Privacy News Highlights

12–30 June 2010



CA – Water Park Pioneers Use Payment by Fingerprint

CA – Tories Scrap Mandatory Long-Form Census

CA – Opposition Rails Against Bill Giving U.S. Say Over Canadian Air Travellers

CA – Govt Introduces Bill to Amend the Federal Private Sector Privacy Legislation

CA – Cabinet Secrecy Opens Door to Legal Challenge

CA – OPC Gathers Input on Privacy and Cloud Computing

CA – Privacy Commissioner of Canada Establishes Toronto Office

US – Study: Tech Firms More Trusted than Social Networks

US – Survey Rates Consumers’ Willingness to Share Data

US – Grocery-Card Data Used to Warn Buyers of Recalls

US – Privacy Protection Firm Raises $15M

US – Survey: Teens Engage in Risky Behaviors Online

CA – Tax Workers Use Govt Computers to Snoop on Ex-Spouses, Family Members

WW – Google Changes Encrypted Search Engine’s Address

WW – World Cup Data Networks Protected by Quantum Encryption

EU – Commissioner to Launch Consultation on Data Laws

EU – Reding: Data Laws Should Put Individuals First

EU – Working Party Clarifies Online Ad Rules

UK – Browser Settings Don’t Imply “Cookie Consent”

EU – EDPS Lists Concerns about New SWIFT Draft

EU – Commission Gives UK Two Months to Ramp Up ICO Powers

UK – ICO Does Not Plan to Make Breach Reporting Mandatory

EU – EU and U.S. Agree to Share Financial Data in Terror Investigations

NZ – Sweeping Changes to Credit Reporting

CA – Supreme Court Upholds Restrictions on Government Documents

AU – Opening of the Office of the Australian Information Commissioner

IS – Icelandic Parliament Backs ‘Free Speech Haven’ Plan

CA – Police Need More Power to Gather DNA, Senators Say

US – Proposed NY Law Would Expand DNA Collection

US – New Suits Could Chill Writers’ Use of Own Experiences

AU – Health ID Legislation Passes

UK – GPs Agree to Waive Privacy of Mentally Ill Gun Owners

US – Cyber Thieves Stole Hotel Customers’ Credit Card Data

US – Community Hospital of San Bernardino Fined For Data Breach

US – 200,000-Plus Customers Receive Breach Notice

US – University Alerts Nearly 20,000 of Data Breach

US – Patient Sues Hospital Over Breach

US – White House Releases Draft Plan for National Online ID

AU – Web Snooping Policy Shrouded in Secrecy

EU – French Data Protection Authority Finds Passwords and eMail Text in Google’s Data

WW – International Police Call for Stronger Domain Name Registration Rules

WW – Cloud Computing Study Portends Ubiquity, Big Breaches

CA – Ontario Sets Best Practices for Smart Grids

SW – Convicts Choose Prison Over Electronic Tag

IN – New Indian Law to Protect Individual Privacy

AU – Senate Probe Into Online Privacy, Gov’t Plans

WW – Open Letter to Facebook: More Privacy Improvements Needed

US – Twitter Settles FTC Privacy Charges

US – Referendum Backers Don’t Get Privacy, Top Court Says

WW – A Site for the Videos You Don’t Want Everyone to See

NZ – Shroff to Law Commission: Federal CPO Needed

WW – System Will Alert Companies When Stolen Customer Data are Found on Internet

MY – Commission Clarifies Data Protection Rules

US – ACLU Fights North Carolina Quest for Amazon Customer Data

US – Privacy Certifier Levels the Playing Field

US – Conn. AG Will Lead Multi-State Investigation Into Google Data Collection

UK – Fading Data Could Improve Privacy

WW – Privacy Add-Ons Merged to Create Powerful Tool

UK – PI Launches New Technology Site

US – Study: Board Members Increasingly Distanced from Cyber Security Governance

US – InfoSec Budgets Stable or Rising at Many Financial Institutions

US – Physical and IT Security Integration Tied to Better Risk Management

CA – More than 50 Schools Use Surveillance Cameras in Metro Vancouver

US – Supreme Court Ok’s Policy to Ease Searches of Students

UK – Flyers Beware! Every Move Under Watch

AU – Preliminary Review: Google WiFi Collection Not So Bad

US – FCC Seeks Comments on Broadband Regulatory Proposals

CA – Woman Who Blames Rogers for Exposing Affair Says She’s Not Alone

WW – Despite iTunes Policy Updates, Legislators Concerned

WW – Jobs: iPhone Ad SDK Changes for User Privacy, Not Anti-Competitive

US – AT&T Contacts Apple iPad Victims of AT&T Security Breach

US – Marketers Debut Self-Regulating Icon

US – New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010

US – Missouri Passes Privacy Bill

US – Supreme Court Rules Police Dept. Within Rights to Read Employees’ Texts

CA – Calgary Board of Education Appeals Privacy Ruling

CA – Edmonton Business Breached Employee’s Privacy Rights

US – Whitepaper: Five Risks CIOs Must Consider





CA – Water Park Pioneers Use Payment by Fingerprint

The hundred or so bathers braving the cold temperatures and rainy weather last week for the grand opening of the Calypso water park in Limoges, Ont., about 160 kilometres from Montreal, were also pioneers of a brand-new technology. The water park is the first in North America to allow bathers to pay for food and merchandise with their fingerprints while their wallets stay stored in a locker or even at home. Calypso, which calls itself the largest themed water park in Canada, installed fingerprint scanners at all 55 point-of-sale terminals in the water park’s restaurants, bars and boutiques. When they first arrive, guests can register a credit card or debit card or deposit cash, and their money is then linked to their fingerprints, which are scanned and turned into a binary code stored on Calypso’s central computer system. When they leave, the information is either deleted or it can stay in the park’s systems for a future visit. [Source] See also: [European commission is fence-sitting on body scanners: Ludford]




CA – Tories Scrap Mandatory Long-Form Census

The federal government is scrapping the mandatory long census form in favour of a voluntary survey – a move some critics blame on a Conservative campaign to slash analytical work done by Statistics Canada. For the first time in 35 years, the census will not feature a detailed, long form that Canadians are obliged to send back to the government. Instead, a mandatory short form will go out to everyone for next year’s census, with basic questions about how many people live in the household and their ages and genders. The voluntary “national household survey,” with detailed questions about ethnicity, income and education, will be sent to one-third of homes. That’s an increase from the 20% of homes that used to get the mandatory long-form. The move is a response to protests from some Canadians who resented the personal questions in the long form. Similar opposition has been raised in the United States by some Republicans opposed to Washington collecting and analyzing data. [Source]


CA – Opposition Rails Against Bill Giving U.S. Say Over Canadian Air Travellers

The Harper government has quietly presented a bill in the House of Commons that would give U.S. officials final say over who may board aircraft in Canada if they are to fly over the U.S. en route to a third country. “Canadian sovereignty has gone right out the window,” Liberal Transport critic Joe Volpe told the Montreal Gazette in a recent telephone interview. “You are going to be subject to American law.” Bill C-42 amends Canada’s Aeronautics Act to allow airlines to communicate passenger information to “a foreign state” for flights over that country without landing. At present, airlines are only required to give passenger information to the U.S. government on flights landing in the United States. Bill C-42 would comply with U.S. Homeland Security’s Secure Flight program, which requires airlines to submit personal information about passengers 72 hours before a flight’s departure. Secure Flight has already been introduced for U.S. airlines, and U.S. Homeland Security wants to implement it internationally, including on Canadian airlines, by the end of 2010. If Bill C-42 passes, then passengers leaving Canada on a flight to Cuba or France, for example, while flying over the U.S. would have their name, birthdate and gender subject to screening by U.S. Homeland Security, which involves running that information through various government databases to determine whether there is a terrorist threat. If you have the same name as someone on a no-fly list, you may be questioned, delayed or even barred from the flight. If your name does not match, Homeland Security tells the airline that you may have a boarding pass. Currently, Canadian airlines check names against no-fly lists provided by the U.S. and Canadian governments. But the airlines decide who gets a boarding pass. [Source]


