to Blackberry Messenger, Blackberry email and Blackberry web browsing as of October 11, 2010. The concerns lie in the fact that Blackberry data are exported off-shore and managed by a foreign corporation. The Emirates News Agency said, “Today’s decision is based on the fact that, in their current form, certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE.” The issue of control is not unique to the UAE; other countries have expressed concerns about not being able to access communications conducted through BlackBerry devices. [NY Times] [NY Times] [CNN]


EU – German Government Considering Ban on BlackBerrys, iPhones

The German government is reportedly considering a ban (applying to government ministers) on BlackBerrys, iPhones and other smartphones because of security concerns. The email push services can route messages through servers outside Germany. German interior minister Thomas de Maiziere is recommending that politicians use the SiMKo 2 smartphone instead. [The Register] [InfoSecurity]


CA – Cavoukian Launches Multi-Level “Think Before You Copy” Educational Campaign

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging key players in the province’s health sector to join her in a multi-level education campaign aimed at preventing the far-too-frequent disclosure of unencrypted personal health information through the loss or theft of portable electronic devices such as laptops and USB keys. This announcement comes on the heels of yet another USB key containing the unencrypted, identifiable personal health information of more than 750 patients being lost through the theft of a purse. Commissioner Cavoukian is encouraging all health colleges and associations to contact her office “to determine how we may work together in helping you create education programs for health-care practitioners, their employees and other agents on how to minimize the threat to privacy posed by mobile devices.” [Source]


WW – PCI Updates Unveiled

The long-anticipated new version of the Payment Card Industry Data Security Standard includes no new requirements - just clarifications and new guidance on existing components. This is the headline news from the PCI Security Standards Council, which has just released a summary of the expected changes to PCI DSS and the Payment Application Data Security Standard. A more detailed summary of the proposed versions 2.0 of PCI DSS and PA DSS will be released in September, prior to the council’s community meetings. The final version of the amended standards is expected to be released on Oct. 28, then go into effect on Jan. 11, 2011. There are 12 proposed changes in version 2.0. Key updates include:

This summary of changes comes after the announcement in June that the council is moving all three of its standards to follow a three-year development lifecycle period, starting with the release of updated versions of the PCI DSS and PA DSS in October of 2010. A consistent, transparent lifecycle for all council-managed standards is intended to simplify the implementation process for the entire payment industry. Then these standards are scheduled to go into effect after the Christmas holiday season, starting January 11, 2011. [Source] [Summary of Proposed Changes]


EU Developments


EU – Commission Confirms Directive’s Timetable

The European Commission has confirmed that while it will release plans for a review of the Data Protection Directive this year, the proposed new law itself will not be published until next year. A spokeswoman has said the commission is taking time to consider 160 responses from public consultations, noting the process could not be a short one because the changes EU Commissioner Viviane Reding is seeking are significant. “Commissioner Reding envisages it as a bit more than simply ‘an amendment’... It is rather an overhaul because the idea is to integrate data protection for law enforcement purposes into the new framework,” the spokeswoman said. [OUT-LAW.COM]


EU – Google to Introduce Street View in Germany

Google will introduce its “Street View” mapping feature for 20 of Germany’s largest cities before the end of the year, the company announced Tuesday, launching a new debate over privacy in Germany. German officials have been among the harshest critics of the “Street View” program, which provides detailed photographs of neighbourhoods taken by Google cameras. At the insistence of authorities, the faces of individuals and license plates will be blurred, and people can also ask to have images of their homes removed from the database starting next week — a move aimed at dispelling privacy fears. [Source]


SK – Police Raid Google’s Office in South Korea

South Korean police searched the offices of Google Korea to investigate whether it breached privacy law in collecting information for its Street View service, an officer said. “We searched Google Korea as it is suspected of breaching the law on the protection of privacy in the course of collecting information needed for its Street View service,” the officer involved in the case told AFP on condition of anonymity. There was no immediate comment from Google Korea. [Source]


UK – ICO Says Google Wi-Fi Data Collection Case Not Closed

The UK Information Commissioner’s Office (ICO) now says it will consider the findings of other countries regarding Google’s collection of personal data while gathering information and images for Street View. The statement could be perceived as backpedaling from a statement the ICO made several weeks ago, when it said it had examined some of the data Google had collected and deemed them harmless. The ICO defended its apparent shift of position by noting that it lacks the authority to enforce the law/rule that Google allegedly violated: interception of communications. That infraction falls under the Regulation of Investigatory Powers Act (RIPA). The ICO’s lack of authority to act in this case underscores a deeper problem in the UK’s privacy and security laws: if the UK government does not establish an authority to regulate interception of communications by private companies, it could face legal action from the European Commission (EC). [The Register]




HK – Six Banks Sold Customers’ Personal Data

The Hong Kong Monetary Authority (HKMA) has revealed that six local banks have sold the personal information of more than 600,000 clients to unrelated third parties for marketing purposes over past years. It said some of these institutions, which cannot be named for legal reasons, only stopped selling such data last month following a public outcry over the privacy row involving the Octopus card company. The HKMA said two of the six cases had previously been uncovered by the Privacy Commission two years ago. [Source]


US – Texas Company Seeks Liability Settlement from Bank Over Fraudulent Transactions

Dallas, Texas-based Hi-Line Supply, Inc. is attempting to get its bank to settle a liability claim over US $50,000 in fraudulent transfers. The bank claims that the entity requesting the transactions knew all the company’s passwords. Hi-Line maintains that the bank should have been wary of the transactions because the payments were going to individuals who had never before done business with the company; the requests were made from IP addresses that were physically more than 1,500 miles from the bank and had not been used before to conduct any transactions; and the amount was out of the ordinary. The fraudulent transactions were made last August. Hi-Line has convinced a court to seek depositions from the bank to find out exactly what it knew about the transactions. [Krebs on Security]




US – Leak of Afghan War Documents Prompts US Military Information Security Review

The US military will review information security practices in the wake of the leak of tens of thousands of classified documents about the war in Afghanistan through WikiLeaks. Defense Secretary Robert Gates says that procedures for restricting the access and transportation of data have already been put in place. [Computer World]


US – Consumer Watchdog Asks FBI, DEA to Explain Use of Google Earth

The FBI and DEA are now making extensive use of Google Earth, according to federal spending records. Consumer Watchdog is filing Freedom of Information Act requests with the agencies to determine how the Internet giant’s digital mapping technology is being used for domestic surveillance, including whether it is used for racial profiling or other abuses of civil liberties. “The public needs to know how law enforcement is using Google’s technologies,” said John M. Simpson, consumer advocate with the nonpartisan, nonprofit group. “We call on the FBI and the DEA to expeditiously respond to our requests for information.” Congress should also investigate how the U.S. law enforcement and intelligence communities are using technologies that Google provides, Simpson added. [Source]




IN – Don’t Do Paternity Test Routinely: Supreme Court

In a significant judgement, the Indian Supreme Court has said that a paternity test to determine the identity of a child should not be ordered in a routine manner, as it infringes on the right to privacy and may also render the child a bastard. Such a test should be ordered only after weighing the competing interests and when it is eminently required, said the apex court, setting aside the order of the Orissa High Court, which had directed a DNA test to determine the paternity of a child in a matrimonial dispute. [Source]


Health / Medical


US – Court Backs Prescription Privacy Law in Maine

The 1st Circuit upheld a Maine law allowing doctors to keep their prescribing histories confidential from drug companies that target them for marketing. A three-judge panel in Boston ruled against three prescription drug data analysts who challenged the law, claiming it prevents them from selling information about doctors and other prescribers to drug companies that use the data for marketing. The law lets prescribers opt to have their personal information and prescribing history kept out of the hands of “detailers,” or pharmaceutical representatives who analyze the data and develop marketing agendas based on a prescriber’s history and likeliness to switch brands or order more of a certain brand. Prescribers can also allow detailers to market to them, a practice that some doctors -- but not the majority -- find informative and helpful, according to the ruling. According to the state Legislature, “Restricting the use of prescriber identifying information will act to decrease drug detailing that targets the prescriber, thus increasing decisions to prescribe lower-priced drugs and decisions made on the basis of medical and scientific knowledge and driving down the cost of health care.” [Source]


Horror Stories


US – Undercover Investigation Finds Passport Issuance Process Vulnerable to Fraud

The State Department’s passport issuance process lacks data verification and counterfeit detection techniques, according to several testimonies at a July 29 hearing before the Senate Judiciary subcommittee on terrorism and homeland security. In an undercover investigation, the Government Accountability Office applied for seven U.S. passports using counterfeit or fraudulently obtained documents to simulate scenarios based on identity theft. The GAO successfully obtained three of the seven passports. Five were processed by the State initially, and later two passport applications were intercepted by mail, prior to delivery. GAO identified two major vulnerabilities in the issuance process: Passport agents and examiners accepted counterfeit or fraudulently acquired genuine documents as proof of identification and citizenship—a problem complicated by the wide variety of documents that are eligible to prove citizenship and identity. State is limited in its ability to access data from other federal and state agencies, due to privacy limitations, making verification difficult. At the hearing, Cardin announced the introduction of the “Passport Identity Verification Act,” which he said aims to give the State greater legal authority to “access information contained in federal, state and other databases that can be used to verify the identity of every passport applicant, and to detect passport fraud, without extending the time that the State Department takes to approve passports.” [Source]


US – Florida Students and Faculty at Risk

A software upgrade at the College Center for Library Automation exposed the personal information of about 126,000 Florida public college students and faculty. According to the center, there is no evidence that the information was inappropriately accessed. However, the center is notifying those affected and encouraging them to place a fraud alert on their credit files. Florida State College at Jacksonville (FSCJ) and five other institutions were affected by the breach, which was discovered when a student found his personal information through a Google search. FSCJ is employing a new student identification card that does not include Social Security numbers that will be used for all on-campus resources to help curb the threat of identity theft. [The Miami Herald]


Identity Issues


WW – PseudoID: Enhancing Privacy for Federated Login

PseudoID is a privacy enhancement for federated login systems that is backward-compatible with OpenID. PseudoID is designed to protect users from disclosure of private login data held by federated identity providers. It is based on a cryptographic tool called a blind signature, used in a manner similar to David Chaum’s classic untraceable payment scheme. PseudoID was designed and developed by Arkajit Dey and Stephen Weis. [Short introductory video] [Source] [Paper]


Internet / WWW


US – Schwartz Moves to NIST

Internet privacy advocate and Center for Democracy and Technology Chief Operating Officer Ari Schwartz will, on August 30, take a new post as senior Internet policy adviser at the National Institute of Science and Technology (NIST). In his new role, Schwartz will work with the Commerce Department’s Internet Policy Task Force on information security, among other issues, and advise NIST Director Patrick Gallagher on working groups such as the subcommittee on standards under the National Science and Technology Council’s Committee on Technology, says the report. Schwartz says he is looking forward to the new opportunity. “NIST’s work on Internet issues is at a critical juncture, and NIST and the Department of Commerce are taking the lead on some really key issues right now.” [GovInfoSecurity]


WW – Experts Warn of a Weak Link in the Security of Web Sites

Computer security researchers are raising alarms about vulnerabilities in some of the Web’s most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users. Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say. “It is becoming one of the weaker links that we have to worry about,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group. Mr. Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker and that country over encryption. Mr. Eckersley also said that Etisalat was found to have installed spyware on the handsets of some 100,000 BlackBerry subscribers last year. Research In Motion later issued patches to remove the malicious code. Yet Mr. Eckersley said that Etisalat was one of the “certificate authorities” and could misuse its position to eavesdrop on the activities of Internet users. Mr. Eckersley wrote that Etisalat could issue fake certificates to itself for scores of Web sites, and “use those certificates to conduct virtually undetectable surveillance and attacks against those sites.” Etisalat could also eavesdrop on virtual private networks used by corporations to communicate securely around the world. [NYTimes] See also: [Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL by Christopher Soghoian and Sid Stamm] and also: [China, India leads global surge in mobile Web usage]


WW – Facebook Bug Could Give Spammers Names, Photos

Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special “Please re-enter your password” page, which includes the Facebook photo and full name of the person associated with the address. The feature helps people understand if they’ve mistyped their e-mail address at login, but it could be misused by spammers to get information on Facebook’s 500 million users. [Source]
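The leak described above is an account-enumeration problem: the failure response differs depending on whether the address is registered. The following is an added illustration, not Facebook’s code, with a constructed one-user store; it contrasts a handler that behaves as the item describes with one whose failure response is the same for registered and unregistered addresses.

```python
"""Added example (not from the article or Facebook): a login handler whose
failed-login page reveals the account holder's name and photo, beside a
version that returns one uniform failure message. Sample user constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    email: str
    full_name: str
    photo_url: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in password hashing; any slow, salted KDF would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, full_name: str, photo_url: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, full_name, photo_url, salt, _hash(password, salt))


# Constructed sample directory standing in for the site's user store.
USERS = {u.email: u for u in [
    make_user("alice@example.com", "Alice Example", "/photos/alice.jpg", "correct horse"),
]}


def leaky_login(email: str, password: str) -> dict:
    """Mirrors the behaviour the item describes: a registered address with the
    wrong password gets a 'please re-enter your password' response that carries
    the account holder's full name and photo, while an unknown address does not."""
    user = USERS.get(email)
    if user is None:
        return {"status": "error", "message": "No account with that e-mail"}
    if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return {"status": "ok", "name": user.full_name}
    return {"status": "retry",
            "message": "Please re-enter your password",
            "name": user.full_name,
            "photo": user.photo_url}


def uniform_login(email: str, password: str) -> dict:
    """Hardened form: every failure produces the same response body, so the
    response cannot confirm whether an address is registered."""
    user = USERS.get(email)
    # Always run the KDF, even for unknown addresses, so the time taken does
    # not reveal account existence either. Dummy salt/hash are constructed.
    salt = user.salt if user else b"\x00" * 16
    expected = user.pw_hash if user else b"\x00" * 32
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if user is not None and matched:
        return {"status": "ok", "name": user.full_name}
    return {"status": "error", "message": "Incorrect e-mail address or password"}


def distinguishes_accounts(login_fn, known: str, unknown: str,
                           password: str = "wrong-password") -> bool:
    """True if the handler's failure responses differ between a registered and an
    unregistered address, i.e. a tester could use it to enumerate accounts."""
    return login_fn(known, password) != login_fn(unknown, password)


if __name__ == "__main__":
    print("leaky handler enumerable:",
          distinguishes_accounts(leaky_login, "alice@example.com", "nobody@example.com"))
    print("uniform handler enumerable:",
          distinguishes_accounts(uniform_login, "alice@example.com", "nobody@example.com"))
```

A review check for this class of bug is exactly `distinguishes_accounts`: compare the failed-login response for a known and an unknown address and treat any difference in body, status or headers as a finding.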


WW – An Analysis of Private Browsing Modes in Modern Browsers

Abstract: We study the security and privacy of private browsing modes recently added to all major browsers. We first propose a clean definition of the goals of private browsing and survey its implementation in different browsers. We conduct a measurement study to determine how often it is used and on what categories of sites. Our results suggest that private browsing is used differently from how it is marketed. We then describe an automated technique for testing the security of private browsing modes and report on a few weaknesses found in the Firefox browser. Finally, we show that many popular browser extensions and plugins undermine the security of private browsing. We propose and experiment with a workable policy that lets users safely run extensions in private browsing mode.

Conclusions: We analyzed private browsing modes in modern browsers and discussed their success at achieving the desired security goals. Our manual review and automated testing tool pointed out several weaknesses in existing implementations. The most severe violations enable a local attacker to completely defeat the benefits of private mode. In addition, we performed the first measurement study of private browsing usage in different browsers and on different sites. Finally, we examined the difficult issues of keeping browser extensions and plug-ins from undoing the goals of private browsing. [Source: paper by Gaurav Aggarwal (Stanford University), Elie Bursztein (Stanford University), Collin Jackson (CMU) and Dan Boneh (Stanford University)]


Law Enforcement


UK – Report a Crime, End Up on a Secret Database: Police Force Logged 180,000 Names

Tens of thousands of innocent members of the public who report crimes are having their personal details stored on a ‘secret’ police database. Those calling 999 about an incident or witnesses to crimes are routinely being asked for their ethnicity and date of birth, it has emerged. The details are being kept without their knowledge on a ‘Big Brother’ file - where thousands of suspected criminals’ details are also held. On the database of one force alone, the personal details of 180,000 people who phoned police were recorded - four times more than the number of suspected criminals listed on the site. North Yorkshire Police’s information management system contained data on 181,917 innocent informants, 38,259 suspects and 107,566 victims recorded as aggrieved or ‘vulnerable aggrieved’. The figures, released under the Freedom of Information Act, have outraged privacy campaigners who say that many people will refuse to report crimes if they think their personal details are being kept. Phil Booth, of the campaign NO2ID, said: ‘This is a database that intermingles criminal suspects with victims, with random members of the public. There is potential for some sort of mix-up.’ [Source]


AU – Atkinson to Ask Privacy Commissioner Not to Cut Access to Go Cards

Queensland Police will appeal to the state’s privacy commissioner not to sever their access to Brisbane commuters’ movements recorded on Go Cards. Police Commissioner Bob Atkinson said officers had used the information “lawfully and appropriately” and should be allowed to continue to do so. It was revealed last week that police were tapping into commuters’ Go Card records to pinpoint the movements not only of criminal suspects but also of potential witnesses. Public concern led the state’s new privacy commissioner, Linda Matthews, to announce she would head an investigation to ensure proper safeguards were in place surrounding personal information on Go Cards. Police have applied to TransLink for access to Go Card records 46 times. None of the applications were rejected under an exemption to the Information Privacy Act 2009 (Chapter 29). [Source]


CA – Speeding Teen Convicted After Web Boast

A Vaughan, Ont., teenager convicted of careless driving after boasting online about his speeding exploits has become the latest cautionary tale for social media users. Vladimir Rigenco, 19, found himself the target of a police probe several months ago, when a U.S. citizen called in a tip stemming from Mr. Rigenco’s post on an Internet forum for BMW fans. In it, the young man boasted about driving 100 kilometres per hour above the posted speed limit on Apple Blossom Drive, a residential road in Vaughan. Now, Mr. Rigenco has been convicted, sentenced last week to a six-month driving prohibition and 12 months of probation. He must also complete a remedial driving program and pay a $1,000 fine. [Source]


US – Body Scanner Debate Continues

The Electronic Privacy Information Center (EPIC) has asked a federal judge to grant an injunction on Transportation Security Administration (TSA) plans to implement the scanners at major U.S. airports, saying that the “devices are designed and deployed in a way that allows the images to be routinely stored and recorded.” EPIC points to the recent acknowledgment by the U.S. Marshals Service that it has retained more than 35,000 body-scan images collected from an Orlando, FL, federal courthouse as cause for concern. However, “TSA privacy policies don’t apply to the U.S. Marshals Service, which falls under the Department of Justice.” The TSA asserts that the scanners intended for airport use “will not and cannot store, transmit or print images of passengers at airports” and that “there is no way for someone in the airport environment to alter the machine in any way that would give it any functionality to do so.” [CNET News]


US – Appeals Court Says No to Long-Term GPS Monitoring Without a Warrant

The US Court of Appeals for the District of Columbia has ruled that the government may not track suspects for extended periods of time with GPS devices without first obtaining a warrant. The ruling overturns the conviction of a suspected cocaine dealer; law enforcement authorities used a GPS device they installed on the man’s car to surreptitiously track his activity for two months. The prosecution argued that a precedent was set in a 1983 case in which police used a tracking beacon to follow a suspect to a secluded location. But the court ruled that a one-time tracking event, much like a police tail, differs greatly from monitoring a suspect’s activity over a period of several weeks, because information gleaned from the latter could provide patterns of behavior that were not discernible previously and might reveal more than the police were looking for. “The pattern the Government would document with the GPS data was central to its presentation of the case.” The ruling is binding only within that court’s jurisdiction. [Wired] [The Register] [Source]


WW – Privacy Breaches in the Clouds? Blame the Customer

When it comes to computing in the cloud, the default contract from many major cloud providers puts the onus for any privacy problems on the customer, even if the provider is at fault for the breach, Steven J. Vaughan-Nichols writes in a report. “You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract,” warns Tanya Forsheit of Info Law Group. “You should ask them what kind of privacy and security controls they have, whether they’ll let you audit their security and what they will agree to in regards to liability.” Vaughan-Nichols notes that “when it comes to cloud computing, it’s better to be safe than sorry regarding both the legal and technical issues.” [San Francisco Chronicle]


Online Privacy


IN – India Using Facebook to Catch Scofflaw Drivers

This city is famous for its snarled traffic and infamous for its unruly drivers — aggressive rule-breakers who barrel through red lights, ignore crosswalks and veer into bicycle or bus lanes to find open routes. Now, the city’s overburdened traffic police started a Facebook page two months ago, and almost immediately residents became digital informants, posting photos of their fellow drivers violating traffic laws. As of Sunday more than 17,000 people had become fans of the page and posted almost 3,000 photographs and dozens of videos. The online rap sheet was impressive. There are photos of people on motorcycles without helmets, cars stopped in crosswalks, drivers on cellphones, drivers in the middle of illegal turns and improperly parked vehicles. Using the pictures, the Delhi Traffic Police have issued 665 tickets, using the license plate numbers shown in the photos to track vehicle owners. Despite some concerns about privacy, and the authenticity of the photos, the public’s response has been overwhelmingly positive. [Source]


Other Jurisdictions


AU – Keating: Protect Privacy in Info Age “Free-for-All”

Former Australian Prime Minister Paul Keating is voicing his support for a proposal by the Australian Law Reform Commission to create national legislation that would punish businesses and organizations responsible for ‘‘unwarranted and serious breaches of privacy’’ with tough financial sanctions. Keating’s comments follow on a push by Sen. Joe Ludwig for the Australian Privacy Act to be amended with “serious sanctions” to ensure individuals’ privacy rights are protected. Speaking in support of tougher legislation, Keating said, “This is likely to concentrate minds on the importance of compliance with privacy principles a little more than hitherto.” [The Age]


EU – Polish DPA Agreement with the Internet Industry

The Interactive Advertising Bureau Poland entered an agreement with the Polish Data Protection Authority to undertake joint educational activities to improve the industry’s knowledge of privacy and personal data, develop a code of best practice for protecting personal data, and ensure proper application of data protection provisions; the agreement is meant to address some of the risks posed by the internet (e.g. collection of information without consumer knowledge or consent) and instill consumer confidence in online contents and services. [Press Release]


NZ – Privacy Issues In Fines Collection Bill

Legislation allowing driver licences to be suspended when people haven’t arranged to pay overdue traffic fines would have “significant privacy impacts”, the Privacy Commissioner says. Marie Shroff warned about the disclosure of personal information to credit recovery agencies, in a submission to a parliamentary select committee. The Courts and Criminal Matters Bill creates the new enforcement measure of driver licence stop orders (DLSOs), which can be issued against fine defaulters. People with overdue fines would be given 14 days’ warning before a DLSO was issued against them. Licences would remain suspended until the overdue fines were paid outright or through time-to-pay arrangements. The bill contains other measures, including substitution of home detention or prison sentences for unaffordable and unenforceable reparation orders, and allowing the Ministry of Justice to release overdue penalty amounts to credit reporting agencies. The bill, which passed its first reading on a vote of 113-9, is now before the law and order select committee for public submissions. Ms Shroff’s office recommended the removal of a clause allowing “identifying particulars”, including the debtor’s full name, former names and aliases, past and present addresses, occupation and employer, to be passed on to credit reporters. In a written submission, the commissioner said the merits of dealing with fines defaulters did not outweigh the privacy implications, including “unavoidable” identity mismatches with innocent people. The office also said the disclosure of sensitive personal information by the Government to the private sector was “disturbing” and could reduce public trust in the government. The select committee is due to report back to Parliament in November. [Source]


Privacy (US)


US – Court: Snooping Employees Didn’t Violate Right to Informational Privacy

Remember the “Joe the Plumber” flap over state employees snooping in his records? A court has dismissed his lawsuit alleging privacy invasion against Ohio Department of Job and Family Services employees. In the order dismissing the case, Judge Algenon L. Marbley dismissed the claim of retaliation under the First Amendment because Joe Wurzelbacher did not provide evidence of any specific and concrete harms he suffered as a result of their actions. The court also dismissed the claims that his 14th Amendment right to informational privacy was violated, using a fairly narrow definition of the right to informational privacy previously used in the Sixth Circuit. [Source]


US – Rite Aid Penalized For Poor Patient Privacy Policies: Million Dollar Settlement

Rite Aid has agreed to pay a million dollar settlement, and provide additional training to employees after multiple HIPAA (Health Insurance Portability and Accountability Act) violations were discovered. Apparently, Rite Aid employees have been disposing of prescriptions and pill bottles in regular store trash, rather than shredding paper and labels. Private information that is exposed through the loss of a prescription bottle includes the name of the patient, the patient’s doctor, and the type and dosage of medication prescribed. Rite Aid has plans to improve employee education on the proper disposal of sensitive information in reaction to the investigation. [Source]


US – Legislators Seek Answers About Website Data Collection

US Representatives Ed Markey (D-Massachusetts) and Joe Barton (R-Texas) have sent letters to 15 major websites seeking detailed information on the amount of user information they retain and what they do with the information. Specifically, the legislators want to know what information the sites collect; how they use that information for tracking; whether the sites sell the information, and how much money they make selling the information. Their concern was raised by a recent report in the Wall Street Journal about data privacy practices. Both legislators are senior members of the House Energy and Commerce Committee, which hopes to push through privacy legislation this year. [ComputerWorld]


US – XY Publisher to Destroy Personal Info on Gay Teens

Last month we wrote about a defunct publication and website, XY, that was at risk of being ordered to turn over private information. The publication’s publisher, Peter Ian Cummings, was going through bankruptcy proceedings, and one of the few things of value he owned was user information, most of which belonged to the gay teens the magazine served. Today, the Electronic Frontier Foundation reports that Cummings and his former partners and debtors have agreed to completely destroy that personal information. It will not be considered part of the publication’s transferable assets. The Federal Communication Commission stated that transferring such information could very well violate the agreement between the publication and its former readers. This is a triumph for both common sense and for privacy. EFF points out, however, that although this particular situation has been resolved, the issue of personal information as property in bankruptcy situations is unlikely to disappear without legislative action. [Source]


Privacy Enhancing Technologies (PETs)


EU – EC Releases Report on PETs

The European Commission this week received the final report on a London Economics study that looks at the costs and benefits of Privacy Enhancing Technologies (PETs) and lays out a framework for how to understand and deploy them. Based on a survey of businesses from 12 EU member states, the economic benefits are shown to be technology and application specific and should be determined on a case-by-case basis. The report states, “There is little evidence that the demand by individuals for greater privacy is driving PETs deployment...Data controllers, on the other hand, can derive a variety of benefits from holding and using personal data, including the personalisation of goods and services, data mining, etc.” [eGov Monitor] [EC Report on PETs]


WW – Pixels Could Replace People in Street Photography

Two University of California researchers have come up with a way to ghost-out the images of pedestrians captured in street-level photography, InformationWeek reports. Arturo Flores and Serge Belongie described their method at the IEEE International Workshop on Mobile Vision in June, saying that it could be a way for Google to address the privacy issues associated with its Street View mapping application. The method “yields Street View images as if the pedestrians had never been there,” the researchers wrote in their paper, “Removing pedestrians from Google Street View images.” [Source]


US – The New Tools of the Trade

Jay Cline, writes for Computerworld about his investigation into the present and future of the software market for privacy governance, risk and compliance (GRC) products. Based on growth in organizations like the IAPP and other benchmarks, Cline estimates the market to be around $1 billion and, he says, some entrepreneurs have noticed. In his investigation, Cline and research analyst Michael Lotti found that tools are emerging to help privacy professionals track and unify laws and regulations, integrate overlapping audits and assessments and maintain data inventory. Those using these products, writes Cline, are feeling “relief at having software to leverage existing staff, but also a sense of being overwhelmed by the Year One task of getting everything loaded into the tool and customized.” [Source] [Paper by Athena Privacy]


US – Walmart CPO Dispels Clothing ID Concerns

Starting next month, Walmart will place removable smart tags on garments, and some privacy advocates are raising concerns that discarded tags could be tracked and that retailers might scan RFID-enabled identification carried by customers in their stores. Walmart CPO Zoe Strickland, CIPP/G, told the Daily Dashboard the company has taken steps to ensure that does not happen. “The only things that we’re reading are tags in the program,” she said, noting the readers cannot read through wallets. As for fears about the scanning of discarded tags, Strickland noted that would require reverse-engineering on the part of anyone trying to determine what was purchased. Walmart conducted a privacy impact assessment in developing the program, she said, and will be providing extensive notification to customers in its stores. [The Wall Street Journal]


US – Feds Admit Storing Checkpoint Body Scan Images

For the last few years, federal agencies have defended body scanning by insisting that all images will be discarded as soon as they’re viewed. The Transportation Security Administration claimed last summer, for instance, that “scanned images cannot be stored or recorded.” Now it turns out that some police agencies are storing the controversial images after all. The U.S. Marshals Service admitted this week that it had surreptitiously saved tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse. [Source] [Source]


US – Electric Grid Vulnerabilities Exposed

Computer networks controlling the electric grid are plagued with security holes, says a new Energy Department report based on the findings of 24 assessments of computer-control systems performed between 2003 and 2009. Many are VERY basic. [Wall Street Journal]


UK – RBS Fined for Lax IT Governance

The Royal Bank of Scotland (RBS) has been slapped with a GBP 5.6 million (US $8.9 million) fine for negligent IT governance. RBS implemented an IT system in 2006 to screen cross-border transactions, but the bank has not tested the system for accuracy since its inception. Over a two year period, the system in question missed all incoming payments from a foreign source as well as the majority of outgoing payments except for those headed for the US. [Secure Computing]


Smart Cards


HK – Octopus CEO Resigns over Privacy Scandal

Amid pressure over her handling of a data privacy scandal, the CEO of Octopus Holdings has resigned. The company last week admitted to selling the personal data of nearly two million customers to third parties. In a statement Wednesday, Prudence Chan said that though she doesn’t believe Octopus violated any laws or regulations under her watch, she decided to step down as the company works to regain public trust and confidence. “I believe the current issues could have been better handled and for that, I sincerely apologize to our customers and the community,” Chan said. Meanwhile, the government has signaled that it will increase privacy protections. [The Wall Street Journal]


US – Maryland to Create Statewide Database for License Plate Readers

Maryland will become the first state in the country to create a statewide network for data collected from license plate readers, Gov. Martin O’Malley announced. An existing network that makes that data available to state law enforcement agencies will be expanded to include Maryland’s localities. The single database will be housed in the state’s fusion center, and the state’s license plate readers “will be networked to ensure seamless coordination and consistent information sharing during critical incidents,” according to the state. In the past three-plus years, Maryland has made $2 million available to law enforcement to deploy 105 license plate recognition units around the state, according to the governor’s office. As part of the announcement, in the next 12 months Maryland will add 100 more license plate readers. [Source] and also [US: High-tech wow for police is a privacy worry for some]


Telecom / TV


WW – Granada Charter of Privacy in a Digital World – WG on Telecoms Data Protection

Users of communications services have the right to be informed of any proposed processing or secondary uses of their personal data, give explicit consent (opt-in) and subsequently withdraw consent (opt-out) to all such proposed disclosures or secondary uses, and opt-in to and subsequently opt-out of the collection and use of any data concerning their use of the services. Providers should set up specific safeguards to protect sensitive information such as traffic and location data, guarantee the secrecy of communications, and ensure that any information collected about users is the minimum needed to provide a service and not retained for longer than necessary for that service to be provided; they should inform users where there is a particular risk of a security breach, any possible remedies and when a privacy breach has occurred. Public authorities (including legislators) should be open and transparent as to the processing of all personal information, and refrain from any observation, interception or monitoring of communications, unless it is strictly necessary for law enforcement purposes based on a specific legal basis; user rights and the right of privacy and data protection in the use of interactive services should be enforced and data subjects given effective remedies. [Source]


US Government Programs


US – DARPA Draws White House Praise; Will Appoint Privacy Ombudsman

The White House has commended the Defense Advanced Research Projects Agency (DARPA) for its new privacy principles, unveiled this week, which aim to balance national security and individual privacy, The Hill reports. In a blog post, Tom Kalil, deputy director for policy at the White House Office of Science and Technology Policy, expressed delight with DARPA’s leadership on the issue. “It is critical that we maintain our privacy and civil liberties in the Digital Age,” Kalil said. Under the new guidelines, the agency will appoint an internal privacy ombudsman and will establish an independent privacy review panel, the report states. [The Hill]


US – Clarification of National Security Letter Authority Raises Privacy Concerns

The move to clarify the FBI’s authority to demand electronic communications data is meeting with resistance. The change in language would allow the FBI to obtain information from Internet service providers (ISPs) with the use of national security letters, which do not require a warrant from a judge. Those targeted by the letters do not need to be suspected of wrongdoing; all that is required is that the material requested be considered relevant to counter intelligence or counter terrorism investigations. National security letters have been misused in recent years. Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) noted, “While the government should have the tools that it needs to keep us safe, American citizens should also have protections against improper intrusions into their private electronic communications and online transactions.” [Washington Post]


US – Judge Grants Partial Lift on Gag Order in National Security Letter Legal Challenge

An Internet service provider (ISP) and security consultancy owner who was served a national security letter (NSL) from the FBI in February 2004 seeking a certain customer’s records may now speak about the case in general thanks to a partial lift of the gag order that accompanied the NSL. Recipients of NSLs are barred from even acknowledging that they have received the notice, much less discuss specifics about the information authorities were seeking. Nicholas Merrill filed a lawsuit challenging the NSL he was served. Merrill contacted his attorney after receiving the letter because despite the letter’s insistence that he not contact an attorney, he said, “I’m an American. I always have a right to an attorney.” Merrill’s lawsuit was filed under the name “John Doe” and challenged the legality of the letter because customer records are constitutionally protected information. The law surrounding NSLs has been changed to allow recipients to challenge the letters and their gag orders. The FBI must provide evidence in court that disclosing an NSL would be detrimental to national security. [Wired] [Washington Post]


US Legislation


US – Data Breach Legislation Introduced in Senate

Two US senators have introduced legislation that would require organizations to notify affected individuals within 60 days of data security breaches. The bill would also require the organizations to develop and implement a plan to protect the data they retain. Other versions of national data breach notification bills have been introduced in both the House and the senate, but not one has ever cleared both chambers. There is no national data breach notification law, although 46 states have their own laws on the books. This most recent bill was introduced by Senators John Rockefeller (D-W.Va.) and Mark Pryor (D-Arkansas). [SC Magazine]


US – Illinois: Quinn Signs Bill Limiting Employment Credit Checks

Illinois Gov. Pat Quinn signed a new law Tuesday that prohibits employers from using a person’s credit history when it comes to getting a job. The new law removes a significant barrier to employment for the growing number of people whose credit history has been affected by the recession. “A job seeker’s ability to earn a decent living should not depend on how well they are weathering the greatest economic recession since the 1930s,” Quinn said. “This law will stop employers from denying a job or promotion based on information that is not an indicator of a person’s character or ability to do a job well.” House Bill 4658, sponsored by Rep. Jack Franks of Woodstock and Sen. Don Harmon of Oak Park, creates the Employee Credit Privacy Act, which outlaws using a person’s credit history to determine employment, recruiting, discharge or compensation status. The new law forbids employers from inquiring about an applicant’s or employee’s credit history or obtaining a copy of their credit report, the release said. It does not affect an employer’s ability to conduct a thorough background investigation that does not contain a credit history or report. However, one of the bill’s sponsors says there are exceptions to the new law, including people who work in banking and insurance because they have access to confidential financial information. There are other exceptions as well. Pre-employment credit screenings are on the rise throughout the nation, the release said. The Society for Human Resources Management recently found that 60 percent of employers run a credit check on at least some applicants. That is an increase from 42 percent in 2006 and 25 percent in 1998. [Source]


Workplace Privacy


US – IT Administrator Draws Four Year Sentence

Former San Francisco city network administrator Terry Childs has been sentenced to four years in prison for refusing to turn over network passwords. Childs maintained that the people who wanted the passwords were not qualified to have them. The network ran during the nearly two weeks that Childs held the passwords, but he was still found guilty on one felony count of denying or disrupting computer services to an authorized user. He finally relented and handed the passwords over to San Francisco mayor Gavin Newsom. Childs has already served more than two years in county jail, which will be applied to his sentence. He could be paroled in four to six months. [BusinessWeek] [MercuryNews] [SFGate] [CSO Online]