Privacy News Highlights

01–12 February 2010



US – New Hampshire Bill Would Ban Biometrics in ID Cards

CA – Alberta Court Decision “Bad For Albertans”: Privacy Commissioner

CA – Canada Privacy Commissioner Launches New Facebook Probe

CA – Commissioner Launches Public Consultation on Consumer Profiling

CA – Commissioner Launches Public Consultations on Cloud Computing Privacy

CA – The Future of Privacy Regulation: Remarks by Privacy Commissioner of Canada

CA – Commissioner Issues Fact Sheet on Privacy Rights at Airports & Border Crossings

CA – Acting Commissioner Says Breach Highlights Need for New Chief Privacy Officer

CA – Following Breach Scandal, BC May Create CPO Post

CA – N.B. Justice Minister Quits After Privacy Breach in Email From Former Dept

SK – Privacy Commissioner Calls Meeting to Address Request Backlog

CA – Report Critical of Abusive Border Controls and No-Fly Lists

US – Study Shows That Consumer Awareness of Online Threats is Growing

US – Study Finds Link Between Privacy and Successful Advertising

US – Massachusetts Consumer Data Protection Law Set to Take Effect Next Month

UK – UK Could Get Icons On Behavioural Ads

EU – We’ve got a File on You - Dutch Privacy Under Threat

US – OPM Drops Plan to Stop Using SSNs as Government Employee Identifiers

CA – BC Health Records System Full of Holes: Auditor General

US – Security Chip That Does Encryption in PCs Hacked

US – Failure to Secure Wireless Network Defeats ECPA Claims

EU – EU Commission Outlines Plans to Strengthen Privacy Law

EU – ICO Seeks Stakeholder Input on Draft Consultation on Audit Powers

EU – EC Updates Model Clauses

UK – Labour ‘Cold Calls’ by Coronation Street Star Breached Privacy Rules

WW – More than One-third of Facebook Users Reviewed Privacy Settings

US – Study Shows US $100,000 Increase in Costs Associated With Average Breach

AU – Internet Filter Protesters Attack Australian Government Websites

AU – Australian ISP Not Liable for Customers’ Illegal Downloading

EU – Italian Govt Considering Law That Would Require Monitoring of Internet Content

EU – EU Parliament Votes Down Interim US-EU Banking Data Agreement

EU – European Parliament Blocks Bank Data Transfer Deal With U.S.

UK – Flaws Found In 3D Secure Credit Card Scheme

EU – Swiss Banking Data on Sale for €2.5 Million

CA – Political Aide Disciplined for Error in Handling Access to Information File: Minister

US – Health Groups Seek Exclusion from Red Flags Rule

US – Health Net Reviewing Connecticut AG’s Lawsuit

AU – Healthcare Identifier Bill Expected to Help Protect Privacy

US – Healthcare’s New Branch: Patients 2.0

US – New Hampshire Lawmakers Considering Patient Privacy Bill

US – Capitol Alert: Adult Day Health Services Patients Hit By Major Privacy Breach

CA – B.C. Officials Waited Too Long to Inform Victims of Massive Privacy Breach: Report

NZ – ACC in Privacy Breach

US – Federal Office Offers $50,000 Reward for Missing External Drive

AU – Crime Body Granted Access to Medical Files

US – E-mail Releases Data on State Personnel

US – Ceridian Corp. Data Breach

US – Iowa Casino Workers’ Data Compromised

US – Identity Fraud Climbed 12% Last Year

UK – Legislative Committee Concerned About Pending Anti-Piracy Law

US – Thomas-Rasset Rejects RIAA’s Settlement Offer

US – Judge Reduces Penalty in Jammie Thomas-Rasset Filesharing Case

US – Thomas-Rasset Case Offers Glimmer of Hope to BU Student

US – Google, NSA Partnership Raises Privacy Hackles

US – NSA to Help Google Analyze Attack, Improve Security

CA – OPC Approves Transfer of Gun Registry Data to Polling Firm

CA – Google Street View expands across Canada

WW – Google adds Google Buzz: Location-Aware Social Networking

WW – WARNING: Google Buzz Has A Huge Privacy Flaw

WW – Most Journalists Use Social Media Such as Twitter and Facebook as a Source

UK – Facebook Deletes 30 Pages Used by British Criminals to Taunt People

EU – Official Wants Clearer Privacy Lines on Street View

HK – New Body to Scrutinise Privacy Watchdog

IN – Privacy Concerns Stall National Security Database

US – EPIC Names International and U.S. 2010 Privacy Champions

US – Another Letter to Obama on Privacy Oversight Board

US – Critics Slam Proposed Privacy Settlement

US – Jurors: Stop Twittering

US – Judge Rules FACTA Does Not Extend to E-Confirmation

EU – Ad Deal Sparks Privacy Concerns

WW – Privacy Concerns Prompting Users to Abandon Social Networking

US – Customers Sue ISP For Installing NebuAd ‘Spyware,’ Offering Defective Opt-Outs

US – US Legislators Pass Cyber Security R&D Bill

WW – P2P Users Still Leaking Sensitive Data

US – Study: Banking Passwords Often Used for Other Sites

UK – People Leaving USB Drives in Clothing Pockets, Say Cleaners

US – Critical Infrastructure Computer Systems Under Constant Attack

US – No Easy Deterrent for Cyber Warfare

UK – UK Airports Implement Compulsory Use of Full Body Scanners

HK – Official Says “Smart Card” Payment System Poses No Risk to Privacy

US – FBI Wants ISP to Retain Sites Visited Data for Two Years

US – Police Want Backdoor to Web Users’ Private Data

CA – Nearly 1,000 Olympic Security Cameras Go Live

US – Remembering Who, What, Where and When--Digitally

WW – Researcher Exposes Smartphone Privacy Threat

EU – Sweden: Justice Minister Reluctant to Store Data

US – Census Bureau’s Privacy Practices Spur Accuracy Questions

US – South Dakota Law to Require Websites to Collect Info on Anonymous Sources

US – 70% of Hiring Managers Reject Job Applicants Because of Info They Find Online

CA – We Don’t Want to Be in Pictures: Union





US – New Hampshire Bill Would Ban Biometrics in ID Cards

Acting out of concerns for residents’ privacy, the New Hampshire Legislature is considering a bill that would ban the use of biometrics data in identification cards. But at least two trade groups oppose the legislation, saying biometrics technology has a number of security benefits, namely around ID management. Introduced in January, HB1409 would prohibit biometrics data, including fingerprints, retinal scans and DNA, from being used in state or privately issued ID cards, except for employee ID cards. In addition, it would ban the use of ID devices or systems that require the collection or retention of an individual’s biometric data. Under the bill, biometric data would also include palm prints, facial feature patterns, handwritten signature characteristics, voice data, iris recognition, keystroke dynamics and hand characteristics. “That’s the kind of information the government shouldn’t generally require to be gathered about an individual,” said New Hampshire Rep. Daniel Itse, who co-sponsored the bill. [Source] [SCMagazine]




CA – Alberta Court Decision “Bad For Albertans”: Privacy Commissioner

Alberta’s highest court says the province’s backlogged Information and Privacy Commissioner can no longer take “routine extensions” in privacy cases, a decision that extends to complaints under health and access to information laws. In a 2-1 decision released last week, the Court of Appeal said the commissioner can extend the legislated 90-day time limit only if he can justify the extension in each case. “The time rules intend to promote inquiry efficiency and the expeditious resolution of privacy claims. Timeliness is a necessary feature of how (the law) serves the public interest. ... Both claimants and respondents have a reasonable expectation of timely resolution of complaints.” Information and Privacy Commissioner Frank Work said the decision will undermine the work of the commission and he intends to appeal to the Supreme Court of Canada. “The consequences of this decision are really bad for Albertans, and for this office,” he said. “It looks like hundreds of Albertans are going to lose the privacy remedies they thought they had gotten under (the Personal Information Protection Act).” Work expects at least 180 current cases will be derailed by the ruling, and he anticipates “a tidal wave of judicial review applications.” “This is a huge new avenue to defeat and delay the process,” he said. [Source]


CA – Canada Privacy Commissioner Launches New Facebook Probe

The Canadian Office of the Privacy Commissioner has announced that it will launch a new probe of Facebook to investigate privacy issues in response to a recent complaint. Facebook’s privacy tool, which it introduced in December, requires users to review their privacy settings. The complaint alleges that these default privacy settings ‘have made his information more readily available than the settings he had previously put in place’. Elizabeth Denham, the assistant privacy commissioner who led last year’s investigation, noted that the complaint reflected concerns currently held by the office and reported to Facebook in recent months. [Source]


CA – Commissioner Launches Public Consultation on Consumer Profiling

Privacy Commissioner Jennifer Stoddart is seeking the public’s input on the online tracking, profiling and targeting of consumers, where information from social networking, tracking cookies and global positioning systems (GPS) can be pieced together to create personal profiles. Canadians are invited to submit written comments on such practices by March 15, and have the opportunity to participate in formal discussion panels through the OPC. The focus, Stoddart says, is on “the privacy implications related to this modern industry practice, and the protections that Canadians expect.” The input will also be used to assist the next parliamentary review of the Personal Information Protection and Electronic Documents Act. [OPCC]


