Privacy News Highlights
08–14 March 2010
Passport Canada has confirmed it will schedule consultations to gather public input before a plan to incorporate biometric technology into passports moves forward. The consultations are expected to begin in early April. Proponents of the plan say biometric passports, which include such data as fingerprints, facial recognition or iris scans, would improve border security. Critics, meanwhile, are raising privacy concerns and question the reliability of the technology, the report states. “Nobody has suggested these things are absolutely foolproof,” says Welland NDP MP Malcolm Allen, who noted he is worried personal information encrypted into the documents could fall into the hands of criminals. [Welland Tribune] [Niagara Falls Review]
The tongue is a unique organ in that it can be stuck out of mouth for inspection, and yet it is otherwise well protected in the mouth and is difficult to forge. The tongue also presents both geometric shape information and physiological texture information which are potentially useful in identity verification applications. [Source]
A Seekonk, Massachusetts company wants to pilot its GPS and facial recognition technology on the district’s school buses. School committee members are reportedly weighing a proposal from Volpe Industries Inc. (VPI), which is developing a system that combines monitoring and biometric technologies, the report states. “The concept is to mount two small cameras, a mini computer and GPS tracking in each bus,” VPI’s president wrote in a proposal to district officials. He says the system could give school adminstrators real-time bus location information as well as a glimpse of the interiors of all buses on which the technology is deployed. [EastBayRI.com]
Amidst privacy concerns surrounding the Secure Flight program, which transfers passengers’ personal information from domestic airlines to the U.S. Department of Homeland Security, Air Canada officials have confirmed using the U.S. no-fly list to screen passengers on nonstop flights passing over the U.S.. “Canada’s approach will continue to balance the privacy rights of travellers with the need to keep the public safe from terrorist and other threats to the air transportation system,” says Public Safety Canada spokesperson David Charbonneau. Anne-Marie Hayden of the Office of the Privacy Commissioner (OPC) has said the office is looking into Secure Flight and “trying to ascertain the situation” regarding privacy protection. [Montreal Gazette]
The Office of the Privacy Commissioner has announced the winners of its second annual “My Privacy & Me” national video competition. Entrants between the ages of 12 and 18 produced video public service announcements exploring the importance of privacy. First, second and third-place winners were selected in four categories, and the videos will be posted on the OPC’s youth Web site. “Protecting personal privacy on the Internet is a relatively new behaviour that people are still getting used to--and with the prevalence of tools that are available to bring young people online, this issue is more important than ever before,” said Assistant Privacy Commissioner Elizabeth Denham. “The high caliber of videos we received this year is heartening because they demonstrate that Canadian youth really seem to ‘get’ it.” [News Release]
Western industrial countries are becoming more willing to spy on their citizens, according to an analysis of snooping that says that the UK is sixth in a world ranking for electronic state surveillance. Privacy technology company CryptoHippie has produced its second annual report on surveillance trends and says in it that countries that previously showed restraint in their monitoring of individuals have lost some of that self-control. “When we produced our first Electronic Police State report, the top ten nations were of two types: those that had the will to spy on every citizen, but lacked ability [and] those who had the ability, but were restrained in will,” it said in its 2010 report. “This is changing: the able have become willing and their traditional restraints have failed.” “The United States, with the UK and France close behind, have now caught up with Russia and are gaining on China, North Korea and Belarus,” it said. CryptoHippie said that the activity that it monitored and ranked in its report was quite specific: activity that made a country an electronic police state. “In an Electronic Police State, every surveillance camera recording, every email sent, every Internet site surfed, every post made, every check written, every credit card swipe, every cell phone ping... are all criminal evidence, and all are held in searchable databases,” it said. “The individual can be prosecuted whenever the government wishes.” “Long-term, the Electronic Police State destroys free speech, the right to petition the government for redress of grievances, and other liberties. Worse, it does so in a way that is difficult to identify,” said the report. The company said that its report did not measure police or government censorship of internet use or traffic, or corruption. It said that neither did it measure electronic evidence gathering that was conducted with court-issued warrants. The report did measure factors such as whether the state could search and record financial transactions; whether it could gag the subjects of surveillance; whether it outlawed cryptography; whether governments forced internet service providers (ISPs) to store data for them; whether they stored mobile phone records; and whether covert hacking was carried out. The countries least like electronic police states were Philippines, Brazil, Romania and Thailand. [The report] [Source]
