Privacy News Highlights

16–22 January 2010



CA – PCC Announces New Privacy Research Funding Priorities. 3

CA – Commissioner Seeks Input on Social Networking and Privacy. 3

CA – Loukidelis Leaving Post to Become Deputy AG.. 3

CA – Privacy Complaint Filed Against Youth-Oriented Website. 3

CA – CAPAPA Celebrates Data Privacy Day Across Canada. 3

US – Ad Groups Write to Senate Committee on FTC Powers. 4

UK – Tim Berners-Lee To Launch British Government’s Free Data Web Site. 4

US – NIST Awards Contract to Create EHR Certification System.. 4

US – Heartland Will Move to End-to-End Encryption. 4

EU – Art 29 WP Publishes Five Documents on 12 Jan 2010. 4

EU – Irish Privacy Commissioner Issues Data Protection Audit Resource. 5

EU – Irish Privacy Commissioner Issues Data Protection Checklist 5

EU – Irish Privacy Commissioner Issues Guidelines for Website Privacy Statements. 5

US – Breach Media Reports Down. 6

US – Hillary Clinton Calls for Web Freedom, Demands China Investigate Google Attack. 6

CN – China Slams Clinton’s Call for Internet Freedom.. 6

EU – Turkey Blocking 3,700 Websites, Reform Needed: OSCE. 6

EU – EU Threatens Block of U.S. Bank Data Transfer 6

US – Bank Shares Customer Info Against Her Wishes. 7

US – Tweeting for Better Credit 7

EU – New Irish Legislation Requires Suspects, Prisoners to Provide DNA Samples. 7

CA – Alberta Health Act Proposed by Government Committee. 7

CA – Border Agents to Disclose Names of Doping Athletes. 8

EU – Germany Fines Drug Chain for Data Retention. 8

US – Health Net Breach Could Be Costly. 8

US – Lincoln National Warns Customers of Potential Data Security Breach. 8

WW – Background Checks? There’s an App for That 8

US – MN to Probe Background Check Controversy. 9

CA – Fraud Detection “Unacceptable Reason” to Collect DL Numbers for Memberships. 9

EU – Proposed Web Video Restrictions Cause Outrage in Italy. 9

WW – Microsoft Calls for Cloud Law.. 9

WW – Microsoft Reduces Search Data Storage Limit 10

WW – Google Calls for EU Privacy Panel 10

US – Hospital Releases Phone Numbers for Survey. 10

EU – Greek Privacy Watchdog Likely to Allow Street View.. 10

EU – Article 29 WP Issues Opinion on Online Social Networking, Working Paper 163. 10

WW – New Service Hamstrings Google Data Hoarding. 11

WW – UN Issues Call for International Privacy Agreement 11

UN – Official Calls for Int’l Declaration on Data Protection. 11

US – Ad Groups Write to Senate Committee on FTC Powers. 12

US – Court Rules for State in Montana Privacy Challenge. 12

EU – Europe Publishes RFID FAQ.. 12

EU – Commission Provides Privacy Guidance for RFID Applications. 12

US – Mexican Border Patrol, State Governments Leverage RFID Vehicle Registration. 13

WW – Does Your Password Say “Hack Me?”. 13

US – Password Error May Have Exposed 1.2 Million. 13

CA – Pearson Gets First Full-Body Scanner 14

EU – EU Puts Off Reply to U.S. Request for Airport Body Scanners. 14

UK – Body Scanner Favoured in Poll 14

CA – Most Canadians Support Use of Naked Airport Scanners: Poll 14

AU – ALRC Renews Data Loss Financial Penalty Call 14

EU – Spain Issues Strict New Limitations on Video Surveillance. 14

UK – Virgin to Test Deep Packet Inspection Technology to Look for Illegal Downloading. 15

US – FBI Broke Law for Years in Phone Record Searches. 15

US – DHS Privacy Office Releases Data Mining Report 15

US – Law Would Ban Broad Information Gathering by Police. 16

US – Bill Would Close Access to Gun Permit Database. 16

UK – Most Employers Screening Candidates Online: Report 16

CA – Ring Agrees with Workers at Iron Ore Co. 16







CA – PCC Announces New Privacy Research Funding Priorities

The PCC welcomes extension of federal funding program that has supported more than 50 privacy-related research initiatives since 2004 up to $500,000 in funding will be available for research and public awareness initiatives related to important trends and influences affecting the privacy of Canadians. The PCC is especially interested in receiving grant applications from researchers examining, from a scientific or technical standpoint, the impact of information technologies on privacy. The OPC is also inviting research proposals that would explore privacy in three other priority contexts: identity integrity and protection; genetic privacy; and national security. [Source] [Applicant’s Guide] [Application Form] [Eligible Costs – Schedule B] [Project Expenditures Report – Schedule C]


CA – Commissioner Seeks Input on Social Networking and Privacy

Federal Privacy Commissioner Jennifer Stoddart is accepting public input on the ways personal information on social networking sites can lead to the tracking and targeting of consumers. Stoddart says the focus is on “issues that we feel pose a serious challenge to the privacy of consumers, now and in the near future.” In preparation for Parliament’s review of the Personal Information Protection and Electronic Documents Act, Stoddart is accepting written submissions through March 15. The Canadian Internet Policy and Public Interest Clinic is praising the plan, which also includes public discussion panels to be held in Toronto in April and Montreal in May. [Globe & Mail]


CA – Loukidelis Leaving Post to Become Deputy AG

British Columbia Information and Privacy Commissioner (IPC) David Loukidelis will become the province’s deputy attorney-general. Effective February 1, Loukidelis will replace Acting Deputy Attorney General Jerry McHale. According to a BC government press release, an all-party legislative committee will select the new privacy commissioner. Meanwhile, an acting privacy commissioner will be named. Loukidelis has been BC’s IPC since 1999. [Vancouver Sun]