CA – Commissioner Launches Public Consultations on Cloud Computing Privacy

The consultation will give the PCC a comprehensive understanding of the privacy issues raised by cloud computing technology and will contribute to the development of new public education and outreach materials. It will also help shape the PCC’s input into the next parliamentary review of PIPEDA. Written submissions will be accepted until April 15. The PCC is also seeking expressions of interest from individuals wanting to take part in a formal discussion panel, to be held in Calgary in June. The intent is to canvass a broad range of views from business, government, academics, consumer associations and civil society. [New Release] [Notice of Consultation and Call for Submissions Privacy Implications of Cloud Computing]


CA – The Future of Privacy Regulation: Remarks by Privacy Commissioner of Canada

Remarks at the 11th Annual Privacy and Security Conference - Address by Jennifer Stoddart, Privacy Commissioner of Canada (Victoria, British Columbia - February 10, 2010) Discusses the following:

- Challenges: technology; globalized data flows; social change
- Anticipated changes to PIPEDA: discretion over which complaints to investigate; enabling the PCC to share information with other authorities (provincial commissioners, other federal institutions, or international authorities); obliging commercial entities to report large data breaches
- Leading initiatives underway around the world: e.g., the Spanish Initiative; APEC; OECD; International Organization for Standardization; new EU Commissioner of Fundamental Rights; the Accountability Project

[Source]


CA – Commissioner Issues Fact Sheet on Privacy Rights at Airports & Border Crossings

This fact sheet explains the law, describes the impact of security measures on travellers’ personal information and privacy rights, and lets travellers know where they can turn if they feel their rights have been violated. Topics discussed include:

- Secondary Airport Screening (Physical searches; millimetre-wave full-body scans)
- Collection of Traveller Data (Advance Passenger Information/Passenger Name Record Program; Integrated Customs Enforcement System)
- Customs Searches
- Canada’s No-fly List

[Source]


CA – Acting Commissioner Says Breach Highlights Need for New Chief Privacy Officer

British Columbia Acting Privacy Commissioner Paul Fraser is pointing to last year’s breach involving the personal information of 1,400 welfare recipients as an example of why the provincial government should move quickly to appoint a new chief privacy officer (CPO). Fraser noted in a recent report on the breach that the ministries responsible for the data involved had failed to make adequate security arrangements to protect the information, and although the breach was discovered in April, nothing was done about it until October. Such breaches, he says, show the government needs a CPO to ensure privacy breaches are dealt with appropriately. [Canadian Press]


CA – Following Breach Scandal, BC May Create CPO Post

British Columbia’s provincial government will explore creating a new chief privacy officer position following a recent privacy breach scandal involving the personal information of 1,400 government clients. “It’s one of the things we are considering,” says Citizens’ Services Minister Ben Stewart. The announcement comes on the heels of a report this week from Acting Privacy Commissioner Paul Fraser calling for the creation of a new executive-level post to help educate government employees on what to do in the case of privacy breaches. Stewart has said he will spend the next 90 days assessing what changes are needed based on Fraser’s report and an internal review released earlier this month. [Times Colonist]


CA – N.B. Justice Minister Quits After Privacy Breach in Email From Former Dept

New Brunswick’s justice minister has resigned from cabinet as the result of a breach of privacy that occurred when he was minister of local government. The Opposition Conservatives called for the resignation of Bernard LeBlanc after an email was released identifying a complainant in an animal abuse case. The email, which was sent to a person convicted in the case in 2005, came from LeBlanc’s account and had his name at the bottom of the message. “While I was not made aware of this email until yesterday, as a minister I am of the view that this breach falls within the principle of ministerial responsibility,” LeBlanc said this week in the provincial legislature. “This is a question of accountability, responsibility and honour. For me, this is a matter of principle. For that reason, I have submitted my resignation as member of cabinet.” LeBlanc received a standing ovation in the house following his statement. Bonny Hoyt-Hallett, deputy minister of local government, says the complainant’s name was accidentally released and she’s working to tighten protocols surrounding correspondence and emails. She issued a statement, saying that while the email was sent with the minister’s name, he “neither approved nor had any knowledge of the email in question.” [Source]


SK – Privacy Commissioner Calls Meeting to Address Request Backlog

Saskatchewan privacy commissioner Gary Dickson will meet with a provincial committee to request more funding to address a growing backlog of information requests. Dickson blames a lack of funding, too many appeals and not enough staff for the backlog of about 375 Freedom of Information and Privacy requests to his office. The backlog means individuals could be waiting for up to four years for their request to be processed. “That’s an increase of about 60% more than what we had the same time a year ago,” Dickson said. Denied requests for information make up most of the appeals. About 30-50% of the appeals deal with health-related issues, such as individuals wanting access to personal health records. The commissioner has three investigators assigned to handle all active cases. “In offices like ours across Canada, a typical case load for an investigator would be 30 to 40 files,” Dickson said. “In our office in Saskatchewan, it’s closer to 130 files for each one of those portfolio officers.” [Source] See also: [Pattern of delay: Ottawa’s Kafkaesque information denial]




CA – Report Critical of Abusive Border Controls and No-Fly Lists

The International Civil Liberties Monitoring Group (ICLMG), in cooperation with other civil liberties groups and partners from the labour movement, has released a report that is critical of abusive border controls and infringements to travellers’ rights. Based in part on personal testimonies collected during the course of a two-year research project, the report sheds light on the real impacts of “enhanced” border controls, no-fly lists and other government watch lists on the lives of real people. The report also highlights serious concerns with the upcoming new U.S. Secure Flight rules, and/or a similar air passenger screening program being developed secretly by Public Safety Canada under the radar of parliamentarians. [Report of the Information Clearinghouse on Border Controls and Infringements to Travellers’ Rights]


US – Study Shows That Consumer Awareness of Online Threats is Growing

A study from RSA indicates that consumers are more aware of online security threats than they were two years ago. Despite the fact that twice as many people were aware of the dangers of phishing attacks in 2009 as in 2007, over the same two-year period, the number of people who succumbed to the attacks increased six-fold. This can be attributed in part to the increased number of phishing attacks. Two-thirds of people who belong to social networking sites are reluctant to share personal information on those sites. In 2007, 63% of respondents were aware of the dangers of Trojan Horse programs; that figure rose to 81% in 2009. [Dark Reading]


US – Study Finds Link Between Privacy and Successful Advertising

A new study by researchers at the University of Toronto and Massachusetts Institute of Technology suggests companies need to consider consumers’ sense of privacy in advertising campaigns. Based on surveys of more than two million users of nearly 3,000 online ad campaigns, the study has found that while ads complementing Web site content and those that are highly visible are the most effective, that is not the case when the two forms are combined. The survey indicates negative reactions to such ads are linked to privacy issues, as those participants who refused to divulge certain personal information also tended to react adversely to highly visible ads related to Web site content. [Financial Post]


US – Massachusetts Consumer Data Protection Law Set to Take Effect Next Month

A stringent Massachusetts consumer data protection law is slated to take effect on March 1, 2010. It will require organizations conducting business with Massachusetts residents to encrypt consumer data stored on portable media devices and all data transmitted over public or wireless networks. Organizations will also be required to maintain records of exactly what consumer data they retain. The law was initially scheduled to take effect January 1, 2009, but the deadline has been extended twice. [Source]


UK – UK Could Get Icons On Behavioural Ads

The UK’s online advertising trade body says it will be working on an icon to be displayed every time behavioural advertising is used. The move would alert users to the fact that their browsing history has been used to profile them. Trade body the Interactive Advertising Bureau (IAB) has said it will create an icon that would alert UK web users every time their web surfing is used to decide what adverts they see. Current IAB guidelines say that giving notice of behavioural tracking is optional. Web users are rarely aware that they are being tracked, though, and 84% of them recently said that they objected to the activity. [OUT-LAW.COM]




EU – We’ve got a File on You - Dutch Privacy Under Threat

Few people realise how much of their private information is stored electronically. New research in the Netherlands shows that details on the average Dutch citizen are held in as many as 250 databases. Some people’s details are kept in thousands of places. Last Friday, the Dutch ‘Big Brother’ Awards were presented to those judged responsible for the worst breaches of privacy in 2009. Many experts are worried about the threat this poses. Dr Bart Schermer of Leiden University has written a report about this issue entitled ‘Our Digital Shadow’. “Especially those big government projects, like the electronic dossiers on children or centralised passport database. I believe these are the kind of databases the government shouldn’t be trying to create in the first place, and which ordinary people wouldn’t want their details to end up in.” Bart Schermer says this information can quickly “lead a life of its own”. The dossier can even become more important than the child it relates to and have a stigmatising effect. The central passport database probably poses a greater threat to privacy. Although it is meant to prevent passport fraud, the police can access its records for other purposes too. If hackers managed to gain access, the consequences could be truly disastrous. Bart Schermer isn’t only worried about hackers and leaks, but also about bits of information being misinterpreted. There are many negative possibilities: people being refused insurance on the basis of incorrect data, or not getting a job because of an old photo showing them drunk that was posted on Facebook or another social networking site. [Source]


US – OPM Drops Plan to Stop Using SSNs as Government Employee Identifiers

The US Office of Personnel Management (OPM) is dropping a plan to stop using SSNs as unique identifiers. The plan was introduced to help prevent identity fraud, but OPM Director John Berry said that abandoning SSNs as identifiers would require assigning alternative identifiers to all government workers. The original plan would have prohibited government agencies from using SSNs as primary employee identification in data processing systems. [Source]


Electronic Records


CA – BC Health Records System Full of Holes: Auditor General

British Columbia’s auditor-general says he has found serious weaknesses in a computer system used by the Vancouver Coastal Health Authority and that highly sensitive personal information may have been compromised. “In every key area we examined – from the management and assignment of user access to security controls within the health authority’s computing environment – we found serious weaknesses,” John Doyle wrote in his report. Doyle said the problems were so serious he delayed the public release of his report so it “would not further expose the system to potential compromise.” As a result, Doyle said after releasing the report Wednesday, most of the significant problems now have been fixed. The computer program in question is called Primary Access Regional Information System (PARIS), which Doyle said has been used since 2002 to help provide health care services – including residential care, mental health and addiction services and health promotion – to more than 620,000 people. Doyle found users had unmonitored access to all client records, and there were inadequate controls to prevent external attacks. NDP health critic Adrian Dix said the report raises troubling questions. “The public has to have confidence that the information they provide health authorities is going to be used appropriately,” he said.

