Privacy News Highlights

01–11 June 2010



CA – Privacy Commissioner Releases 2009 PIPEDA Report
CA – Privacy Commissioner Awards $500,000 to 13 Privacy Research Projects
CA – Anonymous Web Posters Sometimes Protected
CA – Canadian Profs Warn Privacy Laws Don’t Reach Cyberspace
CA – Saskatchewan Gov’t Considering Breach Disclosures
UK – Advocates: Businesses “Spying” for Online Complaints
CA – Anti-Plagiarism Program Turnitin Coming to Ontario High Schools
CA – Toronto: Councillors Going to Court in Bid for Access to Database
CA – FISA: New Anti-Spam Bill Introduced
CA – Telus Launches Health Space Service for Patients’ Medical Files Online
AU – Government Amends Healthcare Identifiers Bill
AU – No Strong Safeguards in HI Bill, Says Australian Privacy Foundation
EU – EU Close to U.S. Data Deal
EU – Europe Warns Search Companies Over Data Retention
EU – Declaration Would Store Web Inquiries for Two Years
UK – ICO Does Not Plan to Make Breach Reporting Mandatory
UK – Loss of Unencrypted USB Drive = Violation of Data Protection Act, Says ICO
EU – Hustinx: Privacy Should Be Default in “Smart” Environment
UK – NHS Tops ICO’s List of Breach Reports
CA – Privacy Czar Finds Breaches at Mortgage Brokers
US – Colorado E-Retail Law Rankles Privacy Advocates
US – How Paid-Off Loans Can Haunt You
US – PlainsCapital Bank and Hillary Machinery Settle Suit Over Security Breach and Theft
CA – PM Nominates Legault as Information Commissioner
CA – Canadian Newspaper Association Finds FOI Under Pressure in Ontario
US – Customers Receive Wrong DNA Results
AR – Adoptees Balk at DNA Testing
US – Google Balks at Turning Over Private Internet Data to Regulators
HK – Google Ceases Using Street View Mapping Cars in Hong Kong
WW – Third-Party Audit of Google Street View Data Collection Practices Released
US – Cyber Thieves Stole $644,000 from NY Dept. of Education
US – Bank of America Employee Pleads Guilty to Bank Fraud
CA – Class Action Filed Over Infant Blood Samples
US – California Hospitals Fined for Data Breaches
US – Lawmakers Seek Prepaid Cell Crackdown, Cite Terror
CA – Copyright Bill Makes it Easier to Target Illegal File-Sharing
UK – Communications Regulator Publishes Draft Anti-Piracy Code for ISPs
US – Judge Questions Validity of Copyright Suits Naming Thousands of John Does
AU – Cyber Security Code for Australian ISPs
AU – AG Considers Requiring ISPs to Record Browsing Histories
CA – Modelling Cloud Computing Architecture Without Compromising Privacy: Paper
UK – Met Lab Claims ‘Biggest Breakthrough Since Watergate’
CA – BC Utility Not Made to Reveal Customer Records to Police
WW – Firefox Has New Plans for Third-Party Cookies
WW – Yahoo to Turn Subscribers’ E-Mail Contact Lists Into Social Networking Base
IR – Code on Data Breaches Published
US – TRUSTe Receives $12 Million
AU – Calls for Privacy Reform Follow Facebook Brothel Threat
US – Appeals Court Upholds Ruling Denying Damages in Data Exposure Case
US – FTC Holds Hearings on COPPA
US – Report: Education Needed to Protect Kids Online
US – FTC Says No to COPPA Safe Harbor Proposal
WW – Microsoft Researchers Propose Privacy Sensor ‘Widget’
US – Cyber Chief Warns of Network Sabotage; Defines Need for Continuous Monitoring
WW – Open Source Could Mean an Open Door for Hackers
US – AT&T Bug Discloses iPad Owners’ E-Mail Addresses
US – Physical and IT Security Integration Tied to Better Risk Management
UK – Google Accused of Deliberate Snooping by Privacy Watchdog
CA – Canada Launches Investigation into Google Wi-Fi Data Gathering
US – FTC Reaches Settlement with Spyware Purveyor
US – Legislators to Re-Examine Communications Act and Role of FCC in Broadband
WW – Smartphones are Smarter Than You Are
US – Judge Disallows Evidence Gathered From Laptop Six Months After Seizure
US – Judge Limits DHS Warrantless Laptop Searches
US – New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010
US – CA Senate Passes Bill to Protect Drivers’ Data
US – CDT Recommends Rewrite for Boucher Bill
CA – Air France Tapes Must Stay Secret, Canada Board Says

CA – Privacy Commissioner Releases 2009 PIPEDA Report

For the Office of the Privacy Commissioner (OPC), “2009 was a watershed year,” Commissioner Jennifer Stoddart writes in her report to parliament on PIPEDA. “The dominant theme of our work in 2009 was the protection of privacy in an increasingly online, borderless world,” she notes. The report, which was submitted to parliament Tuesday, highlights such key issues as the “exponential growth” in technology-based investigations. Stoddart notes that while the OPC has been able to apply PIPEDA to tools and business models that did not exist when it came into force, it is essential to review privacy laws and administrative structures to ensure they keep pace with technology. “It is increasingly clear that if data protection authorities want to remain relevant,” she writes, “the online world is where they need to be.” [Source]


CA – Privacy Commissioner Awards $500,000 to 13 Privacy Research Projects

Privacy Commissioner Stoddart announced the recipients of her Office’s 2010-11 Contributions Program, which funds privacy research and public education initiatives. This year, the OPC will make available $500,000 to fund 13 research and public education initiatives. Subject areas funded include:

§ Targeted online advertising
§ Data-sharing between governments and commercial organizations through national security programs at the border and at airports
§ Video surveillance in public spaces by commercial organizations
§ Privacy implications of patient websites, online health record databases and other “Health 2.0” tools

This year’s projects involve research initiatives that focus on the Office’s 4 key privacy priority areas: national security, identity integrity and protection, information technology, and genetic privacy. [Full list of successful recipients and their projects from 2010-11] [Office of the Privacy Commissioner of Canada]


Project title: A Privacy Protective “Proportionate ID Digital Wallet” for Canadians: Open Prototyping and Public Policy Alternatives

Project description: Researchers at the University of Toronto propose to demonstrate the value of a digital device (mobile wallet) as a privacy-protective alternative to current identification. They propose a digital wallet device that supports selective disclosure along with verification of the party requesting the identity information. The architecture is based on U-Prove technology from Credentica. They plan to: develop scenarios for everyday use; survey related work in this domain; create digital wallet prototypes (using a fabrication workshop and Arduino technology); hold workshops and forums on this topic to engage with stakeholders; and disseminate the results through video, the web, and research papers.


Project title: “Smart” Private Eyes in Public Places? Video Surveillance Analytics, New Privacy Threats and Protective Alternatives

Project description: University of Toronto researchers propose to examine the use of video analytics (“smart” processing) in the area of video surveillance. The research will review state-of-the-art video analytics technologies and assess a privacy protection scheme developed in the university’s laboratory. Researchers also plan to survey businesses in the Toronto area that are using video surveillance, and to assess compliance with PIPEDA for video records that should be available under the Individual Access Principle. The results will be shared in a report and public forum.


Project title: Incorporating Privacy into the Smart Grid

Project description: Researchers at Ryerson University, Ted Rogers School of Management propose to provide greater understanding of the privacy implications of Smart Grid initiatives in Canada, through in-depth interviews with utility executives and privacy regulators. Questions will focus on how personal information is collected and disclosed by utilities, and whether the personal information handling practices (currently in use and proposed) are compliant with PIPEDA. [Source]


CA – Anonymous Web Posters Sometimes Protected

On May 3, 2010, an Ontario Divisional Court appeal decision addressed the issue of whether a website operator should be required to produce information that could identify individuals who posted allegedly defamatory comments on that website. The decision made clear that Canadian courts will order the release of information to identify anonymous posters - but only if certain tests are met first. The court relied on the Sony BMG v. Doe case, where the Canadian Recording Industry Association tried to get the names of online music file sharers. After taking into account five factors cited in that case, the Ontario Divisional Court unanimously held that although the motions judge was alert to the need to take the privacy interests of the unknown alleged wrongdoers into account, the need to consider the interest in freedom of expression was not raised by the parties or considered by the motions judge. The court ruled that judges must consider the following factors in deciding whether information on anonymous posters should be revealed in defamation cases:

1. Whether the unknown alleged wrongdoer could have a reasonable expectation of anonymity in the particular circumstances;
2. Whether the plaintiff has established a case against the unknown alleged wrongdoer and is acting in good faith;
3. Whether the plaintiff has taken reasonable steps to identify the anonymous party and has been unable to do so; and
4. Whether the public interest favouring disclosure outweighs the legitimate interests of freedom of expression and the right to privacy of the persons sought to be identified if the disclosure is ordered.

The Court allowed the appeal and sent it back for re-consideration. [Today’s Business Law]


CA – Canadian Profs Warn Privacy Laws Don’t Reach Cyberspace

The proliferation of online college and university course offerings is raising concerns about privacy, a pair of Nova Scotia educators warn. A paper presented at the 2010 Congress for the Humanities and Social Sciences suggests Canada’s PIPEDA is neither specific nor stringent enough to protect Canadians online. It’s also difficult to enforce Canadian privacy laws in cases where local institutions store data on servers located in other countries - an increasingly common practice. University privacy policies are also inadequate, Young said. “The whole problem with the online world is the policies really can’t keep pace with the technology,” he said. “Technology advances so quickly that the policies lag behind almost instantly.” The researchers said students and institutions need to understand that privacy may be expected, but it should never be assumed, even if sites are password-protected. And because data stored online are essentially there forever, it’s difficult to delete erroneous information, they said. [Source] See also: [Geist: Security Breach Disclosure Bill Has Bark But No Bite]


CA – Saskatchewan Gov’t Considering Breach Disclosures

The Saskatchewan government is considering the mandatory disclosure of privacy breaches. The announcement follows recent high-profile incidents involving data breaches at government entities. Justice Minister Don Morgan said disclosure is optimal for “any kind of significant breach,” adding, “I think it would be beneficial for the government to try and develop a practice as to what kind of information would be released when there is a breach.” Saskatchewan Privacy Commissioner Gary Dickson has also supported the idea. Without a disclosure system for privacy breaches, he said, “there’s really a lack of data showing how often it happens.” [The StarPhoenix]




UK – Advocates: Businesses “Spying” for Online Complaints

Privacy advocates are concerned about UK companies tracking conversations on social networking sites to monitor customer comments and then contacting complainants with solutions. Critics are saying those unsolicited calls could breach data protection laws, while business executives maintain that the information being gathered is not private. “These are all discussions that can be seen by anyone on the Web,” said Warren Buckley of BT. “I would liken it to someone having a conversation in a pub - it’s just a very big pub.” Simon Davies of Privacy International offered a different perspective, calling the practice “nothing short of outright spying... It may not be illegal but it is morally wrong. And it is unlikely to stop there.” [Daily Mail]


CA – Anti-Plagiarism Program Turnitin Coming to Ontario High Schools

Controversial plagiarism detector Turnitin, which has been the subject of privacy concerns at Canadian universities in the past, is coming to Ontario high schools this fall. The Oakland-based creator of the system, iParadigms, said in a statement that the Ontario Ministry of Education has licensed Turnitin for use in all public and First Nations secondary schools in the province, effective Sept. 1, 2010. Turnitin works by scanning and comparing student assignments against a database to determine how much of the text is original. This database is built on past student essays, as well as other sources from the Internet and various journals and books. However, students at Canadian universities such as Ryerson University have railed against the software, saying it violates their copyright by keeping their assignments in a database for profit. Mount Saint Vincent University in Halifax was the first Canadian school to ban the software in 2006. As well, students have expressed privacy concerns as essays and assignments are stored on U.S.-based servers, making them vulnerable to the U.S. Patriot Act. Ryerson University currently allows students to opt out of Turnitin, but they are required to set up alternative arrangements with their professor. [Canwest News Service]




CA – Toronto: Councillors Going to Court in Bid for Access to Database

A trio of city councillors is going to court seeking access to a computerized database of information. The city’s clerk, solicitor and two high-profile lawyers all argue councillors have no right to the system, which contains information subject to municipal freedom of information and protection of privacy legislation. The three insist the city’s 44 councillors need access to the database, which contains information on everything from permit applications to bylaw infraction investigations, in order to do their job. But councillor Doug Holyday, head of the city’s audit committee, says their protracted and pricey quest for information is becoming an unnecessary drain on taxpayer resources. [Source] [Details of controversial P.E.I. immigrant program will remain private]




CA – FISA: New Anti-Spam Bill Introduced

The Canadian government introduced Bill C-28, the “Fighting Internet and Wireless Spam Act” or FISA. It is essentially the same as the “Electronic Commerce Protection Act” that was proposed previously. [Industry Canada news release] [Bill C-28] It targets the sending of what we would typically call spam, or unwanted commercial email, as well as spyware and phishing. The bill essentially defines spam as a commercial message sent via email, IM, phone, or similar method. Sending spam is prohibited unless the recipient has consented and the message contains certain prescribed information identifying the sender and how to unsubscribe. It goes on to describe several exceptions, such as providing requested information, warranty or product recall information, or where there is a specifically defined “existing business relationship”. [Source]


Electronic Records


CA – Telus Launches Health Space Service for Patients’ Medical Files Online

Telus has announced a new consumer electronic health service that will give patients instant online access to all their medical files. Taking a leaf from social networking, the new platform will let patients and their health care providers input and share information in a high-security, high-bandwidth online database. Telus’s new health space, which is being piloted with 750 Telus employees and will initially be available for health organizations and companies, is the first international deployment of Microsoft’s HealthVault platform. It’s launching with 12 partners and sponsors, including the Heart and Stroke Foundation, MedicAlert, Sunnybrook Health Service, Juvenile Diabetes Research Foundation, the Asthma Society of Canada, the Canadian Diabetes Association, the Canadian Mental Health Association, Shepell-fgi and others in the health field. The service is expected to be available for individual consumers by the end of this year. [Vancouver Sun] See also: [When Patients Meet Online, Are There Side Effects?] and also: [Dr. Gordon Atherley Opinion article in The Medical Post: EHRs pose an ethical trap for physicians]


AU – Government Amends Healthcare Identifiers Bill

The federal government has amended its Healthcare Identifiers Bill to address privacy and data security concerns. The bill would see the storage of all Australians’ health records in a national database and has been controversial due to what some have described as a lack of data protection considerations. The new amendments are designed to address those concerns. The bill now includes a right-of-review provision and streamlined requirements around monitoring for unauthorized access to healthcare records, the report states. Health and ageing minister Nicola Roxon said the amendments will make the legislation safer and more secure. [Computerworld]


AU – No Strong Safeguards in HI Bill, Says Australian Privacy Foundation

The Healthcare Identifiers Bill will allow health authorities to link every piece of a person’s medical information to a single number, without strong safeguards against deliberate or accidental abuse, the nation’s peak privacy body warns. “Amid all the fuss about networked privacy problems, consumers can’t afford to overlook the bill currently before the Senate,” says Australian Privacy Foundation health spokeswoman Juanita Fernando. “The bill authorises health services and workers to index all of your health information - and to use and disclose it, whether you want them to or not. Have you ever used medication for a mild bout of depression, taken Viagra or had an STD? Sensitive information like this is already accidentally exposed all too often. Can you imagine the damage to our health as patients start to distrust the confidentiality of their medical records and become more reluctant to be frank about their symptoms?” “There is a better alternative,” Dr Fernando said. “There are far safer ‘federated’ e-health systems working now in Western Australia, Victoria and Queensland. These get the balance between convenience, clinical needs, privacy and security about right.” [Source] See also: [University Health Network Notifies Information and Privacy Commissioner (IPC) of stolen laptop with patient information]


EU Developments


EU – EU Close to U.S. Data Deal

The European Union said it is close to a five-year accord with Washington on financial-data sharing in antiterrorist investigations, stressing the deal will satisfy privacy concerns that led the European Parliament to void a previous draft. EU Interior Affairs Commissioner Cecilia Malmstrom said the new agreement contained far better privacy safeguards. If the European Union assembly approves it, it could take effect within weeks as the successor to a secret program launched after the Sept. 11, 2001, terror attacks that gave U.S. authorities access to European financial data by skirting Europe’s strict privacy rules. News of the program broke in 2006, angering EU legislators. The new draft “contains significantly stronger data protection guarantees,” Ms. Malmstrom told a news conference. In response to privacy concerns in the European Parliament, she said, U.S. authorities must delete or rectify inaccurate data and grant legal redress in American courts if data are abused. The European police organization Europol would verify if U.S. requests for data are needed “for the fight against terrorism and its financing” before data are released, she said. The agreement would have tougher rules on transferring data to third countries and ban U.S. law-enforcement agencies from randomly searching financial data without cause. “Access to individual data has to be related to an ongoing investigation on terrorism,” said Ms. Malmstrom. Ms. Malmstrom left unchanged a five-year period for retaining bank data. She said U.S. officials persuaded her that was a reasonable period for the purpose of tracking terrorists. [Source] UPDATE: [Bank Data Deal Coming Undone: Swiss parliament votes to shield UBS data from U.S.]


EU – Europe Warns Search Companies Over Data Retention

Google, Microsoft and Yahoo are retaining detailed search engine data for too long and not making it sufficiently anonymous later, in violation of European law, the EU’s data protection advisory body has warned. The three companies received letters Wednesday from the Article 29 Data Protection Working Party, which oversees data protection issues in the EU. The working party is calling for the companies to use an outside auditor to verify whether search engine data is being adequately scrubbed. The working party has also sent a letter to the U.S. Federal Trade Commission asking whether the companies’ practices are in conflict with the Federal Trade Commission Act, which deals with unfair and deceptive practices. [Source]


EU – Declaration Would Store Web Inquiries for Two Years

Civil liberty groups and some MEPs are calling an EU plan to store Web search inquiries for up to two years an intrusion into citizens’ privacy. Written Declaration 29 aims to serve as an early warning system to stop paedophiles. It would extend the Data Retention Directive—which allows EU member states to monitor and store personal e-mails and other Web activity for up to two years—to all Web search engines. “MEPs should have a serious re-think before supporting this declaration which would open up even more of citizens’ personal data to monitoring and abuse.” [Daily Mail]


UK – ICO Does Not Plan to Make Breach Reporting Mandatory

The UK’s Information Commissioner’s Office (ICO) will not require organizations to report data breaches, despite the Irish Data Protection Commissioner’s plan to seek mandatory breach reporting in that country. The ICO expects that organizations will report breaches to it as part of their best practices, but has no plans to make this mandatory. At a conference in April, Deputy UK Information Commissioner David Smith noted that companies in the telecoms industry may have to report breaches concerning personal data of customers following the review of the European Privacy and Electronic Communications Directive, which is due to come into effect sometime in 2011. [Source] [ICO’s Fining Power Unused So Far]


UK – Loss of Unencrypted USB Drive = Violation of Data Protection Act, Says ICO

The UK Information Commissioner’s Office (ICO) has found a Welsh medical practice to be in violation of the Data Protection Act. A staff member at Lampeter Medical Practice downloaded unencrypted patient data to a USB drive; the device was then sent to the Health Boards Business Service Centre by post in March 2010, but the package never arrived. Downloading unencrypted data onto a removable storage device violates the practice’s data security policy. The head of the practice has agreed to implement safeguards to ensure that a similar incident will not happen again. All mobile devices, including laptops, will be encrypted and staff members will be re-educated about the data security policy. The breach affected 8,000 patients. [Source]


EU – Hustinx: Privacy Should Be Default in “Smart” Environment

Clear rules are needed to mitigate risks posed by a world of ubiquitous smart tags, according to European Data Protection Supervisor Peter Hustinx. At the annual Internet of Things conference, Hustinx said that smart objects such as appliances equipped with metering technology and geo-enabled devices must have data protection built in. Hustinx also stressed that privacy should be the default in the “smart” environment, and he called for more accountability on the part of manufacturers and vendors. “Controllers should be more in control,” Hustinx said. “This is happening in the financial sector, on environmental issues and it should also be the case in the context of data protection.” [Source]



Facts & Stats


UK – NHS Tops ICO’s List of Breach Reports

According to statistics from the Information Commissioner’s Office (ICO), the UK’s National Health Service (NHS) has reported 305 data security breaches since November 2007. During the same period, the private sector reported 288 breaches, local government reported 132 breaches, and central government reported 81 breaches. The most frequent cause of NHS breaches was hardware theft, which accounted for 116 incidents, followed by hardware loss, which accounted for 87 incidents. There were also 43 instances in which NHS information was disclosed improperly, 17 instances in which data were lost in transit, and 13 instances of improper technology disposal. In all, more than 1,000 data breaches have been reported to the ICO. In April the ICO was granted the authority to impose fines of up to GBP 500,000 (US $730,000) for serious data breaches. [Kable] [ZDNet] [ICO report | Spreadsheet]




CA – Privacy Czar Finds Breaches at Mortgage Brokers

The personal financial information of thousands of consumers across Canada has been seriously compromised because of lax security at several Greater Toronto Area mortgage brokerages, says the federal privacy commissioner. Stoddart said she launched an investigation into the brokerages after they reported 14 suspicious breaches in the space of a few months in 2008. According to the commissioner, thieves posing as legitimate mortgage agents were able to obtain employment at the brokerages. The “fraudulent agent” then gained access to hundreds of credit reports through an internal web-based credit reporting system. [Source]


US – Colorado E-Retail Law Rankles Privacy Advocates

Internet Evolution reports on a bill passed by the Colorado legislature that would require all online retailers to furnish the state’s tax authorities with a list of residents who have purchased goods. The state wants the information in order to collect sales and use taxes. Critics of the legislation say that in addition to creating an “administrative burden” for online retailers, the requirement would violate the privacy of Coloradans. “Many customers would not be comfortable with the government having that detail of their online purchases,” Jerry Cerasale of the Direct Marketing Association suggests. [Source]


US – How Paid-Off Loans Can Haunt You

Loan data may be retained for decades after loans are paid off, and according to California-based Privacy Rights Clearinghouse, breaches of more than 354 million records of personal data have occurred in the past five years alone. Advocates believe it is “nearly impossible to trace just how much naked loan data is out there and who may have access to it,” The Wall Street Journal reports, cautioning, “it should never be assumed that data is deleted.” Even when the Federal Trade Commission’s Red Flags Rule goes into effect, the problems will remain, the report states, as the digital footprints we leave travel beyond financial institutions to include everything from automotive dealers to medical offices. [Source]


US – PlainsCapital Bank and Hillary Machinery Settle Suit Over Security Breach and Theft

An unusual case regarding unauthorized funds transfers from a Texas bank has been settled. Cyber thieves made more than US $800,000 in fraudulent transfers from the PlainsCapital Bank account of Plano-based Hillary Machinery. About US $600,000 was recovered, and Hillary asked that the bank repay the balance. Hillary also wrote a letter to the bank saying that the theft occurred because PlainsCapital did not take adequate security precautions. The bank then sued Hillary; the lawsuit sought a court declaration that the bank had taken adequate security measures. Hillary filed a countersuit, alleging that the bank did not have adequate security measures in place and that it should have noticed the transactions were anomalous. Details of the settlement have not been released. [ComputerWorld]




CA – PM Nominates Legault as Information Commissioner

Prime Minister Stephen Harper has announced the nomination of Suzanne Legault as Canada’s new information commissioner. Legault has been interim information commissioner of Canada for the past year and, prior to that, served as assistant information commissioner since 2007. Harper said in his announcement that Legault “brings considerable expertise in access to information and privacy protection issues to the position as well as an in-depth understanding of law and the functioning of government. I am pleased that she has agreed to be nominated for this important role.” On the same day, Legault released her office’s annual report, raising concerns about the CBC and other agencies “stonewalling” access to information requests. [Source]


CA – Canadian Newspaper Association Finds FOI Under Pressure in Ontario

Not only are federal institutions processing their FOI requests at a slower rate than their provincial and municipal counterparts, but Ontario’s government departments have an increased tendency to charge a retrieval fee for information that should be public. Those are some of the findings of the Canadian Newspaper Association’s annual Freedom of Information Audit, released in May. The audit was led by Fred Vallance-Jones of King’s College Halifax’s School of Journalism. In late December 2009, students sent a total of 315 requests to 11 federal departments and crown corporations, 39 municipalities, departments and ministries of 10 provinces and the Yukon, and 10 universities. “Ontario is the likeliest jurisdiction to charge a fee for what is public information,” says John Hinds. “Freedom of information should not be seen as a cost driver. Freedom of Information is an important indicator of transparency, and fees charged to retrieve that information negate both the intent and the spirit of Freedom of Information.” [The National Freedom of Information Audit 2009-2010] [Source] [Canadian Newspaper Association]




US – Customers Receive Wrong DNA Results

23andMe, a company that provides genome testing by mail to its customers, has announced that “up to 96” customer samples were incorrectly processed by the company’s contracted laboratory. As a result, customers received DNA results that were not their own. Jason Kincaid says the mix-up “led to some very confused customers and will doubtless help bolster the push to increase regulation for direct-to-consumer genetic testing.” 23andMe has notified those customers affected by the mistake and said it is in the process of adding “an extra layer of safeguards to help assure that similar incidents do not occur in the future.” [TechCrunch]


AR – Adoptees Balk at DNA Testing

Argentina’s National Genetics Bank was set to begin extracting DNA yesterday from the clothing of two citizens who are alleged to have been adopted illegally during the country’s Dirty War from 1976 to 1983, the Toronto Star reports. Their DNA will be compared to that of military prisoners from that period whose babies were kidnapped by the military junta. The group The Grandmothers of the Plaza de Mayo, which has been pushing to reunite the kidnapped with their families, wants to prove the parents of Marcela and Felipe Noble Herrera adopted them illegally under these conditions. But the Noble Herreras, now in their thirties, say the grandmothers group and Argentine authorities are violating their privacy.




US – Google Balks at Turning Over Private Internet Data to Regulators

Google has balked at requests from regulators to surrender Internet data and fragments of e-mail messages that it collected from unsecured home wireless networks, saying it needed time to resolve legal issues. In Germany, Google said it was not able to fully comply with the Hamburg data protection supervisor’s deadline to hand over data the company had collected - inadvertently, it said - while roving cars were compiling its Street View photo map archive. The company implied that German privacy laws were preventing it from turning over the information, even to a government agency. The Hamburg data protection supervisor, Johannes Caspar, expressed his disappointment. Meanwhile, the privacy commissioner in Hong Kong, Roderick B. Woo, threatened unspecified sanctions after Google did not respond to his request to inspect data collected in the territory by the roving cars. Mr. Woo said Google had ignored a deadline to turn over the information. Google, based in Mountain View, Calif., has offered to destroy the data but has not allowed regulators to see and verify what it collected. Google has destroyed data collected in Denmark, Ireland and Austria at the request of local regulators. But eight other European countries - Belgium, Britain, the Czech Republic, France, Germany, Italy, Spain and Switzerland - have asked Google to retain data collected in those nations, which may be used as evidence in future legal proceedings. In the U.S., the chairman of the FTC, Jon Leibowitz, told Congress last week that his agency would look into Google’s actions. Prosecutors in Hamburg may also have difficulty bringing charges because Germany has no legal concept of corporate criminal liability. Hamburg prosecutors would have to prove that individuals working for Google deliberately broke wiretapping laws. Proving that the driver of a Street View recording vehicle had such knowledge and intent may be difficult, Mr. Börger said. “This is not going to be an easy prosecution.” [Source]


HK – Google Ceases Using Street View Mapping Cars in Hong Kong

Internet giant Google Inc. (GOOG) has ceased operating its Street View mapping cars in Hong Kong and pledged that when the cars start driving again in Hong Kong they won’t collect Wi-Fi data, the Hong Kong privacy commissioner said. The comments come after Australia said Monday police are investigating whether Google breached privacy laws in obtaining information through wireless networks for its Street View mapping service, in a sign that the recent controversy over Internet companies and the private data they handle is rippling across the globe. The independent statutory body that oversees the enforcement of privacy law in the city also said Google pledged that future Street View car operations carried out in Hong Kong will comply with Hong Kong privacy law. Google also pledged to completely delete the data in question at the direction of the commissioner and to provide the commissioner with an independent third party’s verification of the deletion, said the Commissioner. [Dow Jones Newswires]


WW – Third-Party Audit of Google Street View Data Collection Practices Released

Google has released the results of an audit conducted by independent Internet security company Stroz Friedberg. Google selected the company to review the data collection process that caused sensitive data to be inadvertently gathered by the systems used to collect images and other data for Google Street View. The report found that while Google’s data collection system does save packets collected from unencrypted wireless networks to a hard drive, the company “does not attempt to analyze or parse that data.” [Source] [Source] [Report]


Health / Medical


US – Cyber Thieves Stole $644,000 from NY Dept. of Education

Cyber thieves have targeted the New York State Department of Education, electronically draining one of the department’s bank accounts of more than US $644,000. The account, which was designated for petty cash spending, was limited to US $500 purchases, but an oversight allowed transfers of any amount. The thieves made transfers for more than three years before the scheme was detected. Officials didn’t discover the problem because they neglected to reconcile their accounts regularly. Albert Attoh was sentenced to one year in prison and ordered to pay US $270,000 in restitution for his role in the thefts. In exchange for payments, Attoh gave bank routing and account data to other people who used it to pay student loans and make purchases. [The Register]


US – Bank of America Employee Pleads Guilty to Bank Fraud

Bank of America (BofA) call center employee Brian Matty Hagen has pleaded guilty to bank fraud. Hagen admitted he stole customer information and tried to sell it. Hagen’s scheme was uncovered when he attempted to make a data sale to an undercover FBI agent. Hagen targeted only BofA accounts with balances in excess of US $100,000. Hagen was keeping track of customers’ information and hoped to exchange it for 25 percent of the profits. The information was allegedly going to be used to establish credit lines at other financial institutions. [Source] [Business Week]


CA – Class Action Filed Over Infant Blood Samples

British Columbia’s Provincial Health Services Authority is facing a class action lawsuit for its collection and use of infants’ blood samples without parental permission. A mother of two says the authority is maintaining 800,000 samples collected from babies born in BC since 1999. Her complaint states that the samples have been accessed by researchers for “unknown research and testing purposes” and that “The blood sample storage facility amounts to a legally unauthorized fully functional DNA database.” The class is seeking destruction of the samples and damages, according to the report. [Courthouse News Service]


Horror Stories


US – California Hospitals Fined for Data Breaches

The California Department of Public Health (CDPH) announced that five California hospitals have been fined a total of US $675,000 for failing to protect patient information. The largest breach involved personal data of 204 patients. The penalties were imposed under new state legislation that allows a US $25,000 penalty for each patient whose information is compromised. Once the penalties are imposed, the hospitals have 10 days to submit a correction plan to prevent breaches in the future. [Dark Reading] See also: [Privacy breaches resulted in job losses] and [Penn State University Says Additional 25,000 May Be Affected by Breach]


Identity Issues


US – Lawmakers Seek Prepaid Cell Crackdown, Cite Terror

Alarmed by the use of hard-to-track prepaid cell phones by terror suspects, New York Sen. Chuck Schumer and Texas Sen. John Cornyn have introduced legislation requiring consumers to produce identification before buying such phones. The bill has been praised by law enforcement and has bipartisan support, even as civil liberties groups have raised privacy concerns and some terror experts say it won’t deter bad behaviour. Schumer, a Democrat, and Cornyn, a Republican, are hoping to schedule hearings on the bill through the Judiciary Committee. “If law enforcement has a legitimate need to surveil, let them surveil,” Schumer told The Associated Press, adding, “you can make sure privacy is protected.” That’s not a view necessarily shared by civil liberties groups and other advocates of digital privacy, who say they have both legal and practical objections. “The Supreme Court has always upheld the principle that you have the right to speak anonymously — that the decision to identify yourself as a speaker is an aspect of speech itself,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. Tien also noted that many people, especially younger ones, regularly swap phones and SIM cards and buy used cell phones, further blurring the identity of the phones’ users and owners. “For a variety of reasons, this doesn’t sound like a ‘get off the ground’ kind of idea,” he said. Schumer disagreed, saying the identity of prepaid cell purchasers would be kept private by phone companies in the same way the identities of regular cell and landline phone owners are protected. So far, no major phone company has objected to the legislation and some say they fully embrace it. [Source]


Intellectual Property


CA – Copyright Bill Makes it Easier to Target Illegal File-Sharing

Canada’s copyright law is so outdated, it is illegal for people to copy CDs onto iPods or to record television shows to be viewed later. But all that will change if a new copyright law introduced in the House of Commons Wednesday is passed. Other than legitimizing common practices, however, the new law comes down hard on piracy, making it easier for recording companies and film studios to go after those who share files illegally. Under the proposed law, Internet service providers would be required to notify their users if they receive notice that a copyright has been infringed. The ISPs would then be required to hold on to the personal information of the infringing member, and to turn it over if a court orders them to do so. Under the current law, ISPs only notify copyright infringers on a voluntary basis. Penalties for consumer-based file-sharing will be eased under the law, which will distinguish between those who share files for commercial purposes versus those who do it for their own use. The latter category will have reduced fines. Among other changes, the law makes it illegal to circumvent digital locks - even for personal or educational purposes. Altering a DVD bought in one of five other regions, such as Europe, in order to enable it to be played on a North American DVD player would also constitute a copyright infringement - a practice that is currently legal. The new bill also relaxes many of the copyright rules for educational purposes, as part of what’s called a fair-dealing clause. For example, it will allow teachers to use copyrighted materials as part of a lesson, unless there is a digital lock. This is the second time the Conservative government has introduced changes to the copyright law. Introduced in 2008, Bill C-61 died when the government called an election. 
Clement said the new law strikes a balance between the rights of consumers and copyright holders, but renowned copyright expert Michael Geist, of the University of Ottawa, called it “regressive.” “Especially around the issue of digital locks,” Geist said, pointing to the example of book-sharing. Under the proposed law, he said, people would be able to share books for educational purposes - but not digital books, if they are protected by a digital lock. Furthermore, teachers would not be allowed to photocopy and distribute books if there is also an electronic version that is digitally locked. The Business Software Alliance, the Entertainment Software Association of Canada, and the Canadian Film and Television Production Association all welcomed the bill. [The Montreal Gazette]


UK – Communications Regulator Publishes Draft Anti-Piracy Code for ISPs

UK communications regulator Ofcom has published a 74-page draft code of practice that would require large ISPs in the UK to compile lists of customers who violate copyright laws. The ISPs would keep track of who has violated the laws and how many times they have violated the laws. Users suspected of illegal filesharing would receive three warnings before any action can be taken. Anonymized lists will be available to movie and music studios, which can then decide if they want to pursue legal action against infringers; they can seek the users’ identities with a court order. The code would initially affect only those ISPs with 400,000 or more subscribers. The code was mandated under the new Digital Economy Act that was passed earlier this year; Ofcom will take comments on the draft document through July 30, 2010. [BBC] [SC Magazine] [Guardian] [Ofcom] [Ofcom Code]


US – Judge Questions Validity of Copyright Suits Naming Thousands of John Does

A federal judge has given attorneys representing film studios until June 21 to provide a convincing argument why two lawsuits they have filed against thousands of alleged copyright infringers should not be dismissed for misjoinder. Judge Rosemary Collyer is asking the plaintiffs to explain why she should not dismiss their lawsuits under Federal Rule of Civil Procedure 20, which requires, in part, that defendants named in such a suit must all be party to the same “transaction or occurrence.” Judge Collyer’s order comes just days after the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) filed an amicus brief complaining of improper joinder in the two cases. [Ars Technica] [The Register] See also: [RIAA Seeks to Reduce LimeWire to Pulp]


Internet / WWW


AU – Cyber Security Code for Australian ISPs

The Australian government and the country’s Internet Industry Association have drafted a voluntary code of practice for Internet service providers and customers. Among other suggestions, the code recommends throttling the Internet connections of users whose computers are infected. The document includes recommendations for educating customers, detecting malicious activity, taking action against infected machines, and reporting to the Australian Federal Police and CERT Australia. Australian communications minister Stephen Conroy suggested that if ISPs did not voluntarily comply with the code, it might become mandatory. [ComputerWorld] [SecureComputing] [Text of code] See also: [National Cyber Security Awareness Week Continues]


AU – AG Considers Requiring ISPs to Record Browsing Histories

The Australian Attorney General’s Department has confirmed it is looking to the European Directive on Data Retention in considering whether ISPs should be required to log and retain customers’ Web browsing histories to provide for law enforcement access as needed. Internet Industry Association (IIA) CEO Peter Coroneos confirmed there have been preliminary discussions with the Attorney General’s Department, but the IIA has not “seen any firm proposals yet from the government.” If such a plan should come forward, he said, the IIA would “engage not only with the industry but also the community in a proper discussion.” Colin Jacobs of Electronic Frontier Australia said such a move would be “a step too far” for data retention laws. [ZDNet]


CA – Modelling Cloud Computing Architecture Without Compromising Privacy: Paper

Summary: As the Internet has evolved, we have seen the emergence of “Cloud computing.” Organizations have begun to leverage the connectivity created by the Internet to optimize the utility of computing. Ever-cheaper and more powerful processing and storage capabilities are allowing data centres to act as viable, large scale central computing hubs. Simultaneously, increasing network bandwidth and reliable yet flexible network connections make it possible for clients – both individual and enterprise – to utilize high quality services which reside solely on these remote central hubs. These services will often include data storage (and real time access) or processing (by remote software and computing resources). This possibility, however, forces clients to re-think the data protection schemes developed for the point-A-to-point-B data flow. [full paper]


Law Enforcement


UK – Met Lab Claims ‘Biggest Breakthrough Since Watergate’

Police scientists have hailed a new technique that recently played a pivotal role in securing a murder conviction as the most significant development in audio forensics since Watergate. The capability, called “electrical network frequency analysis” (ENF), is now attracting interest from the FBI and is considered the exciting new frontier in digital forensics, with power lines acting as silent witnesses to crime. In the “high profile” murder trial, which took place earlier this year, ENF meant prosecutors were able to prove that a seized voice recording that became vital to their case was authentic. Defence lawyers suggested it could have been concocted by a witness to incriminate the accused. ENF relies on frequency variations in the electricity supplied by the National Grid. Digital devices such as CCTV recorders, telephone recorders and camcorders that are plugged in to or located near the mains pick up these deviations in the power supply, which are caused by peaks and troughs in demand. At the Metropolitan Police’s digital forensics lab, scientists have created a database that has recorded these deviations once every one and a half seconds for the last five years. Over a short period they form a unique signature of the electrical frequency at that time, which research has shown is the same in London as it is in Glasgow. On receipt of recordings made by the police or public, the scientists are able to detect the variations in mains electricity occurring at the time the recording was made. This signature is extracted and automatically matched against their ENF database, which indicates when it was made. The technique can also uncover covert editing - or rule it out, as in the recent murder trial - because a spliced recording will register more than one ENF match. The Met emphasised that ENF analysis is in its infancy as a practical tool, having been used in only around five cases to date. 
Proponents are optimistic about its uses in counter-terrorism investigations, for example to establish when suspects made reconnaissance videos of their targets, or to uncover editing in propaganda videos. Dr Alan Cooper, the leader of the Met’s ENF project, said the technique is proving invaluable in serious cases, where audio and video evidence and its authenticity is often questioned. “ENF has basically been made possible by the move to digital recording,” Dr Cooper said. “The Americans are very interested. It’s fair to say this is the most significant development in the field since techniques were developed to analyse the Watergate Tapes.” The field of audio forensics was largely established as a result of the Watergate scandal. In 1973 a federal court commissioned a panel of audio engineers to investigate the infamous 18 and a half minute gap in President Nixon’s Watergate Tapes, the magnetic recordings he secretly made of his White House conversations. The probe gave rise to a range of new techniques that showed that in fact as many as nine separate sections of a vital tape had been erased. Their report went on to form the basis of audio forensics for decades. In contrast to the months of painstaking work on the Watergate Tapes, the computer power now cheaply available means the Met’s ENF lab could authenticate a month-long digital audio or video recording in 10 to 12 minutes. [Source]
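The matching step described above, as an added illustration that is not the Met’s code or the article’s: a constructed reference database of mains-frequency readings (one every 1.5 seconds, as the article states), a signature extracted from a recording, a sliding normalised-correlation search that dates the recording, and the splice check, which matches consecutive windows of the recording independently and flags any jump in the matched offsets. The random-walk frequency model, the 50 Hz nominal and the noise levels are assumptions standing in for real grid measurements.

```python
import math
import random

# The Met's database stores one mains-frequency reading every 1.5 s (from the article).
SAMPLE_PERIOD_S = 1.5


def make_reference_enf(n_samples, seed=1):
    """Constructed stand-in for a grid-frequency database: a mean-reverting
    random walk around 50 Hz (UK nominal). Real data comes from a mains probe."""
    rng = random.Random(seed)
    freq = 50.0
    readings = []
    for _ in range(n_samples):
        freq += rng.gauss(0.0, 0.01) - 0.1 * (freq - 50.0)
        readings.append(freq)
    return readings


def pearson(a, b):
    """Normalised correlation of two equal-length sequences (1.0 = identical shape)."""
    n = len(a)
    mean_a = sum(a) / n
    mean_b = sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    norm_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    norm_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return cov / (norm_a * norm_b)


def match_signature(reference, signature):
    """Slide the signature over the reference; return (best offset, score).
    The offset times SAMPLE_PERIOD_S is the recording's start time in the database."""
    best_offset, best_score = None, -2.0
    span = len(signature)
    for offset in range(len(reference) - span + 1):
        score = pearson(reference[offset:offset + span], signature)
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score


def offset_to_seconds(offset):
    return offset * SAMPLE_PERIOD_S


def find_splices(reference, recording, window):
    """Match consecutive windows of the recording independently. A continuous
    recording maps to consecutive database offsets; a jump reveals an edit."""
    offsets = []
    for start in range(0, len(recording) - window + 1, window):
        offset, _ = match_signature(reference, recording[start:start + window])
        offsets.append(offset)
    breaks = [i for i in range(1, len(offsets)) if offsets[i] != offsets[i - 1] + window]
    return offsets, breaks


def simulate_recording(reference, segments, seed=2):
    """Constructed 'extracted ENF' of a recording: reference slices plus
    measurement noise; more than one slice models a spliced recording."""
    rng = random.Random(seed)
    trace = []
    for start, stop in segments:
        trace.extend(f + rng.gauss(0.0, 0.002) for f in reference[start:stop])
    return trace


def demo():
    reference = make_reference_enf(800)                       # 20 minutes of readings
    genuine = simulate_recording(reference, [(300, 380)])     # one continuous take
    spliced = simulate_recording(reference, [(100, 180), (500, 580)])  # two takes joined
    return {
        "genuine": find_splices(reference, genuine, window=40),
        "spliced": find_splices(reference, spliced, window=40),
    }


if __name__ == "__main__":
    for name, (offsets, breaks) in demo().items():
        print(name, "starts at", offset_to_seconds(offsets[0]), "s; splice points:", breaks)
```

The genuine take yields offsets 40 apart with no breaks; the spliced one matches two widely separated places in the database, which is the "more than one ENF match" the article describes. A real implementation extracts the frequency trace from the audio first (band-pass around the mains hum and track its instantaneous frequency); that step is outside this example.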




CA – BC Utility Not Made to Reveal Customer Records to Police

BC Hydro will not be required to turn over more than a thousand homeowners’ energy consumption records to the Royal Canadian Mounted Police (RCMP). The RCMP withdrew its request for the records last week after BC Hydro fought a judge’s order to hand them over. Though RCMP didn’t specify its reason for requesting the records, it is believed they were intended to help identify marijuana grow operations, which typically require large amounts of electricity. A court affidavit expressed BC Hydro’s concern that the order could force the company to hand over records of law-abiding citizens and subject them to police investigation, the report states. [Global Toronto]




WW – Firefox Has New Plans for Third-Party Cookies

Mozilla, creator of Web browser Firefox, is updating its browser code to “dramatically change the handling of third-party cookies,” writes Jules Polonetsky, CIPP, of the U.S.-based Future of Privacy Forum. Comments from Dan Wittes of Mozilla on the company’s message board explained that third-party cookies will now only be persistent for a given session, while those who opt out of the default to accept cookies would completely disable them. “So if a user keeps their computer on and browser open, tracking across sites will continue,” Polonetsky writes, “but if a user closes their browser, tracking cookies will be deleted.” [Source]
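The behaviour Polonetsky describes, as an added simulation that is not Mozilla’s code: a cookie jar that keeps first-party cookies as set, demotes third-party cookies to session cookies (their Expires/Max-Age is ignored), and rejects third-party cookies outright when the user has opted out. The registrable-domain rule used to decide "third party" is a deliberate simplification (last two labels); browsers consult the Public Suffix List for that.

```python
from dataclasses import dataclass, field


def registrable_domain(host):
    """Simplification: treat the last two labels as the site. Real browsers use
    the Public Suffix List so that e.g. co.uk is not itself a site."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_third_party(top_level_host, request_host):
    """A request is third-party when its site differs from the page's site."""
    return registrable_domain(top_level_host) != registrable_domain(request_host)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


@dataclass
class CookieJar:
    accept_third_party: bool = True
    cookies: dict = field(default_factory=dict)   # (host, name) -> {"value", "persistent"}

    def set_cookie(self, top_level_host, request_host, header):
        """Apply the policy: returns True if the cookie was stored."""
        name, value, attrs = parse_set_cookie(header)
        third_party = is_third_party(top_level_host, request_host)
        if third_party and not self.accept_third_party:
            return False                       # user opted out: cookie refused
        persistent = "expires" in attrs or "max-age" in attrs
        if third_party:
            persistent = False                 # demoted to a session cookie
        self.cookies[(request_host, name)] = {"value": value, "persistent": persistent}
        return True

    def end_session(self):
        """Closing the browser drops every non-persistent cookie."""
        self.cookies = {k: v for k, v in self.cookies.items() if v["persistent"]}

    def names(self):
        return sorted(f"{host}:{name}" for (host, name) in self.cookies)


def demo():
    """Constructed hosts and cookies; returns the jar contents before and after closing."""
    jar = CookieJar()
    jar.set_cookie("news.example", "news.example",
                   "pref=dark; Max-Age=31536000; Path=/")
    jar.set_cookie("news.example", "ads.tracker.example",
                   "uid=abc123; Expires=Thu, 09 Jun 2011 10:00:00 GMT; Path=/")
    before = jar.names()
    jar.end_session()
    return before, jar.names()


if __name__ == "__main__":
    print(demo())
```

Within one browser session both cookies are present, so cross-site tracking continues; after `end_session()` only the first-party preference cookie survives, which is exactly the trade-off quoted in the article.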


Online Privacy


WW – Yahoo to Turn Subscribers’ E-Mail Contact Lists Into Social Networking Base

Yahoo plans to announce that it is jumping into social networking by using its massive population of e-mail subscribers as a base for sharing information on the Web. Over the next few weeks, its 280 million e-mail users will be able to exchange comments, pictures and news articles with others in their address books. The program won’t expose a user’s contact list to the public, as was done by Google through its social networking application, Buzz. But unless a user proactively opts out of the program, those Yahoo e-mail subscribers will automatically be part of a sweeping rollout of features that will incorporate the kinds of sharing done on sites such as Facebook and MySpace. The plan could spark criticism from Yahoo e-mail users, who signed up for the free service perhaps never imagining the people they e-mailed would become friends for sharing vacation videos, political causes and random thoughts throughout the day. And the move comes amid growing concern by federal lawmakers and regulators over how firms such as Facebook, Google and Microsoft have handled the privacy of Internet users. To allay privacy concerns, Yahoo said it would give users a week’s notice before launching the new features and provide a single button on the site for opting out entirely. [Source] See also: [‘I Know Where You Work’: Blogger Fired For Contacting ‘Anonymous’ Commenters]


Other Jurisdictions


IR – Code on Data Breaches Published

Theft or loss of personal data relating to more than 100 individuals would have to be reported to the Data Protection Commissioner under a draft code of practice outlined this week. Data Protection Commissioner Billy Hawkes published a draft code in response to the recent recommendations of the Data Protection Review group established by Minister for Justice Dermot Ahern “to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations”. The code provides that all instances of the loss of personal data must be reported to the commissioner where it affects more than a hundred individuals or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft. It provides for an exception to this where the data can be considered inaccessible due to proper security. In situations where 100 or fewer people are affected there will be no need to report to the commissioner’s office provided those individuals are fully informed by the organisation and no sensitive personal data or personal financial data that could be used to carry out identity theft is involved. The Data Protection Review Group recommended that the reporting obligations of those who control personal data in relation to security breaches should be set out in a statutory code of practice. It also recommended that failure to comply with the disclosure obligations could lead to prosecution by the commissioner. Where a breach needs to be reported to the commissioner’s office under the code, this must be done within two working days of the data controller becoming aware of the incident. The controller will have to provide a detailed report on the security breach, including on the amount and nature of the data that has been compromised, and will have to outline what action is being taken to limit “damage and distress”. 
The organisation or individual will also have to issue a further report on the measures being taken to prevent repetition of the security breach. The commissioner will investigate the issues surrounding the data breach and may use his legal powers to compel the data controller to take certain action to address it. [Source]


Privacy (US)


US – TRUSTe Receives $12 Million

Online privacy trustmark company TRUSTe announced today that it is receiving $12 million in funding from investors, aimed in part at new certification initiatives in social networking, mobile and advertising, according to a company release. Jeb Miller of Jafco Ventures, one of TRUSTe’s new investors, described “trust and privacy as the next big wave of online security.” According to TRUSTe CEO Chris Babel, “Recent events have shown that consumer privacy remains a hot button for usage of any online service--whether it is social tools or the purchasing of business goods.” He said the company plans to “raise the bar and broaden the scope” of its online privacy services. [Source]


AU – Calls for Privacy Reform Follow Facebook Brothel Threat

Civil libertarians have called for privacy laws to be updated in the wake of threats to post photos of men entering a Queensland brothel on a social networking website. The Facebook group ‘Busted - Toowoomba’ threatened to publish photographs of clients of the city’s first and only legal brothel, Deviations. Today, the Facebook page appears to have been removed after brothel owner Jim Welch threatened legal action against its creator, believed to be a 22-year-old Toowoomba landscape gardener. However, Australian law does not formally recognise any general “right to privacy”. In Queensland, a person can’t prevent a third party taking their photograph, even if it is taken while the person is engaged in private activity, but the person may be able to prevent or take action over certain uses of the photograph. [The Age]


US – Appeals Court Upholds Ruling Denying Damages in Data Exposure Case

The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his SSN, was exposed by a third party has no legal standing to seek damages because he did not suffer materially as a result of the breach. Joel Ruiz had submitted the data as part of a job application. Vangent, the company that processed that application, was holding the data on a laptop that was stolen. The appeals court upheld a lower court ruling that “Ruiz had failed to establish sufficient appreciable, nonspeculative, present harm to sustain a negligence cause of action under California law.” [The Register] [Leagle] See also: [Shaky Legal Case For Recent Facebook Privacy Suits]


US – FTC Holds Hearings on COPPA

At the FTC public roundtable this week, panelists offered differing views about which aspects of the Children’s Online Privacy Protection Act (COPPA) are sufficient and which should be modified to better protect children. The FTC is considering updates to its COPPA rule to address new geolocational technologies and behavioral targeting, among other advancements. Panelists were divided on topics such as the efficacy of the law’s “e-mail plus” standard as well as its “actual knowledge” standard, which some say isn’t enough to verify a child’s age. [Source]


US – Report: Education Needed to Protect Kids Online

As Congress and the Federal Trade Commission reexamine the Children’s Online Privacy Protection Act, a government-appointed review group says parents and educators need to place a greater emphasis on safe Internet practices for children. The Online Safety and Technology Working Group, appointed by the National Telecommunication and Information Administration, delivered recommendations to Congress last week. The group recommends that educators coordinate with law enforcement to create a consistent message about online safety and calls for the establishment of a Web-based clearinghouse that would compile frequently updated research. [Washington Post]


US – FTC Says No to COPPA Safe Harbor Proposal

The FTC has rejected a proposal by an Internet safety education group to operate a self-regulatory program that would allow firms that enroll to comply with the Children’s Online Privacy Protection Act (COPPA). In a letter to iSAFE’s chief operations officer, the FTC said it rejected the group’s application because it failed to meet the FTC’s requirements for a safe harbor program and that iSAFE’s safe harbor guidelines “would result in lesser protections for children than provided by COPPA itself.” According to the commission’s requirements, a safe harbor program must provide “substantially similar” requirements to those included in the COPPA rule, among other provisions. [Tech Daily Dose]


Privacy Enhancing Technologies (PETs)


WW – Microsoft Researchers Propose Privacy Sensor ‘Widget’

Microsoft researchers have developed a sensor widget concept that issues alerts and lets users control what others see from their webcams, microphones, and other live data streams. Microsoft’s Jon Howell and Stuart Schechter say their research grew out of concerns that applications are able to access multimedia peripherals even after the user’s activities are finished. The researchers envision a sensor tool that provides an animated representation of how an application is gathering the user’s data. “The moment the application attempts to access these sensors, three sensor-access widgets will appear within the application, informing the user of the data that is about to be revealed,” Schechter says. The researchers recommend a configuration that lets applications access only webcams, microphones, and global positioning systems after users have had time to notice the application is about to gather data from them. “We believe this is an important issue given the emerging class of application platforms that can enforce restrictions on the resources that can be accessed by applications,” Schechter says. [Dark Reading]




US – Cyber Chief Warns of Network Sabotage; Defines Need for Continuous Monitoring

In his first public remarks since his confirmation last month, the head of the Pentagon’s Cyber Command, General Keith Alexander, said that there are signs that US military networks are being targeted for remote sabotage, and that “the potential for sabotage and destruction is now possible and something we must treat seriously.” Speaking on June 1 at the Center for Strategic and International Studies (CSIS) in Washington, DC, Alexander spoke of the need to establish clear rules of engagement for cyber space and the need for improved real-time monitoring and threat-data sharing. General Alexander is also the director of the National Security Agency (NSA). [Washington Post] [Business Week] [Executive Gov] [Google] See also: [Cyber Attacks a Top Risk for US Power Grid] and [Necessary Cyber Security Measures Taking Back Seat to Short-Term Economic Gains] and also: [Does Averting Cyberwar Mean Giving Up Web Privacy?] and [Barr Opinion: Outlawing Anonymity? ]


WW – Open Source Could Mean an Open Door for Hackers

Flaws in open source software are exploited more quickly and more often than flaws in closed software systems, according to a paper by Boston College (BC) researchers that analyzed two years of attack data. “If you think about this whole thing as a game between the good guys and the bad guys, by reducing the effort for the bad guys, there is much greater incentive for them to exploit targets earlier and hit more firms,” says BC professor Sam Ransbotham. The researchers used alert data taken from intrusion-detection systems managed on behalf of 960 companies by SecureWorks. Ransbotham also found a correlation between the existence of signatures, which are used by various security products to match a known pattern with a flaw, and earlier attacks, suggesting that the updates used to improve defenses actually help the attackers. “That tells me that there is something about having that signature that is helping people ... giving them a clue about how to exploit the vulnerability,” he says. [Technology Review] See also: [Click-jacking Attacks Spreading Through Facebook]


US – AT&T Bug Discloses iPad Owners’ E-Mail Addresses

A glitch in AT&T’s Web site has exposed the e-mail addresses of more than 100,000 iPad buyers. The data was downloaded by a hacking group known as Goatse Security, which obtained the information after stumbling upon a program on AT&T’s Web site that would send back the iPad user’s e-mail address when given a unique SIM card identification number known as an ICC-ID (Integrated Circuit Card Identifier). By guessing ICC-ID numbers, the hackers were able to download 114,000 e-mail addresses, according to the Web site Gawker, which first reported the news. [Source] [Internet Storm Center] [FBI Investigating iPad Data Exposure] [Hacker defends going public with AT&T’s iPad data breach]
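The failure pattern described above, as an added illustration rather than AT&T’s own code: an unauthenticated lookup keyed on a guessable ICC-ID, beside a version that returns a record only to the authenticated session bound to that SIM, plus a log check that flags a source querying many distinct ICC-IDs. The subscriber table, the log-line format and the session binding are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample subscriber table (placeholder ICC-IDs and addresses).
SUBSCRIBERS = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510738": "bob@example.com",
}

def valid_iccid(iccid):
    """ICC-IDs are 19-20 digits, start with the telecom prefix 89 and carry
    a Luhn check digit (ITU-T E.118); this rejects junk before any lookup."""
    if not re.fullmatch(r"89\d{17,18}", iccid):
        return False
    total = 0
    for i, ch in enumerate(reversed(iccid)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def lookup_email_vulnerable(iccid):
    """The reported pattern: any caller who supplies an ICC-ID gets the e-mail."""
    return SUBSCRIBERS.get(iccid)

def lookup_email_hardened(iccid, session_iccid):
    """Hardened form: the record is returned only to the authenticated session
    bound to that SIM (session_iccid is an assumed output of the carrier's login)."""
    if session_iccid is None or iccid != session_iccid or not valid_iccid(iccid):
        return None
    return SUBSCRIBERS.get(iccid)

def flag_enumeration(log_lines, threshold=5):
    """Detection: sources that query more than `threshold` distinct ICC-IDs.
    Expects lines shaped '<src-ip> <method> <path>' (constructed format)."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        m = re.search(r"ICCID=(\d+)", parts[2]) if len(parts) >= 3 else None
        if m:
            seen[parts[0]].add(m.group(1))
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)

# Constructed log sample: one source walks sequential IDs, another looks up its own twice.
SAMPLE_LOG = ["198.51.100.9 GET /lookup?ICCID=890141032111185107%02d" % n for n in range(10, 18)]
SAMPLE_LOG += ["203.0.113.5 GET /lookup?ICCID=89014103211118510720"] * 2

if __name__ == "__main__":
    print(lookup_email_vulnerable("89014103211118510720"))  # alice@example.com
    print(lookup_email_hardened("89014103211118510720", None))  # None
    print(flag_enumeration(SAMPLE_LOG))  # ['198.51.100.9']
```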


US – Physical and IT Security Integration Tied to Better Risk Management

A survey of more than 250 attendees at the GovSec Conference in Washington, DC in March found that cyber attacks are viewed as the top threat to US national security, followed by terrorist activity, insider threats and information security breaches. 65% of respondents said their organizations are “focused on integrating IT security and physical security.” Those who said their organizations were focused on integrating physical and IT security also had the highest opinions of their organizations’ security monitoring and risk response. [Source] [Source] See also: [Companies Including Cyber Risks in SEC Filings]


UK – Google Accused of Deliberate Snooping by Privacy Watchdog

Non-profit organisation Privacy International has repeated accusations that Google intentionally collected user Wi-Fi data for its own use. Privacy International’s claims are based on a report compiled by Stroz Friedberg, a third party hired by Google to conduct an audit of the data collected by the company. The organisation is using the report as the basis for a case against the company, which is currently under criminal investigation by prosecutors in Germany, France, Australia and the Czech Republic. In a statement Privacy International said: “The independent audit of the Google system shows that the system used for the Wi-Fi collection intentionally separated out unencrypted content (payload data) of communications and systematically wrote this data to hard drives.” It also added that the downloading of unsecured Wi-Fi payload data was not a ‘mistake’ as Google claims it to be but was a ‘criminal act’ mounted to breach the communication data. [ITProPortal] See also: [Watchdog alleges Street View employees improperly collected personal data] and [Aspen law firm, two attorneys take on Google]


CA – Canada Launches Investigation into Google Wi-Fi Data Gathering

Canada has joined Germany, Italy and France in launching investigations into Google’s inadvertent collection of data from unsecured wireless networks. Google collected the data by accident while gathering images for its Street View service. In April, Google said it was collecting only wireless network names and media access control (MAC) addresses, but an audit requested by German authorities proved it was collecting payload data as well. Google acknowledged the issue in May. The US FTC has also begun an informal investigation. Several countries have asked that Google be barred from destroying any of the data it has collected while they investigate the potential for criminal prosecution. Google has provided all the collected data to a third party company, ISEC Partners, for safekeeping. Google is facing several lawsuits as well. [ComputerWorld] [MSNBC] [Last Watchdog] See also: [FTC Asks Google Not to Destroy Collected Wi-Fi Data]


US – FTC Reaches Settlement with Spyware Purveyor

The FTC and CyberSpy Software have reached a settlement regarding the company’s RemoteSpy product. In 2008, the FTC sued CyberSpy for selling RemoteSpy as a completely undetectable keystroke logger. The settlement allows CyberSpy to keep selling the product, but the company must not provide instructions for installing the software surreptitiously on others’ computers. The software must notify users when it is going to install and obtain their consent. The company must also inform users that abuse of the software may constitute a violation of state or federal law. The company was also ordered to remove legacy versions of the software from machines on which it has already been installed. The software is now being touted as a tool to keep track of what happens on one’s own computer. [ComputerWorld] [Pogo was Right] [FTC] See also: [Voyeurism, surveillance and the camera | Images from the Exhibition]


Telecom / TV


US – Legislators to Re-Examine Communications Act and Role of FCC in Broadband

US legislators plan to hold meetings in June to look at how the Telecommunications Act needs to be updated to clarify the FCC’s enforcement scope and authority over broadband Internet service. The decision was prompted at least in part by a federal appeals court ruling earlier this spring that found the FCC had overreached its authority when it used the Telecommunications Act to impose sanctions on Comcast for throttling Internet traffic. The FCC then said it would reclassify broadband Internet service from an information service to a telecommunications service, which would give the FCC more authority to ensure net neutrality and introduce its national broadband plan. The decision to revisit the law, last revised in 1996, has met with approval from telecommunications companies and consumer groups alike. The FCC has received letters from legislators on both sides of the aisle expressing “strong reservations about the course the commission is presently taking with respect to the regulation of broadband access services.” [NY Times] [CNET] [Washington Post] [Washington Post]


WW – Smartphones are Smarter Than You Are

If you’ve ever wondered if your wireless provider was keeping tabs on what you were doing with your smartphone, you’re probably not alone. Everything from the apps you’re using to the ringtones you’ve downloaded creates a digital footprint, and Neuralitic Systems Inc. has developed a new market research system that allows mobile carriers to track their users – and market their products accordingly – like never before. Founded in 2007, the small Montreal-based company has spent the past three years developing and refining its SevenFlow platform, which involves installing a computer that captures and filters through all of the data that flows between the operator’s Internet servers and smartphones on the network. Through a series of algorithms, the platform compiles the data into aggregate statistics that will tell carriers which phones are the most popular for accessing the Internet, the top apps downloaded, the most popular websites, or even the time of day with the most traffic. “It enables the operator to, from one system, retrieve all of the information already in the network,” Louis Brun, Mr. Larocque’s partner, said in an interview. The idea is to help operators figure out better ways to sell their products. For their part, Neuralitic’s owners defend their business, arguing that it is up to the carrier to ensure all data collected from subscribers is done legitimately, and that the carrier operates the platform. However, Neuralitic will consult on how to best use the results. Also the data, while stored for between three and six months on company servers, is only in aggregate form and cannot be traced. “I’ve found saying ‘aggregate’ is the first line of defence with these companies, but it’s not hard to go back a step,” Mr. Compeau said. He warned that consumers really should not be surprised if their carriers are looking over their shoulders. “We give up a lot of privacy for convenience,” he said. “People need to get their heads around the fact we just don’t have much privacy.” [Source] See also: [Mobile Data: A Gold Mine for Telcos]


US Government Programs


US – Judge Disallows Evidence Gathered From Laptop Six Months After Seizure

A US federal judge has ruled that evidence gathered in June 2009 from a laptop computer seized at a US border crossing in late January 2009 may be suppressed. Andrew Hanson was randomly selected for secondary baggage search in January 2009. Hanson is a US citizen who was returning from South Korea to the US through San Francisco. An image of child pornography justified seizure of his laptop; a subsequent scan of the hard drive several weeks later turned up more evidence. However, the laptop’s contents were not viewed again until June 2009. The judge allowed evidence discovered on the laptop in early February 2009 because the search was conducted within a reasonable time frame. The judge determined that evidence obtained during the June search, which was conducted without a warrant, was inadmissible; a search so long after the fact requires a warrant. [The Register] [PCMag]


US – Judge Limits DHS Warrantless Laptop Searches

A federal judge has thrown out key evidence in a child pornography trial because the laptop alleged to contain more than 1,000 illegal images wasn’t searched until about five months after US customs officials seized it at a US border crossing. The ruling by US District Judge Jeffrey S. White of the Northern District of California is a rebuke to the federal government’s controversial search and seizure practices at US borders. Two years ago, a federal appeals court ruled customs officers had the right to rummage through electronic devices even when there was no reason to suspect the hardware held illegal contents. Last week’s ruling suggests the government’s latitude isn’t without limit. [The Register]


US Legislation


US – New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010

Last week, US Senators Joseph Lieberman (I-Connecticut), Susan Collins (R-Maine) and Thomas Carper (D-Delaware) introduced the Protecting Cyberspace as a National Asset Act of 2010 (S.3480), “comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks.” If it passes, the legislation would establish an Office of Cyber Policy in the White House and a National Center for Cyber Security and Communications at the Department of Homeland Security (DHS). It would also update the Federal Information Security Management Act (FISMA) so federal agencies can move away from generating compliance reports and toward real-time monitoring that leads to rapid vulnerability reduction and risk reduction. The newly proposed US legislation would give the President emergency powers to take certain actions to protect private networks that support critical infrastructure if they face imminent attack or are actively under attack. The legislation would not allow the President to take control of the private networks, but would grant authority to order that a patch be applied or that the network(s) block incoming data from certain countries. Organizations that comply with the order would be immune from liability that arises from the actions they were required to take. The legislation has raised concerns among members of a trade group “about the unintended consequences that would result from the [bill’s] regulatory approach.” Of particular concern are the regulatory powers allotted to the Department of Homeland Security. [CNN] [FCW] [HSGAC] James Lewis, senior fellow at the Center for Strategic and International Studies, provides an analysis of the bill’s strengths and weaknesses.


US – CA Senate Passes Bill to Protect Drivers’ Data

The California Senate passed a bill on Tuesday that aims to restrict the retention, sharing and sale of information collected through automatic vehicle identification systems. According to Sen. Joe Simitian (D-Palo Alto), the bill’s author, under current law, the state transportation department and Bay Area Toll Authority, among others, can keep and sell data they’ve collected on travelers. If passed by the assembly, the bill will require the destruction of any data that could be linked to a vehicle or driver within 60 days and prohibit entities from selling or sharing the data. [The San Francisco Chronicle]


US – CDT Recommends Rewrite for Boucher Bill

The Center for Democracy and Technology (CDT) has submitted written comments on the Boucher-Stearns draft privacy bill, recommending it be revised to include fair information practices. The CDT wrote in its comments that while it “generally agrees with the draft’s basic framework for notice and choice, including its opt-in and opt-out structure, we are concerned that the strong reliance on consent places the entire burden for privacy protection on consumers.” The Interactive Advertising Bureau (IAB), meanwhile, says the bill could put a damper on online advertising, while a group of consumer advocates says it doesn’t go far enough to protect consumers’ privacy. [MediaPost]


Workplace Privacy


CA – Air France Tapes Must Stay Secret, Canada Board Says

Recordings made aboard an Air France Airbus that overshot a runway in Toronto five years ago and crashed must remain secret to protect pilots’ privacy and ensure cooperation in investigations, a lawyer for Canada’s Transportation Safety Board told Ontario’s highest court. “That is their workplace,” Peter Pliszka told a three-judge panel of the Court of Appeal for Ontario at a hearing in Toronto today, referring to the cockpit. “It’s akin to a lawyer’s office.” The appeals panel reserved its decision. The board, supported by two pilots’ unions, is appealing a judge’s order to release to NAV Canada, which is responsible for Canada’s air-traffic control, cockpit voice recordings and transcripts of pilots’ conversation before the Aug. 2, 2005, crash. Under Canada’s Transportation Safety Board Act, cockpit voice recordings are privileged, to be used by the board for its investigation, and not to be released for use in litigation. An exception can be made if a judge determines “the public interest in the proper administration of justice outweighs in importance the privilege.” The protection provided to pilots by the law encourages their cooperation during investigations. The case is Societe Air France v. NAV Canada. C51542. Court of Appeal for Ontario (Toronto).