CA – Privacy Complaint Filed Against Youth-Oriented Website

An Ottawa-based consumer advocacy group wants Canada’s privacy commissioner to go after a youth-oriented social networking site for alleged privacy breaches. The Public Interest Advocacy Centre has filed a complaint with Jennifer Stoddart about Nexopia’s alleged “unnecessary and non-consensual use and disclosure of personal information.” Lawyer John Lawford says the Edmonton-based website should be held to a higher standard than other social networking sites since many of its users are minors, some as young as 13. He complains that Nexopia profiles, by default, can be accessed by any Internet user and show up in Google’s search results. [Source] [PIAC News Release and redacted complaint]


CA – CAPAPA Celebrates Data Privacy Day Across Canada

CAPAPA (Canadian Association of Professional Access and Privacy Administrators), Canada’s leading association of privacy and access professionals, is leading the nation-wide Data Privacy Day campaign among a broad audience of Canadians. “Data Privacy Day is important to raise awareness and generate discussion about data privacy rights and practices,” said Sharon Polsky, National Chair of CAPAPA. “Through CAPAPA Connexions networking and educational events across Canada, CAPAPA invites the public to celebrate this 4th International Data Privacy Day.” Events are being held in major centers across Canada from January 25 to January 28, with the generous support and participation of Federal and Provincial Privacy Commissioners, government agencies, and private sector organizations [Details]




US – Ad Groups Write to Senate Committee on FTC Powers

A coalition of 29 advertising industry trade groups has expressed concern that the Federal Trade Commission could become too powerful. The groups—including the Interactive Advertising Bureau, Online Publishers Association and others—sent a letter to the Senate Committee on Commerce, Science and Transportation yesterday. “While we support the FTC’s mission to prevent and punish unfair and deceptive acts or practices, we believe that the current limits on the FTC’s discretion are appropriate...” the letter states. The FTC has called for a more streamlined rulemaking process and, according to the report, there are indications that the agency may receive greater rulemaking authority in the future. [ClickZ]




UK – Tim Berners-Lee To Launch British Government’s Free Data Web Site

Sir Tim Berners-Lee, the inventor of the World Wide Web, is expected to lead the formal launch Thursday of, a new British government Web site offering free access to a huge amount of public-sector data for private or commercial reuse. The aim is to encourage British Web developers and companies to create Web sites and information feeds that combine the data with other information such as time, maps or other datasets – and potentially to discover hidden patterns that may not be obvious from the raw information. [Guardian]


Electronic Records


US – NIST Awards Contract to Create EHR Certification System

The National Institute of Standards and Technology (NIST) has awarded a $400,000 contract to Booz Allen Hamilton to develop a framework that will be used to test electronic health records (EHRs) for security and interoperability. The contract is part of a $20 million American Recovery and Reinvestment Act appropriation for the development of a national health information network. The framework, once approved and in place, will be used to certify EHRs—a requirement for healthcare organizations seeking federal Medicare and Medicaid incentives for participating in the federal healthcare network. [FierceHealthIT] [Government Health IT]




US – Heartland Will Move to End-to-End Encryption

Heartland Payment Systems is moving to an end-to-end encryption system so merchants will not ever store cleartext card data on their computers. Last January, Heartland acknowledged that it suffered a massive data security breach, compromising a significant number of payment cards. The end-to-end encryption is right now an opt-in choice for merchants because it requires purchasing new hardware. However, if the merchant has the new technology correctly deployed and still suffers a breach, Heartland will assume liability. [Source]


EU Developments


EU – Art 29 WP Publishes Five Documents on 12 Jan 2010

§         The Future of Privacy: Joint Contribution to the Consultation of The European Commission on the Legal Framework For The Fundamental Right to Protection of Personal Data (WP 168)

§         Opinion 8/2009 on the protection of passenger data collected and processed by duty-free shops at airports and ports (WP 167)

§         Opinion 7/2009 on the level of protection of personal data in the principality of Andorra (WP 166)

§         Opinion 6/2009 on the level of protection of personal data in Israel (WP 165)

§         Contribution of the article 29 working party to the public consultation of DG MARKT on the report of the expert group on credit histories (WP 164)


EU – Irish Privacy Commissioner Issues Data Protection Audit Resource

Privacy audits have become a standard assessment tool deployed by regulatory authorities and standards bodies when monitoring external organisations under their authority; audits referred to as ‘self-checks’ are frequently conducted in-house by internal control units within organisations themselves or with the assistance of external expertise. The purpose of an audit is to detect any irregularities or system weaknesses regarding how an organisation handles the personal data of its customers and employees. Audits conducted by the Office of the Data Protection Commissioner (“ODPC”) are compliance-based and will involve issuing the organisation a letter of intention to audit which will specify any advanced requests for documentation; the audit can vary in duration from one to several days and the authorised officers will present official photo identification the day of the audit. The organisation is expected to volunteer information freely, assist the authorised officers and provide access to in-house data and databases and confidential documentation involving third party contracts. Self-audits can use a series of sample questions and internal security checklists to identify the types and repositories of personal data held within the organisation, chart the personal information data flows both internally and externally and examine access rights to data and determine whether they are appropriate. [Source]