“In an area where privacy is essential, I think this is a significant failing on the part of the government.” Dix questioned the government’s ability to protect information in its push to create a broad system for electronic health records. [Source] [The PARIS System for Community Care Services: Access and Security February, 2010 - A report on the access and security of the clinical information system used by Vancouver Coastal Health Authority] See also: [B.C. government eyes creation of privacy office in wake of scandal]




US – Security Chip That Does Encryption in PCs Hacked

Christopher Tarnovsky discovered a way to crack the TPM (Trusted Platform Module) chip on which many military and commercial security schemes rely. Without solid security at the client, there can be no confidence in the confidentiality or integrity of communications. Tarnovsky’s hack requires physical access to the chip; it cannot be performed remotely. [ABC News]


US – Failure to Secure Wireless Network Defeats ECPA Claims

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act (ECPA). The ECPA places restrictions on unauthorized interception of, and access to, electronic communications. In United States v. Ahrndt, No. 3:08-cr-00468-KI (D. Or. Jan. 28, 2010), Ahrndt argued that his neighbor violated the ECPA when she connected to his unsecured wireless network and accessed his iTunes library while a police officer observed. The court noted that under the ECPA, it is not unlawful for any person “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” Because Ahrndt’s wireless network was broadcast in a 400 foot radius around his house, and because his iTunes program was configured to automatically share files with any computer that joined that network, the court held that the wireless network was “readily accessible to the general public,” and rejected Ahrndt’s ECPA claim. For similar reasons, the court also denied the defendant’s Fourth Amendment claim, finding that he had no reasonable expectation of privacy in his wirelessly broadcast iTunes files. [Source: Hunton & Williams]


EU Developments


EU – EU Commission Outlines Plans to Strengthen Privacy Law

The European Commission is planning to beef up the Data Protection Directive, strengthening the enforcement of the EU law and introducing new demands that technologies and processes include ‘privacy by design’. The Directive is implemented in the UK by the Data Protection Act and governs the use that can be made of people’s personal data. EU Information Society and Media Commissioner Viviane Reding said in a speech yesterday that the Commission would soon publish plans to revise the Directive. The Commission has been conducting a consultation on the law. “I can tell you that most responses [to that consultation] call for stronger and more consistent data protection legislation across the Union,” she said. “We need to clarify the application of some key rules and principles, such as consent and transparency, in practice.” “We need to ensure that personal data are protected regardless of the location of the data controller [and] promote Privacy Enhancing Technologies (PETs), by introducing new evolving principles, such as ‘privacy by design’,” she said. Reding also spoke of the need to strengthen the enforcement of the Directive and to extend it into the areas of policing for which the EU has responsibility. [OUT-LAW]


EU – ICO Seeks Stakeholder Input on Draft Consultation on Audit Powers

A draft code for consultation related to the Information Commissioner’s Office’s (ICO) extended data protection audit powers is now open on the ICO’s Web site. A Code of Practice for Assessment Notices will be published in April providing the framework for how audits will be conducted through the ICO’s new powers under the Coroners and Justice Act of 2009. The ICO has reported that the new powers of assessment will improve “assurance to individuals that those holding their personal information respect their privacy and do not abuse their trust.” The ICO is seeking input from stakeholders before the consultation closes on March 24. [Source] SEE ALSO: [How to appeal an ICO decision: new guidance published - The new body which has taken over the power to rule on appeals from decisions of the Information Commissioner’s Office (ICO) has issued guidance on how to conduct an appeal.]


EU – EC Updates Model Clauses

European companies will have to use new standard clauses in contracts controlling overseas data transfers as a result of a decision adopted by the European Commission (EC) last week. The changes require that some companies obtain written permission to subcontract the processing of personal data, among other provisions. “This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing,” said Jacques Barrot, commission vice president. “The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens’ personal data.” [OUT-LAW.COM]


UK – Labour ‘Cold Calls’ by Coronation Street Star Breached Privacy Rules

Cold calls made by the Labour Party which urged people to vote were in breach of privacy rules, the information watchdog ruled today. The party targeted 495,000 people despite having agreed not to use unsolicited, automated telephone calls in its campaign. Householders receiving the calls heard a message recorded by Liz Dawn, who played Vera Duckworth in Coronation Street, urging them to vote in the local and European elections in June last year. David Smith, the Deputy Information Commissioner, said that such calls could cause annoyance and disruption to those receiving them. He ordered Labour to ensure that no more automated direct marketing calls are made without consent, warning that failure to comply would be a criminal offence that could lead to prosecution. Mr Smith said: “The Information Commissioner’s Office has consistently made clear that the promotion of a political party counts as marketing. We have previously issued detailed guidance to all major political parties on this subject. The Labour Party has breached privacy rules by making automated marketing calls to individuals who have not consented to receiving such calls.” The Labour Party has 28 days to appeal against the enforcement notice under the Privacy and Electronic Communications Regulations, which were introduced by the Labour Government in 2003. A Labour Party spokesman said: “The Labour Party considered advice from the Information Commissioner’s Office prior to making these calls and believed that we had abided by this advice.” [Source]


Facts & Stats


WW – More than One-third of Facebook Users Reviewed Privacy Settings

Approximately one in every three Facebook users customized their settings when the site rolled back its privacy shields in December and notified users to review what they share online. “They took control of their data, perhaps for the first time,” says Facebook Director of Public Policy Tim Sparapani, adding, “35% of 350 million users is an extraordinary number.” The Register report states that Facebook’s privacy notice did not indicate the site had lowered its privacy settings, however, and contends that the remaining 65% of those 350 million users continue to share personal photos and information “without anything like informed consent.” [The Register] [MediaBistro]


US – Study Shows US $100,000 Increase in Costs Associated With Average Breach

According to a study from the Ponemon Institute, the costs associated with data security breaches rose US $100,000 between 2008 and 2009, from US $6.65 million to US $6.75 million. The figures were formulated based on 45 reported breaches of sensitive customer data in 2009 at companies that were willing to discuss the incidents. The average cost per compromised record in 2009 was US $204, up just US $2 from 2008 figures, but over the five years that the study has been conducted, cost per record has increased $66. The factors considered in figuring the cost of a breach include cost of lost business; legal fees; disclosure expenses; consulting; and remediation. The study divides the breaches into three main causes: negligence, accounting for 40 percent of the incidents; system glitches, which account for 36 percent; and malicious attacks, which account for 24 percent. [PC World]




AU – Internet Filter Protesters Attack Australian Government Websites

Protesters have launched distributed denial-of-service (DDoS) attacks against Australian government websites to express their objection to proposed Internet filters. The filters will prevent access to pornographic and criminally-related websites. One statement indicated the group behind the attacks does not believe the government has the right to control what people view on the internet. The plan calls for the filters to be installed by early next year. The group behind the attacks also launched similar attacks on the Scientology website in the past. [BBC] [The Register] [Wired] [Secure Computing]


AU – Australian ISP Not Liable for Customers’ Illegal Downloading

An Australian judge has ruled that iiNet, Australia’s third-largest Internet service provider (ISP), is not responsible for the online activity of its customers. Specifically, iiNet cannot be held liable for its customers’ illegal downloading. A group of film companies represented by the Australian Federation Against Copyright Theft (AFACT) sued iiNet, maintaining that the ISP was guilty of copyright infringement because it did not stop its customers from downloading movies illegally. [BBC] [The Australian]


EU – Italian Govt Considering Law That Would Require Monitoring of Internet Content

Italian Prime Minister Silvio Berlusconi’s government has proposed legislation that would require all video uploaded to YouTube, blogs and news media outlets to be vetted for pornographic or excessively violent content. The law could go into effect as soon as February 4, 2010. Opponents say that not only would the law violate freedom of expression, but monitoring all content uploaded is virtually impossible. [Source]




EU – EU Parliament Votes Down Interim US-EU Banking Data Agreement

The European Parliament has voted down an interim agreement that would have allowed the US access to EU residents’ banking transaction information held in the SWIFT system, voicing concerns about the need for additional privacy safeguards. The US has been analyzing European banking transactions since late 2001 as part of its efforts to fight terrorism, but that fact was not made public until 2006. European Ministers had passed the interim agreement to allow continued U.S. monitoring of SWIFT late last year; the European Parliament’s rejection of that agreement appears to be focused on privacy issues. Parliament’s decision means the U.S. must now rely on agreements with individual EU nations to access financial data. [The Register] [Heise-Online] [BBC] See also: [Clinton Calls Buzek about SWIFT Deal]


EU – European Parliament Blocks Bank Data Transfer Deal With U.S.