CA – Govt Introduces Bill to Amend the Federal Private Sector Privacy Legislation

On May 25, 2010, the Government of Canada introduced significant amendments to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendments, introduced as Bill C-29, reflect recommended changes to PIPEDA made after a parliamentary review of the legislation in 2007. Amendments of particular significance for businesses include the mandatory reporting of data breaches, provisions permitting personal information to be used and disclosed for business transactions, an expanded carve-out for business contact information and new consent exceptions for employee information and work product information. Highlights of the proposed amendments and recommendations for businesses about how to respond to the changes are set out in the article link below. [Mondaq News] [Changes to Privacy Laws Vague]


CA – Cabinet Secrecy Opens Door to Legal Challenge

As crews dismantle the massive security fence from the G20 summit, questions are piling up about a secret cabinet decision giving police immense power to search and arrest anyone within five metres of the barrier. Legal experts say a regulation authorizing the searches could be vulnerable to attack not just for potentially violating Charter protections against unreasonable search and seizure. It could also be challenged on the grounds the public was not given adequate notice of the sweeping changes that required them to identify themselves to police officers or agree to be searched. Another potential avenue of legal challenge is to question whether Toronto’s streets and sidewalks could even be defined as “public works” under the legislation, and therefore places where people could be stopped and searched. [Source] [Just being near the G20 security zone can get you arrested] [How I was detained by G8 security] [Man charged in G20 probe sought to monitor police, associate says] and [Surveillance too heavy, G20 protesters say]


CA – OPC Gathers Input on Privacy and Cloud Computing

In preparation for the next review of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner of Canada (OPC) has been hosting a series of one-day panel discussions in cities across Canada. Following discussions in Montreal and Toronto on topics such as online tracking, profiling and targeting, the 2010 Consumer Privacy Consultations recently stopped in Calgary to discuss the privacy implications of cloud computing. The OPC is asking whether PIPEDA is the right framework and model or if new technologies are stretching Canadian law, said Denham. The OPC needs to think about what is happening to people’s privacy in the cloud and how they can gain control over their personal data, she said. [Source]


CA – Privacy Commissioner of Canada Establishes Toronto Office

It has long been a priority for the Office of the Privacy Commissioner of Canada to build stronger connections with Canadians, wherever they happen to live and work. One concern is that the Office may be perceived as either too Ottawa-centric or unaware of issues outside of the National Capital Region. One of the areas where a gap has been identified is in the Toronto region, where a significant number of Canadian businesses have established their headquarters. Over the past two years, almost half of respondent organizations for PIPEDA complaints have had addresses in the GTA. The Privacy Commissioner believes her Office could be doing more to conduct outreach and some PIPEDA investigation work on the ground in the Toronto area. In conjunction with the International Association of Privacy Professionals (IAPP) Canadian Symposium, the OPC officially announced it was opening a Toronto office. They also announced that the new Director, PIPEDA, would be Robin Gould-Soil, CIPP/C, who joins the OPC as part of the Government of Canada’s Executive Interchange Program from TD Bank Financial Group, where she was Chief Privacy Officer. [Source]




US – Study: Tech Firms More Trusted than Social Networks

According to a Zogby Interactive survey, Americans trust big tech firms such as Apple, Google and Microsoft more than social networking sites. Nearly half of the 2,100 respondents said they trust the big tech firms. Adults aged 18 to 29 showed somewhat higher levels of trust in social sites--seven percent higher than adults of all ages. John Zogby, president and CEO of Zogby International, said, “I think to a great degree, it’s all about privacy,” noting that the tech firms have a longer history and have built brand equity. However, both big tech and social networking scored higher among respondents than traditional media. [Source]


US – Survey Rates Consumers’ Willingness to Share Data

Privacy remains a burning issue for online marketers, but a recent study sponsored by Equifax indicates that consumers are more willing to share their information than expected, provided they trust the companies seeking their data. “Three-quarters of consumers are happy to share their personal information for marketing purposes with companies that they have a relationship with,” the report states, noting that consumers “believe the brands they know well will treat their personal data with respect.” However, the study found that the overwhelming majority of respondents would not share their details with companies they did not have a prior relationship with and that social networking sites made consumers “feel the most wary about providing information.” [Marketing Week]


US – Grocery-Card Data Used to Warn Buyers of Recalls

Grocery-store loyalty cards, it turns out, are good for more than a 40-cent discount on a package of Oreos. Retailers such as King Soopers and Safeway increasingly are using data from frequent-shopper cards to notify customers of product recalls. Card information even has been used by federal agencies to help investigate sources of food-borne illnesses. Contacting customers and mining data from their food purchases were key investigative tools that allowed the Centers for Disease Control and Prevention to crack the source of a recent salmonella outbreak. The CDC determined that many of the sickened people had shopped at Costco. Information from Costco membership cards allowed the CDC to identify common products that afflicted customers had purchased. After receiving permission from Costco customers to be interviewed by CDC investigators, the agency discovered that the salmonella came from black and red pepper in salami from Rhode Island-based manufacturer Daniele International. Privacy advocates who have been critical of grocery stores for collecting information on customers’ purchases say that using it for food- and product-safety notifications may be the only valid purpose for the cards. [Source]


US – Privacy Protection Firm Raises $15M

ReputationDefender, a California-based company aimed at helping its customers take control of their online information, announced it has secured $15 million in venture capital. The company plans to use the funds to expand its management team, develop new products and improve sales efforts. Users pay the company a monthly fee of $9.95 or more to “take charge of their online identity and privacy,” the report states, and in return, ReputationDefender pledges to remove online content--including clearing user information from marketing databases--as well as altering browser settings and optimizing search results. In the past year, the company has raised $24 million from investors. [The San Francisco Chronicle]


US – Survey: Teens Engage in Risky Behaviors Online

Survey results indicate teenagers often participate in risky behaviors online. Released this week, the Harris Interactive survey, commissioned by McAfee and titled “The Secret Online Lives of Teens,” polled 955 teens ages 13-17. Of those polled, 69% said they divulged their physical location while online and 28% said they chatted with strangers. Girls often were more willing to divulge information than boys, with 32% saying that they chat with strangers online compared with 24% of male respondents. “This is a wake-up call to the real dangers our teens face when they make themselves vulnerable online,” said McAfee’s chief cyber security mom. [USA Today] [Survey results]




CA – Tax Workers Use Govt Computers to Snoop on Ex-Spouses, Family Members

Dozens of workers at Canada’s tax agency have been caught snooping on their ex-spouses, mothers-in-law, creditors and others by reading confidential tax files. Internal reports at the Canada Revenue Agency show that rogue employees are improperly reviewing the private financial affairs of taxpayers without their knowledge. And some are using agency computers to give favoured treatment to colleagues, friends, family - and themselves. In one egregious breach last October, a woman accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians. She downloaded the files onto 17 compact discs for her personal use, inexplicably helped by agency technicians. Documents outlining the forbidden invasions into private tax data were obtained by The Canadian Press under the Access to Information Act. [Source]