In September, the City of Vancouver launched a beta open-data section on its website, which now includes data sets for drinking fountains, elementary school boundaries, graffiti reports, homeless shelter locations, sewer mains and a bunch of Olympic plans. “By freely sharing its data in accessible formats – while respecting privacy and security concerns – Vancouver is joining many government agencies in moving to harness the energy and involvement of citizens, community-based organizations and private businesses in everything from creative community problem-solving to the development of new service delivery ideas and solutions,” the website says. The City of Toronto published its first data sets in November on a web page that says its mission is “building a city that thinks like the web.” In its first week, the toronto.ca/open homepage received almost 10,000 visits. That week, transit information was the most sought-after download. Toronto’s data includes business improvement area boundaries; the locations of licensed childcare centres, parks and places of worship; transit routes and city ward boundaries. [Source]
According to The Institute for Health Freedom, the proposed federal rule to create and exchange electronic health records without patients’ consent threatens Americans’ health privacy, warns the Institute for Health Freedom. If adopted, the rule will provide higher federal payments to doctors and hospitals for creating and exchanging electronic health records (EHRs), and in a few years will actually penalize doctors and hospitals that do not do so. It will affect all types of patients, not just those on Medicare and Medicaid. Patients’ consent is not required before their personal health information is compiled and shared electronically for many purposes. The Institute for Health Freedom encourages Americans to submit their comments about the proposed federal rule before the March 15 deadline.
· More than 600,000 physicians, hospitals and other providers (chiropractors, dentists, optometrists, and podiatrists) – and their patients -- will be affected.
· Patients’ consent will not be required before personal health information is compiled in EHRs and exchanged electronically with many third parties including government agencies. The data will include weight, body mass index, race, ethnicity and other key pieces of highly personal information.
· Doctors will have to spend about $54,000 each to purchase certified EHR technology and approximately $10,000 annually for maintenance.
· Doctors will be financially rewarded for using electronic health records and could be paid up to $41,000 over five years for using such records. Then they would be penalized after 2015 if they don’t create electronic health records and exchange information as required by the Centers for Medicare and Medicaid Services.
· The Congressional Budget Office estimates that adopting health-care IT will reduce costs in the health-care system by only 0.3 percent during the 2011-2019 period.
[Summary of the EHR rule’s implications on privacy] [Copy of the proposed federal rule] [Individuals and organizations should submit their comments online here by March 15] [Institute for Health Freedom Press Release]
The British Medical Association has called for an immediate halt to the multibillion pound rollout of electronic records for NHS patients. The doctors’ association lambasted the state of the £13 billion NHS IT rollout and warned that the “break-neck speed” deployment of the records risked “further” eroding doctors’ and patients’ belief in electronic records. The entire programme was facing “failure”, it said, unless the rollout was properly evaluated. It also said it no longer wanted to be associated with the scheme on a promotional publicity video used by the NHS to demonstrate staff support. In an angry letter to health minister Mike O’ Brien, the BMA expressed “serious concern” that the rollout was being accelerated across the country, in spite of government-commissioned research that found seven in 10 patients did not understand an NHS information pack about the scheme. The rollout is also being accelerated ahead of the publishing of another official study on the records. Simultaneously, the BMA has written to doctors asking them to boycott the record, and to refuse to upload data to the national database. The association also criticised the quality of information on the records, after GP data accreditation was ended in 2009 with many surgeries that had not been approved in time. Patients have only 12 weeks to opt out if they do not want their records on the national data ‘spine’. Concerns have been raised by a number of doctors and patients over the security of the record, who will access it, and the format of the data. The Department of Health provided an immediate public reaction to the letter, stating it was “surprised” that the five-year rollout time frame was being called “break neck” pace, especially “when the programme had been previously criticised for its slow uptake.” “We absolutely support the right of any patient to opt out of having a summary care record and have provided various options to make this process straightforward,” it said. It also reminded patients that their records could only be accessed with their consent each time, and insisted no records were being created without patients being informed at least three months beforehand. [ComputerWorld]