The European Parliament voted to block an agreement reached by the 27 E.U. national governments and the U.S. last month to allow European citizens’ personal financial data to be analyzed by American authorities investigating the financing of terrorism. The vote was immediately criticized by supporters of the agreement, who claim that Parliament’s veto impedes intelligence services tracking terrorist activities. A substantial majority of MEPs voted to block the EU’s interim agreement on banking data transfers to the U.S. via the SWIFT banking network, the Parliament said in a statement. The resolution rejecting the agreement was approved with 378 votes in favor, 196 against and 31 abstentions. MEPs’ objections to the deal are threefold: it breaches E.U. data protection rules; it is excessively invasive for its stated purpose; and it is one-sided because the U.S. isn’t required to share the banking data of its citizens with E.U. counterterrorism authorities. The Commission said it will start work drafting a new temporary agreement, which it said it hopes will be agreed on in the near future. “I hope we will be able to agree a text in the near future that will give us greater security, more data protection and a useful cooperation tool with U.S. authorities,” said the commissioner for home affairs, Cecilia Malmström, in a Commission statement. Meanwhile, Viviane Reding, who has just switched to being commissioner for justice and fundamental rights after four years as telecom commissioner, said one way to win the confidence of the Parliament and E.U. citizens would be to involve the national data protection authorities in the process of drafting the new long-term data sharing agreement.
“I believe that the full involvement of national data protection authorities in the negotiations of the long-term SWIFT agreement will give citizens further assurances about the proportionality and the correct implementation of the agreement particularly with regard to its data protection safeguards,” she said. [Source]


UK – Flaws Found In 3D Secure Credit Card Scheme

University of Cambridge researchers say 3D Secure (3DS), better known as Verified by Visa and MasterCard SecureCode, is fraught with security problems. The systems require a person to enter a password or portions of a password to complete an online purchase. Merchants who implement 3DS face fewer chargebacks. But the researchers say that banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability. [PC World]


EU – Swiss Banking Data on Sale for €2.5 Million

An unnamed person has offered the German government data on about 1,500 German taxpayers who hold Swiss bank accounts, and Berlin is said to be considering the offer. The data was stolen from a Swiss bank and Swiss officials are cautioning their German counterparts not to purchase it. “I consider it rather insidious that a state operating under the rule of law would make use of illegal data,” said Swiss President Doris Leuthard. The Swiss Bankers Association is also calling on Germany to return the data, the report states. [Wall Street Journal] [New York Times] Update: [TIME: Despite Concerns, Germany Will Buy Stolen Bank Data]




CA – Political Aide Disciplined for Error in Handling Access to Information File: Minister

A top political aide who blocked the release of a sensitive report requested under the Access to Information Act has acknowledged his error - and has been stripped of his duties reviewing such files, says his boss, Natural Resources Minister Christian Paradis. Last summer, Sebastien Togneri issued a terse email to officials in the Public Works Department telling them to “unrelease” a report on the government’s real-estate portfolio when he learned it was being sent uncensored to The Canadian Press. The news agency had asked for the 137-page document under the Access to Information Act, and had paid all photocopy fees. Togneri insisted that only 30 pages be released. The file contained sensitive information about the performance of the government’s real estate portfolio, such as missed targets and high maintenance costs. A bureaucrat had to dash down to the Public Works mailroom to retrieve the sealed package. And for the next three months, public servants, Justice Department lawyers and consultants all agreed there was no legal basis to withhold any of the document. Despite that consensus, Togneri’s view prevailed and the heavily pruned report was sent to The Canadian Press 82 days later than required by the law. A spokeswoman for Paradis said earlier that Togneri was simply trying to save the news agency photocopy costs of $27.40, by providing the option of a free 30 pages. Meanwhile, a British Columbia group has written to the federal prosecutions office asking them to consider charging Togneri under a section of the Access to Information Act that refers to concealing a record. The letter from the B.C. Freedom of Information and Privacy Association cites Public Works emails as evidence that Togneri may have committed an indictable offence under Section 67.1 of the act, which has never before been used in a prosecution. [Source]


Health / Medical


US – Health Groups Seek Exclusion from Red Flags Rule

Four national medical organizations representing dentists, physicians and veterinarians are asking the Federal Trade Commission (FTC) to exclude their members from a new regulation aimed at preventing identity theft, according to an American Medical Association (AMA) press release. The groups say the so-called “Red Flags Rule” imposes an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft. A U.S. District Court recently ruled in favor of an American Bar Association claim that lawyers should be exempt from the rule. That ruling, says AMA President J. James Rohack, M.D., “sends a clear signal that the FTC needs to re-evaluate the broad application of the Red Flags Rule.” [Source]


US – Health Net Reviewing Connecticut AG’s Lawsuit

Health Net is in the process of reviewing a lawsuit filed against the company by Connecticut State Attorney General Richard Blumenthal. The lawsuit filed last month alleges that Health Net did not adequately protect customer data that were on a disk drive reported missing last spring; the data were not encrypted. Approximately 446,000 customers are believed to be affected. The lawsuit also notes that Health Net waited six months after learning of the device’s loss to notify customers. Health Net maintains that there is no evidence that the data on the device have been misused. [Source]


AU – Healthcare Identifier Bill Expected to Help Protect Privacy

The introduction of a new national e-health identifier for all Australians is expected to assist with healthcare privacy issues. Under the Healthcare Identifier Bill introduced into Parliament on Wednesday, unique 16-digit numbers will be assigned to individuals and healthcare providers by the middle of this year with the goal of streamlining the transfer of patient information. Although officials hope the system will help address privacy issues, some concerns have been raised. The minister of Health and Ageing has stated that amendments will be made to the Privacy Act to allow the federal privacy commissioner to take action in cases where the identifiers are misused. [ZDNet Australia]


US – Healthcare’s New Branch: Patients 2.0

Patients are talking and the medical community is watching what is being dubbed Patient 2.0, an information-sharing movement that sees patients using the Internet to collaborate on health issues, even if it means sharing private information. TIME reports on the development, from which has emerged the Society for Participatory Medicine and other initiatives aimed at harnessing patient-driven data in an effort to improve health outcomes. “When you need help, privacy is a terrible thing,” said Jamie Heywood, founder of the Web site, where the ill share symptoms and treatment regimes for the greater good. [TIME] [Source]


US – New Hampshire Lawmakers Considering Patient Privacy Bill

New Hampshire lawmakers are scheduled to hear a bill on Tuesday that would give patients more control of their medical records. New Hampshire previously prohibited the sharing of medical records without patient permission, but the enactment of HIPAA “has been interpreted to override state law,” says Rep. Cindy Rosenwald (D-Nashua). House Bill 1649 seeks to give patients the right to request reports of specific instances when their electronic medical records have been accessed by healthcare providers within the prior three years. The bill affirms that consent must be sought or refusal to consent acknowledged before health information is shared, a principle endorsed by the American Medical Association, the report states. [Citizen of Laconia]


Horror Stories


US – Capitol Alert: Adult Day Health Services Patients Hit By Major Privacy Breach

The Department of Health Care Services said it may have breached the privacy of 49,352 state residents who receive adult day health care services from the state. In a terse news release, the department said that letters it mailed a week ago to 49,352 beneficiaries wrongly included those patients’ SSNs on address labels. The department said the incident took place Feb. 1. It was notified of the error on Feb. 4. It started to notify the 49,352 beneficiaries about the problem on Sunday. The department did not identify the mailing vendor involved in the news release. The SSNs didn’t have spaces or dashes and may have appeared to be a random nine-digit number to people other than recipients, the department said. [Source]


CA – B.C. Officials Waited Too Long to Inform Victims of Massive Privacy Breach: Report

