Privacy News Highlights

15–31 August 2010



US – U.S. Scans Afghan Inmates for Biometric Database. 3

US – Student DNA Testing Scaled Back at University of California, Berkeley. 3

SK – Fingerprint Scans for South Korea. 3

WW – City to Track People With Eye Scanners. 3

CA – Canada Joins APEC Privacy Enforcement Initiative. 4

NZ – Fingerprint-Sharing Begins With Aussie on Migrant Fraudsters. 4

CA – Saskatchewan Privacy Commissioner Concerned About Health Card Requests. 4

CA – Canadians Concerned About Privacy and Security: Survey. 4

CA – Ottawa Investigating Wikipedia Edits. 5

WW – Google Tests a Hidden ‘Instant Regrets’ Email Button. 5

IN – BlackBerry Gets Two Month Reprieve in India. 5

UK – MoJ Responds to EC on Data Protection. 5

WW – Businesses Cash In on Web Privacy Concerns. 6

UK – Zurich Insurance Fined Over Data Loss. 6

US – Insurance Dept. Mandates 5-Day Breach Notifications. 6

CA – N.B. Teen’s Prison Files to Be Released. 6

US – Prosecutors Urged to Collect DNA in Plea Bargains. 7

US – Panel Drafts Privacy Recommendations for Health Data Exchanges. 7

CA – Privacy Boss Watching Access to Alberta Health Files. 7

EU – Drugstore Customers’ Data Exposed. 8

US – Settlement Reached in Security Breach Case. 8

AU – Coalition to Revive Identity Card. 8

US – Attorney Files Lawsuits Over Disney Flash Cookies. 8

US – New iPhone Security Patent App: User Protection or 1984 iSpy?. 8

US – CIO Council Releases Cloud Computing Framework. 9

UK – One in Three Have ‘Stalked’ Celebs on Street View.. 9

US – States Use K-9s to Search for Smuggled Cell Phones. 9

US – Cell Phone Privacy - Not at This School 10

WW – Facebook Places Location Tool Unveiled, Sparking Fresh Privacy Concerns. 10

WW – Mixed Reactions to Social Network’s Location Feature. 10

WW – Free Android Game Gathers GPS Data. 10

IN – Survey: Many Organizations Not Confident in Data Protection. 11

WW – Google CEO Discusses Privacy Trends. 11

CA – Facebook Falls Short of Privacy Obligations to Canada, Says Law Group. 11

US – Is ‘Private’ Data on Social Networks Discoverable?. 11

US – Online ‘Sextortion’ of Teens on the Rise in U.S. 12

AU – Companies Cry Foul Over Reforms to Privacy Laws. 12

NZ – Anti-Fraud Data Sharing Laws Introduced. 12

NZ – Privacy Concerns Not Warranted. 12

US – Google Privacy Lawsuits Consolidated. 13

US – No Criminal Charges in Pennsylvania High School Web Cam Case. 13

US – Man Who Recorded Conversation on iPhone Did Not Violate Wiretap Act 13

US – Lottery Winner Sues Texas for Privacy. 13

US – Boyd: Privacy Is Not Dead. 14

CA – Concept of Privacy in Danger: Information Commissioner 14

CA – Sensors and In-Home Collection of Health Data: A Privacy by Design Approach. 14

WW – S.N.A.P. App Locks Down Facebook Privacy. 14

EU – Germany to Roll Out ID Cards With Embedded RFID.. 15

WW – Researcher: RFID Tags Can Spy on Consumers. 15

US – Connecticut Schools Consider RFID Program.. 15

US – DARPA Seeks Proposals for Detecting Insider Threats. 15

US – GAO Report Finds Poor Public-Private Cyber Threat Information Sharing. 16

UK – Dog Squad: Police Train CCTV Cameras on Pet Owners. 16

UK – Woman Who Tossed Cat in Garbage Bin Has Police Protection. 16

US – Legislators Seek Answers from US Marshalls About Stored Body Scan Images. 16

US – ‘Enhanced Patdown’ Tested at 2 Airports. 16

US – California Legislators Send Improved Breach Notification Bill to Governor Again. 17

US – California Bill Would Protect Privacy of FasTrak Users. 17

US – Law Would Challenge Stop and Frisk Database. 17

EU – Law Would Ban Employers from Social Networking Site Research. 17

CA – Corrections to Pay Victims Of Breach Of Privacy. 17





US – U.S. Scans Afghan Inmates for Biometric Database

Wired reports on the U.S. military’s new detention facility in Parwan, Afghanistan, as “an emerging datafarm” where all detainees brought to the facility are given medical exams and have their irises scanned and fingerprints taken to be stored in a military database called the Automated Biometric Information System. The report cautions that given Afghanistan’s “shaky commitment to the rule of law, those identifiers could become weapons.” Human rights advocates are raising concerns about privacy, including the fear that when Parwan is turned over to Afghanistan, the nation’s leaders will use the facility to lock up individuals against their will to collect biometric data. [Source]


US – Student DNA Testing Scaled Back at University of California, Berkeley

A plan to analyze the DNA of incoming students at the University of California, Berkeley and give them personalized results was recently scaled back amid concerns that such research amounts to a medical diagnosis – a violation of state and federal laws. The university has already sent more than 5,000 genetic testing kits to incoming students for the voluntary, anonymous program, which involves testing three common gene variants that would “reveal aspects of how an individual metabolizes milk, alcohol and vitamin B9 [folic acid].” About 600 students consented to the test and provided their saliva samples, according to the university, which contests the state’s position that the program violates any statutes. “The change to UC Berkeley’s program was necessitated because the California Department of Public Health [CDPH] insisted that since students would have been given access to their own test results, the academic exercise was not exempt from laws designed to assure the accuracy and quality of diagnostic tests used in providing medical care to patients,” a university press release stated. [Government Technology]


SK – Fingerprint Scans for South Korea

South Korea will introduce fingerprint scans at airports and ports in a bid to stop suspected criminals and foreign visitors with forged documents, officials said. Immigration officials will scan the fingerprints of suspect arrivals to check against databases for possible criminal records, the justice ministry said. A facial recognition programme would be used as a secondary device. Anyone with a criminal record in South Korea or travelling on a fake passport would be banned from entering the country, the ministry said. [Source]