Healthcare records held in the UK could be shared with the US, as a result of an initiative being promoted by the EU presidency. The presidency, currently held by Spain, wants to lay the groundwork for a bilateral agreement between the EU and US for sharing digital healthcare data, according to a statement it issued this week. “The aim is to create a scenario for clinical information exchange and technical interoperability between the project promoted by the Obama administration and the European project,” said the presidency in the statement. The Spanish minister of health and social policy, Trinidad Jiménez, met her US counterpart Kathleen Sebelius in Washington last week to push for the agreement. The US intends to digitise all healthcare records within five years as part of the American Recovery and Reinvestment Act 2009. Several European countries, including Germany and the UK, have pilot projects for electronic healthcare records. One of the main NHS projects for sharing healthcare records is the nascent Summary Care Records system, designed to be accessed by medical staff across England. The system is part of the National Project for IT (NPfIT), which has had sustained criticism from IT security experts and doctors. The Department of Health declined to comment on the EU presidency’s push, but did say that the NHS technology office is engaged with international standards organisations, such as Health Level 7. In addition, the NHS’s IT body Connecting for Health has links with peers in the US, the department added. The European Data Protection Secretariat (EDPS) said that it had taken note of the EU presidency’s initiative. It added that any agreement to share data between the EU and the US would have to conform to data protection and privacy laws in Europe and in individual member states. [Source]
The Electronic Frontier Foundation (EFF) casts doubt about the sensibility of crafting different privacy rules for sensitive information. In an FTC filing, the EFF says it sees “considerable problems with attempting to regulate sensitive information more tightly than other consumer data in the general online environment...” The comments were in response to questions the commission posed to help shape the conversation at its privacy roundtable in Washington, DC. The EFF authors suggest “The online consumer privacy problem is sufficiently grave that the focus should be on consumer data in general.” [Source]
Terrorists and normal civillians residing in Saudi Arabia have something new to worry about this week — security in regards to BlackBerry Messenger and BlackBerry handhelds overall. It’s no secret that RIM has an amazingly secure platform and network with the BlackBerry. Sadly, the bad guys have realized this too and have made heavy use of the encrypted and untouchable platform, angering many governments around the globe. The Saudi gov’t has had enough however and is calling on RIM to let them have full access as to properly track and arrest terrorists and other criminals. [Source]
IT managers are typically well aware of the importance of data encryption, especially when trying to secure laptops and PCs. But, according to a new survey of Canadian IT and business leaders, business managers might actually be taking this point too far. The study - conducted by data security research firm Ponemon Institute LLC and sponsored by laptop theft protection vendor Absolute Software Corp. - found that 62% of responding Canadian business managers said encryption makes other data security measures unnecessary and irrelevant. This compares to 44% of surveyed Canadian IT leaders who answered the same way. “It shows that there’s still a reliance on myth,” said Mike Spinney, senior privacy analyst with the Ponemon Institute. “Unfortunately, one of those myths is that technology is the magic wand that protects us from everything going on.” The study, also found that 52% of responding Canadian business managers actually disengaged their PC’s encryption tools. The study concluded that while business executives appear to overvalue encryption and its role to stop data breaches, many of them are actually hindering its effectiveness by improperly circumventing the technology, creating weak passwords, or using insecure wireless connections. [Source]
The European Parliament Civil Liberties Committee has asked that a vote on the sharing of passenger name records with the U.S. be postponed. The committee says that a “no” vote would hamper carriers, which are required to provide passenger name records (PNRs) under U.S. law. The European Court of Justice ruled in 2004 that a temporary agreement to share air passengers’ names, itineraries, payment details and other information was illegal. Committee rapporteur Sophie In ‘t Veld said the EU needs “to systematically harmonise the set of principles [around PNR],” and that she would push for the PNR data provision to comply with EU data protection law, the report states. [ZDNet]
Those wanting to own a McDonald’s or Subway franchise in Germany must be prepared to offer up intimate personal details, including health information. One German official says the questionnaires violate the law. According to information obtained by SPIEGEL, those wanting to partner with the fast-food chain Subway must agree to a background check “in accordance with anti-terror legislation” such as the US Patriot Act. The report must also include information about the applicant’s character, lifestyle and relationships. Future franchise owners are also asked whether they have ever been part of a terrorist organization. Potential McDonald’s franchise holders, meanwhile, are grilled about extra-marital affairs and health problems. Indeed, potential proprietors are asked about the date and the reason for their last visit to the doctor. Moritz Karg, a data-protection official in the German state of Schleswig-Holstein, says that the companies’ practices are “unacceptable under data-protection laws” on the books in Germany. [Der Spiegel]