WW – Google Changes Encrypted Search Engine’s Address

Google has changed the address of its encrypted search engine to make it easier for schools and universities to block the site without blocking access to other Google services. Many educational institutions ban the use of encrypted search engines because they allow students to bypass the schools’ content filters. Users wanting to access the encrypted search engine can find it at [Source]


WW – World Cup Data Networks Protected by Quantum Encryption

The data networks being used at the World Cup Soccer Tournament are being protected with quantum cryptography. This type of encryption is thought to be in use by government intelligence agencies and military organizations. Proponents claim the technology “ensure[s] not only the confidentiality but the integrity.” [Fox News] [Technology Review] [Physics World] [U of T paper on hacking Quantum Cryptography]


EU Developments


EU – Commissioner to Launch Consultation on Data Laws

European Commissioner for Justice and Fundamental Rights Viviane Reding plans to launch a public consultation on whether to introduce a European contract law on the use of personal data, Research Magazine reports. In a speech at the American Chamber of Commerce to the European Union, Reding outlined a three-point plan to ensure the safety of data protection and privacy amongst all EU countries, though she noted industry self-regulation should remain at the core of any new legislation. “I am very much aware that this sector needs clarity, not red tape,” Reding said. “I am considering this approach as a way to have codes of conduct” and “the incorporation of ‘privacy by design’ principles.” [Source]


EU – Reding: Data Laws Should Put Individuals First

Europe needs to put individuals at the heart of its data protection laws to ensure the safety of personal data, according to Viviane Reding, European Commissioner for Justice and Fundamental Rights. In a speech at an American Chamber of Commerce to the European Union event, Reding said, “We need to find new ways to empower Web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will.” Reding added the EU needs to have unified consumer rights, despite the interference of national contract laws. She plans to launch a public consultation on various long-term possibilities this summer. [The Wall Street Journal] [Speech]


EU – Working Party Clarifies Online Ad Rules

The Article 29 Working Party has released its opinion clarifying the way EU rules apply to online behavioral advertising. According to the European Data Protection Authorities’ opinion, when online behavioral advertising providers use cookies, they are bound by the new EU ePrivacy Directive, which “introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users’ computers.” The opinion calls for “simple and effective mechanisms for users to affirmatively give their consent for online behavioral advertising.” Future of Privacy Forum Director Jules Polonetsky, CIPP, told the Daily Dashboard that in some ways the opinion was not a surprise as the Article 29 Working Party has previously indicated that behavioral profiles “are personal information and, therefore, require a specific opt in.” However, he said, the opinion does “leave the window open...for companies to develop innovative ways” to inform users and obtain consent. Polonetsky added, “It is also interesting to note that they focused on behavioral ads across multiple Web sites, reserving judgment on first-party behavioral ads.” [Opinion 2/2010 on online behavioural advertising]


UK – Browser Settings Don’t Imply “Cookie Consent”

Web sites cannot comply with the new EU law governing Internet cookies by relying on users’ browser settings, according to the Article 29 Working Party’s interpretation of the revised Privacy and Electronic Communications Directive. While online companies have claimed that advertising behavior will not need to change, experts believe Web sites will have to receive visitors’ permission before using cookies. According to the Working Party’s interpretation, “Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.” Prior consent can, however, be given to advertising networks covering thousands of Web sites and need not be given to every individual site, the report states. [OUT-LAW.COM] [Art 29 WP Opinion]


EU – EDPS Lists Concerns about New SWIFT Draft

European Data Protection Supervisor Peter Hustinx has issued his opinion on the European Commission’s draft agreement to allow U.S. authorities access to European financial data for anti-terrorism investigations, and while he cites improvements over an interim agreement rejected by the European Parliament, Hustinx is raising concerns. Hustinx’s announcement said that while the fight against terrorism “may require restrictions to the right to the protection of personal data,” such provisions as the transfer of banking data in bulk to the U.S., data retention periods, enforceability of data protection rights and independent supervision need improvement “in order to meet the conditions of the EU legal framework for data protection.” [Eurasia Review]


EU – Commission Gives UK Two Months to Ramp Up ICO Powers

The European Commission has notified the UK government that it has two months to increase the powers of the Information Commissioner’s Office (ICO) before the commission will pursue legal action through the European Court of Justice. To comply with the Data Protection Directive, the commission says the ICO must have the power to conduct random checks on organizations and, where appropriate, take action. The commission has also stated the UK must change its law on people’s rights to have their information deleted by organizations, the report states, and the ICO must be given the ability to assess the data protection laws of other countries before transferring information.


UK – ICO Does Not Plan to Make Breach Reporting Mandatory

The UK’s Information Commissioner’s Office (ICO) will not require organizations to report data breaches despite the Irish Data Protection Commissioner’s plan to seek mandatory breach reporting in that country.

The UK’s ICO expects that organizations will report breaches to them as part of their best practices, but has no plans to make it mandatory. At a conference in April, Deputy UK Information Commissioner David Smith noted that companies in the Telecoms industry may have to report breaches concerning personal data of customers following the review of the European Privacy and Electronic Communications Directive which is due to come into effect sometime in 2011. [Source]




EU – EU and U.S. Agree to Share Financial Data in Terror Investigations

The European Union and the United States signed a long-awaited deal to share financial data in suspected terrorist cases, after the U.S. agreed to major concessions to allay European concerns over privacy. The five-year agreement is due to take effect within weeks. It allows U.S. officials to request financial data from European banks if they suspect accounts are being used by individuals with terrorist links. The U.S. can keep that information for five years. However, U.S. officials must provide European authorities with reasons for their suspicions, delete or rectify inaccurate data and grant legal redress in U.S. courts if financial information is abused. The agreement also sets out criteria for transferring data to third countries. The accord is designed to head off disagreements between the U.S. and EU over where personal privacy takes precedence over security investigations. The European Parliament last year rejected extending an interim deal because it said there were not enough safeguards for civil liberties. [Source] [SWIFT: Rapporteur announces last-minute agreement] [E.U. Tries to Balance Terror War and Privacy]


NZ – Sweeping Changes to Credit Reporting

The Privacy Commissioner is expected to announce sweeping proposals to change the way credit information is reported, including allowing credit agencies to collect and use a person’s driving licence number to match up information on them. The proposals, in an information paper on an amendment to the Credit Reporting Privacy Code 2004, would allow credit agencies to collect information on the type of credit account a person has, the limit on each account, who is providing the credit and the status of the account. Now credit agencies can only collect information on credit defaults, judgments and bankruptcies, data considered to give only a “negative” picture of someone’s credit history. [Source]




CA – Supreme Court Upholds Restrictions on Government Documents

The Supreme Court of Canada has refused to elevate public access to government information to a constitutional right. In a unanimous 7-0 decision, the court concluded that the freedom of expression protection in the Charter of Rights does not guarantee “access to all documents in government hands.” The ruling overturns a decision in the Ontario Court of Appeal. “Access to information in the hands of public institutions can increase transparency in government, contribute to an informed public, and enhance an open and democratic society,” wrote Chief Justice Beverley McLachlin and Justice Rosalie Abella. “Some information in the hands of those institutions is, however, entitled to protection in order to prevent the impairment of those very principles and promote good governance.” The ruling is a defeat for the Criminal Lawyers Association, which unsuccessfully argued that access-to-information laws, which permit the public to see documents that the state seeks to keep secret, are so restrictive that they violate freedom of expression. The massive legal challenge drew more than one dozen interveners and the court had been considering its decision for 18 months, making it the longest-running Supreme Court Appeal in many years. The hearing was held in December 2008. [Source]