WW – City to Track People With Eye Scanners

Imagine a public eye-scanner that can identify 50 people per minute, in motion. Now imagine the government installed these scanner systems all across an entire city. Leon, Mexico, is doing exactly that, installing real-time iris scanners from biometrics research and development firm Global Rainmakers Inc. These retinal scanners don’t require people to stop and put their eyes in front of a camera. They work in real time, as people walk...[embedded video] There are different kinds of machines being installed across Leon – from large scanners capable of identifying 50 people per minute in motion, to smaller ones like the EyeSwipe...that range from 15 to 30 people per minute. These devices are being installed in public places, like train and bus stations and connected to a database that will track people across the city. The retinal scanning of Leon’s one million population has started already with its convicted criminals. Citizens with no criminal records have been offered the opportunity to “voluntarily” scan their retinas. This, however, is just the beginning. According to Carter, everyone in the planet should be connected to the iris-tracking system in 10 years: “In the future, whether it’s entering your home, opening your car, entering your workspace, getting a pharmacy prescription refilled, or having your medical records pulled up, everything will come off that unique key that is your iris. Every person, place, and thing on this planet will be connected within the next 10 years.” [Gizmodo]




CA – Canada Joins APEC Privacy Enforcement Initiative

Canada has been accepted as a participant in a new Asia-Pacific Economic Cooperation (APEC) mechanism for cross-border cooperation on data privacy enforcement. The initiative – the APEC Cross-border Privacy Enforcement Arrangement – was developed to facilitate information sharing and cooperation between authorities responsible for data and consumer protection in the APEC region. Privacy Commissioner of Canada, Jennifer Stoddart, says the arrangement is an important step forward in addressing new challenges for privacy in a globalized, online world. The arrangement establishes a process under which participating authorities may contact each other for help with collecting evidence, sharing information on an organisation or matter being investigated, enforcing actions, and transferring complaints to another jurisdiction. It also encourages cooperation between privacy enforcement authorities in APEC and their international, non-APEC counterparts as the arrangement has been designed to work seamlessly with other regional and global schemes. The arrangement was developed by a volunteer group of APEC member economies with input from civil society and business groups. To date, the participants in the arrangement also include the Office of the Privacy Commissioner of Australia, Hong Kong’s Office of the Privacy Commissioner for Personal Data, the Office of the Privacy Commissioner of New Zealand and the U.S. Federal Trade Commission. Additional privacy enforcement authorities from APEC member economies are also expected to join. [Source]


NZ – Fingerprint-Sharing Begins With Aussie on Migrant Fraudsters

Immigration authorities in New Zealand and Australia have begun sharing fingerprints of asylum seekers and people they suspect of lying about their identity. The move could be a first step towards the much more widespread sharing of visa applicants’ fingerprints with Australia, the United States, Canada and Britain. Immigration NZ identity manager Arron Baker said that, for now, the checks were being done on only “very specific categories of clients” awaiting immigration decisions. New Zealand and Australia have agreed to share the fingerprints of up to 3000 people each year. At present, the checks need to be carried out manually. But Mr Baker said the long-term intent of the 2009 Immigration Act was that biometrics would be used more routinely to verify the identities of visa applicants. Both countries expect to sign similar agreements with the US, Britain and Canada, and work has begun on developing software that could allow for the automated matching of fingerprints. That software could allow for up to 30,000 fingerprint checks to be carried out each year with each country. [Dominion Post]


CA – Saskatchewan Privacy Commissioner Concerned About Health Card Requests

Renting a movie and getting a big game hunting licence are not occasions where you should be asked for your health card, says Saskatchewan’s privacy commissioner, Gary Dickson, who said they can and have been used inappropriately. It’s not illegal for a customer to voluntarily hand over their health card, but it is against the law for the business to ask for it or require it if it’s not administering health services. That store and every other private business in Saskatchewan is also subject to a federal privacy law safeguards how our private information is copied and stored. Dickson says the province is slowly building an electronic health record system and it’s important residents can feel confident their information is safe. [Source]




CA – Canadians Concerned About Privacy and Security: Survey

KPMG International’s annual Consumers and Convergence survey found that about two-thirds, or 63%, of Canadians are concerned about privacy when using a mobile device. More than half, 58%, are worried about security. That’s not far off other respondents around the world. However, Canadians are also less likely to use mobile devices for buying goods or services and banking. Only 19% of Canadians feel comfortable using their mobile phone for financial transactions, compared to 34% of global respondents, the survey found. Just 8% of Canadians have made purchases using a mobile phone through a retailer’s site. That’s double the amount from last year, but significantly less than global consumers at 28%. About 15% of Canadians have done banking through a mobile device, compared to 45% globally. “These consumer concerns over privacy and security are pivotal to the continued adoption of e-commerce and mobile commerce. Companies that implement robust policies and safeguards and provide for full disclosure of these measures are likely to reap the rewards through enhanced customer attraction and retention.” Nearly half, or 45% of Canadians would welcome advertising on their personal computer in exchange for lower prices or free content. Only 21% feel the same when it comes to their mobile phone. That compares to 56% and 42% of global respondents indicating they would accept advertising on their computer and mobile phones, respectively. [Source]




CA – Ottawa Investigating Wikipedia Edits

The federal government is conducting two investigations into federal employees who have taken to Wikipedia to express their opinion on federal policies and bitter political debates. The Correctional Service of Canada began a probe after learning one of its computers, apparently in Ottawa, had been used to change the online encyclopedia’s entry on the Official Languages Act – the law allowing Canadians to receive federal services in the language of their choice – as the “Quebec Nazi Act.” That online outburst would likely result in the suspension or dismissal, and it may even be a crime in the view of at least one Quebec politician, who suggested the comment amounted to hate propaganda. [Source]




WW – Google Tests a Hidden ‘Instant Regrets’ Email Button

Google Labs is testing an “undo” button on Gmail that gives you 30 long seconds to stop an email from reaching your boss, your husband or your soon-to-be-former best friend. Being a Google Labs feature, it comes with the caveat that it “may break at any time” or “disappear temporarily or permanently.” “Undo send” is one of a dozen or more experimental features that Gmail users can try out by burrowing into the Settings page on the Gmail Labs website and enabling the feature. The feature, which could also be called the “second thoughts” button, used to give you only five seconds to rewrite your personal history. Now you can tailor it to just how skittish you’re feeling each day. [Source]