More than 1,400 people whose personal information was found by police in the home of a B.C. government supervisor last year should have been notified immediately of the privacy breach, not seven months later, a new report said. B.C. acting privacy commissioner Paul Fraser said the length of time it took to alert income assistance clients was the “most significant failure” in the government’s response. “It is clear, beyond any doubt, that affected individuals should have been notified within days of the April 7, 2009, discovery,” Fraser wrote in the report. “A seven-month delay in notification meant that any reasonable opportunity for risk mitigation was lost.” Fraser also found that government officials failed to properly protect clients’ information in the first place. Neither the Ministry of Housing and Social Development nor the Ministry of Children and Family Development had any idea that the supervisor had kept clients’ records at home for months, and sometimes years, without authorization. Fraser’s report follows the discovery of records in the Victoria home of Richard Ernest Wainwright, a supervisor in the youth and special-needs office of the children’s ministry. Wainwright had a criminal record for counterfeiting offences and credit-card fraud, according to court records. He was also under RCMP investigation for allegations he might have used false identity documents in the name of Richard Ernest Perran to get his government job. Wainwright has not been charged with any offence. He was fired in October. Fraser concluded that the government failed to create a “culture of privacy,” and that too many civil servants aren’t getting the message about the need to protect people’s personal information. Of the 26 employees who could have flagged the privacy breach, only two recognized the problem, said Fraser. And those two failed to properly alert supervisors, he said.
The report recommended the government immediately create an executive position called the chief privacy officer, to act as a “bright light” on privacy issues for confused civil servants. It would give government employees “a place where they can come and get some advice very quickly and get some direction in terms of where they should go in case an event occurs,” said Fraser. [Source]


NZ – ACC in Privacy Breach

Confidential information on individual workers’ injuries and cost of treatment has been sent in error to more than 2000 businesses, the Accident Compensation Corporation (ACC) has admitted. ACC says it provided businesses around the country with a report on injuries that occurred in their workplace. The report had two parts, a cover sheet and an attachment which included the name of the individuals, the type of injury they sustained and the cost to date. About 15,000 businesses received such a report each month. [Source] SEE ALSO: [Top Ten Data Breaches and Blunders of 2009]


US – Federal Office Offers $50,000 Reward for Missing External Drive

The National Archives and Records Administration (NARA) is still on the lookout for a missing external drive containing copies of personal data – including Social Security numbers – of former Bill Clinton administration staffers and people who contacted or visited the White House during the Clinton era. One of former Vice President Al Gore’s three daughters is among those affected. “To date, we’ve been unable to identify and recover the hard drive. It’s still outside of our control and custody as an agency,” said Paul Brachfeld, the NARA’s inspector general. Brachfeld began an investigation into the drive in March 2009, right after the data was discovered missing on March 24. He expects to have a report ready to go a few weeks from now. The data was stored on a 2 terabyte Western Digital MY BOOK external hard drive that went missing from an NARA processing room in Maryland. It was last seen somewhere between October 2008 and early February 2009. The drive was being used as a copy of originals that are still safe and sound. “It wasn’t original material. We’re not missing the material itself -- that’s at the archives, so we know exactly what was missing,” said Susan Cooper, a spokeswoman for the NARA. The office is willing to pay up to $50,000 for information leading to the copies’ recovery. “The archives takes this very seriously, and we’ve taken a number of steps to ensure that this never happens again,” Cooper said. Maloof thinks governments are held to a higher standard when it comes to safeguarding personal information than private companies. “I think there’s an expectation that you’re our government, and we must give you our information. I can choose which bank I want to do business with. I can choose which retailer I do business with, but if I want a passport, the Department of State’s got my information,” he said. [Source]


AU – Crime Body Granted Access to Medical Files

On January 29, the federal court granted the Australian Crime Commission (ACC) access to confidential medical files held by the largest medical clinic servicing remote Aboriginal communities in the Northern Territory — breaking doctor-patient confidentiality. The ACC has sought access to the files of eight Aboriginal women who are believed to be sexually active, but are under the legal age of consent. In February 2008, the ACC asked 20 such clinics to hand over medical files to find instances of child sexual abuse and threatened five-year jail terms to those who didn’t comply. Only one clinic, which for legal reasons can only be called NTD8, refused. An NTD8 nurses’ affidavit said there was “no evidence of suspicion of abuse”. Doctors are concerned the breach of privacy and subsequent investigations will discourage minors from seeking medical services from the clinic — dramatically worsening health outcomes. [Source]


US – E-mail Releases Data on State Personnel

Personal banking information on 6,000 state employees, including Gov. Ted Strickland, was inadvertently included in a Jan. 27 e-mail distributed to dozens of payroll officers of state agencies. Republicans are calling it a security breach, but the Strickland administration said it was simply a mistake that posed little, if any, risk. “This was legally and technically not a data breach,” said Ron Sylvester, spokesman for the Department of Administrative Services. “The data did not leave the state firewall,” he said. “It was sent to state employees who are authorized to have regular access to personal information, such as Social Security numbers and bank accounts.” The e-mail from an unnamed administrative services employee included an attached spreadsheet listing 6,000 state employees whose bank accounts are to be moved from National City Bank, which was bought by PNC Bank. [Source]


US – Ceridian Corp. Data Breach

A cyber security breach at Bloomington, Minnesota-based payroll processing company Ceridian Corp. has compromised the personally identifiable information of 27,000 individuals at 1,900 companies. The compromised information includes names, SSNs and some bank account numbers. According to a notification letter, the breach occurred in December 2009. The incident was reported to police and the FBI immediately after Ceridian learned of it. [Star Tribune] [Minnesota Public Radio]


US – Iowa Casino Workers’ Data Compromised

The Iowa Gaming and Racing Commission has acknowledged that one of its servers was breached, compromising the security of personally identifiable information of approximately 80,000 casino employees. The compromised data include information that was required for issuing occupational licenses, such as names and SSNs. According to the commission’s website, “the compromise took place January 26 [2010] when the state firewall functionality was circumvented due to network routing changes and a licensing database was breached.” [Chicago Tribune] [SC Magazine UK]


Identity Issues


US – Identity Fraud Climbed 12% Last Year

Identity fraud hit more victims last year, increasing 12% to an estimated 11.1 million adults in the United States, according to new data. The total cost of identity fraud reached $54 billion, according to the “2010 Identity Fraud Survey Report” published last week by Javelin Strategy & Research. Each case cost an average of $4,841, though some totaled $50,000 or more. Victims were generally protected from fraudulent payment card charges because of existing zero-liability laws and policies by financial institutions. Still, the average cost to a victim of identity fraud reached $373 for out-of-pocket expenses to resolve the problem; that’s the lowest amount reported since Javelin started its annual study 7 years ago. The survey results suggest that payment-card-related fraud is the most common type of crime. About a third of the time, someone will open a new account in the victim’s name. The perpetrator is often someone the victim knows, such as a family member or presumed friend. Resolving identity fraud crime takes about 21 hours on average, down from 30 hours reported the year before. Roughly half the victims filed police reports and prosecuted fraudsters when they could. For the first time, Javelin asked about mobile phone-account fraud and found 29% of identity-fraud victims reported mobile phone accounts were fraudulently opened in their names. Young adults aged 18 to 24 years old took about twice as long to detect fraud compared to other age groups, the report asserts. These young adults may not be monitoring their credit reports frequently enough. [Source]


Intellectual Property


UK – Legislative Committee Concerned About Pending Anti-Piracy Law

The UK’s Joint Select Committee on Human Rights has expressed concern that pending anti-piracy legislation could violate Internet users’ rights. The Digital Economy Bill proposes cutting off the Internet connections of users who continue to download content in violation of copyright law after repeated warnings. The Committee is particularly concerned that the law would allow for “over-broad powers” and that the technical measures of the bill and how those measures would be applied are not “sufficiently specified.” [Source]


US – Thomas-Rasset Rejects RIAA’s Settlement Offer

Just days after a judge reduced the penalties levied against Jammie Thomas-Rasset for illegal file sharing from US $1.92 million to US $54,000, the Minnesota mother of four has rejected an offer from the Recording Industry Association of America (RIAA) to settle the case out of court for US $25,000. US District Judge Michael Davis reduced the penalty because he said it bore no “relation to the actual damages.” One of Thomas-Rasset’s attorneys, Joe Sibley, said his client rejected the RIAA’s settlement offer because the amount was still “exorbitant” and the RIAA was using the case to make an example of his client and “scare people into doing what they [the RIAA] want.” The offer from the RIAA was also contingent upon Thomas-Rasset asking Judge Davis to vacate his decision to reduce the penalty. [WIRED] [Cnet]


US – Judge Reduces Penalty in Jammie Thomas-Rasset Filesharing Case

A US District Court judge in Minnesota has reduced the monetary penalty imposed on Jammie Thomas-Rasset for illegal filesharing from nearly US $2 million to US $54,000. Saying that “the need for deterrence cannot justify a US $2 million verdict,” Judge Michael Davis called the US $1.92 million fine “monstrous and shocking,” and says he would have reduced it even further if he could. The initial fine imposed on Thomas-Rasset was US $220,000, but she appealed that verdict and the subsequent trial resulted in the US $1.92 million penalty. Judge Davis also ordered Thomas-Rasset never to infringe on music copyright again and to delete all files she had obtained illegally. [Computer World] [Cnet] [Wired] [BBC]


US – Thomas-Rasset Case Offers Glimmer of Hope to BU Student

Boston University graduate student Joel Tenenbaum is cautiously hopeful that the significant reduction of damages levied against Jammie Thomas-Rasset will prompt the judge in his case to reduce the US $675,000 fine he is facing for illegal filesharing. Tenenbaum says that the fines imposed in both cases were based on a law intended to punish commercial copyright infringers, not individuals. [ComputerWorld]