EU – Irish Privacy Commissioner Issues Data Protection Checklist

The self-help checklist provided by the Office of the Data Protection Commissioner (“DPC”) should exact a “yes” to all of the questions if an organisation is in good shape from a data protection viewpoint; if not, then the checklist can help identify the areas requiring improvement. In developing a compliance strategy, an organisation should examine whether it can describe its data-collection practices as open, transparent and up-front in its customer privacy policy, how it obtains people’s consent for any secondary uses of personal data which may not be obvious to them, if it has named an individual responsible for handling access requests in the organisation and if there are clear procedures in place for dealing with such requests. In addition, is the organisation clear about whether it needs to register with the DPC, has it appointed a data protection co-ordinator and compliance person, are computers and databases password-protected and encrypted, where appropriate, is there a clear data retention policy in place, are employees aware of their data protection responsibilities and is data protection a part of the organisation’s training programme. [Source]


EU – Irish Privacy Commissioner Issues Guidelines for Website Privacy Statements

Organisations that fail to meet the legal requirement of posting a privacy statement on its website could be subject to an investigation and enforcement action by the Data Protection Commissioner or a private civil action if an individual has been damaged by the manner in which their data was processed. A company should aim for a clear and concise privacy statement which includes the organization’s identity, the type of information collected, the purposes for which the information is used, and any third parties to whom the information is disclosed. In addition, individuals must also be informed of their rights to access any data held on them and the right to have it corrected if necessary; if financial details are taken to do a transaction then security assurances may be given in the statement. Additional information that could be included in a privacy statement are a reference to data security measures, a defined retention policy and a complaint resolution mechanism. The use of cookies is a potential concern as it can lead to a user’s browsing habits being profiled without the user’s knowledge or consent; a user should be informed if it is not necessary to use cookies in the context of a transaction and should be given an opportunity to refuse to have cookies placed on his/her computers. [Source]


Facts & Stats


US – Breach Media Reports Down

The number of data breaches reported to the media has declined significantly over the past 18 months. The article cites an Open Security Foundation blog post that says the number of breaches reported in global media has dropped from about 1,000 per month between 2005 and 2008, to about 500 per month. The blog speculates that boredom in the press may be a cause. “Just another data breach” isn’t news anymore, the report states. []




US – Hillary Clinton Calls for Web Freedom, Demands China Investigate Google Attack

In a sweeping Internet freedom speech, U.S. Secretary of State Hillary Clinton called for a global Internet free of censorship in response to claims that hackers targeted Chinese human rights activists’ Google accounts. The U.S. State Department has sent a formal request to the Chinese government asking for a review of the claims. Clinton also called for all nations to work together to punish cyberattacks aimed at silencing citizens and disrupting businesses. “Countries or individuals that engage in cyberattacks should face consequences and international condemnation,” Clinton says. The rise in social networking has led some countries such as Iran, Uzbekistan, Vietnam, and Tunisia, to try to block online traffic. The United States will push to preserve the ability of everyone to communicate freely over the Web, Clinton says. The State Department also plans to work with non-government organizations and technology companies on solutions to the problem of Internet censorship abroad. [Washington Post] See also: [Google Has No Immediate Plans to Leave China] and [China tried to hack our computers, says India’s security chief M.K. Narayanan]


CN – China Slams Clinton’s Call for Internet Freedom

China slammed remarks made by U.S. Secretary of State Hillary Clinton promoting Internet freedom worldwide, saying her words harmed U.S.-China relations. China resolutely opposes Clinton’s remarks and it is not true that the country restricts online freedom, Chinese Foreign Ministry spokesman Ma Zhaoxu said in a statement on the ministry’s Web site. Clinton’s speech and China’s response both come after Google last week said it planned to reverse its long-standing position in China by ending censorship of its Chinese search engine. Google cited increasingly tough censorship and recent cyberattacks on the Gmail accounts of human rights activists for its decision, which it said might force it to close its offices in China altogether.China blocks Web sites including Facebook, Twitter and YouTube, and has long forced domestic Internet companies to censor their own services. Blog providers, for instance, are expected to delete user posts that include pornographic content or talk of sensitive political issues. On Thursday in Washington, D.C., Clinton unveiled U.S. initiatives to help people living under repressive governments access the Internet for purposes such as reporting corruption. The U.S. will support circumvention tools for dissidents whose Internet connections are blocked, she said. [Source]


EU – Turkey Blocking 3,700 Websites, Reform Needed: OSCE

Europe’s main security and human rights watchdog said on Monday that Turkey was blocking some 3,700 Internet sites for “arbitrary and political reasons” and urged reforms to show its commitment to freedom of expression. [Reuters]




EU – EU Threatens Block of U.S. Bank Data Transfer

The European Parliament has threatened to block financial data transfers between EU member nations and the U.S. under the SWIFT agreement unless it gets answers to questions it has asked of Spain and Switzerland. The financial data transfers are part of a U.S.-European anti-terror program which some EU officials have protested as a threat to privacy and have threatened to scrap altogether if Spain does not provide the requested information. In a statement, the coalition opposed to the SWIFT agreement said two clear conditions must be satisfied before a longer term agreement can be considered. [EU Observer]


US – Bank Shares Customer Info Against Her Wishes

A Chase Bank customer, who regularly told the bank that she did not wish for it to share her personal information with other organizations was dismayed recently when she received a letter from the bank informing her that information about her that had been shared with another company was exposed online. Victoria Afonina, a computer programmer, said she was upset when she read the notification. “I know that it only takes a fraction of a second for someone to copy files that appear on a Web site,” she said. A Chase representative contacted by the paper declined to give specific details of the incident. [Los Angeles Times]


US – Tweeting for Better Credit

Some organizations have taken to analyzing consumer chatter over popular social networking channels such as Twitter, Facebook and LinkedIn as part of their credit evaluation process. Comments and profiles available publicly on social platforms, as well as the profiles of others in a person’s network, can be used in part to determine if an individual is a good credit risk. “We use social chatter as a way to bring risk down. It’s a wealth of information about a person,” said Rob Garcia, director of product strategy for Lending Club. “If a person says he lives in a different area than the one on the application, it could be a flag. But if it matches, it greatly increases confidence.” []