IN – BlackBerry Gets Two Month Reprieve in India

Indian authorities have postponed a planned ban on BlackBerry services for 60 days while they study and test a proposal from Blackberry parent company Research in Motion (RIM) to allow security agencies more access to certain Blackberry communications. India has asked for real-time access to encrypted corporate email; RIM says it is impossible to grant the request because they do not have the encryption keys. RIM competitor Nokia has agreed to place a server in India to allow government monitoring of communications. [NY Times] [CNN] [FT] [ComputerWorld] [Google News] and [RIM Offers Indian Government Some Message Monitoring Capability]


EU Developments


UK – MoJ Responds to EC on Data Protection

The UK Ministry of Justice said today it has responded to the European Commission on demands that it bring British data protection in line with European law. In June, the EC gave the UK government two months to respond to its demand that the government come into line with Europe’s Data Protection Directive of 1995. Specifically, the EC wants the information commissioner’s powers strengthened. “Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement,” EU justice commissioner Viviane Reding said in June. [The Register]


Facts & Stats


WW – Businesses Cash In on Web Privacy Concerns

As online data breaches increase to 100 million in the U.S. alone, the numbers of data protection startups are increasing as well, thanks to the investments of entrepreneurs and venture capitalists. Protecting online identity is a $2.5 billion market, according to Forrester Research, growing 12 to 15 percent annually. Among the new companies in the space are those that allow parents to monitor their children’s online activities, which is expected to become a $1.5 billion industry and as popular as anti-virus software. Also growing are startups allowing individuals to manage their online reputation. One such company charges between $100 and $1,000 annually to control what users see about clients when they are searched online. [CNBC]




UK – Zurich Insurance Fined Over Data Loss

The UK’s Financial Services Authority has fined the UK branch of Zurich Insurance GBP 2.27 million (US $3.53 million) for losing data of 46,000 customers. The data were on an unencrypted backup tape that was lost en route to a data storage center in August 2008; the company did not become aware of the missing tape for a year. The information includes names and bank account, credit card and other financial data. The fine was less than it could have been; had the company not agreed early on to settle, it would have been fined GBP 3.25 million (US $5.05 million). [Heise Online] [BBC]


US – Insurance Dept. Mandates 5-Day Breach Notifications

Following a string of incidents involving the exposure of residents’ personal information, insurance regulators in the state of Connecticut are placing notification requirements on insurers and their agents, requiring that they let the state insurance commissioner know within five days of discovering a breach. In a bulletin sent to state entities this month, officials said, “The Department’s concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information.” [Insurance Journal]




CA – N.B. Teen’s Prison Files to Be Released

Corrections Canada has dropped its bid to keep the personal files of a teenage inmate who killed herself under wraps. Ashley Smith of Moncton, N.B., choked herself with a piece of cloth in October 2007 while guards, under orders not to intervene, looked on. She was 19. The Canadian Association of Elizabeth Fry Societies, a non-profit advocacy group for federally sentenced women, had applied for the documents on Smith’s behalf before she died in prison in Kitchener, Ont. In April, Federal Court Justice Michael Kelen ordered the Correctional Service to hand over the nearly 300 pages of records about Smith, including numerous assessments, her transfer and violent-incident records, criminal charge sheet and documents about her “maximum” security risk classification. He said Corrections Canada had breached the Privacy Act in not giving Smith her records. Smith’s death and the subsequent RCMP investigation into the conduct of prison staff were not valid reasons to withhold the documents from the Elizabeth Fry Societies, the judge said. Smith had complained of poor treatment by the Correctional Service, alleging an assault, lack of psychiatric care and frequent transfers among prisons and treatment facilities across Canada. Smith’s death was the “entirely preventable” result of a series of systemic failures. Privacy requests are supposed to be answered within 30 days, but the service took a 30-day extension. It missed that deadline, and the request had gone unanswered when Smith died — 123 days after her initial application. The Correctional Service told the court such delays “happen all the time.” [Source]




US – Prosecutors Urged to Collect DNA in Plea Bargains

New York prosecutors are being urged to collect DNA samples as part of plea bargains in all misdemeanor cases after a bill proposing to do just that got stuck in the legislature. The Department of Criminal Justice Services’ acting commissioner wrote to 62 county district attorneys last week encouraging the idea, which is aimed at preventing violent crimes. The New York Civil Liberties Union opposes the idea, which would roughly double the current state database. “DAs must resist this kind of pressure and continue reaching plea bargaining agreements as they always have,” a spokeswoman said. [Associated Press]


Health / Medical


US – Panel Drafts Privacy Recommendations for Health Data Exchanges

A “tiger team“ that advises the federally chartered Health IT Policy Committee will submit a list of recommendations for ensuring the privacy and security of personally identifiable health information in health data exchanges. The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information. A 19-page letter, detailing all of the recommendations is scheduled to be submitted to David Blumenthal, chairman of the HIT Policy Committee. One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well. However, any data exchange that involves a third party does require specific and “meaningful” patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said. The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data – for instance, they should be able to permit the exchange of certain kinds of health data, but not all. Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what’s specified in their service agreements, the panel recommended. Third parties should also be required to retain personal health data only for as long as it is reasonably needed, and once they no longer need the data they should then be required to destroy it, the panel said. The tiger team’s proposals will need to be reviewed and approved by the HIT Policy Committee before they can go into effect. [Source] [Recommendations]


CA – Privacy Boss Watching Access to Alberta Health Files

A move that will allow more health-care professionals access to patient information -- in an effort to create a seamless health-care system -- is a boon and a concern to the province’s privacy commissioner. Amendments to the Health Care Information Act go into effect Sept. 1, including a change that will give more regulated members of health-care professions, such as pharmacists, podiatrists, optometrists and dental hygienists, access to patient information through Netcare, the provincewide electronic health database. The changes are expected to make the health-care system more seamless, allowing people to move through along with their information, said Information and Privacy Commissioner Frank Work. Yet more people using the system may also mean an increase in the number of incidents of people using it improperly. If anything looks suspicious, Albertans can report their concerns to his office. “They have the right to know who’s looking at their information,” he said [Source]