AU – Opening of the Office of the Australian Information Commissioner

Cabinet Secretary, Senator the Hon. Joe Ludwig welcomed the Executive Council’s decision on the opening date of the Office of the Australian Information Commissioner. The Governor-General has proclaimed 1 November 2010 as the day the Australian Information Commissioner Act 2010 commences. “The OAIC will open its doors on 1 November 2010, with the Information Commissioner Designate, Professor John McMillan AO, starting as the first Australian Information Commissioner on the same day. The opening of this office represents a new era for Freedom of Information in Australia,” Senator Ludwig said. The OAIC will bring together the functions of information policy, privacy protection and freedom of information into the same agency for the first time, ensuring the development of a consistent workable information policy across all Australian Government agencies. [Source]


IS – Icelandic Parliament Backs ‘Free Speech Haven’ Plan

Iceland’s parliament has accepted a proposal which could see the country pass the world’s strongest freedom of expression and whistleblower protection laws. The Icelandic parliament voted late last week to demand that the Icelandic Government “[find] ways to strengthen freedoms of expression and information freedom in Iceland, [and provide] strong protections for sources and whistleblowers,” said the resolution. No member of the parliament opposed the resolution. The resolution is the work of the Icelandic Modern Media Initiative (IMMI), which has been advised by Wikileaks founder Julian Assange, who said that the proposal would create a “new media haven” in Iceland. [Source]




CA – Police Need More Power to Gather DNA, Senators Say

A committee of senators has recommended changes to the Criminal Code that would make it easier for police to obtain, test and share DNA samples obtained from convicts. The standing committee on legal and constitutional affairs has tabled a report stemming from a required review of the DNA Identification Act, which created Canada’s National DNA Data Bank. The report says the existing system works well and that no other forensic identification technique is as effective as DNA in providing evidence that leads to the conviction of criminals and the exoneration of the innocent. But Joan Fraser, the Liberal senator who chairs the committee, said in a release that it is important to strike a balance between protecting the public and safe-guarding personal privacy. The members of the committee recommended 22 changes to the system. Primarily, they said, the Criminal Code should be amended to allow for immediate and automatic collection of DNA samples from adults convicted of the most serious offences. That would remove the need for a court to issue a DNA-collection order. The senators also said the DNA-collection system should be different for young offenders and that a court order should be required to obtain samples for young people convicted of all but the most serious crimes. They said that accused people and their lawyers should be able to obtain information from the data bank to mount a defence, said the Senate report. And, senators said, the creation of a missing-persons’ index and an unidentified-human-remains index should be a priority. [Source] [Recommendations]


US – Proposed NY Law Would Expand DNA Collection

New York Gov. David Paterson has proposed expanding the state’s DNA database to include samples from “low-level offenders” convicted of misdemeanors. This would make New York the first state in the nation to collect DNA in such a broad fashion. New York’s database began in 1996 with DNA from convicted murderers and sexual predators, the report states, and has been expanded three times to now include samples from some 356,000 people convicted of felonies and certain misdemeanors. While some are praising the plan as a way to solve crime and exonerate those who have been wrongly convicted, the New York Civil Liberties Union is cautioning that the proposed expansion raises questions about privacy rights and requires independent study. [Source] see also: [FDA wants safety, accuracy data on consumer genetic tests]


US – New Suits Could Chill Writers’ Use of Own Experiences

The case of a woman who claims she is the real-life model for the character of a prostitute in a movie is one of three lawsuits filed last month which would punish writers for making creative use of their experiences. The film “Finding Amanda” stars Matthew Broderick as a screenwriter with a gambling problem who tries to redeem himself by rescuing his young niece, the “Amanda” of the title, from a life of prostitution and drug use in Las Vegas. Writer-director Peter Tolan has said the film is loosely based on a trip to Vegas to help his own niece. “This is painfully about me … The inspiration for it actually happened in real life,” he told an interviewer. But now Tolan’s real-life niece, Alix Daily, is alleging he caused her emotional distress and invaded her privacy by basing the character of Amanda on her without her permission, using “confidential and private information” he and his wife had obtained when they helped “deal[ ] with a family crisis concerning [her].” Libel-in-fiction cases have recently gained some traction in the courts — a Georgia jury last year awarded $100,000 to a woman who claimed she was falsely portrayed as an “alcoholic slut” in the novel “The Red Hat Club.” And writer Augusten Burroughs settled with a family who sued him in 2005 for misrepresenting them in his memoir “Running With Scissors.” [Source]


Health / Medical


AU – Health ID Legislation Passes

Australia Health Minister Nicola Roxon has announced the passage of legislation authorizing Medicare Australia to start issuing patients with individual 16-digit identifier numbers beginning July 1. The identifiers will contain “just enough information to identify a person, although each patient can determine whether or not they use it to create a personal e-health record.” The legislation had been amended due to concerns raised about privacy implications. “Healthcare identifiers are a key building block of the government’s plans to invest $466.7 million over the next two years to revolutionize healthcare delivery through the introduction of personally controlled electronic health records,” Roxon said in a statement released Thursday evening. The Australian Privacy Foundation is among those who have raised concerns over the introduction of the identifiers, the report states. [ZDNet]


UK – GPs Agree to Waive Privacy of Mentally Ill Gun Owners

Doctors have agreed to breach their duty of medical confidentiality to patients who own guns if they fear they have become so seriously mentally ill they may use their weapons on themselves or the public, the Guardian has learned. GPs say they will tell the police if a gun owner’s deteriorating health makes him or her a serious danger to the public, without the patient giving consent to their medical privacy being breached. In order for doctors to know which patients have guns, the medical records of patients holding or applying for firearms licences would be “flagged”. The agreement comes after months of talks between the Association of Chief Police Officers and the British Medical Association. [Source]


Horror Stories


US – Cyber Thieves Stole Hotel Customers’ Credit Card Data

Cyber thieves stole credit card information of as many as 700 people who stayed at hotels operated by Destination Hotels & Resorts over the last several months and used it to run up hundreds of thousands of dollars in fraudulent charges. The vulnerability the attackers exploited has been fixed. Authorities believe some of the card numbers were sold online in batches. Destination Hotels & Resorts operates more than 30 facilities in Washington DC, Denver, San Diego, L.A. and other major cities. [ABC News] [Statesman]


US – Community Hospital of San Bernardino Fined For Data Breach

For violations of patient confidentiality, the state Department of Public Health fined Community Hospital of San Bernardino $325,000. The hospital was assessed a $250,000 fine for unauthorized access of 204 patients’ medical information by one employee. A fine of $75,000 was added after the facility failed to prevent the unauthorized access of three patients’ medical information in a separate case. The hospital was one of five fined by the Department of Public Health. [Source]


US – 200,000-Plus Customers Receive Breach Notice

Approximately 230,000 Anthem Blue Cross customers received notification this week that personal information--including Social Security and credit card numbers--may have been accessed. The breach involved customers with pending insurance applications that could be viewed through a Web site tool that allows users to track their status online, the report states. An Anthem spokeswoman said the confidential information was accessed primarily by attorneys seeking information for a class action lawsuit against the insurer. While she said it is not known how many customers’ information was viewed, letters were sent to 230,000 Californians out of an “abundance of caution.” The company said it has made security changes to prevent such a breach from happening again. [OC Register]