EU – New Irish Legislation Requires Suspects, Prisoners to Provide DNA Samples

A 143-page bill published this week in Ireland will allow gardaí (police) to take DNA samples from suspects and prisoners currently serving sentences for serious crimes. Justice Minister Dermot Ahern calls the move “a major step forward in the fight against serious crime.” Irish Council for Civil Liberties Director Mark Kelly acknowledges that, but says the bill “requires special safeguards to ensure that the private lives of innocent people are protected.” Ahern says he is considering privacy implications and steps will be put in place to purge from the database those samples provided by suspects who are either acquitted or not ultimately charged. [Irish Examiner]


Health / Medical


CA – Alberta Health Act Proposed by Government Committee

A provincial advisory committee is recommending that Alberta have its own legislation governing how its health-care system operates, a reform it says would work within the Canada Health Act. An Alberta health act would enshrine the principles Albertans agreed should be in the provincial health-care system, Edmonton Conservative MLA Fred Horne said at the release of a report by the advisory committee on health. “The preamble to the act should clearly affirm that Alberta ‘s health-care system will operate within the parameters of the Canada Health Act and its principles of public administration, comprehensiveness, universality, portability and accessibility,” the report said. “The Alberta health act should address the much broader range of health services within the province, both those that receive public funding and others within the overall continuum of services that enable healthy people and communities.” The committee also proposed that Alberta create its own charter of rights for patients and define principles of accountability, access and transparency that must be maintained in the health care system. The province should consolidate a number of provincial health-care laws, including the Hospitals Act, the Nursing Homes Act and the Health Insurance Premium Act, the committee said. [Source]


CA – Border Agents to Disclose Names of Doping Athletes

The Canada Border Services Agency has agreed to give the International Olympic and International Paralympic Committees the names of athletes and support personnel caught bringing performance-enhancing drugs into the country. The agreement, signed recently following two years of protracted negotiations, will cover substances listed under both Canadian controlled-drug and substance laws and the World Anti-Doping Code. With less than a month before the Olympics, the deal gives the IOC a potent weapon in its fight against doping. But it also highlights the absence, in Canada, of a specific law that criminalizes doping in sport, unlike a number of European countries that recently enacted legislation after repeated doping scandals. The deal also brushes up against Canada’s stringent privacy laws. Under the terms of the agreement, the CBSA will only disclose information it collects between Jan. 25 and March 25 if the athletes or support personnel involved have given written consent to the IOC and IPC to share the information, said Faith St. John, a CBSA spokeswoman. But the IOC says those waivers are standard requirements for anyone wanting to participate in their Games. [Vancouver Sun]


EU – Germany Fines Drug Chain for Data Retention

Germany’s Data Protection Authority (DPA) has fined pharmaceutical chain Müller Group €137,500 for retaining illegally collected healthcare data, and for failing to hire a data protection officer. The chain, which employs 20,000, had required employees returning from sick leave to inform the company of the reason for their absence by filling out a form that was collected and stored in a central HR database. In all, Müller had collected more than 24,000 such forms in a practice that the DPA said was not justified in the vast majority of cases. [Hunton & Williams Privacy and Information Security Law blog]


Horror Stories


US – Health Net Breach Could Be Costly

The data breach that affected 1.5 million members of health insurance provider Health Net may end up costing the company millions of dollars. Costs associated with extending two years of identity theft insurance will add up, but the paper says a lawsuit filed by Connecticut Attorney General Richard Blumenthal for HIPAA violations is likely to prompt AGs in other states affected by the breach to bring similar charges. If found guilty, Health Net will face penalties that could amount to tens of millions of dollars, according to The Register. The breach stems from the loss of a hard drive containing more than 27 million pages of unencrypted data, including sensitive subscriber information. [The Register] [Health Net Sued for HIPAA Violations]


US – Lincoln National Warns Customers of Potential Data Security Breach

Lincoln National Corp. has begun notifying about 1.2 million customers of an incident that may have compromised the security of their personally identifiable information. The Financial Industry Regulatory Authority (FINRA) learned of the breach last August when an unidentified source provided the organization with a username and password that allowed access to Lincoln’s portfolio management system. An investigation conducted by Lincoln found other instances of shared usernames and passwords at one of its subsidiaries. The shared passwords were established a decade ago to perform administrative activities. All shared access information has been changed. The management system in question is not used to conduct transactions, but does contain SSNs, account numbers and balances and other personal information valuable to identity thieves. [Dark Reading] [ComputerWorld] [DoJ]


Identity Issues


WW – Background Checks? There’s an App for That

A new iPhone application gives users the ability to conduct up to three free background checks using their mobile device. Tony Bradley, author of the article, contacted the company’s CEO to ask whether he thought the company’s new product might be viewed as an intrusion on an individual’s perceived right to privacy.The company said that while it anticipated some controversy, no complaints have yet arisen from the launch, and 400,000 users have downloaded the application to date with more than a million background checks conducted so far. [PCWorld]


US – MN to Probe Background Check Controversy

Minnesota’s legislative auditor said this week he plans an investigation into a Texas company’s problematic background-checking program that resulted in a data breach affecting 500 new state employees. The trouble began last year when the state engaged Lookout Services to conduct background investigations on job candidates at the urging of Governor Tim Pawlenty. In October, a state employee notified a supervisor of a security flaw that gave employees access to sensitive information and in December the state began the process of notifying individuals whose personal information may have been exposed. Auditor Jim Nobles expects to finalize the incident report in the spring. [Minnesota Public Radio]