Horror Stories


EU – Drugstore Customers’ Data Exposed

German drugstore chain Schlecker has confirmed that, for an unspecified amount of time, the personal details of about 150,000 customers were exposed on the Internet. An external service provider was responsible for the error, according to the report. Schlecker is investigating how the names, profiles and e-mail addresses of customers were exposed. Customer account numbers and passwords were not affected. The e-mail addresses of an additional 7.1 million company newsletter subscribers were also exposed in the breach. “We are in close contact with our service provider,” a Schlecker spokesperson said. [Source]


US – Settlement Reached in Security Breach Case

A federal judge has approved a settlement between Countrywide Financial Corp. and millions of customers whose information was exposed in what has been described as “the biggest reported case of data theft by a financial insider.” The company will provide free credit monitoring for up to 17 million customers who obtained a mortgage or used Countrywide to service a mortgage before July 1, 2008, and individuals could be reimbursed up to $50,000 for each instance of identity theft stemming from the breach. Countrywide has said it worked with federal investigators on the case, and it does not appear that any identities have been stolen. [Associated Press]


Identity Issues


AU – Coalition to Revive Identity Card

A coalition government would revive the controversial Howard-era plan for a national access card to identify every individual receiving government benefits, shadow treasurer Joe Hockey has revealed. On the eve of a “cliffhanger” federal election, Mr Hockey has told The Age that giving everyone a single identifier for access to health and welfare benefits could lead to “massive improvements in productivity in health and welfare”. But instead of everyone having a card, this time the identifier could be in electronic form... In recent months Health Minister Nicola Roxon and Human Services Minister Chris Bowen have revived aspects of the access card plan, floating a single system to store individuals’ health information, and to allow government agencies to share a single IT platform. [Full article]


US – Attorney Files Lawsuits Over Disney Flash Cookies

Privacy attorney Joseph Malley has filed a lawsuit against Specificmedia for using technology to respawn cookies that users have deleted. Malley has filed two other similar lawsuits: one against a number of companies, including MTV and Hulu, for using Quantcast technology to recreate cookies and another against Disney and Demand media for using a Clearspring Technology widget that does the same thing. All the technologies use Adobe Flash to store copies of browser cookies; while clearing regular cookies is fairly straightforward, clearing Flash cookies can be complicated because they cannot be managed through browser privacy controls. According to the lawsuits, the companies did not inform users about the use of Flash to store the information; the suits allege that using Flash in this way violates state and federal privacy and computer security laws. Flash cookies allow websites to store 25 times more information than traditional cookies hold. [Wired] [ZDNet] [Wired] [The Register]


Intellectual Property


US – New iPhone Security Patent App: User Protection or 1984 iSpy?

Your next iPhone might listen to your heartbeat or scan your face to identify its rightful owner — and it could react with anti-theft measures if it ended up in the wrong hands, according to a patent application recently filed by Apple. Filed in February and made public this month, the patent application describes an invention that uses several methods to detect “unauthorized” usage of a device, such as voice and facial recognition or a heart rate monitor. Possible anti-theft measures include restricting access to some applications, gathering location data about the unauthorized user or shutting down the device remotely. One method the patent describes for detecting a stolen iPhone is checking whether it’s been hacked (aka “jailbroken”) or its SIM card has been yanked out — things a clever thief would do to override the iPhone’s security. The up-close-and-personal security patent has some concerned journalists screaming “1984,” interpreting the patent application as a draconian move by Apple to spy on users and punish customers who hack their iPhones. [Source]


Internet / WWW


US – CIO Council Releases Cloud Computing Framework

The federal CIO Council says agencies must be aware of the privacy concerns involved in storing personally identifiable information on the cloud. In a new document outlining a proposed policy framework on privacy and the cloud, the CIOs warn that federal agencies should seek legal and privacy team counsel before moving data to the cloud, as providers are not necessarily bound by the same laws and regulations as the federal government when it comes to storing personally identifiable information. The document recommends agencies conduct a “Privacy Threshold Analysis” to determine whether a new system creates privacy risks, the report states. The council says a “thoughtfully considered” move to the cloud may actually enhance privacy. [InformationWeek] [Document]


UK – One in Three Have ‘Stalked’ Celebs on Street View

More than a third of Brits (34%) have attempted to take a sneak peek at where their favourite celebrity lives by ‘stalking’ them on Google’s Street View. Research by double glazing firm Central Scotland Joinery revealed the White House, home of US President Barack Obama, is the most searched property on Google Street View, with 19% of Brits admitting they want to take a sneak peek around the Presidential residence. Hugh Hefner’s home in Los Angeles came second with 17% of web users admitting to searching for the Playboy Mansion on the Google Maps add-on. Nearly a quarter of those that admitting to looking at Hefner’s LA residence on Street View, said it was because they wanted to catch a glimpse of a Playboy Bunny. The home of Apple boss Steve Jobs was the third-most searched for property on Google Street View. Jobs beat Microsoft boss Bill Gates, whose house was the sixth most search-for property. Celebrity couples David and Victoria Beckham, Jay-Z and Beyonce, and Katie Price and Alex Reid also appeared in the list of the ten most searched-for homes on Google Street View. Furthermore, 16% of Google Street View users said they had searched for an ex-partner’s house while nearly half (47%) said they’d looked for their childhood home. [Source]


Law Enforcement


US – States Use K-9s to Search for Smuggled Cell Phones

Dogs are being deployed in prisons to help curb one of the most serious problems confronting corrections officials: smuggled cell phones. It turns out that cell phones smell. And their distinct odor can lead a well-trained canine to a device hidden under a mattress, stashed into a wall or tucked into a fan or radio. Inmates use them to arrange drug deals, plot escapes and attacks, coordinate riots and harass victims. “They have 24 hours a day to figure out how to hide these from us,” said Sgt. Wayne Conrad, who leads the K-9 program in California. “I couldn’t tell you how long it would take me to go through every nook and cranny in a cell. But when these dogs work, they pick up the odor and go right to it.” There are currently 14 dogs working in California’s 33 prisons. Five of them are specifically trained as cell phone sleuths. By the end of the summer, the K-9 unit will have 23 dogs trained, about half in finding cell phones, the other half in narcotics. As of May of this year, California prison officials had already confiscated 4,800 cell phones through the K-9 program and other random searches. They seized nearly 7,000 last year, up from just 261 in 2006. [Source]


