Privacy News Highlights

17–31 July 2010



CA – Banking Group Will Stick to Letter of Law

CA – Surveillance for Evidence Collection Does Not Fall Under Privacy Law: Court

CA – New Brunswick Names First Commissioner

CA – BC Privacy Chief Too Soft on Gambling Botch

UK – Web Users Unlikely to Pay for Content: Survey

US – Consumers and Marketers have Differing Privacy Expectations: Study

UK – Consumer Regulator Outlines Plans to Protect Online Shoppers

UK – DMA Updates Code of Practice with New Rules on Children’s Data

US – Stronger Privacy Provisions Needed for Electronic Records: Opinion

UK – United Kingdom Guidelines for Protection of Privacy Online

EU – EU Outlines Principles to Govern Future Data Sharing

EU – Data Transfers: Privacy Chiefs’ FAQ on New Model Clauses

IR – Commissioner Investigates Insurance Industry Database

WW – Cars and Fax Machines on the At-Risk List

CA – PIPEDA for Business Video Released

US – Verizon’s Data Breach Investigation Report

IN – Indonesia Finds Banning Pornography Is Difficult

US – Homeland Security Sends Information Requests to Advisers

US – Court Rules Privacy Advocate Can List Private Information

UK – Scottish Government Outlines Proposed Extension to FOI Laws

WW – Researcher Releases Facebook Profile Data

NZ – New Zealand Pizza Chain Suffers Data Breach

US – Massachusetts Hospital Backup Files Lost

US – Lawsuit Filed Over Flash Memory Cookie Resurrection

US – Privacy Implications of Cyber Attack Attribution Technology

WW – Google Obtains Government Security Clearance for Cloud Services

US – Google, CIA Invest in ‘Future’ of Web Monitoring

WW – Apps Privacy

EU – EU Information Sharing Systems

NZ – Police Breach Privacy by Giving Out Criminal Record

CA – Tweeting Vacation Plans Can Lead to Burglary, Police Warn

WW – White House Proposal Would Ease FBI Access to Records of Internet Activity

WW – Microsoft Quashed Effort to Boost Online Privacy

US – FTC Proposes Do-Not-Track Mechanism

US – Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

AU – New Privacy Commissioner Appointed

HK – Postal Staff Stamp on Privacy Chief

US – Ohio Court Dismisses Joe the Plumber’s Suit

WW – Google Android Apps Reportedly Stealing Data

US – White House Seeks to Add Internet Activity to List of Info Demanded With NSLs

US – Second Pennsylvania High School Student Files Suit Over Webcam

US – Rite Aid Settles FTC Case

US – States Seek Details About Google Data Collection Code

EU – World’s First Pirate ISP Launches In Sweden

WW – Bad Guys Could Read RFID Passports at 217 Feet, Maybe a Lot More

US – Wal-Mart to Track Clothing With RFID Tags

WW – Privacy Breaches in the Clouds? Blame the Customer

WW – Internal Threats Double As Attackers Shift Strategy

US – FBI Rings Organizers Over Defcon Contest

HK – Hong Kong’s Cashless-Payment Operator Under Fire

US – Washington Post In-Depth Report: Top-Secret America

AU – Go Cards Used for Police Work

CA – Crime Cameras Should Go, Says Alberta Privacy Czar

US – FBI Backs Record-Keeping on Prepaid Cell Phones

US – Cyberspace Policy Review Progress Report

US – Senators Introduce 2010 Data Security Act

US – Former NSA Exec Tried to Voice Concerns Before Talking to Reporter

US – Tech Firms Warn Privacy Bill Will Harm Economy

CA – Prison Staff Win Legal Case After Personal Info Leaked to Inmates





CA – Banking Group Will Stick to Letter of Law

A spokesperson for the Canadian Bankers Association says the organization will adhere to privacy laws when handling police photographs of violent demonstrators at the recent G20 summit. The association will run the photographs through its facial recognition software in an attempt to identify the perpetrators. “We’re just running it through our software and giving it back to police,” said Maura Drew-Lytle. [Ottawa Citizen]




CA – Surveillance for Evidence Collection Does Not Fall Under Privacy Law: Court

Using surveillance to help mount a defence in a civil legal action is not a “commercial activity” under Canada’s privacy law and is therefore not bound by PIPEDA, the Federal Court of Canada has ruled. Nevertheless, the Privacy Commissioner does have jurisdiction to investigate the claim, the court also found. In State Farm Mutual Automobile Insurance Company and Privacy Commissioner of Canada, State Farm collected surveillance and evidence on Gerald Gaudet on behalf of its insured policyholder, Jennifer Vetter. Gaudet launched a civil tort suit against Vetter related to a 2005 automobile accident. Gaudet demanded that State Farm hand over any and all documentation the insurer had collected on him, arguing that to collect evidence and to use surveillance without his knowledge or permission is a violation of his rights under PIPEDA. State Farm argued the evidence fell outside the scope of PIPEDA and that it was protected by client-attorney privilege. The insurer argued further that it was not within the privacy commissioner’s jurisdiction to investigate the claim. Federal Court Justice Robert Mainville concluded the primary activity at the centre of the case was the collection of evidence on a plaintiff by a defendant in order to mount a defence, which is not a commercial activity. “Then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct it on his or her behalf.” Justice Mainville went on to say the insurer-insured and attorney-client relationships “are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence...” But the Court would not go so far as to say the matter was beyond the privacy commissioner’s jurisdiction to investigate. “Indeed, though the reports and related documents and videos are not subject to PIPEDA, there must nevertheless still be mechanisms in place to test the bona fides of the exemption or non-application claim.” [The Canadian Underwriter]


CA – New Brunswick Names First Commissioner

New Brunswick Premier Shawn Graham has named Fredericton lawyer Anne Bertrand as the province’s first access to information and privacy commissioner. Bertrand begins her new role September 1, when the office is officially created, but must be confirmed by the legislature after the September 27 election. As commissioner, Bertrand will be responsible for overseeing two new pieces of legislation governing access to information and health information privacy and will advocate for information and privacy issues, the report states. “I am confident that the breadth of her experience in the field of law, along with her work in the community and strong values of justice and integrity, will serve New Brunswickers well as she fulfils the commissioner’s responsibilities,” said Graham. [CBC News]


CA – BC Privacy Chief Too Soft on Gambling Botch

The province’s new information and privacy commissioner is displaying an alarming degree of equanimity about the B.C. Lottery Corp.’s privacy botch. Elizabeth Denham spoke with reporters after the full scope of the PlayNow disaster had become apparent. Her overall tone was a little too understanding about the pitfalls of starting up an online gambling empire and a little light on the outrage. The commissioner sounded a touch too laid back about the lottery corporation’s troubles, given what’s come to light so far. She said she was pleased with its response to the crisis so far and credited the Crown corporation with being responsible in how it handled the problem. She said her role now is to monitor the repair job and the redress to clients. Her general attitude seemed to be that there are always risks in doing things online and these things happen. She’s probably right. But it would be a bit more comforting to see some bite. What about using the powers invested in her office to march into the lottery corporation and get to the bottom of this mess? What about launching a full-scale investigation or audit? [Source]


CA – BCLC Admits Privacy Breach At Playnow.Com

The British Columbia government’s online gambling site was shut down because of a privacy breach, B.C. Lottery Corp. officials confirmed in a news release. Company officials said that when the site was relaunched as the first government-sanctioned online casino in North America, 134 accounts were left exposed and open to any other player to access. Twelve of the accounts had “a measure of sensitive personal information viewed by another player,” officials added, giving no further details. All players who were affected by the breach have been contacted, officials said. “The bottom line is (BCLC) was not prepared to go online,” he said. “Whether they were not prepared with enough technology, underestimated the number of users, or did not expect to get attacked . . . they just underestimated what they were doing.” In the Tuesday news release, BCLC said the site will be restored “when a solution is implemented that meets the highest levels of player protection and receives third party approval and regulatory certification.” [Source]




UK – Web Users Unlikely to Pay for Content: Survey

The majority of internet users in the UK are not ready to pay for content, according to a survey carried out by bean counting firm KPMG as part of its annual “Consumers and Convergence” report. The research showed that more than four fifths of UK web users would switch allegiance to another site if a free website they frequently use started to charge for content. Surprisingly, the UK fares fairly badly when it comes to the propensity to pay for online content, although nearly 75% of those questioned said that they wouldn’t mind seeing online ads if this meant cheaper subscriptions. Furthermore, 48% of users would allow their personal data to be monitored, even though concerns about individuals’ privacy have come into the limelight lately and despite the fact that 90% of UK respondents were worried about online security and their own privacy. The poll, which was carried out amongst more than 5,600 people in 22 countries, revealed that 43% of people are willing to pay for content that they often access, a share that rises to almost six out of ten in the Asia-Pacific region. [Source]


US – Consumers and Marketers have Differing Privacy Expectations: Study

A recently released study shows that when it comes to new technology, consumers have higher privacy expectations than marketers and most often prefer an opt-in method for collecting personal information. The University of Massachusetts Amherst study looked at cookies, RFID, text messaging, pop-up ads, telemarketing, spam, biometrics and loyalty cards. This is the first study to directly compare the privacy expectations of consumers and marketers. The researchers also discovered that many consumers don’t understand the tools used by online companies and marketers and don’t know how much, or how often, detailed information is gathered about them. [Source]


UK – Consumer Regulator Outlines Plans to Protect Online Shoppers

UK consumers still need to be educated about online shopping to prevent them falling victim to scams and problems, consumer protection regulator the Office of Fair Trading (OFT) has said. The OFT has published plans to improve the protections available for consumers when they are shopping online. It does not recommend the creation of new laws or regulations, but has said that consumers must be better educated; that Government guidance for companies must be improved; and that companies and enforcement agencies should work more closely together. The OFT has published a document setting out its approach to e-consumer protection at the request of the Government. It wants its strategy to come into force by the end of 2010 and responses to the consultation are due before 13 October. [OUT-LAW News] [The strategy]


UK – DMA Updates Code of Practice with New Rules on Children’s Data

Companies engaged in direct marketing to consumers must not use the internet to gather data about children under 12 and must be able to back up any green claims they make, according to a new code of practice for the industry. The Direct Marketing Association has published a new version of its Code of Practice, the set of rules governing members’ activities. Though the Code has no legal status, members of the DMA must abide by it according to the Association’s rules. The Code advises companies not to collect personal information from children under 12 without parental consent or information about other people from children under 16. The previous Code contained different age cut-offs for online and offline activities, a distinction that has been abolished in the new Code. The guidance on children’s data brings the Code into line with rules set by the Committee of Advertising Practice (CAP), which sets the rules governing advertising in the UK and recently published its own revised guidance. The new version of the Code is the DMA’s fourth since the creation of the Code in 1992 and updates the trade body’s rules in the light of changes in legislation since the third edition. [OUT-LAW News] [The Code] [Hear: Collecting children’s data, OUT-LAW Radio]




US – Stronger Privacy Provisions Needed for Electronic Records: Opinion

Attorney Marty Robins addresses concerns about the privacy and security of electronic medical records (EMRs). Though the private sector customarily employs firewalls, encryption and intrusion detection protocols, Robins says the government largely ignores security in its EMR regulations, only “strongly encouraging” encryption. “It is difficult to see how the public can be confident that their records will be handled properly when there is no explanation of the steps taken to make this true,” Robins writes. He urges the administration “to publicly commit to and make a high priority the development and use of only state of the art technology and practices...” Center for Democracy & Technology health privacy expert Deven McGraw said, “The HIPAA security rule allows providers some flexibility with respect to implementing certain specific safeguards like encryption. The risk of this approach is that it doesn’t allow for us to confidently say to the public that a strong baseline of protections exists for electronic health information. It’s hard to reassure the public with that level of uncertainty.” [Huffington Post editorial]


EU Developments


UK – United Kingdom Guidelines for Protection of Privacy Online

In pursuance of its duty to promote good practice under the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) has published a new Code which contains numerous “do’s and don’ts” for the processing of personal data gathered online. This includes information such as names, addresses and contact details, as well as information gathered about an individual using cookies or IP addresses. Whilst the Code itself is not legally enforceable, and compliance with it is therefore not mandatory, data controllers are well advised to follow the Code wherever possible in order to avoid falling foul of the provisions of the DPA. A summary of the main guidance it provides is as follows:

- Do not be secretive or misleading when you collect personal data. People will not trust you and will go somewhere else.

- Do be clear about the purposes for which you use or disclose personal data, and do not change these purposes without consent once the data has been collected.

- Do not collect personal data you don’t need, or collect it too early in the process. People do not like organisations that collect too much information about them.

- Do not keep records about people that are inaccurate or out of date. Everyone expects their information to be correct.

- Do not keep personal information for longer than you need to in a personally identifiable form. People do not like too much information being retained about them.

- Respect individuals’ rights over the information you hold about them; for example, do not deny them access to their personal data.

- Make sure you have adequate security and maintain responsibility for the personal data you collect. Everyone expects their information to be looked after properly.

- Ensure the personal data you are responsible for is protected properly if it is transferred overseas, for example when using cloud computing.

And finally, remember that the provisions of the DPA apply to the “processing” of “personal data”. “Processing” is very broad in scope, and includes everything that happens to personal data that is collected online. “Personal data” is information which relates to a living individual who can be identified from that data. [Source]


EU – EU Outlines Principles to Govern Future Data Sharing

The European Commission has published a set of principles it says will guide it when formulating future policy on the sharing of personal information. It has also outlined all existing EU rules which order the sharing of data. Individuals’ rights to privacy will be central to the development of any new EU rules, the Commission said. When a new policy has an impact on these rights it said that it will explain what that impact is and why it is necessary. The Commission has listed all the ‘instruments’ – systems, schemes, co-operation agreements and EU directives – which order the collection or transmission of personal data. It lists the purpose of each as well as an assessment of how useful it is. The Commission said that it would examine all the rules and schemes that mandate data collection and assess which of them need to be reviewed and when. [OUT-LAW News]


EU – Data Transfers: Privacy Chiefs’ FAQ on New Model Clauses

A committee of Europe’s data protection watchdogs has published advice on how companies can use new model contract clauses regulating the transfer of personal data outside the EU. The Article 29 Working Party has published a ‘frequently asked questions’ guide to the new clauses, which were published in February and came into effect in May. The rules ensure that the first company outside of the EU to which the data is sent remains responsible for its security, even if it sub-contracts some functions to other companies. The Working Party’s advice clarifies that the model clauses do not apply when the first transfer of data happens to a company inside the EU, but outlines ways in which companies could clarify responsibility for data in those circumstances. The advice also covers the degree to which consent for sub-processing should be general or specific; and in what circumstances new agreements and clauses need to be made. See: [OUT-LAW News] [The advice] [Model clauses for transferring personal data overseas: the May 2010 changes, an OUT-LAW guide]


EU – EU Plans to Limit Its Use of Private Personal Data

The war on terror won’t become a war on privacy, the European Commission says. The European Union is to impose stricter rules on its own use of private citizens’ data for all future anti-terrorism measures. The European Commission currently oversees a large number of mechanisms designed to combat crime, in particular terrorist activity. The vast majority of these instruments involve the collection, storage or exchange of personal data for law enforcement or migration management. “Citizens should have the right to know what personal data are kept and exchanged about them,” said Cecilia Malmström, E.U. Commissioner for Home Affairs, announcing the new rules on Tuesday. All future policy proposals will be assessed for their expected impact on individuals’ rights and their proposers must prove that the initiatives are necessary, proportionate and safeguard fundamental rights. There must also be a clear allocation of responsibilities, as well as structured review procedures. Compliance with these rules on personal data protection will be subject to control by an independent authority at national or E.U. level. [Source]


UK – UK Headed for Data Breach Disclosure Law Within Four Years

A law forcing all organisations to publicly declare data breaches is expected to be in place in the UK within four years. According to lawyers at law firm Field Fisher Waterhouse (FFW), legislation requiring organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data will be introduced across Europe. The Information Commissioner’s Office (ICO) powers to fine companies up to £500,000 for serious breaches of the Data Protection Act, which the ICO gained in April this year, are also discouraging companies from owning up to data breaches. “Voluntary notification falls down substantially if the company feels that they will put their head in the noose through this behaviour.” Room, however, supported the idea of an uncapped fine once a mandatory data breach notification law is in place. The roundtable event coincided with the release of the ICO’s annual report, which found there has been a 30% increase in data protection complaints and requests for information over the past year. [Source]


IR – Commissioner Investigates Insurance Industry Database

The Office of the Data Protection Commissioner is investigating insurance companies’ use of an industry-wide database, which may breach data protection laws. The database, which companies lawfully use to post the personal details of people who make an official insurance claim, includes data on customers who have consulted an insurer but never made an official claim, which is not permitted under the law. The commissioner’s office is also concerned about unregulated access to the database, the report states. Deputy Data Commissioner Gary Davis said the investigation, the office’s largest undertaking yet, was initiated following a large number of audits that gave the office “cause for concern.” [The Irish Times]


WW – Cars and Fax Machines on the At-Risk List

Used cars and fax machines have become information resources for identity thieves. The technology built into newer-model cars has the ability to store personal information such as Bluetooth contacts, garage door codes and more, and consumers aren’t necessarily removing that information prior to reselling their vehicles. Brian Cooley of CNET said, “Here’s the car you traded in, sitting on the used car lot. The garage door is programmed into the garage door opener, and your home address can be programmed into the GPS system. That’s a perfect, pre-made kit for a garage burglary.” Meanwhile, thermal transfer fax machines, which contain an imprint of all their fax transmissions (possibly including sensitive information), are being tossed, at times without destroying the data they hold. The FTC is currently investigating similar concerns with data storage on copy machines. [CNET]


Facts & Stats


CA – PIPEDA for Business Video Released

The Office of the Privacy Commissioner of Canada has created a new video for small businesses and organizations, “PIPEDA for Business: What You Need to Know About Protecting Your Customers’ Privacy.” You can view it on the OPC’s web site or on YouTube. [Source]


US – Verizon’s Data Breach Investigation Report

According to Verizon’s Data Breach Investigation Report from the Verizon Business RISK Team, 70 percent of breaches were committed by outsiders. The report comprises information from 57 private investigations conducted by Verizon in 2009 as well as from 84 cases the US Secret Service investigated in 2009. In more than a third of the breaches, cyber criminals used stolen login credentials, accounting for 86 percent of compromised records. In many cases, cyber thieves relied on configuration errors instead of security vulnerabilities to steal data. Internet Storm Center: [VerizonBusiness] [Krebs] [USAToday] [Register] [ComputerWorld]




IN – Indonesia Finds Banning Pornography Is Difficult

Last month, the country’s information minister, Tifatul Sembiring, said that local service providers would have to start blocking online pornography by the Muslim fasting month of Ramadan, which starts Aug. 11. That deadline is fast approaching, and Mr. Riyadi says he still has no idea how he is going to put a filter in place. Mr. Sembiring has won plaudits for pledging to curb online pornography in this Muslim-majority democracy of 240 million people, and for following regional peers like China, Thailand and Singapore into the fraught world of Internet screening. But the problem, Mr. Riyadi says, is that the minister’s plan is really no plan at all. No official decree has been issued, no list of banned sites has been published and no details have surfaced on who will pay for monitoring and screening of Web sites. The minister has, however, threatened the roughly 230 Internet service providers in Indonesia with closure if they fail to block pornographic sites for the country’s 40 million Internet users. [New York Times]




US – Homeland Security Sends Information Requests to Advisers

For at least a year, the Homeland Security Department detoured hundreds of requests for federal records to senior political advisers for highly unusual scrutiny, probing for information about the requesters and delaying disclosures deemed too politically sensitive, according to nearly 1,000 pages of internal e-mails. The department abandoned the practice after AP investigated. Inspectors from the department’s Office of Inspector General quietly conducted interviews last week to determine whether political advisers acted improperly. The Freedom of Information Act, the main tool forcing the government to be more open, is designed to be insulated from political considerations. Anyone who seeks information through the law is supposed to get it unless disclosure would hurt national security, violate personal privacy or expose confidential decision-making in certain areas. But in July 2009, Homeland Security introduced a directive requiring a range of information to be vetted by political appointees for “awareness purposes,” no matter who requested it. The government estimated fewer than 500 requests underwent such political scrutiny; the Homeland Security Department received about 103,000 total requests for information last fiscal year. [Source]


US – Court Rules Privacy Advocate Can List Private Information

A federal court of appeals has upheld a privacy advocate’s right to post online public records that contain personal information, including Social Security numbers. Betty “BJ” Ostergren, founder of the Web site, posted the records to illustrate how easy it is for the public to access sensitive information. Many of the documents are public land records that contain unredacted Social Security numbers of elected officials. “Ms. Ostergren’s most powerful advocacy weapon has been to demonstrate to the public how bad a job the government is doing to protect our online privacy rights,” said Kent Willis, executive director of the ACLU of Virginia, which is representing Ostergren. “The government responded, but by trying to silence Ms. Ostergren. That’s hardly the answer any of us want to see, and besides, it violates the constitutional right of free speech.” “When a state seeks to punish a speaker for republishing state-published information, the state should be expected, in the words of a contemporary colloquialism, not simply to talk the talk, but to walk the walk, as well,” Judge Allyson Duncan wrote in the opinion. One person has pleaded guilty to using the Web site to obtain false credit cards. [Source]


UK – Scottish Government Outlines Proposed Extension to FOI Laws

The Scottish Government has asked the public and business to consider how far freedom of information (FOI) laws should be extended. The Government plans to ensure that organisations and companies that carry out public functions make information available to the public in the same way that public authorities do. Many activities previously carried out by public bodies are now conducted by companies under contract or by new organisations set up as trusts at arms-length from councils. “Many local authorities have outsourced [leisure, sport and cultural services] to such trusts and bodies,” said the Scottish Government’s statement. “An unintended consequence is that the public lose their rights to access information about those services from the local authority itself. These organisations deliver services of major public benefit, and receive significant public money.” It has launched a consultation on its decision, it said, because it did not want to burden private organisations with further regulation unless it was necessary. [OUT-LAW News] [The consultation]


Horror Stories


WW – Researcher Releases Facebook Profile Data

A security researcher has released a file containing the names, profile addresses and unique identification numbers of more than 100 million Facebook users. The information was corralled via a public directory Facebook makes available that lists users who are sharing at least some of their profile information with everyone on the Internet. It was collected and uploaded by Ron Bowes, a security researcher with Skull Security. Although the information in the 2.8-gigabyte file is freely available online through search engines and Facebook’s own directory, the organized list of names and identification numbers in it could make it easier for others to compile users’ e-mail addresses, location or other data they have made available. Facebook issued a statement via e-mail noting that the list of users’ names is not a threat to those who are comfortable sharing publicly: [The New York Times]


NZ – New Zealand Pizza Chain Suffers Data Breach

The personal information of as many as 230,000 New Zealanders, including a handful of celebrities, has been compromised following the theft of information from the database of a popular pizza chain. The compromised data include names and physical and email addresses, but no credit card information. The celebrity information was released by the attackers as proof of their exploit. [NetworkWorld] [NZHerald]


US – Massachusetts Hospital Backup Files Lost

Missing backup files contain personally identifiable information of about 800,000 people. Most were treated as patients at South Shore Hospital in Weymouth, Massachusetts between January 1, 1996 and January 6, 2010. In addition to patients, the files contain information about employees, physicians, volunteers, donors, vendors and partners. The compromised data include Social Security numbers (SSNs), diagnoses and treatments, and financial account information. The files were sent to a data management company to be destroyed, but only some of the files were received and ultimately destroyed. The hospital will begin notifying affected individuals soon. [SCMagazine] [eWeek] [BostonChannel]


US – Lawsuit Filed Over Flash Memory Cookie Resurrection

A lawsuit filed in federal court on Tuesday, July 27, 2010 alleges that a number of popular websites violated federal law by using Adobe Flash storage to recreate cookies that users had deleted. A company called Quantcast developed the technology that resurrected deleted cookies as part of an effort to accurately track web traffic. When Quantcast became aware of the inadvertent side effect of the technology last year, the company fixed the issue so the technology would no longer recreate cookies. Users can delete regular cookies with relative ease, but Flash cookies are more difficult to remove. [Wired] [BBC]



Identity Issues


US – Privacy Implications of Cyber Attack Attribution Technology

In testimony at a US House of Representatives Science and Technology Committee’s Subcommittee on Technology and Innovation hearing on cyber attack attribution, experts on cyber security and privacy say that efforts to identify those behind cyber attacks are likely to violate privacy rights. Some voiced concerns that new technologies could be abused by oppressive governments to identify those perceived as enemies. Proposed technologies that would assign Internet identifiers may not be legal in the US, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). [ComputerWorld] [GovInfoSecurity]


Internet / WWW


WW – Google Complies With Laws to Satisfy China

China is satisfied that U.S. Internet giant Google is complying with Chinese laws after it tweaked the way it directs users to an unfiltered search page, a senior official said. The comments from a Ministry of Industry and Information official largely echoed previous Chinese statements, but are still likely to be seen as good news for the company as Beijing has been coy about its long-term future in China. Google is also in the process of ending its partnership with Chinese community site Tianya, in which it owns a stake, the firm said in a blog post. “As it was announced earlier this year, this week we will be ending technical co-operation with Tianya on Tianya Come and Tianya Questions,” Google said in its official Chinese language blog. Google bought the stake in August 2007. Google is trying to achieve the delicate balance of ending self-censorship of searches while holding onto its business foothold in a country where control of information has been key to ensuring the Communist Party’s decades in power. Google’s market share in China continued to slip in the second quarter, falling to 27.3 per cent from 29.5 per cent in the first, according to data from research firm iResearch. [Source]


WW – Google Obtains Government Security Clearance for Cloud Services

Google has obtained security clearance to sell its cloud computing services to the US federal government. The clearance given to Google Apps for Government does not apply to classified government data. Google is hopeful now that it has obtained clearance for federal government use, government agencies at the state and local levels will also consider using its products. The clearance marks the first time the US government has given approval for the use of online software. [LATimes] [MSNBC] [Register]


US – Google, CIA Invest in ‘Future’ of Web Monitoring

The investment arms of the CIA and Google are both backing a company that monitors the web in real time - and says it uses that information to predict the future. The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents - both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.” The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event. [Source]


WW – Apps Privacy

Lookout Inc., a mobile-phone security firm, scanned nearly 300,000 free applications for Apple Inc.’s iPhone and phones built around Google Inc.’s Android software. It found that many of them secretly pull sensitive data off users’ phones and ship them off to third parties without notification. The data can include full details about users’ contacts, their pictures, text messages and Internet and search histories. The third parties can include advertisers and companies that analyze data on users. “We found that not only users, but developers as well, don’t know what’s happening in their apps, even in their own apps, which is fascinating,” said John Hering, CEO of the San Francisco-based Lookout. Part of the problem is that smart phones don’t alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations. [Source] See also: [US: Citi Discloses Security Flaw in Its iPhone App]


Law Enforcement


EU – EU Information Sharing Systems

The European Commission has presented an overview of existing EU instruments regulating the collection, storage or exchange of personal data for the purpose of law enforcement or migration management. The communication clarifies the main purposes of these instruments, their structure, the types of personal data they cover, the list of authorities that have access to such data and the provisions governing data protection and retention. Cecilia Malmström, EU Commissioner for Home Affairs stated: ‘Citizens should have the right to know what personal data are kept and exchanged about them. One of my first actions as Commissioner for Home Affairs was, therefore, to order this overview, as called for by the European Parliament. I am happy to be able to present the overview today, together with a series of core principles for how our policy should develop in this area. This will help us keep the bigger picture in mind as we come to review the existing tools and adapt to change over time.’ Principles will guide the possible future development of instruments for data collection, storage or exchange, and cover issues such as fundamental rights, proportionality and accurate risk management as well as clear allocation of responsibilities, cost effectiveness and reviewing clauses. Safeguarding people’s fundamental rights as enshrined in the EU Charter of Fundamental Rights, particularly their right to privacy and personal data protection, will be a primary concern for the Commission when developing new proposals that involve processing of personal data. In all future policy proposals, the Commission will assess the initiative’s expected impact on individuals’ rights and analyse whether it is necessary and proportionate. Compliance with the rules on personal data protection will in all cases be subject to control by an independent authority at national or EU level. 
Future proposals will include, where appropriate, an annual reporting obligation, periodic and ad hoc reviews, as well as a sunset clause. Existing instruments will be maintained only if they continue to serve the legitimate purpose for which they were designed. [Source] [Overview]


NZ – Police Breach Privacy by Giving Out Criminal Record

A 51-year-old Pacific Island man has been awarded $6000 after police handed a list of his criminal record to the lawyer of his former partner. The Human Rights Review Tribunal ruled that in handing over the charge sheet, police breached the man’s privacy. The tribunal heard in Auckland that the man was involved in a Family Court proceeding involving access to his 14 month-old daughter in December 2008. The mother’s lawyer had written to police asking for details of any domestic violence relating to the man. But according to the tribunal, police provided much more besides. They included a complete list of relatively minor criminal matters with which the man had been charged even though all but four had occurred more than nine years earlier and in some cases the offences were more than 17 years old. In addition many had ended when the proceedings were discontinued, dismissed for want of prosecution, withdrawn, or after the plaintiff had been convicted but then discharged. [Source] [Growing Number of Prosecutions for Videotaping the Police]


CA – Tweeting Vacation Plans Can Lead to Burglary, Police Warn

Police in Toronto and Saanich, B.C. are warning people not to post their summer holiday plans on Facebook and Twitter, out of concern that would-be thieves are watching and waiting for the perfect opportunity to strike. “Don’t say exactly that you are not going to be at your house or your residence from a certain time,” said Toronto police Constable Scott Mills. “You are telling somebody who might be watching your house it is an opportunity to go in.” The advice from the Saanich police is similar. “It’s just not wise to advertise you are going away,” said Sergeant Dean Jantzen. “Some people have 2,000 friends.... you post you are going to Mexico for two weeks and you can’t have possibly vetted 2,000 different people.” [Source] See also: [People’s tweets crankiest on Thursdays, study finds]




US – Apple Lays out Location Collection Policies

Responding to questions from U.S. lawmakers about what kind of location data it collects, Apple said it gathers location information from some users every 12 hours. In a 13-page reply to questions posed by Representative Ed Markey from Massachusetts and Congressman Joe Barton from Texas, Apple said it collects GPS data daily from iPhones running OS 3.2 or iOS 4. The phones collect the GPS data and encrypt it before sending it back to Apple every 12 hours via Wi-Fi. Attached to the GPS data is a random identification number generated by the phone every 24 hours. The information is not associated with a particular customer, Apple said. Apple uses the data to analyze traffic patterns and density, it said. Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS. Apple similarly collects information about nearby cell towers and Wi-Fi networks. In older versions of the iPhone, Apple relies on databases maintained by Google and Skyhook Wireless to provide location-based services, it said. But starting with OS 3.2, Apple began using its own database. Apple also collects diagnostic information from randomly selected iPhones. It asks for consent first. If a user approves, Apple may collect information like the location of the phone at the beginning and the end of a call, to see if dropped calls happen often in a particular spot, for example, it said. [Source]


Online Privacy


WW – White House Proposal Would Ease FBI Access to Records of Internet Activity

The Obama administration is seeking to make it easier for the FBI to compel companies to turn over records of an individual’s Internet activity without a court order if agents deem the information relevant to a terrorism or intelligence investigation. The administration wants to add just four words – “electronic communication transactional records” – to a list of items that the law says the FBI may demand without a judge’s approval. Government lawyers say this category of information includes the addresses to which an Internet user sends e-mail; the times and dates e-mail was sent and received; and possibly a user’s browser history. It does not include, the lawyers hasten to point out, the “content” of e-mail or other Internet communication. [Washington Post] [FBI access to e-mail and web records raises fears] [FBI and Department of Justice join forces, investigate Wikileaks]


WW – Microsoft Quashed Effort to Boost Online Privacy

In early 2008, Microsoft Corp.’s product planners for the Internet Explorer 8.0 browser intended to give users a simple, effective way to avoid being tracked online. They wanted to design the software to automatically thwart common tracking tools, unless a user deliberately switched to settings affording less privacy. That triggered heated debate inside Microsoft. As the leading maker of Web browsers, the gateway software to the Internet, Microsoft must balance conflicting interests: helping people surf the Web with its browser to keep their mouse clicks private, and helping advertisers who want to see those clicks. In the end, the product planners lost a key part of the debate. The winners: executives who argued that giving automatic privacy to consumers would make it tougher for Microsoft to profit from selling online ads. Microsoft built its browser so that users must deliberately turn on privacy settings every time they start up the software. [Wall Street Journal]


US – FTC Proposes Do-Not-Track Mechanism

FTC Chairman Jon Leibowitz surprised many industry watchers last week when he told the Senate that the commission might recommend a do-not-track mechanism for behavioural targeting. He elaborated that the system could take the form of a browser plug-in, and that either the FTC or a private group could oversee it; beyond that, further details will have to wait until the FTC issues a report later this year about online privacy. [Source]


US – Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

A wide swath of the net’s top websites, including MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd, were sued in federal court last week on grounds they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users. At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These “zombie” cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately. The lawsuit, filed in U.S. district court in Central California, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a “pattern of covert online surveillance” and seeks status as a class action lawsuit. The lawsuit was filed by Joseph Malley, a privacy activist lawyer who also played key roles in other high profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program and a settlement with Netflix after the company gave imperfectly anonymized data to contestants in a movie recommendation contest. The case number is 10-CV-5484, U.S. District Court for the Northern District of California. [Source]


Other Jurisdictions


AU – New Privacy Commissioner Appointed

Timothy Pilgrim has been appointed to a five-year term as Australia’s new privacy commissioner. Sen. Joe Ludwig announced the appointment in a press release issued Thursday. Pilgrim, who has been deputy privacy commissioner since 1998, replaces former commissioner Karen Curtis, whose six-year term expired this month. Ludwig praised Curtis for her significant contributions to privacy in Australia and said that Pilgrim’s “experience and operational knowledge of the office will be of great assistance when the office transitions to form part of the new Office of the Australian Information Commissioner, which will open its doors on November 1, 2010.” Ludwig also announced the appointments of Barbara Robertson, Michael Kidd and Joan Sheedy as part-time members of the Privacy Advisory Committee. [Media Release]


HK – Postal Staff Stamp on Privacy Chief

Pressure is mounting on the Hong Kong government to revoke the appointment of incoming privacy commissioner Allan Chiang Yam-wang - with legislators, human rights groups and a postal workers’ union slamming the choice. Around 30 members of the Union of Hongkong Post Office Employees protested in Central against the choice of Chiang - postmaster general from 2003 to 2006 and due to take up his new post next week. They accused him of not being sufficiently aware of privacy protection needs. [Source]


Privacy (US)


US – Ohio Court Dismisses Joe the Plumber’s Suit

A federal court in Ohio has dismissed a lawsuit brought forward by Samuel J. Wurzelbacher, aka “Joe the Plumber,” that claimed former Buckeye State employees violated his privacy by accessing his personal information in state records. The suit named former Department of Job and Family Services Director Helen Jones-Kelley, alleging she allowed employees to conduct database checks of Wurzelbacher for no legitimate purpose. In dismissing the suit, the U.S. District Court in Columbus said that the privacy claims did not amount to constitutional violations, the report states. [Associated Press]


WW – Google Android Apps Reportedly Stealing Data

Dozens of wallpaper apps being sold for Google Android devices have been found to be gathering personal information and sending it back to the apps’ developers. Google has suspended one of the applications, which appears to send collected data to a server in China, while it investigates the situation. The application is called Jackeey Wallpaper and contains stolen copyrighted content. The issue underscores the importance of downloading applications only from known and trusted sources. [Source] [SFGate]


US – White House Seeks to Add Internet Activity to List of Info Demanded With NSLs

The White House is seeking to add language to a list of items the FBI can demand without a judge’s approval. The new language would allow FBI field offices to issue national security letters compelling companies to turn over records of individuals’ Internet activity. The information would include addresses to which email was sent, the time and date of sent and received email, and browsing history. The content of email messages would not be included. Officials say the change will eliminate ambiguity; privacy advocates see it as a continuation of the stripping away of privacy through national security letters. The letters may be issued by FBI field offices on their own authority and require that the entity to which they are issued not only supply the information requested, but keep the request a secret. [Wash Post] [NYTimes]


US – Second Pennsylvania High School Student Files Suit Over Webcam

A second Lower Merion (Pennsylvania) High School student has filed a lawsuit against the school district, its board of directors, the superintendent and two school employees alleging a civil rights violation for the misuse of a laptop computer theft tracking program. In February 2010, the family of a student filed a lawsuit after the school used a remote webcam program to take pictures of him in his own home. Administrators alleged that the student was taking pills, but his family said he was eating candy. The district had the program installed on the laptops issued to its high school students to use if the computers were lost or stolen. However, in the more recent case, a student reported his computer missing. When it was found and returned to him, the webcam feature was not turned off, resulting in pictures of him being taken in his own home as well. The program also takes screen shots from the computer. [Wired] [Wired]


US – Rite Aid Settles FTC Case

Rite Aid Corp. agreed to pay $1 million to settle potential violations of government privacy rules after regulators said it failed to protect customers’ and employees’ financial and medical information. The drug-store chain’s agreement with the FTC requires the company to establish an information-security program and obtain a third-party audit of its compliance to that effect every two years for the next 20 years. The FTC investigated the company after news reports surfaced of Rite Aid using open dumpsters to discard trash containing items such as pharmacy labels and job applications. Meanwhile, HHS also began investigating the disposal of health information protected under the Health Insurance Portability and Accountability Act, or HIPAA. [The Wall Street Journal]


US – States Seek Details About Google Data Collection Code

A coalition of 38 US states working together to investigate Google’s wireless data gathering is asking the company for the names of the engineers who wrote the code. Earlier this year, Google acknowledged that a program created to gather information for its Street View feature inadvertently collected snippets of personal information from unprotected wireless networks. The states in the coalition also want to know if Google tested the code before using it actively. The group also wants to know where Google collected the data and what has been done with the stored information. [BBC] [Register]


Privacy Enhancing Technologies (PETs)


EU – World’s First Pirate ISP Launches In Sweden

The Swedish Pirate Party, who are at the forefront of anti-copyright lobbying in Sweden, are planning to shake up the country’s ISP market. After taking over the supply of bandwidth to The Pirate Bay, Piratpartiet will now partner in the launch of Pirate ISP, a new broadband service that will offer anonymity to customers and provide financial support to the Party. To defend the rights of BitTorrent users worldwide, the Swedish Pirate Party volunteered to provide bandwidth to The Pirate Bay after previous hosts got into legal trouble in May. At the beginning of July, the Pirate Party surprised again. Not only would they be The Pirate Bay’s new host, but they would use Parliamentary immunity to run the site from inside the Swedish Parliament. Now the Party have made another interesting announcement. Together with technology partners, they will enter the broadband market with Pirate ISP, a new service designed to deliver consumer Internet in line with the Pirate Party’s ideals. [Source]




WW – Bad Guys Could Read RFID Passports at 217 Feet, Maybe a Lot More

Radio frequency ID tags embedded in U.S. passports can be read hundreds of feet away, potentially making it inexpensive and easy to pick American tourists out of crowds for illicit purposes, a demonstration at Black Hat 2010 showed. Using off-the-shelf gear he bought in stores and on eBay for less than $2,500, researcher Chris Paget pieced together a system that he says has read the tags at 217 feet, but he believes the same apparatus set up under better conditions could read them at 1,000 feet. The same RFID chips are used in Canadian passports and in New York State drivers’ licenses, he says. They are also used for inventory control at Wal-Mart. Paget says he is uncertain what personal data is included on the chips, but at the very least it would be possible to figure out, based on batch numbers gleaned from these devices, who issued the IDs and hence where the holder is from. The U.S. government says the chips contain all the information printed on the passport, including a digital copy of the photo. [Source]


US – Wal-Mart to Track Clothing With RFID Tags

Wal-Mart is planning to test the placement of RFID tags on individual clothes beginning in August. Once in place, Wal-Mart workers will then be able to use a hand-held scanner to check what size clothing may need to be restocked on the floor shelves as well as to keep an eye on a store’s backroom clothing inventory, which, the WSJ story implies, is susceptible to employee theft. Wal-Mart believes that the ability to compare its on-the-floor inventory to its back room inventory will be the beginning of a transformation of its business. The WSJ goes on to say that if the RFID test is successful, Wal-Mart will roll the system out to all of its 3,750+ stores. Privacy advocates are wary of the plan, and are insisting that RFID tags be removed from the clothing upon their sale so they cannot be tracked outside of a store, which Wal-Mart says it intends to do. Advocates also worry that Wal-Mart’s hand-held scanners may be able to pick up information from customers who have embedded RFID chips in their driver’s licenses, which New York and Washington State already use and many other states will likely have in the next few years. A more “troubling” issue may be that the information on the RFID tags could be combined with a customer’s credit card information to create an even more detailed profile of that customer. The WSJ reports that many other US store chains such as J.C. Penney and Bloomingdale’s are experimenting with placing RFID tags on clothing, as have several European retailers. [Wall Street Journal]




WW – Privacy Breaches in the Clouds? Blame the Customer

When it comes to computing in the cloud, the default contract from many major cloud providers puts the onus for any privacy problems on the customer—even if the provider is at fault for the breach. “You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract,” warns Tanya Forsheit, CIPP, of Info Law Group. “You should ask them what kind of privacy and security controls they have, whether they’ll let you audit their security and what they will agree to in regards to liability. When it comes to cloud computing, it’s better to be safe than sorry regarding both the legal and technical issues.” [SFGate]


WW – Internal Threats Double As Attackers Shift Strategy

While cyberthreats from external sources are still the dominant vector, criminals have begun shifting tactics and more often are partnering with rogue insiders, according to a report released this week from Verizon Business and the U.S. Secret Service. As a result, data thieves, mostly going after credit card numbers, are becoming less reliant on software vulnerabilities as an attack vector. The “2010 Data Breach Investigations Report,” which takes into account more than 900 breaches and 900 million compromised records probed by Verizon and the Secret Service last year, found that 69% of data-loss incidents were linked to outsiders, while 49% were caused by insiders. But the percentage of breaches attributed to outsiders has dropped 9% since last year’s study, while breaches caused by threats originating from within an organization more than doubled. Overall, 48% of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes. In addition, 90% of insider threat cases resulted from deliberate malicious activity, while just six percent each were caused by unintentional activity or inappropriate conduct. A majority of internal breaches were caused by regular employees, as opposed to accounting personnel, system administrators or upper management, who traditionally have more access rights to sensitive data. 51% of insider threat cases involved regular employees or end-users, while 12% involved both accounting staff and system administrators. Upper management caused 7% of insider incidents. [Source]


US – FBI Rings Organizers Over Defcon Contest

A Defcon contest that invites contestants to trick employees at U.S. corporations into revealing not-so-sensitive data has rattled some nerves. Contest organizers have been called by the U.S. Federal Bureau of Investigation and seen warnings issued by security groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group that provides information on security threats affecting the banking industry. Over the next three days participants will try their best to unearth data from an undisclosed list of about 30 U.S. companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees. [Source]


Smart Cards


HK – Hong Kong’s Cashless-Payment Operator Under Fire

The operator of a Hong Kong cashless payment system has come under fire after it reversed itself and admitted to selling the personal data of nearly two million customers to business partners, sparking public demands for better regulation of how personal information is handled. Late Monday, Octopus Holdings Ltd. said it earned about 44 million Hong Kong dollars (US$5.7 million) over 4½ years from the sharing of personal information with six companies for marketing purposes. Earlier, the private company denied any such sale took place. A Hong Kong privacy law regulates how such data should be collected and used, but it doesn’t forbid sharing it with third-party companies. At issue is whether Octopus acquired genuine consent from its clients to share their data, and whether more personal data was shared than necessary. [Source]


HK – Octopus Company to Review Privacy Issues

The Octopus Card Company has admitted that it had shared personal details of its 2.4 million card holders with two partner companies involved in a reward scheme. It’s now set up a special committee to review its handling of customers’ personal information. The company’s Chief Executive Officer, Prudence Chan, said its partners will be told to keep all customer data strictly confidential. [Source]




US – Washington Post In-Depth Report: Top-Secret America

In the wake of the September 11 attacks, the US created a world of top-secret organizations “so large, so unwieldy and so secretive that no one knows ... exactly how many agencies do the same work,” according to a two-year investigation by the Washington Post. Although just a few people within the US Defense Department are designated Super-Users, meaning they are permitted to know about all activities within the department, one of them noted, “I’m not going to live long enough to be briefed on everything.” Because there is no process to coordinate all the counterterrorism, intelligence and related efforts, there is also no way to determine if the efforts are making the country any safer. This is the first in a series of articles. [WashingtonPost] [WashingtonPost]


AU – Go Cards Used for Police Work

Queensland police are tracking public transport passenger journeys using electronic fare Go Cards to investigate crime. Police can use Go Card journey information because they have an exemption to the Information Privacy Act. A TransLink spokesman, Andrew Berkman, said commuters should not be worried about their privacy if they register their Go Cards. “We’ve had 46 requests in the past 12 months.” “Probably less than one a week, and that’s against 75 million trips taken on Go Cards, it’s a fairly low percentage there.” He said most of the police requests to use the Go Card records were to help find missing people or locate lost or stolen cards. Chief superintendent Mike Condon said strict circumstances govern police access to the data. Australian Council for Civil Liberties president Terry O’Gorman told AAP he’s angry commuters were not told police would have access to Go Card data when the system was introduced. “People identified by the Go Card data can be forced by police by subpoena or ... the CMC to become witnesses against their will,” he said. [Source]


CA – Crime Cameras Should Go, Says Alberta Privacy Czar

Declining crime rates should prompt cities like Calgary to consider switching off surveillance cameras in public places, Alberta’s privacy commissioner said. Responding to figures released by Statistics Canada this week, privacy commissioner Frank Work said people shouldn’t be so quick to accept the intrusion of surveillance cameras in public places. “The barbarians aren’t loose in the streets – maybe we can afford to be a bit more skeptical,” Work said. Using what it calls a “crime severity index,” Statistics Canada reported violent and serious crime declined in Calgary during 2009 and are the lowest of any city in Western Canada. [Source]


Telecom / TV


US – FBI Backs Record-Keeping on Prepaid Cell Phones

FBI Director Robert Mueller has endorsed anti-terrorism legislation that would require prepaid cell-phone sellers to keep records of buyers’ identities. The bill sponsored by Sens. Charles Schumer, D-N.Y., and John Cornyn, R-Texas, would require purchasers to present identification at the point of sale. At a Senate Judiciary Committee hearing, Mueller said the bureau would be very supportive of such a reporting requirement and that it would be essential to the success of investigations. [Source]


US Government Programs


US – Cyberspace Policy Review Progress Report

The White House has issued a progress report on what has been done to improve the nation’s cyber security in the 14 months following the release of the Cyberspace Policy Review. Among the accomplishments listed are new guidance from the Office of Management and Budget (OMB) regarding revised compliance with the Federal Information Security Management Act (FISMA); the appointment of a Cybersecurity Coordinator; and the creation of a Cybersecurity Directorate. [ComputerWorld]


US – Senators Introduce 2010 Data Security Act

US Senators Tom Carper (D-Delaware) and Bob Bennett (R-Utah) have reintroduced data protection legislation that would take precedence over current state laws governing data protection and breach notification. The legislation was originally introduced in 2007, but failed to pass. The 2010 Data Security Act would require public and private entities to protect personal data they hold and to notify individuals if the security of their information is compromised. Two other bills that address data privacy and breach notification - the Data Breach Notification Act introduced in January 2009 and the Personal Data Privacy and Security Act introduced in July 2009 - have already cleared the Senate Judiciary Committee and will be considered by the full Senate. [NextGov]


US – Former NSA Exec Tried to Voice Concerns Before Talking to Reporter

Former National Security Agency (NSA) executive Thomas A. Drake fruitlessly pursued several sanctioned paths to address his concerns about the exorbitant cost and neglect of privacy concerns in a new data mining tool before deciding to approach a journalist. Drake was concerned that the NSA was planning to replace a data mining system known as ThinThread with one called Trailblazer. ThinThread protected privacy by encrypting identifying information; only when there was ample evidence to justify a warrant would the information be decrypted. Trailblazer did not have the same privacy protection in place and cost ten times more. Thwarted at each turn, Drake at last turned to Baltimore Sun journalist Siobhan Gorman and gave her documents that supported his case. Drake is presently awaiting trial for mishandling classified information and obstruction of justice. He could face up to 35 years in prison. [Wash Post] [Wired]
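The ThinThread design as the item describes it (identifying information encrypted at collection, decrypted only once a warrant is justified) can be modelled in a few lines. This is an added illustration, not ThinThread's code or design, and Escrow, Seal, Unseal and Warrant are constructed names; it pairs an HMAC pseudonym, so analysts can correlate records without ever holding the identity, with AES-GCM sealing that only the separately held key opens, and only for the pseudonym a warrant names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Escrow (constructed model) keeps both keys away from the analysis system:
// tokenKey derives pseudonyms, encKey seals the real identifier.
type Escrow struct{ encKey, tokenKey []byte }

func NewEscrow() *Escrow {
	k := make([]byte, 64) // two fresh 32-byte keys
	rand.Read(k)
	return &Escrow{encKey: k[:32], tokenKey: k[32:]}
}

func (e *Escrow) aead() cipher.AEAD {
	block, _ := aes.NewCipher(e.encKey) // 32-byte key selects AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal runs at ingest: the identifier becomes a deterministic HMAC pseudonym plus an AES-GCM ciphertext (nonce || ct).
func (e *Escrow) Seal(identity string) (token string, sealed []byte) {
	mac := hmac.New(sha256.New, e.tokenKey)
	mac.Write([]byte(identity))
	gcm := e.aead()
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return hex.EncodeToString(mac.Sum(nil)), gcm.Seal(nonce, nonce, []byte(identity), nil)
}

// Warrant: a non-nil value stands for an authorization whose judicial signature has already been verified (constructed).
type Warrant struct{ Token string }

// Unseal refuses unless a warrant names exactly this pseudonym; analysts request it by token, never by identity.
func (e *Escrow) Unseal(token string, sealed []byte, w *Warrant) (string, error) {
	if w == nil || w.Token != token {
		return "", errors.New("decryption refused: no warrant covering this pseudonym")
	}
	gcm := e.aead()
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	return string(pt), err
}
```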


US Legislation


US – Rush Introduces Opt Out/In Privacy/Notification Bill

A House bill was introduced that would require companies to get Web surfers’ permission to collect sensitive information--health, finances--or share less sensitive (but still personal) information with third parties. It would require an opt-out regime for other personal information collection. Sensitive information that would trigger opt-in would also include race or ethnicity and Social Security numbers. The bill, dubbed the “Best Practices Act,” was introduced by Rep. Bobby Rush (D-Ill.), chairman of the House Commerce Subcommittee on Commerce, Trade, and Consumer Protection. The Subcommittee has scheduled a July 22 hearing on the bill, as well as a draft of a similar bill introduced by Reps. Rick Boucher (D-Va.), chairman of the Communications Subcommittee, and Communications Subcommittee ranking member Cliff Stearns (R-Fla.). According to a briefing memo on the bill, its creation was prompted by, among other things, changes to Facebook privacy settings and the collection of data from WiFi networks by Google Street View cars. “The purpose of this bill is to foster transparency about the commercial use of personal information and provide consumers with meaningful choices about the collection, use, and disclosure of such information,” says the memo. The bill would require companies to provide “concise, meaningful, timely, prominent, and easy-to-understand notice to users about their privacy policies,” including what information is being collected and why. Among the criticisms of current online privacy policies is that they are buried inside lengthy statements. The FTC would be charged with coming up with templates for the kind of notice companies would have to provide of their data collection policies. And while the FTC’s expedited rulemaking authority was excised from the Financial Services bill before it passed, this bill would reinstate it, at least for online privacy. 
“The bill grants enforcement authority to FTC and the states, including civil penalty authority, and grants FTC streamlined rulemaking authority to implement the bill,” according to the memo. Scheduled to testify at the hearing are David Vladeck, director of the FTC Bureau of Consumer Protection; Ed Mierzwinski, consumer program director, U.S. PIRG; Leslie Harris, president, Center for Democracy and Technology; David Hoffman, Global Privacy Officer, Intel Corporation; and Ira Rubinstein, adjunct professor, New York University School of Law. [Source]


US – Tech Firms Warn Privacy Bill Will Harm Economy

A new 55-page privacy bill introduced in the U.S. Congress this week would have serious unintended consequences and could even harm the nation’s economy unless its Democratic sponsor rewrites it, Internet industry representatives warned. The proposed “Best Practices Act,” introduced by Rep. Bobby Rush of Illinois, slaps fines of up to $5 million on businesses and even some individuals unless they abide by a complex set of new regulations to be administered by the FTC. That legislation “would turn the Internet from a fast-moving information highway to a slow-moving toll-road,” Michael Zaneis, vice president of public policy at the Interactive Advertising Bureau, told Rush’s committee on Thursday. “Such a move would hinder, not facilitate e-commerce.” The group’s board members include representatives of Google, Facebook, Microsoft, AOL, Comcast, Fox Interactive, and CBS Interactive, which publishes CNET. Zaneis took pains to compliment some portions of the legislation (H.R. 5777) drafted by Rush, the chairman of a House consumer protection subcommittee. But, Zaneis added, “our industry is a major component of the national economy,” and burdensome regulations would retard its growth and cause economic harm. Rush’s legislation is called the Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act, or Best Practices Act of 2010. [Source]


US – Proposed Animal Abuser Registry

New York State currently has a bill pending, A10387, that would create central and county registries for convicted animal abusers “guilty of violence, torture, mutilation, intentional killings, bestiality and animal fighting as well as neglect and hoarding.” Abusers would be photographed and fingerprinted, have relevant personal data entered, and would need to re-register annually for 15 years. The county sheriff’s office would “contact every residence, school, humane society, animal shelter and any other business within a half mile radius of the animal abuser’s residence or location” and provide the abuser’s information (excepting social security number), which “shall be made available to the public” for the 15-year period. “An animal abuser who intentionally or knowingly fails to comply…or provides false information…is guilty of a felony,” punishable by up to four years. [Full article]


Workplace Privacy


CA – Prison Staff Win Legal Case After Personal Info Leaked to Inmates

A group of federal prison guards has won a landmark legal case against the government of Canada after an employee list with home phone numbers, addresses and names of spouses circulated through the penitentiary housing dangerous psychopaths and sociopaths. Up to 400 staff of Ontario’s Joyceville Institution - from correctional officers right up to the warden - will receive a financial award for the breach of privacy that left many worried for their personal safety. The tentative settlement, which also requires the Correctional Service of Canada to impose safeguards to better protect employee privacy and security, will go before a Kingston court Aug. 23 for formal approval. [Source]