US – University Alerts Nearly 20,000 of Data Breach

A Florida university is notifying 19,407 students and 88 faculty members that their personal data may have been exposed. The possible breach occurred via a database’s external search function at Florida International University in May. It was discovered during an internal review of a previous and unrelated hacking incident at the university. The potentially exposed data includes grade point averages and Social Security numbers for both students and faculty, though the university says it does not appear that the data has been used. A university letter to those affected said that the school “took immediate steps to remove the database from any external search capability” and to prevent another breach. [Infosecurity]


US – Patient Sues Hospital Over Breach

WAVE reports on a patient suing a psychiatric hospital after a flash drive containing 24,600 patient files went missing in April. The Our Lady of Peace Hospital files included patient names, names of insurers and hospital stay details. The lawsuit accuses the hospital of negligence, invasion of privacy and emotional distress. A hospital spokeswoman said the hospital took the appropriate actions after the breach, including notifying affected patients and the Office for Civil Rights. “Patient confidentiality is sacred to us and our patients. We have taken this breach seriously,” she said. [Source]


Identity Issues


US – White House Releases Draft Plan for National Online ID

The White House has released a draft plan for protecting personal information while conducting online transactions. Rather than presenting a detailed plan, the proposed National Strategy for Trusted Identities in Cyberspace is painted in broad brush strokes. The proposal involves having consumers use secure identifiers, such as smart identity cards or digital certificates, to authenticate their identities before online transactions are conducted. The plan would be voluntary and would allow consumers to choose their identifiers from a range of public and private services. The White House is seeking comments on the proposal. [MSNBC] [InformationWeek] [ComputerWorld] [NextGov] [GovInfoSecurity]


Intellectual Property


AU – Web Snooping Policy Shrouded in Secrecy

The Australian federal government is hiding controversial plans to force ISPs to store internet activity of all Australian internet users - regardless of whether they have been suspected of wrongdoing - for law-enforcement agencies to access. Political opponents and other critics of the scheme have described the draft policy as “alarming” and accused the government of going “on a fishing expedition for as much data on the public as they can get”. One ISP executive has described the plan as “a nanny state gone totally insane”. The Attorney-General’s Department has been holding consultations with industry about implementing a “data retention regime”, similar to that adopted by the European Union after terrorist attacks several years ago. Reports last week suggested data that ISPs would be required to store included contents of communications such as web browsing history. Yesterday, a spokesman for Attorney-General Robert McClelland denied web browsing histories would be stored, saying the government was only seeking to identify “parties to a communication”, such as senders and receivers of emails and VoIP calls. However, it is difficult for the public to get a clear picture of the policy because the government has sworn all parties to secrecy. Peter Coroneos, chief executive of the Internet Industry Association, criticised the government for not being transparent and open with the public about its intentions. “[Users] have legitimate privacy expectations and assume that their online communications and browsing activities are private unless they’ve been clearly informed otherwise,” he said. “Secondly, there’s a question of whether the harm being addressed is outweighed by the economic or social burden of the measures proposed. Are we cracking a nut with a sledgehammer here?” Coroneos also raised concerns about security of the information that will be stored by ISPs and the expected high costs of implementing any scheme, which would inevitably be passed on to end users. [Source]


Internet / WWW


EU – French Data Protection Authority Finds Passwords and eMail Text in Google’s Data

The French data protection authority, the French National Commission on Computing and Liberty (CNIL), reports that Google collected passwords and email messages while gathering images for its Street View feature. CNIL’s preliminary study included examination of some of the data collected in France. The study is being conducted to decide whether to prosecute Google for breach of privacy. Google was gathering information about Wi-Fi hotspots to improve location-based services. [The Register] [BBC] [ComputerWorld]


WW – International Police Call for Stronger Domain Name Registration Rules

Law enforcement officials from four agencies around the world said at a public meeting for ICANN (the Internet Corporation for Assigned Names and Numbers) that domain name registrars need to impose more stringent rules on registering domain names to help combat cyber crime. Cyber criminals have long been registering domains with phony information to avoid being tracked down. The groups suggested that if ICANN does not do something about the problem, they might turn to legislators. The group of law enforcement representatives provided a list of a dozen proposals, including requiring registrars to collect the IP addresses and HTTP headers of users when they register the domains. The proposals acknowledge the need for privacy and proxy registration, but would require registrars to provide that information to law enforcement if they are investigating criminal activity. [The Register]


WW – Cloud Computing Study Portends Ubiquity, Big Breaches

A Pew Internet survey has revealed most experts agree that cloud computing will be ubiquitous by the year 2020. But some also caution that a massive data breach will cause a rethink on that move. “Expect a major news event involving a cloud catastrophe (security breach or lost data) to drive a reversion of these critical resources back to dedicated computing,” said the Mozilla Foundation’s Nathaniel James in the Pew report, which reflects widespread unease about the cloud. “Trust not the cloud for reliability, security, privacy,” said University of Toronto Professor Barry Wellman. [Ars Technica] [PEW Internet]


CA – Ontario Sets Best Practices for Smart Grids

Ontario Information and Privacy Commissioner Ann Cavoukian has partnered with two of Canada’s largest utility companies, Toronto Hydro Corp. and Hydro One Inc., to set the “gold standard” for protecting privacy in smart grids. Published today, Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid, outlines a set of best practices, includes case scenarios and creates a roadmap to show utility companies exactly how to protect privacy on the smart grid, said Cavoukian. [Source] [IPC paper]


Law Enforcement


SW – Convicts Choose Prison Over Electronic Tag

Every fourth convicted criminal offered the choice of prison or wearing an electronic tagging device in 2009 opted to go to jail, with the tag associated with stringent regulations and social isolation. A total of 5309 convicted criminals were offered sentenced tagging in 2009. Of the 3940 who elected for tagging several hundred later chose instead to go to prison after digesting the regulations associated with the penalty. Swedish convicted criminals can be offered the alternative of an electronic tag, also known as “intensive surveillance with electronic control”, if they have been sentenced to less than six months, or if they have already served a longer penalty. In order to be granted the alternative the prisoner must have an ordered residence, telephone and at least a half-time employment or schooling. [Source]




IN – New Indian Law to Protect Individual Privacy

Amid growing concerns over the potential misuse of personal data, the government is moving to enact India’s first law to safeguard privacy, a move aimed at least partly at deflecting worries over the immense amount of data it proposes to collect about its citizens. The United Progressive Alliance government has set up a panel of senior officials of the rank of secretary to prepare a blueprint laying down the ground rules for privacy and data protection and fixing the criminal liability of offenders. Once in place, the law will effectively recognize the right to privacy of an individual as a fundamental right. It will contain specific rules that will address any breach of a citizen’s right to privacy and include safeguards against potential violations of the law even by the government. [Source]


AU – Senate Probe Into Online Privacy, Gov’t Plans

The Senate Standing Committee on Environment, Communications and the Arts yesterday began an inquiry into online privacy following increasing concern about how companies are handling personal data online. “It is time the parliament took a proper look at the degree to which the privacy of Australians online is being eroded by governments and corporations alike,” said Green Sen. Scott Ludlam, who proposed the inquiry to parliament. The inquiry will also look into government plans to adopt European style data protection laws, including, says Ludlam, “plans to compel ISPs to collect the Web browsing history of all Australians, for purposes which are not at all clear.” The committee is currently accepting comments from the public and is expected to give a report by October 20. [IT News]