US – Cell Phone Privacy - Not at This School

A school district in Washington state wants to clamp down on cyber bullying and sexting. But the district could be running right into a constitutional controversy. Oak Harbor school district wants to be able to search a student’s electronic items like cell phones. This crackdown could have school administrators looking through anything on the student’s phone, like pictures, text messages and videos. School officials view is as a protective measure, but some parents call it an outright invasion of privacy. The first reading of the proposal passed the school board unanimously. A final approval could happen by the end of the month. [Source]




WW – Facebook Places Location Tool Unveiled, Sparking Fresh Privacy Concerns

Facebook risks a privacy backlash today when it launches a feature that automatically shares information on the location of users with their online friends. The feature allows users to “check in” at locations which will then be shared with their friends and Facebook network but it is likely to raise concerns over safety. Users will also be able to browse shops, clubs and nearby venues to see which friends are nearby, leading to concerns it could put individual’s security at risk. The service will launch in the US only at first. Reitman said users should be particularly judicious about who they accept as friends, and be aware that even information shared with an intimate network could be copied and pasted elsewhere. “Don’t post anything online you wouldn’t want to get out publicity to anyone.” Critics will note that the primary location setting is switched on by default, which means any “places” tags automatically being shared with immediate friends. [Source] See also: [Town Uses Google Maps to Check for Illegal Pools]


WW – Mixed Reactions to Social Network’s Location Feature

The Wall Street Journal reports on reactions to Facebook’s new location feature, “Places,” which range from concerns about privacy to nods to the company for improvement over past privacy-related issues. Among those who are still concerned about the feature, which allows users to share their physical location and that of friends who have not opted out of Places, is Ireland’s Data Protection Commissioner, which has announced it will be monitoring its privacy implications. Facebook has defended the new feature, stating it consulted numerous privacy and safety groups before it went live, the report states. However, advocacy groups including the Electronic Privacy Information Center have said the company has not given users adequate controls. [Wall Street Journal]


WW – Free Android Game Gathers GPS Data

A free game application available in Google’s Android Market reportedly includes a Trojan horse program. The game, called Tapsnake, is a version of the well-known game Snake. While in play, a satellite icon appearing in the menu bar indicates that the application is harvesting GPS data. The information is uploaded to a remote server, so the location of the user playing the game can be tracked. To receive the GPS information, users aiming to track others need another application called “GPS Spy, which is available for US $4.99.” To use the application’s tracking feature maliciously, people would need access to both Android devices to enter specific information; however, the application is being considered malicious because it does not disclose the tracking activity. The application also continues to run in the background even after users attempt to kill the app. [SC Magazine] [The Register]




IN – Survey: Many Organizations Not Confident in Data Protection

Almost half of Indian organizations polled in a recent survey said they’ve experienced at least one internal security breach within the last year. 32% said their information security professionals are missing competencies to handle existing and foreseeable security requirements, the report states, though 66% of organizations said they are very confident or extremely confident in their ability to thwart external attacks. Deloitte’s “2010 Global Security Survey-India Report,” polled 62 Indian organizations. “While organizations have taken a step in the right direction by reinforcing budgets towards information security, current strategies may still be inadequate to close the gaps,” said a Deloitte spokesperson. [India Blooms]


Online Privacy


WW – Google CEO Discusses Privacy Trends

In an interview with The Wall Street Journal, Google CEO Eric Schmidt describes a future where the transition from childhood to adulthood could include an option where adults can change their names to protect their privacy later in life. CRN reports on his point of view that “as our private information becomes ubiquitous on the Internet due to postings on social media sites such as Facebook, young people should be entitled to automatically change their name on reaching adulthood.” Schmidt also discussed Google’s ongoing privacy-related issues across the globe, stating it will do what is “good for consumers” and “fair” to competitors. [Source]


CA – Facebook Falls Short of Privacy Obligations to Canada, Says Law Group

Facebook has failed to meet the Privacy Commissioner of Canada’s requirements to improve user privacy controls before the Sept. 1 deadline, according to a University of Ottawa-based law group. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) lodged the original complaint with the Privacy Commissioner’s office that led to the original investigation. At its conclusion, Facebook agreed to a long list of changes requested by the commissioner. That included revamping its privacy policies, making it easier to delete an account, and how it treats the accounts of deceased users. But by far the most complex changes it committed to was reworking its third-party application programming interface. Facebook agreed to give users more granular controls over what sort of information outside application developers could access, and limit it to only what was required for the purposes of the application. Now letters that were exchanged between the Privacy Commissioner’s office and Facebook suggest a disagreement on exactly what user information should be up for grabs. The correspondence was acquired by CIPPIC through an Access to Information request. Facebook says it has made a number of changes to address the commissioner’s concerns. That includes updating user notifications, a rewritten privacy policy, as well as the new authorization process for applications. In November and December, Facebook rolled out changes to all users’ privacy settings as it disposed of regional networks. At the same time, it changed the default privacy setting for many information categories to “Everyone”, meaning it was public to the entire Internet. That meant that application developers would automatically have access to this information, with no authorization being presented to users. [Source] See also: [Posting nude Facebook pics of ex gets man jail time]


US – Is ‘Private’ Data on Social Networks Discoverable?

A U.S. district court opinion appears to offer the first in-depth analysis on social network privacy settings and whether user information is protected from discovery by the Stored Communications Act (SCA) of 1986. The court’s decision determined that “the SCA’s protections reach at least some of the content” on social networks and suggested that users’ privacy settings do matter. It found that “private messages as well as comments visible to a restricted set of Facebook or MySpace users were held in ‘electronic storage,’ but its analysis was complicated by novel features of these technologies,” the report states. Questions remain related to what forms of content the SCA protects and how much users need to restrict their content for it to be designated as private. [Law Technology News]


US – Online ‘Sextortion’ of Teens on the Rise in U.S.