CA – Fraud Detection “Unacceptable Reason” to Collect DL Numbers for Memberships

The Assistant Commissioner noted that although organizations deem certain pieces of information convenient to collect for certain purposes, this convenience must not supersede an individual’s right to privacy; although the convenience of using a driver’s licence number as a unique identifier is recognized, only limited personal information may be collected to detect fraud (the stated reason for the collection), which is not in itself a legitimate purpose for recording a driver’s licence. The organization did not provide compelling evidence to substantiate that it has a significant problem with fraud nor that the collection of the full birth date of applicants for store membership is an effective means of deterring and detecting fraud. With respect to the other purpose for collection (to conduct credit checks of customers with cheque-writing privileges) credit reporting agencies advised that the minimal amount of information required to perform a credit check is the individual’s name and address. Recommendations for the organization included verifying an applicant’s age and authenticating their identity by visually inspecting a piece of photo identification without recording the information for this purpose and obtaining an applicant’s meaningful consent for a credit check by providing applicants with notice that a credit check may be required before cheque-writing privileges are granted and that the applicant’s name, address and full date of birth will be collected and used for this purpose. [OPC Decision]


Intellectual Property


EU – Proposed Web Video Restrictions Cause Outrage in Italy

New rules to be introduced by Italian government decree will require people who upload videos onto the Internet to obtain authorization from the Communications Ministry similar to that required by television broadcasters, drastically reducing freedom to communicate over the Web, opposition lawmakers have warned. The decree is ostensibly an enactment of a European Union (EU) directive on product placement and is due to go into effect at the end of January after being subjected to a nonbinding appraisal by parliament. [The Standard]


Internet / WWW


WW – Microsoft Calls for Cloud Law

Microsoft has called on Congress to pass new legislation regulating cloud computing in order to establish standards for privacy and security. Microsoft’s proposal, the Cloud Computing Advancement Act, was made during a presentation at the Washington, DC-based Brookings Institute by the company’s general counsel, Brad Smith. “We need government to modernize the laws, adapt them to the cloud, and adopt new measures to protect privacy and promote security,” Smith said. The FTC has already indicated an interest in exercising more regulatory control over cloud computing. [InformationWeek]


WW – Microsoft Reduces Search Data Storage Limit

Microsoft has announced that it will further reduce the length of time it holds data entered into its Bing search engine. The policy until this point had been to remove data from the retained information that could be used to identify the individuals requesting the information, but other data, including the associated IP address, remained accessible for 18 months. The decision comes in response to criticism related to search data management from within the European Union and will be implemented over the next 18 months for users everywhere, not just in the EU. Professor Hendrik Speck of the University of Applied Sciences in Kaiserslautern, Germany predicts that the move will prompt Bing competitors to follow suit, saying, “Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences.” [New York Times] [The Register] [ComputerWorld] [Silicon Republic] [ZDnet]


WW – Google Calls for EU Privacy Panel

Google says that the recent hack of its Chinese operation shows why it needs to retain user search data and will this week call on the Article 29 Working Party to establish a privacy and security panel to encourage productive dialogue on the proper use and protection of such data. “You can’t discuss privacy in a vacuum,” said Google global privacy counsel Peter Fleischer. Google retains search users’ full IP addresses for nine months. “We find it incomprehensible that a company would throw away useful data when holding it poses no privacy threat,” Fleischer said. [PCWorld]


Law Enforcement


US – Hospital Releases Phone Numbers for Survey

St. Joseph’s Hospital in Dickinson, North Dakota makes a practice of sharing patient names and phone numbers with a Maryland-based survey company, and the hospital says it is legal under HIPAA—and that failing to do so may result in a loss of federal Medicare and Medicaid reimbursement. St. Joseph’s says patient surveys are too expensive to conduct on its own. Paulette Thomas, in-house council for St. Joseph’s parent company, Catholic Health Initiatives, told the paper, “It is a permissible use of their information [under HIPAA] in order to improve the quality of care that is delivered to patients.” [Dickinson Press]




EU – Greek Privacy Watchdog Likely to Allow Street View

A privacy watchdog lifted its objections Monday to a Greek Web site publishing panoramic street-level images online, making a similar decision in favour of Google’s Street View service more likely. Greece’s Data Protection Authority, or DPA, said it was satisfied by assurances given by operators of the Greek Internet site, including its use of face-blurring technology and limits on storing original images. [Siliconvalley.Com]


Online Privacy


EU – Article 29 WP Issues Opinion on Online Social Networking, Working Paper 163

Due to the increase of social networking sites, social network service (“SNS”) providers need to protect an individual’s personal data from major risks, including identity theft, financial loss, loss of business or employment opportunities, and physical harm. To ensure proper compliance with data protection laws, providers should implement privacy-friendly default settings, restrict access profiles should not be discoverable by internal search engines, publish of member names under a pseudonym instead of their real identity, limit access control, and implement authentication mechanisms. In relation to children, a multi-pronged strategy for data protection should be based on awareness raising initiatives that actively involve children, fair and lawful information processing and implementation of Privacy Enhancing Technologies (privacy-friendly settings by default, pop-up warning boxes, and age verification software). SNS providers should also inform users of their identity and the different purposes for which they process personal data (usage of the data for direct marketing purposes, possible sharing of the data with specified categories of third parties and use of sensitive data). [Source]