Online Privacy


WW – Open Letter to Facebook: More Privacy Improvements Needed

The Electronic Frontier Foundation (EFF), the ACLU of Northern California, and a coalition of privacy groups are urging Facebook to give users true control over their personal data by taking six critical steps to protect members’ information. In an open letter sent to CEO Mark Zuckerberg today, the coalition asks Facebook to close its “app gap” and allow users to decide which applications can access their personal data. The group also asks Facebook to make “instant personalization” an opt-in service and use an HTTPS connection for all interactions by default, among other steps. In addition to EFF and the ACLU of Northern California, other groups signing the open letter include the Center for Democracy and Technology, the Center for Digital Democracy, Consumer Action, Consumer Watchdog, Privacy Lives, and the Privacy Rights Clearinghouse. [Source]


US – Twitter Settles FTC Privacy Charges

Twitter has agreed to a settlement with the US FTC over privacy issues stemming from two attacks that compromised Twitter accounts. The FTC complaint says that Twitter’s stated privacy policy at the time led users to believe that stronger privacy protections were in place than were actually in use. On two separate occasions in 2009, attackers gained unauthorized access to administrative control of the Twitter service. In January 2009, an attacker gained administrative access to Twitter through a brute force dictionary attack. The intruder reset user passwords and posted some of the passwords on a website, where others accessed them and used them to send phony messages from those accounts. In April 2009, a Twitter employee’s account was compromised, compromising Twitter users’ personal information and messages sent. At the time, Twitter had no policy against easy-to-guess administrative passwords, nor did it suspend or disable account access after a certain number of failed log-in attempts. Twitter has now implemented many of the FTC’s security recommendations. The terms of the agreement prohibit Twitter from “misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information.” Twitter will also be required to undergo third-party security audits. [Washington Post] [WIRED] [MSNBC] [ComputerWorld] [Source]


US – Referendum Backers Don’t Get Privacy, Top Court Says

People who sign a petition to put a referendum before voters generally don’t have a constitutional right to keep their names from being made public, the U.S. Supreme Court said, ruling against opponents of same-sex marriage. The justices, in an 8-1 ruling, upheld a Washington state law that would allow disclosure of the names of 138,000 people who supported putting an initiative on the ballot last year. The case tested the balance between privacy interests and transparency. The case is Doe v. Reed, 09-559. [Source]


WW – A Site for the Videos You Don’t Want Everyone to See

Some people post videos to YouTube and Facebook with the hope that they will go viral. But for many others, the idea of the whole world viewing a personal video is a nightmare. VidMe, a new video site, is for the latter group. It lets people share videos privately with only a chosen group of friends; the videos cannot be forwarded or downloaded. “The real main thing was creating a service that puts privacy and control in the center of the sharing experience, as opposed to an afterthought,” said Greg Siegel, founder and chief executive of VidMe. VidMe’s target audience is broad, Mr. Siegel said. He predicts an explosion in digital video, with more people using cellphones and digital cameras to record video instead of taking photos. On VidMe, people can upload video to the site from their computers, iPhones or directly from a Webcam recording. [Source]


Other Jurisdictions


NZ – Shroff to Law Commission: Federal CPO Needed

Privacy Commissioner Marie Shroff has called for the creation of a federal chief privacy officer position. In a hundred-page submission to the Law Commission, Shroff said a federal CPO would provide “leadership, expertise and help create a culture of respect for privacy across government.” The submission was in response to the Law Commission’s proposed changes to the Privacy Act. In it, Shroff largely backed the commission’s proposed changes, saying that while the act is fundamentally sound, there are areas where it is ineffective. Shroff also called for the creation of “anonymity,” “openness” and “accountability” principles in accordance with international data protection statutes. [Source]


WW – System Will Alert Companies When Stolen Customer Data are Found on Internet

Microsoft and the National Cyber Forensics Training Alliance have jointly launched the Internet Fraud Alert system, a portal that alerts companies quickly if their customers’ credentials or credit card information are found in online caches of stolen data. Researchers and law enforcement authorities will be able to report compromised data; banks, social networking sites, retailers and other companies can register with the system to receive alerts if their customers’ data are discovered. The system fills a need because there has been no formal procedure for notifying companies about caches of stolen data. [Internet Storm Center] [SC Magazine] [MSNBC]


MY – Commission Clarifies Data Protection Rules

The Malaysia Communications and Multimedia Commission (MCMC) has clarified its consumer code governing the sharing of personal information. The General Consumer Code governs all communication service providers and requires that they not disclose customers’ personal information to third parties without consent and that they meet Fair Information Principles on data collection and retention. The report also states that a personal data commissioner and an advisory committee will be appointed to enforce the Personal Data Protection Bill 2009, passed by parliament last April. [The Star]


Privacy (US)


US – ACLU Fights North Carolina Quest for Amazon Customer Data

A request by the North Carolina Department of Revenue for personally identifiable information (PII) on customers from an online retailer violates privacy rights, according to the American Civil Liberties Union (ACLU). The ACLU has intervened on behalf of Amazon customers in a lawsuit the company filed in April over the request for purchase records for customers with North Carolina shipping addresses. The company did provide such information as product codes and shipping areas, but its decision to withhold specific user information prompted the state agency to threaten legal action, the report states. According to Katy Parker, legal director of the ACLU of North Carolina Legal Foundation, “There is no legitimate reason why government officials need to know which North Carolina residents are reading which books.” [Source] ACLU filing.


US – Privacy Certifier Levels the Playing Field

After more than a decade operating as a non-profit, and usually making just about enough money to cover salaries and operating expenses, Truste changed its business model in 2008 and set about raising venture capital to expand its customer base. So far, the San Francisco-based provider of website privacy certification services has raised two rounds of financing. In 2008, Truste raised US$10-million in Series A funding from Accel Partners. Last week, it closed US$12-million in a Series B round led by Jafco Ventures, with participation from DAG Ventures, Baseline Ventures and Accel. The main reason the 13-year-old company switched its model from a non-profit and raised funding was to help make its services more broadly available to small and medium-sized online merchants and Web companies, said Chris Babel, the company’s chief executive. [Source]


US – Conn. AG Will Lead Multi-State Investigation Into Google Data Collection

Connecticut Attorney General Richard Blumenthal has said that attorneys general from more than 30 states have expressed interest in joining an investigation into Google’s collection of personal information over unsecured Wi-Fi networks. Google is also facing investigations in a number of European countries. In a press release, Blumenthal noted that Google “must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence.” The investigation will look into whether laws have been broken, and also consider “whether changes to state and federal statutes may be necessary.” [ComputerWorld] [MSNBC]


Privacy Enhancing Technologies (PETs)


UK – Fading Data Could Improve Privacy

Privacy could be enhanced if data was allowed to fade, suggests research. Dutch researcher Dr Harold van Heerde is looking into ways to gradually “degrade” the information that sites gather about visitors. Slowly swapping details for more general information can help guard against accidental disclosure, he said. The research project carried out by Dr van Heerde from the Centre for Telematics and Information Technology (CTIT) at the University of Twente looked into ways to change the way databases manage information about users and customers. The ability of those databases to gather information tempts companies and organisations to hoard information just in case it proves valuable. The dangers of having data about us stored more or less permanently in many different places around the web have been proved many times when that information is leaked by accident or design, said Dr van Heerde. [Source]