Federal prosecutors and child safety advocates say they’re seeing an upswing in cases of online sexual extortion. They say teens who text nude cellphone photos of themselves or show off their bodies on the Internet are being contacted by pornographers who threaten to expose their behaviour to friends and family unless they pose for more explicit porn, creating a vicious cycle of exploitation. One federal affidavit includes a special term for the crime: “sextortion.” [Source]


Other Jurisdictions


AU – Companies Cry Foul Over Reforms to Privacy Laws

Some of Australia’s largest companies fear a big increase in compliance costs from proposed reforms to the country’s privacy laws. Companies including Coles Supermarkets, National Australia Bank, Telstra and Westpac say the proposals must be softened to ease the cost burden. A Senate committee is examining draft laws that would introduce a new set of privacy principles after the Australian Law Reform Commission in 2008 made 295 recommendations for change. If the proposals pass into law, companies would have to consider whether they can continue to transfer personal information overseas as the proposals could see them held liable for privacy breaches offshore, and may also have to overhaul their direct marketing practices. The proposals would also require companies to be able to identify the source of personal information if a customer later asks, which worries Coles Supermarkets as it collects such material from the internet, loyalty programs, competitions and emails. And while these all have privacy notices attached, Coles would not be able to work out where the information came from at a later point without making “prohibitively expensive” changes to its computer systems. [Source]


NZ – Anti-Fraud Data Sharing Laws Introduced

The Department of Internal Affairs has developed an electronic data validation service to combat identity fraud. Internal Affairs Minister Nathan Guy said it would be extended to banks and other institutions on a ‘‘strictly need to know basis.’’ Private sector agencies will be able to enter customer information into a website which will confirm if it is consistent with other personal details held by the Government. It includes details on citizenship, passports and information from births, deaths and marriages registers. Opening up the service would allow financial institutions to comply with laws on the financing of terrorism and money laundering, Mr Guy said. “This service will help ensure compliance with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, which requires banks and other financial institutions to undertake more comprehensive ‘know your customer’ checks.’’ In April Mr Guy said the Government was mindful of privacy concerns and the records would not include sensitive information such as income, travel details or criminal records. The service will be monitored by Privacy Commissioner Marie Shroff. “Any agency using this tool must have the consent of customers - it is up to individuals whether or not to give permission. The tool only confirms whether the information provided by customers is accurate and does not give out any additional information about the person. The Data Validation Service will be available only to organisations which meet strict security, privacy and integrity criteria. The Government has also agreed that the Privacy Commissioner will monitor this service.” [Source]


NZ – Privacy Concerns Not Warranted

An email doing the rounds warning that personal information could be handed out to anyone who has someone’s licence plate number, is “misleading”, according to the New Zealand Transport Agency (NZTA). The email states “As of 1 November 2010, a new law comes into effect which allows third parties access to your name and address details via your vehicle registration plates.” The email tells recipients to opt-out of the scheme online on the NZTA website. But the NZTA’s media manager Andy Knackstedt said the email creates a false impression, and that the situation is the opposite. “People’s details have in fact been publicly accessible from the Motor Vehicle Register for decades. When the new legislation comes into force it will significantly restrict access to this information,” Knackstedt said. He said under the new law, the release of personal information will only be permitted for the following purposes: Enforcement of the law, maintenance of the security of New Zealand, collection of charges imposed or authorised by an enactment; and the administration and development of transport law and policy. Anyone seeking names and addresses held on the Motor Vehicle Register outside of these purposes after the new law comes into force will have to make an Official Information Act request to the NZTA. But anybody can seek a special “authorisation” from the Secretary for Transport to obtain information from the register, unless that person has ‘opted out’ of the scheme on the NZTA website. [Source]


Privacy (US)


US – Google Privacy Lawsuits Consolidated

Eight class action lawsuits filed against Google over its Street View wireless data collection have been consolidated and transferred to a California judge. Five additional cases may join the already consolidated case. The suits allege that Google violated federal and state privacy laws when it collected snippets of wireless data from unencrypted wireless networks while gathering data for Street View. [Wired] [Consolidation Decision] See also: [NYC woman to Google: Who’s posting trash about me? She asks court to get users unmasked]


US – No Criminal Charges in Pennsylvania High School Web Cam Case

There will be no criminal charges in the case involving the Lower Merion (Pennsylvania) School District’s use of remotely activated webcams on laptops issued to high school students. Instead, the issue will be resolved in civil court. The issue was brought to light earlier this year when the family of a student filed a lawsuit alleging the technology had been used to take pictures of the student in his home. A second lawsuit with similar allegations was filed last month. The technology was supposed to be used to locate missing computers, but was activated and remained on, taking pictures and screenshots for weeks, or in some cases, months. A new policy adopted by the school board prohibits school employees from accessing the laptops remotely without written permission from the family. [Philly] [MSNBC] [Wired]


US – Man Who Recorded Conversation on iPhone Did Not Violate Wiretap Act

A federal appeals court in New York has ruled that David Weintraub did not violate the federal Wiretap Act when he used an application on his iPhone to record a family discussion about his dying mother’s wishes regarding her estate. The conversation involved Weintraub, his mother, Elizabeth Caro, his stepfather, Marshall Caro, and other family members. Elizabeth Caro died. The stepfather sued for violation of the Wiretap Act, but the judge in that case dismissed the stepfather’s claim and agreed that Weintraub was party to the conversation and that the conversation was not private. For Weintraub to be guilty of violating the Wiretap Act, he must have had criminal intent when he began recording the conversation; the court ruled he did not. The stepfather appealed, but the lower court’s ruling was upheld. [Courthouse News] [Wired]


US – Lottery Winner Sues Texas for Privacy

A Texas lottery winner sued the state to keep his identity private, for the privacy and safety of his family. After the Lottery Commission claimed that it had received a freedom of information request about the winner, Attorney General Greg Abbott ruled that information about John Doe should be released without redactions. State lotteries customarily use information about winners, including photos, to advertise the gambling games. [Source]


Privacy Enhancing Technologies (PETs)


US – Boyd: Privacy Is Not Dead

In the MIT Technology Review, researcher danah boyd says that the way privacy is encoded into software doesn’t match the way we handle it in real life and that, as social media mature, “we must rethink how we encode privacy into our systems.” As social media become more embedded in everyday society, Boyd says, “the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions” and users will have to work harder to gain privacy. “Instead of forcing users to do that,” Boyd asks, “why not make our social software support the way we naturally handle privacy?” [Source]