WW – New Service Hamstrings Google Data Hoarding

Alarmed by the vast amount of personal information Google collects from its users, a hacker has unveiled an anonymization service that prevents the internet giant from tracking searches and websites visited by a specific individual. Dubbed GoogleSharing, the anonymizing proxy service is designed exclusively for communications with Google. It mixes together requests from many different users so the search engine’s data collectors are unable to tell where they originate. GoogleSharing is designed to hamstring Google’s data hoarding ways for all its services that don’t require a login. Using it is as simple as installing this Firefox plugin, which redirects Google-bound traffic to a proxy. There, requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is then proxied back to the user. By sharing the identities of many different people, the requests become much harder for Google to correlate and analyze. “The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, cookie, or any other identifying HTTP headers,” Marlinspike explained. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.” Marlinspike has pledged that GoogleSharing will log absolutely nothing. All requests sent to the proxy - and all responses returned - are automatically encrypted using HTTPS, although traffic passing between the proxy and Google is often sent in the clear because Google, like most other websites, still doesn’t provide universal SSL support. [Source]


Other Jurisdictions


WW – UN Issues Call for International Privacy Agreement

A UN watchdog has called for a new international agreement on privacy following a review of the expanding global array of surveillance measures and databases advanced by governments in the cause of counter-terrorism. The special rapporteur on human rights, Martin Scheinin, said the UN should create “a global declaration on data protection and data privacy” in response. His report, delivered to the UN’s Human Rights Council, describes the expansion of watchlists, border checks, financial data sharing, interception of communications, biometrics and ID registers in recent years. “States no longer limit exceptional surveillance schemes to combating terrorism and instead make these surveillance powers available for all purposes,” he added. “Most worrying, however, is that these technologies and policies are being exported to other countries and often lose even the most basic protections in the process.” Scheinin noted that parliaments had generally been given little opportunity to debate such counter-terrorism powers. [The Guardian] [Full report]


UN – Official Calls for Int’l Declaration on Data Protection

A UN official has called for a new international agreement on privacy. In a report to the UN Human Rights Council, special rapporteur Martin Scheinin said “a global declaration on data protection and data privacy” is necessary to stopgap what he describes as the loss of basic privacy protections in the wake of expanded counter-terrorism efforts. European Data Protection Supervisor Peter Hustinx told the Daily Dashboard he considers this “a very welcome call for action that should be considered very carefully.” Hustinx said that global standards and global safeguards are required to limit increasing surveillance activities and to ensure a legitimate global use of new technologies. However, Martin Abrams, executive director of the Hunton & Williams Centre for Information Policy Leadership, said that until UN member states can find the balance between physical security and data protection within their own borders, it is unlikely they will be able to move forward with an international agreement. [The Register]


Privacy (US)


US – Ad Groups Write to Senate Committee on FTC Powers

A coalition of 29 advertising industry trade groups has expressed concern that the Federal Trade Commission could become too powerful. The groups sent a letter to the Senate Committee on Commerce, Science and Transportation yesterday. “While we support the FTC’s mission to prevent and punish unfair and deceptive acts or practices, we believe that the current limits on the FTC’s discretion are appropriate...” the letter states. The FTC has called for a more streamlined rulemaking process and, according to the report, there are indications that the agency may receive greater rulemaking authority in the future. [ClickZ]


US – Court Rules for State in Montana Privacy Challenge

The Montana Supreme Court has rejected a challenge to the state’s law that requires individuals to supply the last four digits of their Social Security numbers as part of the process to receive fishing or trapping licenses. The Montana Shooting Sports Association filed the suit, claiming the disclosure requirement was in violation of the fundamental right to privacy. Supreme Court Justice William Leaphart wrote that as the data is linked to federal child support funding, its collection is legitimate. He also termed the plaintiffs’ expectation of privacy as “unreasonable” as other avenues exist to apply for the required licenses without disclosing the Social Security information. [Courthouse News Service]




EU – Europe Publishes RFID FAQ

RFID technologies can store complex data and communicate information automatically while being embedded within products and being so small that they can hardly be seen by the human eye; one of the resulting concerns is that if unaware or uninformed of their use by retailers, RFID tags and readers can be used without the prior knowledge of consumers. As RFID tags play a greater role in daily life, the European Commission (“the Commission”) expresses the view that no European should carry a RFID chip in one of their possessions without being informed precisely what they are used for, with the choice of removing or switching it off at any time. The Commission recommends that organisations indicate the use of a tag through a sign on the product, packaging or the shelf where the product is located and that consumers are informed of the data that is being processed, including the data contained on the tag, how it is used and why it is used by retailers. Retail organisations can use the “opt-in” approach which allows the tags to be removed or deactivated if they present a threat to privacy or data protection unless consumers give their consent to keep their tags active; even if the tag does not present a threat to an individual’s privacy or personal data, and provided the tag was placed by the retailer, the Commission recommends that the individual can still ask the retailer to remove or deactivate the tags if they wish to do so. It is also recommended that employers inform employees if a RFID application is deployed in the workplace. In addition, every RFID operator must conduct privacy and data protection impact assessments to understand and act on the possible privacy and data protection threats that the presence of the tag creates. [Europa]


EU – Commission Provides Privacy Guidance for RFID Applications

The Commission of the European Communities (“CEC”) provides guidance regarding the design, deployment and operation of RFID applications due to the potential of the technology to be both pervasive and practically invisible; the interaction between the reader or writer and the tag may happen without users being aware of it. RFID applications with implications for the general public, such as electronic ticketing in public transport, require appropriate protective measures; applications that affect individuals by processing of sensitive data such as biometric identification data or health related data are especially critical with regard to information security and privacy and require specific attention. Organisations should build privacy and information security features into RFID applications prior to their widespread use, at an early stage of their development, using the principle of “security and privacy by design”. Privacy and security impact assessments can be used to identify and develop measures and techniques to safeguard the privacy and security of RFID systems, which will then need to be monitored throughout the lifetime of the RFID application. Raising awareness among the public about the features and capabilities of RFID will help mitigate the risks of it being used to the detriment of the public interest and enhance its acceptability; parties that deploy the technology also have a responsibility to provide individuals with information on the use of these applications. [Source]