Internet / WWW


US – Google, NSA Partnership Raises Privacy Hackles

The revelation that Google Inc. is partnering with the National Security Agency to probe a widespread cyber attack has quickened the pulse of privacy advocates. The Washington Post broke the story last week, citing sources with knowledge of the arrangement and cyber experts. The newspaper said the NSA will help the Mountain View Internet giant analyze sophisticated digital espionage efforts that targeted Google and more than 30 other large companies, and are believed to have originated in China. The sources said the organizations will share data to aid the investigation, but stressed that the NSA will not view the search or e-mail information of Google customers. Private sector partnerships with the NSA have proven a particularly touchy topic since the warrantless wiretapping controversy following the 9/11 terrorist attacks, in which phone companies allowed the agency to access the content of certain calls. Against this backdrop, Consumer Watchdog said Google and the NSA must provide clear explanations of their plans. Advocate John Simpson said in a blog post: Undoubtedly Googlers can learn something from NSA’s master-spy eavesdroppers, but how much of consumers’ data will Google share with the spy agency? So far Google and NSA aren’t commenting on the details of what’s under consideration. [Source]


US – NSA to Help Google Analyze Attack, Improve Security

Google is reportedly enlisting the help of the National Security Agency (NSA) to analyze the recently disclosed attack on the company’s computer networks with the ultimate goal of protecting the company and its customers from attacks in the future. The arrangement is still being finalized; the terms of any agreement between Google and the NSA will maintain Google customers’ privacy. [Source] [Source] See also: [New York Times: Director of National Intelligence Warns of Security Threats]


Law Enforcement


CA – OPC Approves Transfer of Gun Registry Data to Polling Firm

Last fall, then-federal public safety minister Peter Van Loan said it was “offensive and inappropriate” that the RCMP had handed over the personal information of gun owners -- collected by the Canadian Firearms program -- to a polling agency. Van Loan said gun owners’ privacy rights had been abused and, as a result, he filed what seemed to be a well-founded complaint to federal privacy commissioner Jennifer Stoddart. It turns out the RCMP gave a master CD containing the personal information of 37,495 licensees from the Canadian Firearms Database to the EKOS polling firm. Van Loan also pointed out that the federal Public Safety Department had not been consulted by the RCMP and would never have allowed the force to pass along such sensitive information -- essentially a detailed checklist of tens of thousands of weapons and where to find them -- to a third party. “Contrary to policy, the minister of public safety was not asked to approve the polling,” said Van Loan. “The government expressly disapproves of what occurred.” Surprisingly -- unbelievably is a better word -- Stoddart has ruled that the RCMP didn’t violate anyone’s privacy rights. “The complaint is not well-founded,” said Stoddart. “The investigation confirmed that EKOS properly safeguarded the information under its control.” The issue is not EKOS, a reputable firm that was doing its job. The issue is the way the RCMP handled the information. Stoddart said in her view the RCMP was justified in giving the information to EKOS because the RCMP wanted to survey client satisfaction in order to improve services, which she determined is acceptable under terms of the privacy act.
That seems a real stretch from what the privacy act says: “That personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.” For years there has been significant debate about whether or not the long-gun registry has made citizens safer from gun violence. The debate must now expand to whether or not the gun registry has actually increased the threat of gun violence. It seems clear that it has -- by exposing gun owners and their families to a potential threat that did not exist prior to the gun registry. [Source] [Privacy commissioner shoots down gun registry complaint]




CA – Google Street View Expands Across Canada

Google has updated its Street View service with increased coverage to more than 150 cities and towns across Canada. The database of ground-level panoramic photographs now offers images from streets and highways in every province and territory except Labrador and Nunavut, including most of the Trans-Canada Highway system. The update announced Tuesday also added ski runs in Whistler, B.C., and other Olympic venues. Those images were taken using a new vehicle — the Google Street View snowmobile — following in the trail of the car- and trike-mounted cameras. Google Canada said the service added more than 130 Canadian towns and cities Tuesday. [Source]


Online Privacy


WW – Google Adds Google Buzz: Location-Aware Social Networking

Google launched its latest bid for info-ubiquity, a sweeping social-networking service called Google Buzz built on its Gmail service. Buzz incorporates functions already offered by such popular sites as Twitter, Facebook, Yelp and FourSquare – among many others. As a short introductory video explains, Buzz requires an active Gmail account and Google Contacts list. It uses those ingredients to plot its “social graph” of your friends: Buzz assumes the people you talk to the most in e-mail are the ones you want to hear from the most on this new service. Once Buzz is active in your Gmail account – something that will happen gradually as Google deploys it – you’ll be able to choose between publicly or privately posting comments, links, photos and videos. Public posts, or buzzes, will show up on your Google Profile and can appear in Google Web searches – much as Twitter updates do today. Private buzzes will show up only for other Buzz users who are on your Google Contacts list, or a subset that you designate for each buzz – just as Facebook lets you choose who will see each status update. Buzz appears more ambitious, and a tad creepier, on a mobile device. It ties into the location-aware capabilities Google has built into such sites as Google Maps to determine your location, then goes a step further to try to map those coordinates to real-world places and establishments – so instead of placing you at 1600 Amphitheatre Pkwy. in Mountain View, it knows you’re at the Googleplex. [Source]


WW – WARNING: Google Buzz Has A Huge Privacy Flaw

There is a huge privacy flaw in Google’s new Twitter/Facebook competitor, Google Buzz. When you first go into Google Buzz, it automatically sets you up with followers and people to follow. A Google spokesperson tells us these people are chosen based on whom the user emails and chats with most using Gmail. That’s fine. The problem is that – by default – the people you follow and the people that follow you are made public to anyone who looks at your profile. In other words, before you change any settings in Google Buzz, someone could go into your profile and see the people you email and chat with most. When you first post to Google Buzz, there is a dialogue box that reads “Before participating in Buzz, you need a public profile with your name and photo.” It also says – albeit in tiny gray letters against a white background – “Your profile includes your name, photo, people you follow, and people who follow you.” But it does not say that these publicly viewable follower lists are made up of people you most frequently email and chat with. Even if it did say that, we doubt most users bother to read the text in the dialogue box before clicking “save profile and continue.” This is why it’s always safest for Web services providers to make it so sharing information is always an “opt-in,” rather than “opt-out,” setting. [Source - with illustrations and updates]


WW – Most Journalists Use Social Media Such as Twitter and Facebook as a Source

Social media is increasingly viewed as a relevant part of journalistic research, a study reveals. A US survey has revealed that an overwhelming majority of reporters and editors use social media sources for researching their stories, as 56% say social media is important for reporting and producing the stories they wrote. However, 84% of journalists treat information delivered via social media with caution, as they think it is less reliable than information delivered via traditional media. According to the research, conducted by Cision and The George Washington University, all journalists use Google for their online research, followed by 61% who turn to Wikipedia. Among social media, 89% of journalists make use of blogs while conducting their online research, while 96% turn to corporate websites. Social networking sites like Facebook or LinkedIn, by comparison, are only slowly catching up: two-thirds of the journalists turn to them during their online research, while only about half of them make use of the micro-blogging site Twitter. [The Guardian] [News Release] [Report]


UK – Facebook Deletes 30 Pages Used by British Criminals to Taunt People

Facebook has agreed to delete 30 pages of prisoners who used their sites to threaten people or boast of their crimes, British Justice Minister Jack Straw said this week. The British government also wants Facebook to create a better method to more quickly delete such pages and will look at changing parole rules to restrict how released prisoners can use Facebook, he said. He spoke after meeting the families of murdered youngsters Jimmy Mizen and Damilola Taylor. One jailed killer, Jade Braithwaite, used his site to say he wanted a remote control to “mute or delete people when I need to,” the BBC reported. Gangster Colin Gunn, who is serving time for ordering the murders of a couple in Lincolnshire, said on his site, “I will be home one day and I can’t wait to look into certain people’s eyes and see the fear of me being there,” according to the Sunday Times. “Some (of you) have let me down badly and will be named and shamed.” [Source]


EU – Official Wants Clearer Privacy Lines on Street View

German Consumer Minister Ilse Aigner wants more privacy safeguards for Google’s Street View, calling it a “million-fold violation of the private sphere.” Although Google has agreed to blur identifying images such as faces and license-plate numbers in Street View’s online tours of cities and towns, such details are only obscured in the company’s raw images by formal request. Aigner is now exploring legal avenues to require Google to obtain consent for all the raw images it collects for Street View, the report states. A Google spokeswoman, meanwhile, has pointed out the company has spent a year using the current data protection stipulations to govern how it collects and manages images. [The Local]


Other Jurisdictions


HK – New Body to Scrutinise Privacy Watchdog

The Hong Kong Constitutional & Mainland Affairs Bureau says it supports the Office of the Privacy Commissioner for Personal Data’s plan to form a group to enhance the body’s compliance and management work, and strengthen its governance. In response to the Legislative Council Public Accounts Committee’s report tabled in LegCo, the bureau said it will monitor the body’s performance, checking its expenditure, financial and operational reports, and holding regular progress reviews. Additional resources will be allocated to the body in 2009-10 and 2010-11 to enhance its enforcement and promotion work. To provide the organisation with greater flexibility in using its resources, its reserve ceiling will rise from $5 million to 20% of its annual recurrent subvention. [Source]