CA – Concept of Privacy in Danger: Information Commissioner

The world has less than a decade to make the protection of personal information and online privacy a priority before the two concepts are lost forever, according to Ontario’s Information and Privacy Commissioner. Speaking at a conference held at the University of Ottawa, Ann Cavoukian said that information is already flowing freely and technology is advancing at a pace at which legislation pertaining to privacy rights can no longer keep up. Cavoukian argued now is the time for governments to radically change the way they police the sharing of personal information. Government’s around the world must adopt a “privacy first” mantra and encourage businesses to make personal information private, she said. “Reactive models won’t work in the future,” said Cavoukian. “Unless we adopt Privacy by Design now, in 10 years time we will not have any privacy.” [Source]


CA – Sensors and In-Home Collection of Health Data: A Privacy by Design Approach

In-home health care monitoring devices are gaining in prominence. Technological improvements in networking, wireless communications, and the miniaturization of electronics have resulted in a suite of emerging technologies that rely on the collection of information from within the home, from an individual’s body, or both. This new technology brings with it significant potential benefits for both society as a whole and individual citizens, such as reducing strain on health care systems through a more preventative (rather than reactive) approach to potential health care problems, which generally improves an individual’s clinical outcomes and/or independence. In order to create these benefits, however, significant and continuous data collection about the individual is required. Until now, these data have not been accessible, as technologies were not sufficiently advanced to collect necessary information accurately, reliably, and securely. It is important to recognise that these data tend to be of a highly sensitive nature, as they are collected either directly about the individual or about actions taken within his or her home (traditionally the most privacy protected location in one’s daily life). As such, people’s privacy must be at the forefront of these new technologies and be strongly protected. In this white paper, we describe a general technology that is commonly used to collect data for in-home health care monitoring systems – sensors and sensor networks. We then identify the points of interest within such a system with regard to privacy, and describe some of the considerations that might be made when determining appropriate privacy protections. To demonstrate this approach, we will describe examples of devices being developed by the Univeristy of Toronto’s Intelligent Assistive Technology and Systems Lab (IATSL). [Full White Paper ]


WW – S.N.A.P. App Locks Down Facebook Privacy

S.N.A.P. is an iPhone and iPod Touch app that does what desktop Facebook privacy scanners do, only using your phone. The app scans your Facebook Profile and checks your privacy and security settings to see what you make public and what information you keep private. Once the scan is complete, the app gives you a grade, and walks you through the process of locking down your account. S.N.A.P. is designed for use by anyone, and features easy-to-understand descriptions and icons that will work well even for people who aren’t terribly concerned about privacy in theory, but want to make sure they don’t get themselves in trouble by sharing something they shouldn’t with the world. The app is free in the iTunes Music Store. The app also allows you to keyword search your entire Facebook account for terms like “beer” and “party,” and if the app finds the term, you can see where the term was found in your account, so you can see if it’s a private status update for example, or a public tagged photo you’ll want to edit. [PC Mag]




EU – Germany to Roll Out ID Cards With Embedded RFID

The production of the RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10 year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards from the first of November. The new ID card will contain all personal data on the security chip that can be accessed over a wireless connection. The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities. The new electronic ID card, which will gradually replace the old mandatory German ID cards, is one of the largest scale roll-outs of RFID cards with extended official and identification functionality. The card will also have extended functionality, including the ability to enable citizens to identify themselves in the internet by using the ID card with a reading device at home. After registering an online account bonded to the ID card, are able to do secure online shopping, downloading music and most importantly interact with government authorities online, for example. There are some concerns that the use of RFID chips will pose a security or privacy risk, however. Early versions of the electronic passports, using RFID chips with a protocol called “basic access control” (BAC), where successfully hacked by university researchers and security experts. The German ID card is using the BAC protocol as well, but only for the basic data which is printed on the front of the card, the picture and the name. Other fields are protected by a stronger proprietary protocol. [Source]


WW – Researcher: RFID Tags Can Spy on Consumers

The electronic tracking tags some retailers are putting in their products could threaten consumers’ privacy, says a researcher from Purdue University. One major retailer is planning on attaching the tags to some of its products starting this month, raising concerns among some privacy advocates that the discarded RFID tags could be tracked and even reveal what products are in a consumer’s home. Information security expert Eugene Spafford says companies can use the tags to track what consumers have purchased without alerting them that they’re being spied on, and relatively inexpensive devices can read tags from hundreds of feet away. [The Chicago Tribune]


US – Connecticut Schools Consider RFID Program

One Connecticut community is considering RFID monitoring in an effort to “keep students safe and save the district money.” New Canaan, CT, is considering embedding RFID into student ID cards to monitor student locations, the report states. According to New Canaan Board of Education Chair Nick Williams, the primary use of RFID would be student safety as the school has an open campus. Privacy of RFID is a major concern, said Assistant Superintendent of Schools Steven Swerdlick, noting, “We will have to be thoroughly satisfied there is no negative impact on privacy and safety.” Participation in the program would be voluntary, the report states. [New Canaan Patch]




US – DARPA Seeks Proposals for Detecting Insider Threats

The Defense Advanced Research Projects Agency (DARPA) is seeking proposals for technologies to help detect insider threats quickly. Dubbed the CINDER program, the effort aims to “greatly increase the accuracy, rate and speed of detection [of insider threats ... and to] impede the ability of adversaries to operate undetected within government and military interest networks.” Abstract proposals are due by September 17; final versions of the proposals are due by October 22, 2010. DARPA has not drawn a connection between the project and the leak of thousands of military documents through Wikileaks, but the project has been described as being able to “detect a Defense employee or service member who conducts a network search or probes file index systems, and then copies information to their computer.” [InfoSecurity] [NextGov]


US – GAO Report Finds Poor Public-Private Cyber Threat Information Sharing

According to a report from the Government Accountability Office (GAO), expectations for information sharing between the government and industry have fallen short of expectations. Private entities said the government is not providing them with “usable, timely and actionable cyber threat information and alerts,” and that when they do get information, it is often too vague to be useful. Part of the problem can be attributed to restrictions on what information the government is permitted to share with the private sector. The public/private information sharing is necessary because the majority of the country’s critical infrastructure is privately held. The information sharing audit was conducted between June 2009 and July 2010. [FCW] [NextGov] [GAO Report]