WW – Privacy Add-Ons Merged to Create Powerful Tool

A browser extension for Firefox has been combined with a set of privacy applications that give users more control over how their personal information is shared online. The extension is the Targeted Advertising Cookie Opt-Out or TACO, developed by Christopher Soghoian. TACO is aimed at stopping online advertising networks from setting cookies, or small data files, on a person’s computer that record information about their Web surfing, which can then be used to serve targeted advertisements. Many of the online advertising companies offer an “opt-out” cookie, which will exempt a particular user from being tracked, but the user often must visit a Web site in order to obtain that cookie, according to Soghoian’s Web site. Also, if a user inadvertently deletes the cookie, in some cases they may have to go to obtain specific opt-out cookies again. The latest 3.0 version of TACO can now block a total of 95 advertising networks. It also shows more granular detail on what tracking systems Web sites are using and displays them in a console when a person visits a new Web page. Further controls allow people to block particular tracking systems while allowing others. TACO 3.0 can also show if the site has had a recent data breach. Soghoian has also partnered with Abine, a company started in 2008 that specializes in creating consumer privacy applications that have been wrapped into the extension. Abine built privacy extensions for both Firefox and Internet Explorer. [Source]


UK – PI Launches New Technology Site

Privacy International has launched “Cracking the Black Box”, a site devoted to discovering the answers to key technical mysteries behind some of the world’s most controversial IT systems. The site encourages experts and whistleblowers to help resolve crucial questions about how technology is designed and deployed. The first two issues being addressed are the Google Wi-Fi controversy and the EU proposal to retain search data. Cracking the Black Box aims to expose technology that is being used in inappropriate ways. Privacy International hopes to bring together the insights of experts and whistleblowers to shine a light into the dark recesses of systems that are responsible for causing many of the privacy problems faced by millions of people. [Source]




US – Study: Board Members Increasingly Distanced from Cyber Security Governance

The 2010 Governance of Enterprise Security Study found that board involvement in security governance has declined. The report, from Carnegie Mellon University’s CyLab, found that board members at Fortune 1000 companies are becoming increasingly distanced from decisions regarding information security and privacy. A survey of 66 board members and senior executives found that none ranked computer and data security as a top priority of the board, although 56% of respondents did say that risk management improvement is a top priority. 65% of respondents said their boards do not review their organizations’ cyber security incident insurance coverage. On a brighter note, respondents indicated that IT experience and risk and security experience are important criteria to consider when recruiting new board members. The report offers 10 suggestions for “improv[ing] organizations’ security posture and reduc[ing] risk,” including the recommendation that boards have IT governance expertise represented in their membership. [SC Magazine] [Gov Info Security] [Report]


US – InfoSec Budgets Stable or Rising at Many Financial Institutions

Financial organizations around the world are reporting stable or even increasing information security budgets, according to Deloitte’s annual survey of security spending and priorities at financial institutions.

Fifty-six percent of respondents said their information security budgets had increased. The percentage of respondents who reported insufficient budgets as a barrier to effective information security fell from 56% in 2009 to 36% in 2010. The security priorities most cited by respondents are identity and access management; data protection; security infrastructure improvement; regulatory and legislative compliance; and compliance remediation. This marks the first year in the survey’s seven year history that information security compliance ranked among the top five priorities; this is likely driven by regulators stepping up compliance enforcement. [SC Magazine]


US – Physical and IT Security Integration Tied to Better Risk Management

A survey of more than 250 attendees at the GovSec Conference in Washington, DC in March found that cyber attacks are viewed as the top threat to US national security, followed by terrorist activity, insider threats and information security breaches. Sixty-five percent of respondents said their organizations are “focused on integrating IT security and physical security.” Those who said their organizations were focused on integrating physical and IT security also had the highest opinions of their organizations’ security monitoring and risk response. [FCW]




CA – More than 50 Schools Use Surveillance Cameras in Metro Vancouver

Hundreds of surveillance cameras monitor students in at least 50 Metro Vancouver schools, with some buildings having as many as two dozen each. Although B.C.’s privacy czar insists video cameras should only be used in schools as a last resort, their installation has not been particularly contentious and hasn’t generated the polarized debate that was triggered when cameras were set up in downtown Vancouver for Winter Olympics security. Only three Metro school districts – Vancouver, Richmond and North Vancouver – are completely free of surveillance cameras (apart from those that are installed temporarily as part of a police investigation). [Source]


US – Supreme Court Ok’s Policy to Ease Searches of Students

The Oregon State Supreme Court ruled that warrantless searches of students in public schools by officials need only “reasonable suspicion” rather than “probable cause,” making it easier for school officials to search property of students. The opinion of the Court, released June 10, stated that the Article I Section 9 rights of the Rex Putnam High School student had not been violated when David Pogel, a teacher at Rex Putnam, reached into the student’s pocket and removed the contraband inside. The student, known as M.A.D., and his defense asked that the evidence be thrown out, arguing it had not been legally obtained. This was allowed by the Appellate Court, but denied by the trial and Supreme Court. [Source]


UK – Flyers Beware! Every Move Under Watch

In a move that has alarmed privacy advocates, airlines plan to monitor every move of passengers, including conversations, through a new security system which is being developed to tackle terror threats on flights. Experts at Reading University are working to develop software to detect suspicious behaviour of passengers on board aircraft with the help of a combination of cameras, microphones, explosive sniffers and a sophisticated computer system. The research team, headed by James Ferryman, has already conducted trials of the camera system on a British Aerospace plane and the computer system on a mock airbus. The software can scan for unusual behaviour or events, such as unattended luggage or an individual going against the crowd flow. Microphones would eavesdrop on conversations and alert the deck if anything suggests terrorist behaviour. Explosive sniffers would be able to detect if a bomb is planted. All this information would be analysed by computer and if it spotted something untoward, the flight deck would be told instantly, the paper said. The research has alarmed Gus Hosein, of campaign group Privacy International and a London School of Economics lecturer. “This is getting out of control. An aeroplane is not a privacy-free zone,” he said. A department for transport spokesman said: “We have no plans to instruct airlines to install this system on their planes”. [Source]


AU – Preliminary Review: Google WiFi Collection Not So Bad

Australian Privacy Commissioner Karen Curtis shared preliminary comments on Google’s collection of data from unsecured wireless networks, rejecting the idea that banking transactions could have been captured because financial institutions use secure Internet connections. “At this stage, it appears payload data that has been collected comprises only fragments--0.2-second snatches,” she said, adding that her office has not examined the data and has told Google not to review it. Curtis said her office is working with its international counterparts as the investigation continues. In the U.S., meanwhile, as many as 30 states are considering taking part in a joint investigation led by Connecticut Attorney General Richard Blumenthal to determine whether any laws were broken when the data was collected. [The Sydney Morning Herald]


Telecom / TV


US – FCC Seeks Comments on Broadband Regulatory Proposals

The US Federal Communications Commission (FCC) is seeking comments on three proposals regarding broadband regulation. The FCC was dealt a blow in April when a federal court of appeals ruled that it had exceeded its authority when it ordered Comcast to stop throttling BitTorrent traffic on its network. The first of the proposed plans would change nothing about the FCC’s ability to regulate broadband; the second would reclassify broadband as a telecommunications service, subject to stringent regulatory requirements; and the third, favored by FCC chairman Julius Genachowski, would reclassify broadband as a telecommunications service, but relax certain restrictions that the reclassification would impose. The proposals would supersede an older commission ruling that classifies broadband as a lightly regulated information service. Genachowski said the FCC has no intention of regulating Internet content or broadband service pricing. [BBC] [NY Times] [eWeek]