IN – Privacy Concerns Stall National Security Database

Privacy concerns have stalled the home ministry’s plans to set up the National Intelligence Grid (NATGRID). NATGRID is a proposed national security database, which will include individuals’ personal information, such as banking, immigration and electronic communication details. The Cabinet Committee on Security (CCS) wants security mechanisms built into the grid before its implementation. “A more detailed proposal carrying specific points relating to the safeguards mechanism will be presented before the CCS as early as possible,” said an official, who added, “The ministry has taken all care to have an inbuilt safeguard mechanism within NATGRID so that the available data is not misused.” [Times of India]


Privacy (US)


US – EPIC Names International and U.S. 2010 Privacy Champions

EPIC has announced it will present the 2010 International Privacy Champion Award to the Honorable Michael Kirby for his role in the development of the OECD Privacy Guidelines of 1980, which have provided the basis for national laws, international agreements and privacy frameworks around the world. EPIC’s 2010 U.S. Privacy Champion Award went to Beth Givens, founder and director of the Privacy Rights Clearinghouse in San Diego, California. [Source]


US – Another Letter to Obama on Privacy Oversight Board

Two more lawmakers have written to President Obama about reinstituting the Privacy and Civil Liberties Oversight Board. Last week, Rep. Bennie Thompson (D-MS) and Rep. Jane Harman (D-CA) urged the president “to appoint individuals to the Privacy and Civil Liberties Oversight Board immediately.” The board was created in 2004 based on the recommendation of the September 11 commission, but has since languished. In their letter, the representatives assert that the “need for the oversight panel is particularly urgent given the recent events of December 25, 2009, and the...potential expansion of watch lists and widespread use of body-scanning technology...” Ben Rhodes, a national security spokesman, said the White House “looks forward to appointing [the board’s] leadership soon.” [Washington Times]


US – Critics Slam Proposed Privacy Settlement

Critics are calling Facebook’s settlement offer in a privacy lawsuit involving its Beacon behavioral tracking service “meaningless” while the company contends it is fair and adequate. The disagreement stems from a 2008 lawsuit alleging the social-networking site and its Beacon affiliates violated federal privacy laws by sharing data about Facebook users. The proposed settlement includes $9.5 million to fund a privacy foundation. The recent complaints filed in U.S. District Court, however, argue the company would be paying itself to fund a privacy foundation under its own control. Facebook spokesman Barry Schnitt says that suggestion is “absurd” as the privacy foundation’s bylaws establish it as an independent entity to be run by privacy advocates. [Computerworld]


US – Jurors: Stop Twittering

A federal court policy-making body is belatedly entering the internet age by proposing that judges clearly inform jurors they must not electronically discuss cases they are hearing. It’s standard procedure to inform jurors to remain mum and not conduct any research about the case until a verdict. But recent gadget use by jurors has forced the hand of the Judicial Conference of the United States, the policy-making body of the federal courts. The model jury instructions the Judicial Conference released to the federal judiciary in late January specify: You may not communicate with anyone about the case on your cellphone, through e-mail, Blackberry, iPhone, text messaging, or on Twitter, through any blog or website, through any internet chat room, or by way of any other social networking websites, including Facebook, MySpace, LinkedIn and YouTube. A federal drug trial in Florida ended in a mistrial last year when eight jurors admitted they were doing internet research on the case they were hearing. Among other examples, there was a call — although unheeded — for a mistrial when a juror was discovered tweeting and publishing trial updates on Facebook in the prosecution of Vincent Fumo, a former Pennsylvania state senator convicted of graft. There are no nationwide instructions for the state courts, because each state adopts its own set of jury instructions. Florida, for instance, is recommending that its judges instruct jurors multiple times “that they cannot perform outside research using the internet, or use electronic devices to communicate about the case.” [Source]


US – Judge Rules FACTA Does Not Extend to E-Confirmation

A judge in the Northern District of Illinois has ruled that the Fair and Accurate Credit Transactions Act (FACTA) does not apply to electronic displays or e-mail confirmations of Internet transactions, reports Multichannel Merchant. David Almeida, a partner at Drinker Biddle & Reath, LLP, highlights the case Shlahtichman v. 1-800 Contacts, Inc., in which the plaintiff alleged that the inclusion of his credit card’s expiration date on a computer-generated receipt violated the act, which restricts the disclosure of such information on electronically printed receipts. Judge John Darrah dismissed the claim, saying that an e-mail order confirmation does not fit the criteria for “electronically printed receipt,” and that the confirmation was not generated at the point-of-sale, among other factors. [Source]


EU – Ad Deal Sparks Privacy Concerns

The potential purchase of a firm specializing in mobile device advertising by a popular Internet search engine has privacy advocates bringing their concerns to the FTC. Consumer Watchdog and the Center for Digital Democracy have called on the FTC to block the proposed acquisition of AdMob by Google, due in part to concerns about the creation of “super data profiles” of their users. Citing the ability to combine user location and other information, John Simpson of Consumer Watchdog is questioning how such data could be “used and manipulated.” AdMob Chief Executive Omar Hamoui, meanwhile, says the industry is taking privacy concerns seriously. The FTC has issued a “second request” for information. [San Francisco Chronicle]


Privacy Enhancing Technologies (PETs)


WW – Privacy Concerns Prompting Users to Abandon Social Networking

Concern over access to personal messages and photos is one of the reasons some former social networking fans are putting an end to their online lives. Whether it’s privacy issues or a desire to limit the time spent online, the urge to “unplug” has spurred the creation of new Web services like Seppukoo and Web 2.0 Suicide Machine designed to kill off online personas. “We are not anti-social-networking,” says Walter Langelaar, one of the creators of Web 2.0 Suicide Machine. “We do, however, feel things are getting so messy in that world.” Meanwhile, such programs are prompting some social networking sites to take action to keep their users’ information from being automatically deleted. [USA TODAY]


US – Customers Sue ISP for Installing NebuAd ‘Spyware,’ Offering Defective Opt-Outs

Two customers have filed a lawsuit against their Kansas-based Internet service provider (ISP) for allegedly sharing their online information with a defunct behavioral targeting company. The complainants, who are seeking class-action status, allege that ISP Embarq installed NebuAd spyware without providing adequate notice. MediaPost reports that Embarq was one of six ISPs allowing NebuAd to monitor subscribers’ Web activity and target advertising to those consumers based on the data collected over a period of time in 2007 and 2008. “Offering its users little warning and no choice,” the legal complaint states, the “defendants merely amended their online privacy policy with misleading information.” [MediaPost]




US – US Legislators Pass Cyber Security R&D Bill

The US House of Representatives has passed the Cyber Security Research and Development Act by a 422 to 5 vote. The legislation allocates US $395 million to the National Science Foundation (NSF) for cyber security research projects; it also gives the NSF US $108.7 million for a cyber security scholarship program, and authorizes additional activities at the National Institute of Standards and Technology (NIST). The bill now goes to the Senate. [The Caucus] [NextGov] [CNET] [PCWorld] [The Register]


WW – P2P Users Still Leaking Sensitive Data

Researchers gave a presentation at ShmooCon last week indicating that people using peer-to-peer (P2P) filesharing programs are unaware of exactly what information they are making publicly available. Larry Pesce and Mick Douglas said in their presentation that they were able to access people’s driver’s licenses, passports and tax returns. The researchers’ activity was prompted by recent disclosures of sensitive government information, including communications, navigation and management systems data for Marine One, the President’s helicopter. The researchers were able to locate the sensitive files using simple search terms such as “doctor,” “passport,” “license,” and “visa,” as well as a number of different file extensions. [CSO Online]


US – Study: Banking Passwords Often Used for Other Sites

Nearly three-quarters of computer users have the same password for their online banking accounts that they have for other, less secure websites. Data drawn from 4 million users of Trusteer’s Rapport browser security service indicates that 47% of users have the same usernames and passwords for multiple sites, including financial account sites. The implications are serious; if cyber thieves obtain login information for someone’s social networking account, they have a good chance of being able to access that person’s online financial accounts as well. [Source] [Source]


UK – People Leaving USB Drives in Clothing Pockets, Say Cleaners

A UK survey found that 4,500 USB drives have been found in people’s clothing pockets when they were taken to dry cleaners. That number is half what it was a year earlier, but this could be explained by a shift to users downloading data to smartphones and netbooks as opposed to increased vigilance about data security. USB drive security was in the news recently when several manufacturers acknowledged a vulnerability in the access control mechanism of their devices. [Source]


US – Critical Infrastructure Computer Systems Under Constant Attack

According to a report from The Center for Strategic and International Studies, utility companies’ and other critical infrastructure components’ computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries’ laws are not effective in deterring cyber attacks, and nearly half believe that their countries do not have the ability to prevent cyber attacks. [DarkReading] [InformationWeek] [NYTimes] [DailyTech] [SMH]


US – No Easy Deterrent for Cyber Warfare

In a far-ranging and insightful article, New York Times reporters Thom Shanker, David Sanger, and John Markoff analyze the United States’ current capabilities in deterring cyber attacks. Not very encouraging. [NYT]


UK – UK Airports Implement Compulsory Use of Full Body Scanners

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights. The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators. The privacy policy should include as a minimum:

- rules regarding the location of the equipment;

- a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);

