Privacy News Highlights

01–15 January 2010



CA – Not all Thumbs Up For Palm Scanning
US – Behavioral Identification Can Help Stop Terrorists Like Abdul Mutallab: Researcher
WW – New Computer Vision System for the Analysis of Human Behavior
CA – Bill S-4 Tightens Noose Around Identity Thieves
CA – Anti-Spam, Lawful Access Bills to Die With Parliament Prorogation
CA – Report Rips Federal Officials’ No-Fly List
CA – Specially Trained Personnel, Body Scanners to Join Terrorism Fight
US – Opinion: Government Agencies Need Privacy Definition (Schwartz)
AU – Vinnies ‘Misused’ Donor Data
IN – Information Law Could Expose Personal Tax Info
CA – Intelligence Loopholes Threaten Canada-US Border
KR – Snooping on Spouses’ Emails Illegal
US – U.S. Issues Standards to Spur E-Health Records
UK – Consent Defined Differently by Patients and Researchers: UK Health Dept Survey
AU – E-Prescribing Tender Cancelled
CA – Ontario Commissioner Orders Encryption of Health Info on All Mobile Devices
WW – USB Flaws Prompt NIST Review of Cryptographic Module Certification Process
WW – Google to Enable HTTPS on All Gmail Traffic by Default
UK – Privacy Concerns Likely to Impede Body Scanners in Europe
UK – ICO Will Have Authority to Levy Fines Up to £500,000
EU – France Ponders Right-to-Forget Law
WW – Understanding Privacy in the Age of Facebook: Study
WW – Malice Outpaces Error as Breach Cause
WW – Google Considering Leaving China
CN – China Defends Censorship After Google Threat
US – California Software Maker Sues China for $2.2 Billion
US – Court Skeptical of FCC’s Comcast Ruling
EU – Year-Change Confounds Some German Payment Cards
EU – 2010 Date Recognition Problems Spread
CA – New Privacy Rules for Crown-run Casinos In Sask. After Complaint Investigation
US – Heartland and Visa Reach Settlement
US – ABA Recommends Using Dedicated PC for Online Banking
US – Connecticut AG Sues Health Net for HIPAA Violations
US – Health Care Provider Sued Over Privacy Issue
AU – Charity Accused of Abusing Trust
US – Online STD Testing Raises Concerns
US – HITECH May Pose Challenge for Healthcare Orgs
US – Intruders Steal Bank Login Data
US – Northern California Kaiser Suffers Breach
US – Preliminary Settlement Approval in Class Action
UK – National ID Registry Includes National Insurance Data
US – 1 in 6 Massachusetts Residents Affected by Data Breaches from 2008 Through 2009
CA – Manitoba Ombudsman Concerned About New Licence
EU – France Three Strikes Law Delayed by Govt’s Own Data Watchdog
WW – Google Aims to be Keeper of All Secrets
US – FTC Roundtable Will Address Cloud Computing Privacy Issues
WW – Consortium Outlines Cloud Definition, Components, Guidelines
UK – Number of Crimes Caught on CCTV Falls by 70%, Metropolitan Police Admits
US – Police Fight Cellphone Recordings
US – Mass. Police Arresting Call Recorders
EU – ‘Monster’ German Employee Database Goes Online
CN – China Passes Privacy Protections Law
MA – Marianas Call For Alien Registry
EU – Israel Receives Adequacy Status
WW – Privacy No Longer a Social Norm, Says Facebook Founder
WW – Profile Purgers Come Under Fire
EU – German Justice Minister Lashes Out at Google Over Data Protection
EU – Schaar Proposes Grading Agency for Social Networks
WW – Social Media Data Not Yet Useful For Analytics
WW – Pepsi Social Network Launches into Privacy Storm
EU – German Murderers Sue to Remove Name in News Accounts
SG – New Law OKs Research Access to Public Data
US – FCC Wants Comments on Privacy
US – Full Body Scanners Used by TSA Present Privacy Concerns
US – Rockyou Sued Over Data Breach
US – HHS Wants Contractor to Test Privacy of ‘Anonymous’ Data
US – NH House Votes to Bar Implanting Tracking Devices
US – Rhode Island Legislature Passes RFID Bill Vetoed by Governor
PH – Philippines High Court Stops RFID, Tells LTO to Refund Fees
US – Pentagon’s Planned Cyber Command Faces Questions From Lawmakers
EU – German Pirate Party Protests ‘Naked’ Scanners in Their Underpants
US – Airport Scanners Can Store, Transmit Images
SK – South Korean Military to Ban USB Drives
US – Beware Who Fixes That Broken Laptop
AU – Qld Ticketing ‘Theft’ Investigated
CA – Public not Worried About Increased Public Surveillance: Report
NZ – Law Enforcement and Intelligence Agents Get Increased Surveillance Powers
US – Bank Thieves Foiled by GPS-Spiked Cash
CA – Would You Track Your Kid by GPS?
AU – Fury at Telstra Over Phone Privacy Breach
IN – High Court to Telecoms: Respect Consumer Privacy
US – FTC Set to Examine Cloud Computing
US – FTC Seeks Public Comment on New COPPA Guidelines
US – Maine Legislature Presents New Marketing-to-Minors Law
CA – Airlines Say Secure Flight Forces Privacy Law Violations
US – FTC: Businesses Liable for Employee Statements on Social Networking Sites




CA – Not all Thumbs Up For Palm Scanning

In a move that has prompted at least three complaints to Canada’s privacy czar, a growing number of professional programs such as medicine and business now require students to give a digital print of their finger, thumb or even veins in their palm to write the high-stakes entrance tests designed and run out of the United States. The latest version is the new infrared scan of the blood vessels in your palm required by all 266,000 students around the world - 8,000 in Canada - who write the four-hour GMAT admissions test each year for a master’s of business administration (MBA) program. So offended was Toronto student Ajanthy Arasaratnam last summer at having to hold her palms before the small gizmo to write her GMAT that she asked the Office of the Privacy Commissioner of Canada to investigate it as an invasion of privacy. She is hoping it will rule the same way it did two years ago over a complaint that the LSAT entrance test for law school was violating Canadian students’ right to privacy by requiring a digital thumbprint - and the commission agreed. Now, the 7,000 Canadians who write the LSAT each year must provide a digital photo, not a thumbprint. The privacy commissioner’s office also is investigating a complaint about the use of digital fingerprints by the MCAT for medical school. [Source]


US – Behavioral Identification Can Help Stop Terrorists Like Abdul Mutallab: Researcher

University of Buffalo (UB) professor Mark G. Frank says that current technologies could have detected and preemptively stopped the recent terrorist attempt on Northwest Flight 253. “Behavioral science techniques could have detected him once he got to the airport,” Frank says. He says security is best achieved in a multi-faceted approach when examining would-be airline passengers. “No single security technique, on its own, is a panacea, although that would be great,” Frank says. The goals of anti-terrorism security start with employing intelligence and investigatory processes to stop a would-be terrorist from traveling in the first place. If a potential terrorist does travel, the next goal becomes forcing him or her into a group marked for secondary screening. This is where behavioral science could have been used to stop terrorist Farouk Abdul Mutallab from boarding the Northwest plane. “There exist excellent scientific techniques to spot such suspects, and they don’t employ ethnic screening or the random screening of passengers,” Frank says. The U.S. DHS uses the Screening of Passengers by Observation Technique (SPOT) and Future Attribute Screening Technology (FAST) to identify suspicious behavior. SPOT is a behavioral observation technique used by the U.S. Transportation Security Administration and is based on a successful Israeli program. FAST is a sensor-based program that analyzes body reactions indicative of hostile intention and uses this information to identify who should be required to pass through additional screening. “The immutable fact is that any effective international terrorist security system must address myriad psychological, social, and political issues,” Frank says. [Source]


WW – New Computer Vision System for the Analysis of Human Behavior

European researchers, coordinated by the Autonomous University of Barcelona, have developed a cognitive computational system using video cameras and software, which is able to recognize and predict human behavior. Human Expressive Graphic Representation of Motion and their Evaluation in Sequences (HERMES) analyzes human behavior based on three levels of video recording sequences. The information is processed by computer vision and artificial intelligence algorithms, which allow the system to recognize movement trends. The researchers say that HERMES uses two new ideas in the field of computer vision. First, it can describe the movement captured by the cameras in natural language using simple and precise phrases. Second, the system can analyze and discover potentially unusual behavior and give off warning signals. Researchers anticipate that HERMES can be used in several different fields, especially intelligent surveillance and accident and crime prevention, as well as marketing and psychology. [Source]




CA – Bill S-4 Tightens Noose Around Identity Thieves

A Canadian bill came into force last week that makes early stages of identity-related crime an offense in the Criminal Code, thereby granting Canadians greater protection against identity theft. Bill S-4 creates three new core offenses in the Code: obtaining and possessing identity information with the intent to use it in a crime; trafficking of identity information knowing it will be used in a crime; and unlawfully possessing or trafficking government-issued identity documents. Bill S-4, an act to amend the Criminal Code, was introduced in the Senate on Mar. 31, 2009. David Fewer, lawyer and acting director of Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC), thinks this legislation is a good first step, but that victim remediation is one of many other things still requiring attention. Bill S-4 requires offenders to pay damages to victims, such as the cost of applying for a new passport. [Source]


CA – Anti-Spam, Lawful Access Bills to Die With Parliament Prorogation

Reports indicate that the government plans to prorogue Parliament, effectively shutting it down until March. One of the effects of prorogation is that all bills that have not received royal assent die and must be restarted from the beginning when a new Parliament begins. While the government can try to move bills with broad support quickly back through the process (reinstatement requires approval in the House), the delays are significant. Only 27 of the 64 Government bills introduced during the current session have received royal assent, leaving 37 bills in need of a restart. Of those, at least four involve technology law: C-27 (anti-spam, electronic commerce), C-46 (lawful access), C-47 (lawful access), and C-58 (ISP child pornography reporting). The anti-spam bill was the most advanced, having cleared the House of Commons and slated for review by a Senate Committee early in the new year. [Michael Geist]


CA – Report Rips Federal Officials’ No-Fly List

Transport Canada should carry out a sweeping review of its no-fly list, say independent consultants hired by the department who found a Montreal-area student should never have been barred from an Air Canada flight. In a stinging assessment of the no-fly list, known as Passenger Protect, independent security advisers Allan Fenske and Wendy Sutton recommend that Transport officials remove Hani Al Telbani’s name from the roster. The report was commissioned by Transport Canada’s Office of Reconsideration, which reviews complaints from people prevented from flying because of their presence on the no-fly list. Though completed in October 2008, it has only now come to light through the Federal Court of Canada, where Al Telbani is suing the government. The consultants’ report, which calls on Transport Canada to review the process for placing people on the no-fly list, could have serious implications for the entire program. The consultants found:

· The deputy minister of transport, responsible for names on the no-fly list, “was not provided with the information necessary” to place Al Telbani on the roster due to “serious deficiencies” in the file.

· Subsequent decisions of an advisory group that includes transport officials, the RCMP and Canadian Security Intelligence Service to keep him on the list were “made without legal authority.”

· The officer who issued the emergency direction to bar Al Telbani from flying was not authorized to do so.

In an affidavit filed with the Federal Court in December, Al Telbani says the government withheld the consultants’ report from his lawyers until June 2009, and undertook the reconsideration process without properly taking the report into account. Roch Tasse, of the Ottawa-based International Civil Liberties Monitoring Group, said Friday the consultants’ report confirms the worst fears of opponents, who have long said the no-fly list was established without parliamentary scrutiny. “It was introduced by back door so the policymakers would not even be aware what bureaucrats were doing.” [Source] see also [Statement congratulating former Privacy Commissioner Bruce Phillips on his appointment to the Order of Canada] see also: [No-fly Concerns Growing]


CA – Specially Trained Personnel, Body Scanners to Join Terrorism Fight

Transport Minister John Baird has announced that a passenger behaviour observation program will be developed to screen travellers through Canada’s major travel hubs. The new security measures will also involve the purchase of 44 full-body screening machines; with a price tag of $250,000 each, the technology will cost $11-million. The machines will be installed in airports in Toronto, Vancouver, Calgary, Edmonton, Winnipeg, Montreal, Ottawa and Halifax. A dozen scanners are expected to be delivered by the manufacturer within a week, with the rest to come in six to 10 weeks. Security experts from the European Union will meet in Brussels to discuss the introduction of full body scanners at airports across the continent, a move that has previously been scrapped due to privacy concerns. Britain and the Netherlands have said they will introduce scanners, and Germany and Italy support tougher security, but the executive European Commission has insisted that privacy concerns must be answered before changes are made. Spanish Transport Minister Jose Blanco said his country would not allow scanners until there is EU-wide agreement, and that any new security measures must be “compatible” with the freedom and privacy of individuals. Mr. Baird said the Canadian government’s privacy concerns about the scanners have been addressed. [Source] See also: [UK: New scanners break child porn laws]




US – Opinion: Government Agencies Need Privacy Definition (Schwartz)

Center for Democracy and Technology Vice President and COO Ari Schwartz says he believes consumer protection agencies need standardized language in order to clarify consumer complaints. Schwartz’s opinion follows an essay published by IAB president Randall Rothenberg, which claimed that a lack of consumer privacy complaints gives clear evidence that self-regulation online is working. Schwartz counters that thousands of complaints related to spyware, identity theft and Internet fraud have clear privacy implications. “Consumer concerns on privacy will continue to grow until we can be sure that we are addressing the basic complaints,” Schwartz writes. “If agencies cannot even tell each other what these complaints are, progress will not be possible.” [The Hill]


AU – Vinnies ‘Misused’ Donor Data

The St Vincent de Paul Society has been accused of breaching public trust and aspects of the Privacy Act after entering into an agreement that allowed one of the world’s largest data companies to gather information through a Christmas mail-out from the charity. The society defended its relationship with Acxiom but admitted to allowing it to write half the questions in the survey - and to collecting only limited data from the four-page questionnaire. It paid for the printing and mailing of the survey in exchange for a targeted mailing list from Acxiom. The survey, sent to 20,000 people on behalf of the charity’s Matthew Talbot Homeless Services, asked about relationship status, household income, home ownership, children and other interests. Only four questions asked directly about Matthew Talbot’s services. The chairman of the Australian Privacy Foundation, Roger Clarke, said the preparation of the survey might have breached the Privacy and Trade Practices acts. A spokesman for Acxiom said the company had complied with privacy legislation. [Source]




IN – Information Law Could Expose Personal Tax Info

A recent Right to Information Act ruling could result in making individual tax returns available to any citizen who asks for a copy. The information commissioner’s decision on a request filed by Rakesh Kumar Gupta against executives of Escorts Heart Research Institute stated that, “information provided by an assessee to the department for purposes of income tax assessment is information disclosed in relation to a public activity and, therefore... section 8(1)(j) is inapplicable in the present case.” The ruling, certain to be appealed, could have broad implications for private citizens. [DNA India]


CA – Intelligence Loopholes Threaten Canada-US Border

Canada’s border guards fear that they may be letting in terrorists because of inadequate information-sharing agreements with other agencies, both federal and international. “We still don’t have access to the full disclosure of the information relevant to do our work,” Jean-Pierre Fortin, a VP with the Customs and Immigration Union, said this week. He said that about 11,000 federal guards in his union have only partial access to important intelligence databanks, a situation that increases the risk that trained terrorists may get through screening at Canada’s airports and land crossings. Fortin said that “CSIS has got their own bank, the RCMP has got their own banks, Ontario police ... We need to define some very clear parameters of what kind of information would be relevant for people to do their work.” The Customs and Immigration Union has lobbied for added powers and responsibilities over the years, and its officials say the Conservative government has granted them better access to some sensitive information. [Source]




KR – Snooping on Spouses’ Emails Illegal

Sneaking into email accounts of spouses is illegal even if they include stories indicating his or her infidelity, a court ruled Thursday, putting privacy protection ahead of the right to know. The Seoul Eastern District Court slapped a 42-year-old woman with a 300,000 won fine for opening her husband’s emails without his approval. The court said the woman began monitoring her husband’s email accounts in 2006 after she secretly acquired his ID and passwords. One day, she found two suspicious email correspondences between her husband and someone she assumed was his mistress. She printed them out and then asked for a divorce. The husband accused her of infringing upon his privacy. She claimed the letters contained information proving he was engaging in an extramarital affair. But the court said that privacy protection comes first and that she tried to sneak into the secret “territory” of another person, even if that person was her husband. [Source]


Electronic Records


US – U.S. Issues Standards to Spur E-Health Records

U.S. health officials released standards for electronic medical records last week, seeking to spur the technology in hopes of cutting health costs and reducing medical errors. Congress required the standards, partly as a condition of about $19 billion in February’s economic stimulus bill that is aimed at encouraging doctors and hospitals to convert paper records into digital files. [Washington Post]


UK – Consent Defined Differently by Patients and Researchers: UK Health Dept Survey

A survey by the Department of Health in England found that “about half of the general public (53%) and patients (46%) think that identifiable data should never be used without consent, while only about one in ten researchers (11%) think so,” according to The Register. [The Register]


AU – E-Prescribing Tender Cancelled

Nine months after a tender aimed at resolving key management arrangements for new Australian electronic prescribing systems closed for consideration, the federal Health Department has quietly advised bidders by letter that the project has been canned. The tender was based on recommendations made by KPMG in its 2008 report, which found there was a “clear imperative that the issues of control, access, security and integrity of (these) systems are recognized as high priorities”. However, Canberra is widely believed to have lost control over e-prescribing initiatives in the past year, with several commercial offerings now carving up the marketplace between them. [The Australian]




CA – Ontario Commissioner Orders Encryption of Health Info on All Mobile Devices

Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, has ordered Durham Region’s Medical Officer of Health to ensure that all personal health information stored on mobile devices is strongly encrypted. A health order issued by the Commissioner addresses a recent privacy breach in Durham Region, but also goes beyond to focus on the province-wide issue of protecting personal health information stored on mobile devices. Commissioner Cavoukian’s Office conducted an in-depth investigation following the loss of a USB key, reported to her office on December 21, containing the personal information of nearly 84,000 people who had attended H1N1 immunization clinics in Durham Region. As the “health information custodian” ultimately responsible for the unencrypted memory stick that was lost, Dr. Robert Kyle, Durham’s Medical Officer of Health, was ordered to immediately implement procedures to ensure that any personal health information stored on any mobile devices (laptops, memory sticks, etc.) is strongly encrypted. Commissioner Cavoukian also made it very clear that she expects all personal health information stored on any type of mobile device in Ontario to be protected with strong encryption. [Source] [HO-007]


WW – USB Flaws Prompt NIST Review of Cryptographic Module Certification Process

The National Institute of Standards and Technology (NIST) is investigating security flaws in several brands of USB drives that were thought to be secure. The vulnerability can reportedly be exploited to allow attackers to read data on drives protected by the 256-bit Advanced Encryption Standard. The vulnerabilities lie not in the cryptographic module, but in the software that authorizes decryption. NIST will be considering whether it should make changes to its validation process, as the USB drives in question all met the criteria. SanDisk, Verbatim and Kingston, the three companies that acknowledged the vulnerabilities in their devices, have issued fixes for the problem. [SANS] [Security Focus] [GCN] [ComputerWorld] [SANS blog] [Secure USB Drives Not So Secure]


WW – Google to Enable HTTPS on All Gmail Traffic by Default

Google plans to start using HTTPS to encrypt all Gmail traffic by default. HTTPS has always been used to protect login pages, but now users’ communications will have an added layer of protection as well. Prior to the change, users could choose always-on encryption in their account settings. Google says the change was not prompted by the recent Chinese attacks, but Google did note that the growing prevalence of Wi-Fi was a factor in the decision. [The Register]


EU Developments


UK – Privacy Concerns Likely to Impede Body Scanners in Europe

Britain’s government wants to quickly deploy full body scanners at UK airports to fight an expanded terrorist threat, but privacy concerns - and fears that children may be exploited - seem likely to slow the plan. Privacy campaigners and children’s rights groups say the technology, now being tested at Manchester Airport, violates British and European law by producing sexually explicit images of children. [Washington Post] [EU Justice Chief-Designate Urges Caution On Scanners] See also: [Impact of imaging scanners on privacy needs scrutiny: Privacy Commissioner of Canada] and [Alberta Privacy boss pans scans] and [Full body scanners could be used without violating privacy, says expert]


UK – ICO Will Have Authority to Levy Fines Up to £500,000

As of April 6, 2010, the UK Information Commissioner’s Office (ICO) will have the authority to fine organizations up to GBP 500,000 (US $817,000) for violations of the Data Protection Act. The level of the fine in each case will be determined by the seriousness of the breach as assessed by the ICO. Factors that will be taken into account will include whether the breach was deliberate or accidental, how much distress the exposure of information caused, and what measures the organization had in place to prevent the breach. [BBC News] [BBC]


EU – France Ponders Right-to-Forget Law

Social networking websites have ensured that everyone who has an opinion can put it out in the public domain. The impact of all those online revelations has made France consider the length of time that personal information should remain available in the public arena. A proposed law in the country would give net users the option to have old data about themselves deleted. [BBC]


Facts & Stats


WW – Understanding Privacy in the Age of Facebook: Study

A paper by Kate Raynes-Goldie, Curtin University of Technology, Australia, explores how 20-something Facebook users understand and navigate privacy concerns. Based on a year-long ethnographic study in Toronto, Canada, this paper looks at how - contrary to many mainstream accounts - younger users do indeed care about protecting and controlling their personal information. However, their concerns revolve around what the author calls social privacy, rather than the more conventional institutional privacy. This paper also examines the somewhat subversive practices which users engaged in to enhance their own social privacy, and in some cases, violate that of others. Finally, this paper examines some of the reasons that users may continue using the site, despite privacy concerns. [Full paper] See also: [Facebook’s Zuckerberg Says The Age of Privacy is Over]


WW – Malice Outpaces Error as Breach Cause

In its annual report on data breaches The Identity Theft Resource Center (ITRC) says that 2009 marks the first time that malicious attacks have moved beyond human error as the leading cause of data breach, Dark Reading reports. According to the ITRC’s “2009 Data Breach Report,” hackers and insider theft accounted for 36.4 percent of breaches, human error 27.5 percent. The ITRC also found that compromised paper documents were involved in 26 percent of data breaches. In the 2009 report, the ITRC says that while the number of officially reported data breaches fell in 2009, it cannot determine if the overall breach rate is falling because of the number of unreported breaches. [Source] [ITRC Report]




WW – Google Considering Leaving China

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results. [NYT] [ComputerWorld] [Storm Center]


CN – China Defends Censorship After Google Threat

Chinese authorities on Thursday defended online censorship and encouraged Internet users to censor themselves in an apparent response to Google’s announcement that it would stop filtering out sensitive information from its Chinese-based Web site. Without mentioning Google, the Chinese government’s information office warned Internet media to guard against pornography, online fraud and “rumors,” while a Foreign Ministry spokesman said that China welcomes foreign firms that develop the Internet “according to law.” [Washington Post] [U.S., Google And China Square Off Over Internet] [Yahoo Backs Google’s Response To China Hackers] [Likely top EU Internet official backs Google’s threat to leave China] [Microsoft’s Ballmer: We’re staying in China] [NYT: Google Case Is Lightning Rod for Rights Advocates]


US – California Software Maker Sues China for $2.2 Billion

A Santa Barbara-area software maker is suing China and seven major computer makers, contending they pirated its Internet content filtering software. The federal lawsuit filed Tuesday in Los Angeles by Cybersitter seeks $2.2 billion. Cybersitter alleges the Chinese copied its code and incorporated it into censorware used to block Chinese citizens’ access to sites deemed politically undesirable by the government. [Siliconvalley.Com] See also: [Brief Outage of China’s ‘Great Firewall’ Allows Glimpse of Facebook, Twitter] and also: [China Nabs 5,400 People For Online Porn In 2009]


US – Court Skeptical of FCC’s Comcast Ruling

Federal judges appeared unwilling to accept that the FCC has the authority it asserted to punish Comcast, when the cable company blocked its Internet customers from using file-sharing services. In a hearing Friday in a dispute between the agency and Comcast, the judges questioned whether the FCC acted properly when it ordered the Philadelphia-based cable giant to stop blocking subscribers from using file-sharing services. [WSJ]




EU – Year-Change Confounds Some German Payment Cards

A software glitch pertaining to the change from the year 2009 to 2010 prevented German shoppers from using their payment cards. Older payment cards with magnetic stripes appear to work as usual; it is the newer cards with data stored on microchips that are having trouble recognizing the new year. The problem affects roughly 30 million chip and pin cards. French card manufacturer Gemalto has acknowledged responsibility for the problem and is hoping to find a solution that will not require new cards to be issued. German consumer affairs minister Ilse Aigner said that bank customers should not be liable for any resultant charges. [ISC] [Guardian] [Bank Tech] [The Register] [h-online]


EU – 2010 Date Recognition Problems Spread

German payment cards are not the only technology to be hit with problems recognizing dates in the new year. (See story above.) Smartphone users running Windows Mobile are getting text messages dated 2016. Symantec’s Endpoint Protection manager is labeling signatures dated in the new year as being out-of-date; until the problem is addressed in an update, new malware signatures will be dated 12/31/2009 with increased revision numbers. Other vendors affected include Cisco and SpamAssassin. [ISC1] [ISC2] [h-online] [The Register]
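One widely reported mechanism behind this class of 2010 failure (the Windows Mobile “2016” timestamps are the textbook case) is a two-digit year stored as packed BCD being decoded as if it were a plain binary byte: 0x10 is the BCD encoding of 10, but read as binary it is 16. The Python below is an added illustration written for this digest, not code from any affected vendor; the tens-in-high-nibble BCD layout is an assumed simplification (real formats such as GSM SMS timestamps differ in nibble order), and the defect is shown beside the corrected decoder.

```python
# Constructed illustration of the 2010 date-recognition failure class: a
# two-digit year stored as packed BCD (tens in the high nibble, ones in the
# low nibble, the layout many RTC chips use) decoded as if it were an ordinary
# binary byte. The defective decoder happens to work for 2000-2009 (0x00-0x09)
# and first breaks at 2010, where 0x10 reads as 16 and yields 2016.
# Assumed simplified encoding; not a reconstruction of any vendor's code.


def int_to_bcd(value: int) -> int:
    """Pack a two-digit decimal value 0..99 into one BCD byte."""
    if not 0 <= value <= 99:
        raise ValueError(f"BCD byte can only hold 0..99, got {value}")
    return ((value // 10) << 4) | (value % 10)


def bcd_to_int(byte: int) -> int:
    """Unpack a BCD byte, rejecting nibbles that are not decimal digits."""
    if not 0 <= byte <= 0xFF:
        raise ValueError(f"not a byte: {byte}")
    tens, ones = byte >> 4, byte & 0x0F
    if tens > 9 or ones > 9:
        raise ValueError(f"not a valid BCD byte: {byte:#04x}")
    return tens * 10 + ones


def buggy_year(year_byte: int) -> int:
    """Defective decoder: treats the BCD byte as a plain binary number.

    Coincidentally correct while the tens nibble is zero (2000-2009),
    wrong from 2010 onward: 0x10 -> 16 -> 2016.
    """
    return 2000 + year_byte


def correct_year(year_byte: int) -> int:
    """Fixed decoder: unpack the BCD digits before adding the century."""
    return 2000 + bcd_to_int(year_byte)


def divergence_table(first: int = 2008, last: int = 2012):
    """Return (true_year, buggy_decode, correct_decode) for each year in range."""
    rows = []
    for year in range(first, last + 1):
        byte = int_to_bcd(year - 2000)
        rows.append((year, buggy_year(byte), correct_year(byte)))
    return rows


def first_bad_year(first: int = 2000, last: int = 2099) -> int:
    """Regression-style check: the first year where the two decoders disagree.

    Running a sweep like this across the whole representable range is the
    kind of test that would have caught the rollover before 1 January 2010.
    """
    for year, buggy, correct in divergence_table(first, last):
        if buggy != correct:
            return year
    raise AssertionError("decoders agree over the whole range")


if __name__ == "__main__":
    for year, buggy, correct in divergence_table():
        flag = "" if buggy == correct else "  <-- mismatch"
        stored = int_to_bcd(year - 2000)
        print(f"{year}: stored {stored:#04x}  buggy={buggy}  correct={correct}{flag}")
    print("first year the buggy decoder fails:", first_bad_year())
```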


CA – New Privacy Rules for Crown-run Casinos In Sask. After Complaint Investigation

Two Crown-run casinos in Regina and Moose Jaw, Sask., are no longer demanding personal information from people who pay cash for tickets to live stage shows. Gary Dickson, the province’s information and privacy commissioner, says Saskatchewan Gaming has adopted new privacy rules to stop the practice. He says his agency launched an investigation in 2008 after someone who tried to buy a ticket with cash was told they would still have to provide personal information, such as a home or email address. Dickson says Saskatchewan Gaming now has a senior official in charge of privacy issues, has developed new privacy policies, provided more training to staff and has developed signs and brochures telling customers that providing personal information is not mandatory. [Source]


US – Heartland and Visa Reach Settlement

Heartland Payment Systems will pay up to US $60 million to Visa payment card issuers affected by Heartland’s 2008 data security breach. The Visa settlement will go into effect once 80% of affected card issuers accept it. By agreeing to the terms of the settlement, the card issuers release Heartland and Visa from future liability. Heartland reached a similar deal with American Express last month. Several people implicated in the breach, including alleged ringleader Albert Gonzalez, have been charged. [ComputerWorld] [SC Magazine]


US – ABA Recommends Using Dedicated PC for Online Banking

The American Bankers’ Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions. [USA Today] [UPI]


Health / Medical


US – Connecticut AG Sues Health Net for HIPAA Violations

Connecticut Attorney General Richard Blumenthal plans to sue Health Net for failing to protect personally identifiable information of nearly 450,000 Connecticut residents. Blumenthal has the authority to sue Health Net for violations of the Health Insurance Portability and Accountability Act (HIPAA) under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Blumenthal is also seeking a court order that would require Health Net to encrypt all protected health information that resides on portable electronic devices. Health Net has acknowledged that in May 2009, it learned that a portable disk drive containing the information was missing from a Connecticut office. The unencrypted data include insurance claim forms, medical records, and Social Security and bank account numbers. In addition to the security failure, Blumenthal charges the company with a failure to provide prompt notice to breach victims following the discovery of a missing computer disk from Health Net’s Shelton offices. Blumenthal said the suit is the first by a state AG under HIPAA. [Health Imaging] See also: [CNN: Hospitals Hiding Behind HIPAA?]


US – Health Care Provider Sued Over Privacy Issue

A Wisconsin health care provider is being sued by several patients who claim the company violated their privacy when it disclosed their personal medical information in bankruptcy court. The class action lawsuits filed in federal and state court say Aurora Health Care Inc. included patients’ medical history when it routinely filed claims against debtors in bankruptcy court. Susan Dandridge filed for bankruptcy protection last year. Dandridge says she never thought her personal medical information would become “an open book.” Dandridge and others want the information taken out of debtors’ files. The Milwaukee Journal Sentinel reports they’re seeking $25,000 in damages for each person whose medical information was revealed. [Source]


AU – Charity Accused of Abusing Trust

The Australia Privacy Foundation has accused the St. Vincent de Paul Society of betraying donor trust by allowing a data broker to help develop a survey mailed to donors over the Christmas season, and then sharing the information with the company. The charity defended its actions--which may have violated aspects of the Privacy Act--by saying that it opened its donor list in order to build a mailing list which was then used to distribute the four-page questionnaire to 20,000 people. The survey was conducted under the data broker’s privacy policy, not the charity’s. For its part, the broker says it complied with privacy legislation. [The Age]


US – Online STD Testing Raises Concerns

A Chicago company has launched a new online service that uses the anonymity of the Internet to help individuals test for sexually transmitted diseases, but the service is also raising questions from some about the security of such sensitive information online. The service helps people find local clinics where they can be tested for one of eight STDs, and even provides online notice if a test returns negative. Patients may receive direct notification from a professional in the event of a positive test result. Mark Hodar of the Howard Brown Health Center in Chicago expressed concerns about the privacy and sensitivity of sharing information online, while acknowledging the potential advantages. [Medill Reports]


US – HITECH May Pose Challenge for Healthcare Orgs

The healthcare industry is sending mixed signals about its technical readiness to qualify for federal incentive payments under the HITECH Act. While many hospital administrators say their organizations are on track with the government’s technical requirements, healthcare professional organizations seem to think the new rules are complex and may hinder progress toward a national healthcare network. A recent survey by healthcare technology services provider CSC found that, while 98% of healthcare organizations have policies in place related to information security and privacy, only 52% are currently using encryption or data anonymization technology. [HealthLeaders Media]


Horror Stories


US – Intruders Steal Bank Login Data

Attackers gained access to a server at a small New York state bank and made off with login information for 8,600 accounts. The information was stolen over a period of six days last November; it was discovered during a security review in December. Suffolk County National Bank “isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server.” The bank has begun notifying affected customers by mail. [The Register]


US – Northern California Kaiser Suffers Breach

The personal and sensitive medical information of about 15,500 patients of Northern California Kaiser was compromised last month after an external storage drive was stolen from an employee’s car, according to the San Francisco Chronicle. The breach, which was disclosed this week, occurred in December and Kaiser officials say the compromised information may include names, addresses, telephone numbers, medical record numbers, age, gender and information related to treatment. No Social Security numbers or financial information was included on the drive, the hospital said. Kaiser said it has fired the individual responsible for the breach for unauthorized use of electronic medical data. [Source]


US – Preliminary Settlement Approval in Class Action

A federal judge in Kentucky last week granted preliminary approval to settle a class-action lawsuit related to the Countrywide Financial data breach that exposed the personal data of millions, reports SC Magazine. The settlement would provide victims with free credit monitoring and up to $50,000 remuneration for incidents of identity theft. Two Californians were charged with downloading batches of Countrywide customer data over a period of two years. A final approval hearing on the settlement is pending. [SC Magazine] see also: [Hacker in Heartland, Hannaford Breaches Pleads Guilty]


Identity Issues


UK – National ID Registry Includes National Insurance Data

UK Home Secretary Alan Johnson confirmed for Parliament this week that among the data included in the country’s National Identification Registry are National Insurance numbers as well as challenge questions used to speed the customer service process. The revelation is likely to reinvigorate critics of the program who maintain a mandatory national identification card is a threat to personal privacy. Currently the program is voluntary for UK residents and mandatory for non-resident skilled workers. Biometric data is also collected for the registry. [ZDNet]


US – 1 in 6 Massachusetts Residents Affected by Data Breaches from 2008 Through 2009

According to the Boston Globe, its review of state-recorded data breaches showed that at least 1 million state residents - 1 in 6 Massachusetts residents - had their data compromised through credit card theft, unauthorized medical information disclosures, or other types of confidential data breaches. The Globe also provides a list of some of the more prominent data breaches reported to the state from June to November 2009 - there were 13 of them affecting over 88,000 residents. In 2007, Massachusetts passed a law requiring that institutions such as banks, stores and universities inform consumers and state regulators about security breaches that might result in identity theft. Since then, some 807 data breaches had been reported to state officials by the end of November 2009. The Globe said that 60% of the disclosed data breaches were caused by criminal acts, while 40% were due to negligence. [Source]


CA – Manitoba Ombudsman Concerned About New Licence

Manitoba’s ombudsman has again raised privacy concerns regarding the introduction of the enhanced identification card and this week’s introduction of the new enhanced driver’s licence. The documents allow Manitobans to cross the border into the United States by land or water without a passport. In a news release this morning, Irene Hamilton said after consulting her office, Manitoba Public Insurance has limited the amount of personal information it requires to process an application for the enhanced ID and driver’s licence cards. “However, we are concerned that these policies may not be properly followed to protect third-party personal privacy,” Hamilton said. The ombudsman said that anyone holding a passport does not need a Manitoba enhanced ID card or an enhanced driver’s licence. [Source]


Intellectual Property


EU – France Three Strikes Law Delayed by Govt’s Own Data Watchdog

France’s “three strikes” law threatening Internet disconnections for repeat copyright infringers should have been in effect by now, but it hasn’t yet become law due to one French privacy agency. The sticking point is the new authority (referred to as HADOPI after its initials) that oversees the graduated response process. HADOPI will compile lists of (alleged) offenders, along with dates, number of infractions, penalties, etc. CNIL wants to make sure that this data collection safeguards privacy, and so it has refused to issue the necessary sign-off letter that the government needs to put the law into operation. [Ars Technica]


Internet / WWW


WW – Google Aims to be Keeper of All Secrets

Google yesterday announced it will begin allowing users to upload almost any digital file to its servers through its Google Docs service -- in essence offering anyone a free online storage drive. However, the new service represents one more area in which users will have to decide whether they trust the technology titan to protect, and not misuse, their data. Although users could already upload documents created by various programs such as Microsoft Office to their Google Docs account, the new changes will allow most files -- including photos, music and video files -- to be uploaded to the Web, stored “in the clouds” and made accessible from any computer with an Internet connection. But between its Gmail e-mail service, its YouTube video sharing site, its ubiquitous search engine and now the storage service, some observers are questioning whether users are trusting companies such as Google and Facebook with too much information about their online lives and Web habits. Google has gone to great lengths to assuage fears and encourage trust among its users with respect to how it handles their personal information. In November, Google unveiled Google Dashboard, a site on which any user with a Google account – such as a Gmail address – can log in and see what information and personal data the search engine powerhouse stores concerning their Web habits. With respect to the new Google Docs service, Google said it will not scan the contents of documents such as Word files and that when a user deletes a file from the Google Docs server, it will not retain a copy of it. However, it could take up to 30 days for that file to be wiped from the company’s main servers, and an additional 60 days for it to come off the company’s offline backup servers. Although Google will charge some users for storage space, analysts said the company likely doesn’t view the new storage system as a means of generating revenue to complement its online advertising business. [Source]


US – FTC Roundtable Will Address Cloud Computing Privacy Issues

The US Federal Trade Commission (FTC) will hold a roundtable session on January 28 at the University of California, Berkeley to discuss the consumer privacy ramifications of cloud computing. The FTC will also seek input on cloud computing privacy issues from industry stakeholders. The focus on cloud computing comes in response to a Federal Communications Commission (FCC) Notice of Inquiry seeking information that will help the FCC formulate a National Broadband Plan. The FTC held a roundtable discussion in December that addressed privacy issues associated with online data collection and use and behavioral advertising. A third roundtable discussion will be held later this year. In a separate story, the FCC has asked for a one month extension for submitting its National Broadband Plan; it was originally supposed to be ready on February 17, 2010. [ComputerWorld] [ZDNet] [InformationWeek] [Washington Post] SEE ALSO: [EU ENISA Report]


WW – Consortium Outlines Cloud Definition, Components, Guidelines

In an effort to help establish clarity, the Cloud Security Alliance (CSA) has issued a paper that it hopes will help to create greater standardization around what cloud computing is. The CSA warns that security presents a number of challenges for companies moving operations to the cloud. “Integrating security into these solutions is often perceived as making them more rigid,” the paper states. “This rigidity often manifests in the inability to gain parity in security control deployment in cloud environments compared to traditional IT.” [Industry Week] [CSA Guidance page] [17 Dec 2009 version]


Law Enforcement


UK – Number of Crimes Caught on CCTV Falls by 70%, Metropolitan Police Admits

Prosecutions linked to CCTV have fallen in parts of Britain, raising questions about the true impact of the security cameras. The drop has raised fears that the effectiveness of CCTV has been exaggerated. Prosecutions in Britain’s largest force fell once it changed the way detections linked to cameras were recorded. The Metropolitan Police saw the number of solved crimes linked to CCTV drop by more than half in just five years. Other forces are expected to have seen a similar effect. Figures released under the Freedom of Information Act to The Daily Telegraph show a 71% fall in the number of crimes “in which CCTV was involved” in the Metropolitan Police area, from 416,000 in 2003/4 to 121,770 in 2008/9. The number of these crimes which resulted in a charge, summons or caution fell from 47,000 to 23,000 over the same period. The proportion of all crimes solved using CCTV in London also fell from half in 2003/4 to one in seven in 2008/9. A report by a House of Lords committee last year found that £500 million was spent on new cameras in the 10 years to 2006, money which could have been spent on street lighting or neighbourhood crime prevention initiatives. Last month the Home Office appointed the first ever CCTV regulator who will vet how camera images are used. [Source]


US – Police Fight Cellphone Recordings

Simon Glik, a lawyer, was walking down Tremont Street in Boston when he saw three police officers struggling to extract a plastic bag from a teenager’s mouth. Thinking their force seemed excessive for a drug arrest, Glik pulled out his cellphone and began recording. Within minutes, Glik said, he was in handcuffs. The charge? Illegal electronic surveillance. There are no hard statistics for video recording arrests. But the experiences highlight what civil libertarians call a troubling misuse of the state’s wiretapping law to stifle the kind of street-level oversight that cellphone and video technology make possible. [Full article]


US – Mass. Police Arresting Call Recorders

Police in Massachusetts have begun arresting individuals who have recorded their phone conversations with on-duty police officers without the officer’s consent. Individuals arrested have been charged with violating the state’s wiretapping laws which require two-party consent, in keeping with a 2001 state supreme court ruling that said, “Secret tape recording by private individuals has been unequivocally banned, and, unless and until the Legislature changes the statute, what was done here cannot be done lawfully.” Boston police argue in support of the arrests by stating that the recordings violate their privacy rights, and interfere with their ability to do their jobs. [Reason Magazine]




EU – ‘Monster’ German Employee Database Goes Online

In what has been described as Germany’s “largest ever data acquisition program,” ELENA--a new employment database--began operation on January 1. Employers are required to submit employee income data monthly to the country’s ELENA system to track eligibility for social payment programs. Deutsche-Welle reports income data will be aggregated beginning in 2012 whether or not individuals qualify for social welfare benefits. Peter Schaar of Germany’s Data Protection and Freedom of Information Commission has sharply criticized the project, saying “I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.” [Source]




CN – China Passes Privacy Protections Law

The Chinese government has enacted a sweeping tort liability law--the PRC Tort Liability Law--that includes provisions specific to the protection of personal privacy. The law, passed on December 26 and expected to take effect on July 1, covers not only privacy, but also environmental damage and animal bites while establishing parameters for liability in cases where organizations are found to have mishandled personal information. For the first time, PRC Tort Liability Law creates specific private rights of action for citizens in cases where they believe their privacy has been violated. [Hunton & Williams Client Alert]


MA – Marianas Call For Alien Registry

The Fitial Administration of the Commonwealth of the Northern Mariana Islands (CNMI) has called for a mandatory national registry for any aliens who remain in the islands for more than 90 days. The registry has been proposed in response to a change in U.S. law that places CNMI immigration under the direct control of the U.S. federal government and was drafted in cooperation with the U.S. Department of Homeland Security. Registration would likely include biometric data, such as fingerprints, photographs and other personal information. The public comment period for the policy ends on January 8. [Saipan Tribune]


EU – Israel Receives Adequacy Status

The Article 29 Data Protection Working Party has deemed that Israel offers an adequate level of data protection. The party released its Opinion 6/2009. “The Working Party believes that Israel guarantees an adequate level of protection according to provision 6 of Article 25 of Directive 95/46/EC...on the protection of individuals with regard to the processing of personal data...” the document states. The principality of Andorra also has received adequacy status from the Working Party. [Source]


Online Privacy


WW – Privacy No Longer a Social Norm, Says Facebook Founder

The rise of social networking online means that people no longer have an expectation of privacy, according to Facebook founder Mark Zuckerberg. Talking at the Crunchie awards in San Francisco, the 25-year-old chief executive of the world’s most popular social network said that privacy was no longer a “social norm”. His statement may not be a surprise, particularly since it helps to justify the company’s recent – and highly controversial – decision to change the privacy settings of its 350 million users. [Guardian] See also: [Leibowitz Feels that FTC May Lean Towards Online Opt-In] and [Privacy Threatened by Online Life]


WW – Profile Purgers Come Under Fire

Services that help social networkers expunge their accounts have come under the scrutiny of Facebook. According to the report, last month the company sent a cease-and-desist letter to Les Liens Invisibles, the company behind the platform that assists users in committing “Facebook suicide.” A Facebook spokesperson said the service causes users to violate Facebook terms of service and breaks anti-hacking and spam laws, among others. The Los Angeles Times reports that Facebook is also blocking the IP address of Web 2.0 Suicide Machine, another deactivation platform, and has filed a lawsuit against social networking data aggregator, [MediaPost]


EU – German Justice Minister Lashes Out at Google Over Data Protection

Germany’s minister of justice has chastised Google over its business strategy and “lack of transparency” regarding user data. In an interview with German magazine Spiegel, Sabine Leutheusser-Schnarrenberger said the company must clearly inform users of what is happening with their data. “If this does not occur, then perhaps we will be required to step in as lawmakers,” she said. [DW]


EU – Schaar Proposes Grading Agency for Social Networks

German data protection commissioner Peter Schaar has proposed an independent ratings agency to alert users to the risks of social networking, reports Deutsche Welle. Peter Schaar says that the privacy policies of many social networks fail to protect users’ data, and that an independent consumer protection agency could grade social networks on their privacy offerings. “What’s important to me,” Schaar said, “is that people are aware of what they’re doing, what information they’re putting on the Internet and the problems associated with certain activities.” [DW-World]


WW – Social Media Data Not Yet Useful For Analytics

While the number of users on Twitter, Facebook and other social-networking sites continues to grow, business intelligence practitioners remain skeptical about the value of knowledge such services could generate, if one survey by a data warehousing firm is any indication. Kognitio surveyed 125 people on its sales contact list about the potential value of social-networking tools, in terms of providing raw data that could be analyzed. Respondents were ambivalent about this possible new source of intelligence, however. Only 14% of the respondents said they have any desire to incorporate social-networking data into their current data analysis efforts. A total of 63% of the respondents were “undecided” about the potential value of aggregated social-networking data, and 23% called social media “overrated.” Kognitio released the results of the survey at the National Retail Federation’s annual conference, being held this week in New York. Thompson said while organizations have started using social-networking sites as marketing tools, less thought has been thus far dedicated to analyzing feedback such sites could generate. Thompson speculates that most BI practitioners are too busy refining the existing systems to look into new sources of raw data. Once upper management starts to see the strategic value in analyzing the chattering of the many, however, then we might see more social media-based BI. [Source]


WW – Pepsi Social Network Launches into Privacy Storm

Rather than invest in a Super Bowl advertising campaign, Pepsi instead has invested $20 million in a social networking marketing strategy called Pepsi Refresh that, within hours of its launch, faced serious technical and privacy concerns, reports the Washington Post. In addition to encountering errors with the interface used to submit ideas to Pepsi Refresh, users reported that the personally identifiable information of other subscribers became linked to ideas they submitted. Pepsi acknowledged the problem in a statement that said: “We are aware of site issues and are working towards getting everything resolved.” [Source]


EU – German Murderers Sue to Remove Name in News Accounts

Wolfgang Werlé and Manfred Lauber, half brothers who were imprisoned for killing an actor in a celebrated 1990 case in Germany, are suing the online encyclopedia that relies on volunteers, Wikipedia, to forget them. Now out of prison, the pair claims in a lawsuit that German court precedents allow the suppression of a criminal’s name in news accounts once he has paid his debt to society. Their attorney has already successfully pressured German publications to remove the killers’ names from their online coverage. German editors of Wikipedia have scrubbed the names from the German language version of the article about the victim, Walter Sedlmayr. The highest court in Germany ruled last month that the legal principle in Germany does not require all Web sites in the country to erase the names. Now the attorney is suing in Germany to compel the American organization that runs Wikipedia to erase the names in the English-language version of the encyclopedia. The attorney pressured The New York Times to delete the names from an article in November about the lawsuit but did not succeed. [Privacy Journal]


Other Jurisdictions


SG – New Law OKs Research Access to Public Data

Following a change to its Statistics Act earlier today, Singapore’s Department of Statistics will allow researchers to access data collected by public agencies provided the information contains no personal identifiers. Parliament made the change despite lingering privacy and ethics concerns. West Coast GRC MP Ho Geok Choo said: “There is a concern of accidentally revealing the identity or sensitive information. It is imperative that Singapore safeguards the data obtained and ensure that it does not fall into unauthorised hands.” [Source]


Privacy (US)


US – FCC Wants Comments on Privacy

The Federal Communications Commission (FCC) is seeking public comments about online privacy. The move follows a Center for Democracy & Technology request for the commission to include an exploration of privacy issues as it creates a national broadband plan. The Federal Trade Commission made a similar urging in September. The FCC asks for comments about “the use of personal information and privacy in an online, broadband world,” according to the report. The commission is also seeking comments about online privacy as it relates to cloud computing. [MediaPost News] From Sept 2009: [FTC Urges FCC To Consider Behavioral Targeting In Broadband Plan | FTC Comments]


US – Full Body Scanners Used by TSA Present Privacy Concerns

According to documents obtained by the Electronic Privacy Information Center (EPIC) under a Freedom of Information Act (FOIA) lawsuit, the full body scanners currently being used by the Transportation Security Administration (TSA) are capable of retaining and transmitting images. The documents indicate that the Windows XP-based machines may be vulnerable to tampering. According to the Department of Homeland Security (DHS) website, the machines are delivered to airports without the ability to store, print or transmit images. The ability to store and send images was reportedly enabled only during the machines’ testing period. The scanners are not connected to each other, nor are they connected to the Internet. The machines are currently used in about 20 airports nation-wide; the TSA plans to deploy them at all major airports. [ComputerWorld] [WIRED] and: [NYT: Anti-Scanner Sentiment Builds Overseas]


US – Rockyou Sued Over Data Breach

An Indiana man filed a lawsuit against RockYou alleging that the provider of social-networking apps failed to secure its network and protect customer data, enabling a hacker to grab passwords of 32 million users earlier this month. [CNET]


Privacy Enhancing Technologies (PETs)


US – HHS Wants Contractor to Test Privacy of ‘Anonymous’ Data

The United States Department of Health and Human Services (HHS) plans to hire a contractor to test whether de-identified data—records stripped of information tying it to specific individuals—can truly protect the privacy of individuals. De-identification and re-identification of healthcare records has become an important issue as the U.S. moves to create a national electronic health data network. Data de-identification is a critical component to maintaining privacy under HIPAA rules. According to the HHS notice, “The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude ‘brute force’ matching, demonstrate the ability or inability to re-identify the data.” [Source]
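The notice asks whether a de-identified data set can be re-identified without brute-force matching. The usual first check a privacy engineer runs is whether any record is unique on its quasi-identifiers, since a unique combination can be linked to a person through any public list carrying the same fields. The following is an added example, not from HHS or any contractor; the record set, field names and generalization rules are all constructed.

```python
"""Re-identification risk check over a constructed de-identified data set.

Added example (not from the HHS notice). The records below have no names
or Social Security numbers, but "zip", "birth_year" and "sex" are
quasi-identifiers: a row that is unique on them is linkable to an
individual. k-anonymity measures the smallest group sharing the same
quasi-identifier values; k == 1 means at least one row is unique.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed sample records; ZIP codes and diagnoses are illustrative only.
DEIDENTIFIED = [
    {"zip": "02138", "birth_year": 1970, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1970, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip": "02140", "birth_year": 1983, "sex": "M", "diagnosis": "hypertension"},
]


def qi_key(record: dict) -> tuple:
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def k_anonymity(records: list) -> int:
    """Smallest number of records sharing one quasi-identifier combination."""
    counts = Counter(qi_key(r) for r in records)
    return min(counts.values()) if counts else 0


def unique_records(records: list) -> list:
    """Records whose quasi-identifier combination appears exactly once.

    These are the rows a linkage against a public list could single out.
    """
    counts = Counter(qi_key(r) for r in records)
    return [r for r in records if counts[qi_key(r)] == 1]


def generalize(record: dict, zip_prefix: int = 3, year_bucket: int = 10) -> dict:
    """Mitigation: coarsen quasi-identifiers (ZIP prefix, birth decade).

    The generalization rules here are constructed for the example, not
    taken from any HIPAA safe-harbor rule.
    """
    out = dict(record)
    zip_code = record["zip"]
    out["zip"] = zip_code[:zip_prefix] + "*" * (len(zip_code) - zip_prefix)
    out["birth_year"] = record["birth_year"] - record["birth_year"] % year_bucket
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(DEIDENTIFIED))  # 1
    print("unique rows:", len(unique_records(DEIDENTIFIED)))  # 2
    coarse = [generalize(r) for r in DEIDENTIFIED]
    print("k after generalization:", k_anonymity(coarse))  # 2
```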




US – NH House Votes to Bar Implanting Tracking Devices

The New Hampshire House of Representatives has voted to prohibit the implantation of tracking devices in humans without their written consent. The bill, approved by a 186-170 vote yesterday, also includes a provision banning the use of RFID tags to track consumers, and would require consumer notice for any goods implanted with an RFID tag. Furthermore, the bill would prohibit cloning of RFID-enabled debit and credit cards. The bill must now be considered by the Senate before being signed into law. [Source]


US – Rhode Island Legislature Passes RFID Bill Vetoed by Governor

The Rhode Island legislature on Jan. 5 overrode a veto by Gov. Donald Carcieri, his third, of a bill to restrict use of radio-frequency ID (RFID) tags on school children. The bill, S. 211, also declares that RFID information in E-Z Pass toll systems is not public information and may be provided to law enforcement only with a court order. [Privacy Journal]


PH – Philippines High Court Stops RFID, Tells LTO to Refund Fees

The Philippines’ Supreme Court has stopped the Land Transportation Office (LTO) from implementing the radio frequency identification (RFID) system for motor vehicles. In an en banc session, the Supreme Court issued a status quo ante order — one restoring the situation that existed before the implementation of the contested program — on the RFID. Deputy Court Administrator Jose Midas Marquez, Supreme Court spokesperson, told reporters that Bayan Muna’s and Piston’s petition against the RFID remained pending before the Supreme Court. LTO Chief Arturo Lomibao had assured that the agency’s traffic enforcers are properly trained to enforce the electronic tagging of motor vehicles. This was in response to the recommendation of the Commission on Human Rights (CHR) that the LTO give proper training to all personnel who will handle critical roles in the implementation of the project, to prevent abuses that could result in human rights violations. Lomibao has also assured the CHR that the agency’s RFID does not pose any threat to individual privacy, as proper safeguards have been installed to prevent any violation of human rights and possible abuses by enforcers. According to the LTO, the system can only retrieve data from a tagged vehicle within a radius of 10-12 meters. [Source] [Philippines Motorists Assured on RFID Plan]




US – Pentagon’s Planned Cyber Command Faces Questions From Lawmakers

Efforts to establish the Pentagon’s computer network defense command have been slowed by congressional concerns about privacy and clarity about the command’s mission. A major concern is how the command will “mesh” with existing agencies and organizations, particularly the National Security Agency (NSA). The command was originally slated to launch on October 1, 2009. [Washington Post]


EU – German Pirate Party Protests ‘Naked’ Scanners in Their Underpants

Scantily clad Pirate Party supporters demonstrated over the weekend at several German airports to show their opposition to controversial “naked” scanners planned for security checks. Despite the frigid temperatures outside, the protesters assembled nearly naked groups at airports in Berlin, Frankfurt and Düsseldorf on Sunday afternoon. The participants stripped down to their underpants, marching behind signs that read: “No need to scan us - we’re already naked.” A statement on the party’s website said they opposed the new security scanners because they threaten the “private sphere and the personal rights of passengers.” Germany’s data protection commissioner, Peter Schaar, warned officials last week not to rush the implementation of the full-body scanners at airport security stations. Meanwhile Chancellor Angela Merkel’s conservatives said use of the scanners would be fast-tracked for introduction within the year. The German Pirate Party was inspired by the Swedish Piratpartiet and founded in 2006. In the September 2009 federal election they garnered two percent of the vote. [Source and photograph]


US – Airport Scanners Can Store, Transmit Images

Contrary to public statements made by the Transportation Security Administration, full-body airport scanners do have the ability to store and transmit images, according to documents obtained by the Electronic Privacy Information Center. The documents, which include technical specifications and vendor contracts, indicate that the TSA requires vendors to provide equipment that can store and send images of screened passengers when in testing mode. The TSA has stated publicly on its website, in videos and in statements to the press that images cannot be stored on the machines and that images are deleted from the scanners once an airport operator has examined them. The administration has also insisted that the machines are incapable of sending images. But a TSA official acknowledged to CNN that the machines do have these capabilities when set to “test mode.” The official said these functions are disabled before the machines are delivered to airports and that there is no way for screeners in airports to put the machines into test mode to enable the functions. The official, however, would not elaborate on what specific protections, if any, are in place to prevent airport personnel from putting the machines in test mode. The TSA also asserts that the machines are not networked, so they cannot be accessed by hackers. [Source]


SK – South Korean Military to Ban USB Drives

The South Korean military says it will ban the use of USB drives. The South Korean military is building a new data transfer system; once that system is complete, use of USB drives will no longer be permitted. The decision comes in the wake of attempts to infiltrate South Korean military computer systems. Last year, information about a joint South Korea/US military contingency plan was compromised due to the use of a portable storage device. [GCN]


US – Beware Who Fixes That Broken Laptop

Data-recovery services are responsible for a surprisingly large chunk of privacy breach incidents, in which companies lose control of personal data pertaining to employees or customers, according to a study released last week by the privacy-focused group the Ponemon Institute. Data-recovery services are responsible for as many as one in five of the data-loss incidents at companies that hire the services, the report says. The Ponemon study surveyed 636 information technology professionals who had used data-recovery services or had knowledge of them. Of the 83% of respondents whose organizations had at some point lost their customers’ sensitive data, 19% said they had experienced a data breach when they hired a third-party data-recovery firm. [Source]


Smart Cards


AU – Qld Ticketing ‘Theft’ Investigated

Two Australian call centre operators have been stood down after an incident cast doubt on the security of the Queensland government’s paperless public transport ticketing system, the go card. Acting Premier Paul Lucas said an investigation was under way to determine why a commuter’s go card was stripped of funds and the money transferred to another commuter’s account. [The Australian]




CA – Public not Worried About Increased Public Surveillance: Report

The use of surveillance cameras on city streets in Canadian cities is “mushrooming,” but so far the public appears unconcerned, according to a new report by the Surveillance Camera Awareness Network (SCAN). Among other things, the Ontario Provincial Police is acquiring surveillance cameras with automated licence-plate-recognition technology, and the RCMP has installed hundreds of cameras at Vancouver Olympic venues and tourist sites. As well, Montreal, Toronto and Vancouver have deployed thousands of surveillance cameras on their transit systems, and half a dozen Canadian cities, including Ottawa, have adopted taxi cameras. Surveillance cameras “generally seem to be accepted without demur,” the report says. Indeed, “public opinion is generally very favourable to their installation.” A nine-nation survey found “the overwhelming majority” of those polled believe camera surveillance is effective at reducing crime. In Canada, nearly three in four hold that view. What’s lacking, says the report, is evidence to support that belief. “Plenty of rhetoric and promotional hype is available, but very little by way of serious and solid study.” SCAN, whose report is to be presented at a workshop at Queen’s University in Kingston, Ont., Friday, is a group of academics operating under the banner of Queen’s Surveillance Studies Centre. The new report builds on research in a report released a year ago. [Source] [A Report on Camera Surveillance in Canada - Part One - Surveillance Camera Awareness Network (SCAN) - January 2009] [A Report on Camera Surveillance in Canada - Part Two - Surveillance Camera Awareness Network (SCAN) - December 2009]


NZ – Law Enforcement and Intelligence Agents Get Increased Surveillance Powers

Police and Security Intelligence Service agents in New Zealand now have expanded powers of surveillance over citizens’ online activity. All mobile phone calls and texts, email and Internet activity, including chatting and social networking, can now be monitored anywhere in the country. Officers must still obtain warrants for information gathering, but phone, email and internet activity can now be covered by a single warrant. The changes were deemed necessary because criminals are turning to new technology to communicate. Documents obtained by a news source suggest that the changes were made not because of domestic needs, but because of pressure from the US for standardized surveillance capabilities around the world. Technology for monitoring the activity has been installed.


US – Bank Thieves Foiled by GPS-Spiked Cash

Forget exploding dye packs. Three thieves who made off with about $9,000 in cash from an Illinois bank were thwarted by a GPS device inserted in the cash that led authorities straight to their door. The three made off with a nylon bag full of money. But unknown to them, the bag contained two GPS-tracking devices hidden among the bills. Signals from the devices led police to the home of one of the suspect’s parents, where the thieves were arrested about an hour after the robbery. [Source]


CA – Would You Track Your Kid by GPS?

A portable GPS device that can be inserted into a backpack and used to monitor a child’s whereabouts is being tested in Canada. Word of the device, called the Entourage PS, has sparked discussion over the advantages and disadvantages of parental surveillance, including the possibility of obsessively checking a child’s location on a handheld device, sending police after a lost child should there be a bag mix-up at school or using the device to surreptitiously track other people. The question of security was also raised, including the potentially negative implications of a data security failure, allowing other people to also track a child. [Wired]


Telecom / TV


AU – Fury at Telstra Over Phone Privacy Breach

Telstra is under fire for a serious privacy breach after a Melbourne man’s personal contact list ended up on another man’s brand new iPhone. Nathan Fallon was given an iPhone as a gift two days before Christmas and was shocked to find it already contained 182 contact names and numbers. Staff at the Watergardens T(life) store, where the phone was bought, advised him to immediately delete the contacts, but he called the number marked “home” in the phone. The number belonged to Stan Soutaris, who lived in a neighbouring suburb and was distressed to think his contact list may have been distributed to other iPhone buyers. “If the supposed premier carrier is doing this to people, what are smaller, dodgy ones doing to us?” Mr Soutaris said. [Source]


IN – High Court to Telecoms: Respect Consumer Privacy

Cellular telecommunications companies in India this week received a sharp reprimand from a Bombay court, which ruled that Vodafone violated consumer privacy rights by sharing database information with call centres and other organizations. In his ruling, Justice S.D. Dharmadhikari made a distinction between the type of information formerly made publicly available through telephone directories and the kind of information being sold by the cellular telephone company: “Subscribers’ numbers are made available to call centers and other agencies. It appears that unlike telephone directories, which were maintained in earlier days, all the details of subscribers are put up [for sale] by service providers.” [DNA India]


US Government Programs


US – FTC Set to Examine Cloud Computing

The FTC is investigating the privacy and security implications of cloud computing. In a filing with the Federal Communications Commission, FTC Consumer Protection Bureau chief David Vladeck wrote that while the commission recognizes the cost-savings potential of the cloud, “the storage of data on remote computers may also raise privacy and security concerns for consumers.” The FTC is also examining identity management systems, according to the report. [The Hill]


US – FTC Seeks Public Comment on New COPPA Guidelines

The Federal Trade Commission (FTC) this week issued a call for public comment on a set of proposed guidelines to help businesses comply with the Children’s Online Privacy Protection Act (COPPA). The proposed guidelines were submitted by iSAFE, a nonprofit organization dedicated to promoting a safe online experience for children. If adopted by the FTC, the guidelines--designed to encourage better self-regulation among Web sites targeting children under the age of 13, or sites that knowingly collect information from children under the age of 13--would constitute a safe harbor program under COPPA. The public comment period will last 45 days from January 6. iSAFE’s safe harbor application and the public comments received will be posted on the FTC’s Web site. [Source: Pogo was right]


US Legislation


US – Maine Legislature Presents New Marketing-to-Minors Law

The Maine legislative session opened this week with the introduction of a new predatory marketing bill--LD 1677. According to a NetChoice summary, the bill would repeal the beleaguered LD 1883, which was signed into law last year but faced major opposition from industry groups, leading Maine’s attorney general to promise not to enforce the law. The new bill applies to online information only and is limited to pharmaceutical marketing. It gives the attorney general the power to adopt rules to determine its scope. Violation of the law would be considered an unfair trade practice. [Source]


CA – Airlines Say Secure Flight Forces Privacy Law Violations

Canada’s major airlines say they will be forced to either break privacy laws or ignore new American air security rules unless the federal government steps in. The U.S. Secure Flight program requires the collection of certain personal details of international air travelers who fly through American airspace on Canadian carriers. But the National Airlines Council of Canada says that sharing such data with U.S. authorities would force carriers to breach PIPEDA. The council wants the federal government to come up with a solution. [Source]


Workplace Privacy


US – FTC: Businesses Liable for Employee Statements on Social Networking Sites

New FTC guidelines that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’s products and services and fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements. To reduce the potential for liability for these types of employee statements, businesses should adopt social networking policies that make clear that only authorized spokespersons may speak on behalf of the company, that all other employees must avoid making any statements that could be viewed as official communications of the company or endorsements of its products and services, and that employees must make clear their relationship with the company when making statements online. For example: “I am an employee of XYZ Corporation. These comments represent my own opinions and not those of my employer. I am not a company spokesperson.” The company should also implement procedures to monitor compliance with its policies and the use of its name online. [Source]