UK – Dog Squad: Police Train CCTV Cameras on Pet Owners

Police have ordered a CCTV blitz on dog walkers who let their animals foul the streets, it emerged last night. Camera operators have been instructed to watch for anyone walking their pet in case they do not clean up after them. Those caught failing to do so will be tracked down and hit with an on-the-spot fine. Civil liberties groups and residents attacked the action by Surrey Police, calling it intrusive and a waste of time and money. They said officers should be focused on cutting crimes such as burglary instead of snooping on dog walkers. However other forces, including the Metropolitan Police, last night said they could follow Surrey’s lead. [Source] See also: [Vancouver bar’s urinal TVs raise concern]


UK – Woman Who Tossed Cat in Garbage Bin Has Police Protection

A U.K. woman filmed throwing a cat into a garbage bin now has police officers stationed outside her house. Not to protect her from angry animal lovers baying for her blood on Facebook. “There are a number of officers outside her house. But that’s just to manage all the media who are standing there,” a Police spokesperson said. [Source]


US Government Programs


US – Legislators Seek Answers from US Marshalls About Stored Body Scan Images

US legislators want to know why US Marshalls Service stored images of body scans taken at a Florida courthouse. Senators Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) sent a letter to the agency expressing their concern that citizens’ privacy may have been violated. The letter was also signed by Senators Daniel Akaka (D-Hawaii), Thomas Carper (D-Delaware), Saxby Chambliss (R-Georgia) and Johnny Isakson (R-Georgia). The images stored were not accessed until the agency received a Freedom of Information Act (FOIA) request from the Electronic Privacy Information Center (EPIC). The Marshalls service says the images are not available without an administrative password. Despite the Marshall Service assurance that details were fuzzy enough so that people could not be identified, even by gender, the legislators want to know why the images were saved, if there are any other locations where full body imaging technology is being used, whether images from those locations are being stored, and if so, why. [NextGov] [Senate] See [Feds Admit that Body Scanner Machines Store Photos] [EPIC v. DOJ, EPIC’s Complaint] [EPIC v. DHS (FOIA)] [EPIC v. DHS (Suspension of Body Scanner Program)]


US – ‘Enhanced Patdown’ Tested at 2 Airports

Federal security screeners at two airports are using an “enhanced patdown” on passengers who decline to go through full-body scanning machines, a technique that is renewing the debate over how to balance privacy and security. The Transportation Security Administration says the technique -- a palms-forward, slide-down search -- is being tested at Logan International Airport in Boston and at McCarran International Airport in Las Vegas before a national rollout. It replaces the old back-of-the-hand patdown. The American Civil Liberties Union of Massachusetts is questioning whether the new technique is effective enough to justify what it calls a “seemingly constant erosion of privacy.” [Source]


US Legislation


US – California Legislators Send Improved Breach Notification Bill to Governor Again

California legislators have passed a bill that would specify what information companies must include in data breach notification letters. The measure now goes before Governor Schwarzenegger, who vetoed a similar measure last year. If passed, the legislation would require breach notification letters to include the type of information compromised, the date of the incident, a description of the incident and phone numbers of credit reporting agencies. In addition, the companies would have to explain what steps they are now taking to protect affected customers and provide suggestions about what customers can do to protect themselves. If the breach affects 500 or more people, the companies would be required to send an electronic copy of the notification letter to the state’s Attorney General. The measure would put California breach notification laws in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act’s notification requirements. [Dark Reading] [SC Magazine]


US – California Bill Would Protect Privacy of FasTrak Users

Drivers who use FasTrak or other automatic systems to pay tolls would enjoy more privacy under a bill passed Monday by the California Assembly. The bill, SB1268, would prohibit transportation agencies from selling or sharing personal data and set penalties for those that violate the rules. The bill also would require agencies to destroy data that could be linked to specific drivers. Democratic Senator Joe Simitian of Palo Alto says there’s no reason for government agencies to track the movements of Californians or store that information in a database. The bill now returns to the Senate for final action. [Associated Press]


US – Law Would Challenge Stop and Frisk Database

Two New York state lawmakers are introducing a bill that would bar the police from keeping the personal information of people who are stopped, questioned and frisked but not arrested. Assemblyman Hakeem Jeffries and Sen. Eric Adams said they will introduce legislation that targets the New York Police Department’s database of hundreds of thousands of people who have been stopped by officers over the last several years. The New York Civil Liberties Union filed a lawsuit last week asking that names and addresses of people in the database be sealed. [The Chronicle]


Workplace Privacy


EU – Law Would Ban Employers from Social Networking Site Research

Germany is drafting a law that would prevent employers from looking at job applicants’ social networking activities during the hiring process. The law, drafted by Interior Minister Thomas de Maiziére and expected to pass after the German cabinet vote, would radically restrict the information bosses can legally collect, though general information about the candidate available on the Internet would not be forbidden. The law would also restrict certain video surveillance in the workplace E-mail and telephone communication surveillance would be permitted only under certain conditions. Meanwhile, privacy advocates are voicing concern over the country’s plan to require citizens to carry RFID-equipped identification cards. [Der Speigel]


CA – Corrections to Pay Victims Of Breach Of Privacy

More than 360 people who worked at a federal prison in Kingston will get at least $1,000 each after a precedent-setting, six-year legal fight over a breach of their privacy. Correctional Service Canada has agreed to the payments to 366 people whose names appeared on a staff list at Joyceville Institution. The list, which included home addresses, home phone numbers, and the names of spouses, fell into the hands of convicts at the prison in 2003. This week, a Superior Court judge in Kingston endorsed the deal that puts an end to the class-action lawsuit launched in 2004 by staff. It originally sought $15 million in damages in a novel area where there have been only a handful of cases in Canada. In addition to the tax-free $1,000 payments, staff and their spouses who can establish they suffered serious psychological harm can seek bigger payments. Corrections also has to pay the legal bills of the plaintiffs, which will total more than $140,000, but it does not admit liability. “It is titled a compromise payment,” Edwards said. “They were very careful to negotiate it on that basis; there is no admission that there was a breach of privacy or that damages were warranted.” [Source]