- a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as gender, age, race or ethnic origin);

- a prohibition on copying or transferring the images in any way;

- instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and

- a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago. The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children. Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study. This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission. A report, or any specific legislative proposals, have yet to be published. [Source]


Smart Cards


HK – Official Says “Smart Card” Payment System Poses No Risk to Privacy

A top official has stated that Hong Kong and Shenzhen residents who use the smart card payment system when it is introduced later this year have no reason to worry about their privacy. KC Chan, secretary for financial services and the treasury, told the Legislative Council last week that smart card readers will “only capture transaction-related information, including the date and time of the transaction, the identity of the relevant service provider, the transaction value, the remaining balance on the card and the card number.” According to Chan, as no personal data are involved in the process, “personal data won’t be leaked through cross-boundary card readers.” [Computerworld Hong Kong]




US – FBI Wants ISP to Retain Sites Visited Data for Two Years

The FBI wants Internet service providers (ISPs) to keep records of which websites their customers visit and to retain the data for two years. The agency believes that the information could prove useful in investigations of serious crimes. Existing federal regulations require telecommunications providers to keep records of toll calls for 18 months; the information logged includes the “name, address, and telephone number of the caller, telephone number called, date, time and length of call.” The FBI is not seeking the content of communications, just “non-content transactional data.” [CNET]


US – Police Want Backdoor to Web Users’ Private Data

Anyone with an e-mail account likely knows that police can peek inside it if they have a paper search warrant. But cybercrime investigators are frustrated by the speed of traditional methods of faxing, mailing, or e-mailing companies these documents. They’re pushing for the creation of a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically. CNET has reviewed a survey scheduled to be released at a federal task force meeting which says that law enforcement agencies are virtually unanimous in calling for such an interface to be created. 89% of police surveyed, it says, want to be able to “exchange legal process requests and responses to legal process” through an encrypted, police-only “nationwide computer network.” The survey is part of a broader push from law enforcement agencies to alter the ground rules of online investigations. Other components include renewed calls for laws requiring Internet companies to store data about their users for up to 5 years and increased pressure on companies to respond to police inquiries in hours instead of days. But the most controversial element is probably the private Web interface, which raises novel security and privacy concerns, especially in the wake of a recent inspector general’s report (PDF) from the Justice Department. The 289-page report detailed how the FBI obtained Americans’ telephone records by citing nonexistent emergencies and simply asking for the data or writing phone numbers on a sticky note rather than following procedures required by law. The police survey is not exactly unbiased: its author is Frank Kardasz, who is scheduled to present it at a meeting (PDF) of the Online Safety and Technology Working Group, organized by the U.S. Department of Commerce.
Kardasz, a sergeant in the Phoenix police department and a project director of Arizona’s Internet Crimes Against Children task force, said in an e-mail exchange on Tuesday that he is still revising the document and was unable to discuss it. Jim Harper, a policy analyst at the free-market Cato Institute, says that he welcomes the idea of a police-only Web interface as long as it’s designed carefully. “A system like this should have strong logins, should require that the request be documented fully, and should produce statistical information so there can be strong oversight,” he says. “I think that’s a good thing to have.” [Source] SEE ALSO: [Forbes: Cisco’s Backdoor for Law Enforcement and Hackers]


CA – Nearly 1,000 Olympic Security Cameras Go Live

With just 10 days to go until the opening of the 2010 Winter Games, nearly 1,000 security cameras have been turned on to monitor the crowds, which are already starting to fill the streets. About 900 of the cameras were installed by the RCMP-led Olympic security team around venues for the Games, while another 90 cameras were installed by the City of Vancouver around public sites in the downtown area. The Integrated Security Unit team said that without the cameras more police officers would be needed to keep an eye on Olympic visitors. Privacy watchdogs have expressed concerns that the monitoring tramples civic rights, but the RCMP and the city have both said the cameras will be dismantled after the Paralympic Games end in March and the recordings will only be kept for a limited time. [Source]


US – Remembering Who, What, Where and When--Digitally

Two computing pioneers are recording every aspect of their lives digitally, prompting questions about the potential dangers these “lifelogs” pose to personal privacy. Gordon Bell and Jim Gemmell, both Microsoft researchers, suggest the biological ability to retain memories can be augmented with an electronic memory they call “Total Recall.” Proponents tout the ability of storing away mundane information and making interesting facts and experiences easily accessible. Others question whether using Total Recall could lead to a “life without privacy,” where authorities could demand access to such memory storage banks. Bell, who has spent years compiling an electronic memory that comprises everything from letters and photographs to biometric data, says, “We need to adapt to reap the benefits.” [The Times]


Telecom / TV


WW – Researcher Exposes Smartphone Privacy Threat

A Swiss researcher is warning users of a popular smartphone that insufficient security and a design flaw could put their personal data at risk. Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences, contends that the “App Store” for Apple’s iPhone lacks adequate protection to prevent malicious applications from being distributed to millions of users and accessing personal information on the devices. During a presentation on Wednesday, Seriot explained ways that innocent-looking applications can harvest personal data and send it to a remote server without the user knowing it. [CNET News] [Seriot White paper]


EU – Sweden: Justice Minister Reluctant to Store Data

The European Court of Justice has told Sweden that it must implement a 2006 measure requiring telecom operators to store information about their customers’ phone calls and emails. The EU directive, known as the Data Retention Directive, was approved by Brussels in March 2006, but Sweden has yet to implement the measure more than three years after its passage. The Swedish government conceded to the court that it had not fulfilled its obligations and assured the court that the EU directive 2006/24 can be expected to pass into Swedish law on April 1st 2010. But hours after the verdict was made public, Justice Minister Beatrice Ask told news agency TT that the government would not be preparing a legislative proposal on the issue prior to this autumn’s general election. “The extent to which private companies should be forced to store information about the activities of individuals is an important matter of principle. That’s exactly what this is about,” Ask told news agency TT. The minister added that the government would at least wait until the completion of an inquiry into police methods, the findings of which are expected to come at the start of the summer. [Source]


US Government Programs


US – Census Bureau’s Privacy Practices Spur Accuracy Questions

Director Robert M. Groves has ordered a review of the Census Bureau’s identity protection practices after researchers found evidence that “masking” techniques have resulted in instances of flawed data. “We have a very sacred burden to protect identities,” Groves said. “We have given our pledge that nothing we ever do could identify who a record belongs to.” However, a paper published by the National Bureau of Economic Research indicates certain census statistics released as “microdata” for research purposes between 2000 and 2005 might have been off by as much as 15% due to the Census Bureau’s efforts to protect personal information. [Washington Post]


US Legislation


US – South Dakota Law to Require Websites to Collect Info on Anonymous Sources

A South Dakota lawmaker wants to require bloggers and operators of other Web sites to collect information about the source of anonymously posted content so the information can be used in libel and slander lawsuits. Republican Rep. Noel Hamiel, who represents Aurora and Davison counties, introduced the legislation as a two-bill package last week in the state House of Representatives. “The purpose of the bills,” Hamiel, of Mitchell, said in an interview with The Daily Republic, “is to provide some recourse for people who are defamed anonymously online.” One of the measures, House Bill 1278, requires any person who allows Internet posts to “keep a record of the internet-protocol logs adequate to provide identification and location of otherwise unknown, anonymous, or pseudonymous persons who leave or upload content.” The logs could be used, for example, to trace an anonymously posted blog comment to a particular Internet account or even a specific computer. The other measure, House Bill 1277, would allow a person who is suing for libel or slander to name the blogger or other “online content provider” as a co-defendant, but only for the limited purpose of obtaining information about the source of the anonymously posted content. The main defendant would be the person who posted the content anonymously or under a pseudonym. Hamiel said he hopes his legislation will start a conversation about what he considers to be a “serious problem in cyberspace.” Both bills have been assigned to the House State Affairs Committee but, as of Monday, had not been scheduled for a hearing. [Source]


Workplace Privacy


US – 70% of Hiring Managers Reject Job Applicants Because of Info They Find Online

If there was ever a doubt that those party pictures on Facebook can come back to haunt you, take a look at this statistic: 70% of hiring managers say they’ve decided not to hire an applicant because of information they’ve found online. The data come from a survey of 1,200 human relations managers and consumers in the United States, Britain, Germany and France. Microsoft commissioned it last November. Those surveyed said they almost all go online to research candidates to hire and think they are justified in doing so. Conversely, only 7% of consumers think recruiters check out potential candidates online in considering hiring decisions. Recruiters said they search for information about candidates through search engines, on social networking sites, personal Web sites and blogs, gaming sites, online classified sites and through professional background checkers. What kind of information prompts hiring managers to reject a candidate?


CA – We Don’t Want to Be in Pictures: Union

Videos and photos of workers sleeping on the job, taking unauthorized breaks in the middle of bus routes, abusing passengers on métro platforms and dumping recyclables in with garbage are finding their way online. Citing Quebec’s strict privacy laws, the head of Montreal’s bus drivers’ union says he would sue if a passenger posted a photo or video of him on the Internet. But a media lawyer says Quebecers have the right to publish such images if the workers are breaking rules. The video phenomenon is expected to grow as more people carry cellphones that can shoot photos and videos. [Source]