US – Mexican Border Patrol, State Governments Leverage RFID Vehicle Registration

Neology, a provider of RFID-based applications including border control, vehicle registration, high-value pharmaceutical control, electronic toll collection, supply chain, passports and secure documents, has announced it has been awarded a multimillion-dollar extension to its existing contract with Banjercito, the Mexican Army Bank, which is responsible for controlling every entry and exit point into and out of Mexico, including seaports. Under the terms of the contract, Neology will provide passive RFID tags, interrogators and software integration to Banjercito. The contract, now in its tenth year, will incorporate license plate recognition (LPR) technology for the first time. Banjercito first began working with Neology to develop a fully integrated passive RFID-based electronic vehicle registration solution, in order to control the import and export of vehicles, immigration and security. Currently, according to Neology, every vehicle that enters or exits the country is issued a personalized permit, and Neology’s fully integrated EVR solution has enabled Banjercito to automate and track tax transactions, compliance and tolling for both temporary and permanent vehicle importation. The integration of LPR technology will enable Banjercito to instantly cross-reference inputs from an RFID-based windshield tag and the LPR system. Neology’s RFID-based windshield tags can be read on tagged vehicles traveling at 100 mph, the company reports. Neology has also announced that it has been awarded contracts by three states in Mexico to supply passive RFID tags, readers, handheld devices and integrated software. The contracts are some of the first to be awarded as part of the nation’s REPUVE (National Public Vehicle Registry) initiative, the first phase of which was awarded to Neology in late 2008. [Source]




WW – Does Your Password Say “Hack Me?”

Last month’s theft of 32 million passwords from a social networking software company has given researchers a unique window into just how insecure many security passwords may be. Among the passwords examined, the top five include “123456,” “12345,” “123456789,” “password” and “iloveyou.” When it comes to creating easy passwords, “I guess it’s just a genetic flaw in humans,” says Amichai Shulman, chief technology officer at Imperva, a company that develops software to block hack attacks. “We’ve been following the same patterns since the 1990s.” Hackers, however, have mastered the art of breaking into many accounts at once, often just by choosing from those most commonly used passwords. [New York Times]


US – Password Error May Have Exposed 1.2 Million

Financial services firm Lincoln National has begun notifying as many as 1.2 million customers after discovering that a policy of shared passwords, established a decade ago, may have exposed their confidential data. According to a letter posted to the New Hampshire Department of Justice Web site, an anonymous source provided the agency with a shared username/password combination that gave Lincoln National employees access to customer files. Lincoln National says it is voluntarily notifying its customers even though it does not believe the situation constitutes a data breach under New Hampshire state law. [PCWorld]


CA – Pearson Gets First Full-Body Scanner

The first full-body scanner in Canada is up and running at Pearson International Airport, federal transport security officials said this week. Posing for the electronic strip-search is voluntary, for adults only and produces images seen by a screener “in a remote room.” “They have no way of seeing the passenger. The image they look at doesn’t have any identification. There is no name, no flight number.” The scanner is used for secondary screening, meaning someone marked for a pat-down can opt for the machine instead, on “all U.S. bound flights.” CATSA is rolling 11 of the millimeter-wave machines at major airports including Montreal, Vancouver, Calgary, Ottawa, Halifax and Winnipeg. Another 30 scanners are scheduled to be installed “later in the spring.” [Source]


EU – EU Puts Off Reply to U.S. Request for Airport Body Scanners

The EU will decide on a US request that Europe install body scanners at its airports after studies into their effects on health and privacy are completed, EU officials meeting in Spain said this week. “Once we have these studies on the table we will make a decision,” Spanish Interior Minister Alfredo Perez Rubalcaba, whose country holds the rotating presidency of the EU, told a news conference with US Homeland Security Secretary Janet Napolitano following talks with interior ministers from across the 27-nation bloc in the central Spanish city of Toledo. [Source]


UK – Body Scanner Favoured in Poll

A recent poll by SkyScanner has revealed that 66% of those asked were in favour of the new body scanners that will be hooked up at UK airports in the coming year. The scanners have caused a mixed reaction since they first went on trial at Manchester Airport. Many equality groups have said that that only certain people will be targeted to pass through this because of their race and/or religion. Other concerns raised were over minors passing through the X-ray machine as it would violate indecency laws against children. Out of the remainder of the people who voted against the introduction of the scanners, 30% said they did so because of privacy and health grounds. The other 4% could not give a defining answer as to what they thought of the machines. [Source]


CA – Most Canadians Support Use of Naked Airport Scanners: Poll

A new poll indicates most Canadians accept new airport scanners that can see through the clothes of travellers. A survey conducted by The Canadian Press Harris-Decima earlier this month found four in five respondents said the use of the scanners was reasonable. Almost three-quarters of those surveyed said the technology was likely to be effective in reducing the risk of a terrorist attack. The pollsters say the numbers suggest Canadians feel airport security is as strict as it needs to be and, if anything, it is not strict enough. Just before the poll was taken, the government announced plans to install 44 machines across the country that will generate three-dimensional images of air travellers’ bodies. [Source]




AU – ALRC Renews Data Loss Financial Penalty Call

The Australian Law Reform Commission (ALRC) has renewed its call for fines for failing to notify the privacy commissioner of data breaches after the UK introduced penalties of up to half a million pounds. The ALRC initially made the call in its report: For Your Information: Australian Privacy Law and Practice released in 2008. ALRC research manager Jonathan Dobison said the penalty method would be effective in the current information age, where there is an increasing number of ways information can be leaked through technology such as flash drives and laptops. [Computerworld]