CA – Woman Who Blames Rogers for Exposing Affair Says She’s Not Alone

The Toronto woman who blames a Rogers cellphone bill for breaking up her marriage says she is launching a campaign to improve privacy protection in Ontario. Gabriela Nagy is also looking for other frustrated customers to join her lawsuit against the telecommunications giant for what she claims was a breach of her privacy. Nagy claims a unilateral decision by Rogers to consolidate her household’s bills allowed her husband to discover she was having an affair. That, she says, led to the “destruction” of her marriage. She is suing the telecommunications giant for $600,000, claiming invasion of privacy and breach of contract. [Source]


WW – Despite iTunes Policy Updates, Legislators Concerned

Apple has updated its iTunes privacy policy to let users opt out of its iAd platform. The updated privacy section includes options to let users choose not to receive targeted advertising, according to the policy, which notes that those who choose to opt out of the tailored advertising campaigns “will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests.” While Apple has also announced changes to its privacy policy related to location-based services, members of the U.S. House Bi-Partisan Privacy Caucus sent a letter to Apple CEO Steve Jobs asking about the updated privacy policies and raising concerns about the use and collection of geographic location information. [eWeek]


WW – Jobs: iPhone Ad SDK Changes for User Privacy, Not Anti-Competitive

Changes made to the iPhone SDK which restrict app developers from forwarding private data to advertising analytics companies were made to protect users’ privacy, Steve Jobs said. The change supports Apple’s existing privacy policy, which was being violated by developers, perhaps unintentionally, when they included ad network code in their apps, which subsequently began to forward private data about the device and the user’s location to a third-party network. The change was triggered by reports published by Flurry Analytics, which harvested the data and found evidence of unreleased devices on Apple’s campus, which it subsequently published on its website. [Source]


US – AT&T Contacts Apple iPad Victims of AT&T Security Breach

Dorothy Attwood, a senior VP and CPO at AT&T, recently sent an email message to owners of the Apple iPad 3G. Ms. Attwood explained that the AT&T web site was manipulated to expose their email address and corresponding iPad’s ICC-ID (the iPad’s identification number) to the public. Apple iPad owners who had this information publicized include politicians, military officers, business leaders, celebrities and journalists. How they did this is a story in itself. AT&T apologized for this security breach and laid full blame for this incident on what it said are “self-described hackers”. AT&T went on to say these “unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster” and “deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses”. This group “then put together a list of these e-mails and distributed it for their own publicity”. The F.B.I. is investigating this matter to see whether this group broke the law. AT&T affirmed its support for this investigation by stating in its email, “We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.” [Source]


US Government Programs


US – Marketers Debut Self-Regulating Icon

Beginning this week, dozens of major companies will “pull the veil off their Web ads,” with the first trial of a self-regulation plan aimed at staving off government regulation while giving consumers added control over targeted advertising. The new system, one of several competing to win the support of advertising industry coalitions and the Council of Better Business Bureaus, will only apply to ads that use data from third parties. The self-regulatory approach features a “power eye” icon included with ads. When consumers access the icon, they “get a view of all the data that was used to target the ad, as well as the option to opt out of future targeting by those companies,” the report states. [Advertising Age]


US Legislation


US – New Legislation Proposed: Protecting Cyberspace as a National Asset Act of 2010

Last week, US Senators Joseph Lieberman (I-Connecticut), Susan Collins (R-Maine) and Thomas Carper (D-Delaware) introduced the Protecting Cyberspace as a National Asset Act of 2010 (S.3480), “comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks.” If it passes, the legislation would establish an Office of Cyber Policy in the White House and a National Center for Cyber Security and Communications at the Department of Homeland Security (DHS). It would also update the Federal Information Security Management Act (FISMA) so federal agencies can move away from generating compliance reports and toward real-time monitoring that leads to rapid vulnerability reduction and risk reduction. The newly proposed US legislation would give the President emergency powers to take certain actions to protect private networks that support critical infrastructure if they face imminent attack or are actively under attack. The legislation would not allow the President to take control of the private networks, but would grant authority to order that a patch be applied or that the network(s) block incoming data from certain countries. Organizations that comply with the order would be immune from liability that arises from the actions they were required to take. The legislation has raised concerns among members of a trade group “about the unintended consequences that would result from the [bill’s] regulatory approach.” Of particular concern are the regulatory powers allotted to the Department of Homeland Security. [CNN] [FCW] Senate Committee Passes CyberSecurity Bill [SCMagazine] [NextGov]


US – Missouri Passes Privacy Bill

Missouri Governor Jay Nixon has signed a bill aimed at protecting citizens’ Social Security and taxpayer identification numbers. House Bill 2056 requires that child support and garnishment documents contain only the last four digits of such identifiers, whereas previously they may have contained the entire number. “The people of Missouri deserve a state government that operates with maximum efficiency and protects the vital interest that citizens have in the privacy of their personal information,” Nixon said. The bill will take effect August 28. [InfoZine]


Workplace Privacy


US – Supreme Court Rules Police Dept. Within Rights to Read Employees’ Texts

The US Supreme Court has ruled that the Ontario, California Police department did not violate a police sergeant’s rights when it read transcripts of messages from his work-issued pager. The high court said that even if the police sergeant had a reasonable expectation of privacy, a departmental audit of messages on the work-issued device was not unreasonable. The issue was whether or not Sgt. Jeff Quon could sue the police chief, the police department and the city for reading personal messages that he sent and received on his work-issued pager. An unwritten policy within the department indicated that employees’ messages would not be read if they paid for any overages, which Quon had done regularly. The audit of employee messages was conducted to see if the limit of 25,000 characters per month was adequate for employees to conduct official business. [CS Monitor] [WIRED] [MSNBC] [ComputerWorld]


CA – Calgary Board of Education Appeals Privacy Ruling

The Calgary Board of Education is appealing a ruling by Alberta’s privacy commission ordering it to waive more than $6,000 in fees it was going to charge an employee to access his employment records. The school board has filed a motion at Court of Queen’s Bench asking for the order to be quashed. In its motion, the school board’s lawyers argued the teacher, Mark Abrams, didn’t establish that he can’t afford the search and photocopying fees associated with his access-to-information request. A board spokesman said the school board has a duty to deal with access requests, but must also ensure public money isn’t wasted in the process. The school board said the fees are necessary to retrieve and copy 10,600 pages relevant to five access-to-information requests. [Source]


CA – Edmonton Business Breached Employee’s Privacy Rights

An Edmonton business has been ordered to educate its employees about privacy laws after two managers sent out a memo that a “difficult” staffer quit to take a new job and that her new boss would need some luck to deal with her. Information and Privacy adjudicator Keri Ridley ruled managers at Insight Psychological violated the former employee’s privacy rights by releasing personal information without her consent. [Source]


US – Whitepaper: Five Risks CIOs Must Consider

Companies should embrace social media while encouraging employees to make themselves aware of the risks involved. That’s according to the Information Systems Audit and Control Association (ISACA), which this week released a whitepaper on social networking risks CIOs should be aware of, CIO reports. “Companies should embrace it, not block it,” said ISACA Vice President Robert Stroud. “But they also need to empower their employees with knowledge to implement sound social media governance.” The whitepaper cites viruses and malware, brand hijacking, lack of control over content, unrealistic consumer expectations of “Internet-speed” service and noncompliance with records management regulations as the top five risks. [Source] [ISACA whitepaper]