EU – Spain Issues Strict New Limitations on Video Surveillance

Summary: Data controllers must be aware that when processing personal data by means of video surveillance systems; the data subject’s consent is required. Organisations must notify the Spanish Data Protection Authority of their intention to create video surveillance files, prior to creating any databases that contain video surveillance files. In addition, those data subjects whose images are to be captured, must be provided with information regarding the processing of their personal information - at least one sign in zones that are under video surveillance notifyng individuals that they are under surveillance (these signs must be placed in visible locations and in open as well as enclosed spaces). If video surveillance systems are used for security purposes organizations must have technical and organisational measures are in place to guarantee the security of the data. Video surveillance files can only be stored for a maximum of one month unless data are needed for purposes of criminal or administrative investigations. Video cameras for workplace monitoring of employees is allowed without employee consent to ensure employees fulfill their work obligations (but there must be no other alternatives to accomplish such purpose) and video surveillance systems cannot be located in facilities meant for employees’ private use (e.g. toilets, restrooms or recreation rooms). Organisations must fully respect their employees’ information rights by, notifying the employees’ union representatives that a video surveillance system is to be put in place, placing information signs to provide notice, and by providing personalised notice. The Spanish Criminal Code allows imprisonment for certain violations of the Spanish Data Protection Act, such as unauthorized access, use or theft of personal data. [Morrison & Foerster]


Telecom / TV


UK – Virgin to Test Deep Packet Inspection Technology to Look for Illegal Downloading

Virgin Media will test a system that uses deep packet inspection to find out if its broadband customers are downloading media files illegally. Once traffic has been identified as being of the file sharing variety, the content will be tested against a database of music and movies. The system currently does not note the associated IP address of the downloader, but Virgin would not rule out the possibility of identifying copyright violators in the future. The test will monitor traffic of about 40% of Virgin Media broadband customers; they will not be made aware that their activity is being monitored. [The Register] [Network World]


US Government Programs


US – FBI Broke Law for Years in Phone Record Searches

The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews. FBI officials issued approvals after the fact to justify their actions. E-mails obtained by The Washington Post detail how counterterrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats. A Justice Department inspector general’s report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed. FBI general counsel Valerie Caproni said in an interview Monday that the FBI technically violated the Electronic Communications Privacy Act when agents invoked nonexistent emergencies to collect records. [The Washington Post]


US – DHS Privacy Office Releases Data Mining Report

The Department of Homeland Security Privacy Office released its 2009 Data Mining Report to Congress on January 4, 2010. The annual report, which is required by statute as part of the Implementing Recommendations of the 9/11 Commission Act of 2007, contains the office’s report regarding all DHS activities that meet the law’s definition of “data mining.” The report identifies three such programs. The first is the Customs and Border Protection’s Automated Targeting System, which analyzes traveler, cargo and conveyance information and compares it against law enforcement information. The second, Immigration and Customs Enforcement’s Data Analysis and Research for Trade Transparency , “analyzes trade and financial data to identify statistically anomalous transactions that may warrant investigation.” The third identified program is the Transportation Security Administration’s Freight Assessment System, which analyzes freight transportation data to identify cargo that might present a risk to passenger aircraft. The report concluded that for each project, “necessary privacy protections have been implemented.” [DHS: Data Mining Reports]  


US Legislation


US – Law Would Ban Broad Information Gathering by Police

A Maine senator has introduced legislation in response to a new surveillance system employed by Maine police, citing its infringement on privacy. Sen. Dennis Damon (R-Trenton) says the system, which automatically reads license plates and checks them in a national database, could be misused to track people. “To me, it’s too much of a concern that I might lose my privacy and freedoms that are afforded to me as a citizen of this state and nation,” he said. Police say the system will help find wanted criminals and missing persons more quickly. [Boston Globe]


US – Bill Would Close Access to Gun Permit Database

Public access to the Indiana state database of people with permits to carry guns would be closed under a bill on its way to the floor of the Indiana House. The bill was filed following complaints over newspaper stories that used information from the database to scrutinize how gun permits are issued, including one that found a permit wound up in the hands of a man who had pressed the barrel of a loaded handgun into the chest of a woman holding a baby. The House Natural Resources Committee unanimously approved the bill Thursday. “Individuals have a right to privacy,” said Rep. Dave Cheatham, D-North Vernon, vice chairman of the panel. [Source]


Workplace Privacy


UK – Most Employers Screening Candidates Online: Report

According to a new report, 53% of all UK employers review the public profiles of job candidates before making a hire, and 20% say they have rejected candidates based on what they have found. The study, conducted by CareerBuilder, found that both social networking sites and popular search engines are commonly used to evaluate a job candidate; and of the organizations not using them, 12% said they plan to in the future. The study also found that 28% of companies surveyed said that they had fired an employee because of negative information about the company or a coworker posted to a social networking site. [PC Advisor]


CA – Ring Agrees with Workers at Iron Ore Co.

Union workers at the Iron Ore Company in Newfoundland say the company’s demand that certain workers sign over full access to their medical records is an invasion of their privacy. A company spokesman says it needs the records to assess who is fit for which jobs in order to provide a safe working environment. But the provincial privacy commissioner, Ed Ring, says requesting all medical records is excessive, and if information is required, it should be a minimal amount, only enough to satisfy the company’s purpose. “The disclosure of an entire medical record is, in my view, way and beyond what would be considered reasonable,” Ring said. [Daily Business Buzz]