Canadian border agents are routinely using confidential banking and credit card information to arrest illegal immigrant account-holders for deportation, a Toronto lawyer says. Mamann said the policy surfaced after a Toronto man facing removal to Costa Rica received two letters from his bank alerting him that the CBSA was searching for him. Mamann said he wasn’t aware the CBSA officers were using the bank to arrest people. He said most of those being targeted have been living in Canada illegally for more than 10 years and have bank accounts. They are sought on warrants. CBSA spokesman Anna Pape said her officers are required by law to investigate persons wanted on Canada-wide immigration warrants for violations of immigration law. Anne-Marie Hayden of the office of the Federal Privacy Commissioner said an individual’s banking or credit card information is considered personal. “It is not something we have had an opportunity to examine and, to the best of my knowledge, we haven’t been consulted,” Hayden said. [Toronto Sun]
Police will be given new powers to use people’s secret tax details against them in criminal trials, under legislation that weakens the privacy protection over Australians’ tax returns. For the first time, prosecutors will be able to use private tax information as evidence in court for “serious offences”, including identity theft, money laundering, drug-smuggling, corporate fraud, sexual slavery and terrorism. And the Australian Taxation Office will be allowed to hand secret taxpayer information to other government agencies to “prevent or lessen” a serious threat to public health or safety. Corporate watchdog the Australian Securities & Investments Commission will be given access to individuals’ tax details to probe insider trading, misleading and deceptive conduct, and insolvent trading. The Fair Work Ombudsman also will be able to obtain information on taxpayers “to better target compliance activity”. And state and territory workers’ compensation boards will be given tax information obtained under the pay-as-you-go scheme to ensure employers are paying their workers’ compensation levies. The changes are outlined in the Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill, which has been referred to the Senate economics committee for scrutiny. The legislation would let tax officers hand over taxpayers’ information to law enforcement agencies, such as police, Australian Security Intelligence Organisation or ASIC, for the investigation and prosecution of a criminal offence punishable by more than a year’s jail. But the Commonwealth Director of Public Prosecutions wants even wider powers. In a submission to the Senate committee - which is due to report to federal parliament next week - the DPP warns that the definition of serious offence will not cover cases of social security and immigration fraud, which attract jail terms of a year or less. And the Australian Federal Police, in a submission to the inquiry, notes the changes would have “proven useful” in a number of recent money-laundering prosecutions by showing that the suspects’ incomes did not match their alleged proceeds of crime. Under existing secrecy laws, law-enforcement agencies can use tax information to probe a serious offence - but cannot use it as evidence in court unless the crime involves a tax rort. “Taxpayer information has proved to be a valuable source of intelligence information for the investigation of activities such as money laundering and social security fraud,” the legislation’s explanatory memorandum states. [The Australian]
The Canadian Imperial Bank of Commerce will compensate customers whose personal information was mistakenly sent to businesses in the U.S. and Quebec. A Toronto judge approved the deal last week, settling a class action lawsuit filed by customers whose names, social insurance numbers, account numbers and balances, addresses and signatures were exposed in faxes the bank sent to a Maryland auto accessory manufacturer and a Quebec business. In his decision, Ontario Superior Court Judge George Strathy said that class members’ claims are likely to be “fairly modest.” CIBC will offer settlements to each individual affected and will pay $100,000 to the Public Interest Advocacy Centre, the report states. [Bloomberg]
For the past four years, Ontario has been buying brand drugs for well below the going rate. But an elaborate payment system has been set up to prevent anyone else from finding out exactly how much the government has been paying. Now, that information might be on the verge of becoming public. And drug companies, fearing national and even international repercussions, appear to be in a panic. Because the Ontario Drug Benefit is one of the world’s largest purchasers of pharmaceuticals, manufacturers are prepared to cut deals they wouldn’t elsewhere. And according to industry insiders, there’s been a pattern in the negotiations since 2006, when the province passed legislation aimed at lowering its prescription costs. To maintain secrecy, both the government and the industry have had to spend a lot of time fighting freedom-of-information requests. But in late February, acting on orders from the province’s Information and Privacy Commissioner, the government finally released a big chunk of records. Those records don’t explicitly list off the discounts on specific drugs. So government officials seem to think they’ve held up their end of the deal. Manufacturers aren’t appeased. They’re afraid that from the available information – including the names of 47 drug companies, and the amount they gave back to the government in quarterly lump-sum payments – it will be possible for informed interests to deduce some of the specific discounts. In an urgently worded four-page letter to provincial officials, obtained by The Globe and Mail, the president of Canada’s Research-Based Pharmaceuticals Companies – the national association more commonly known as Rx&D – spelled out those fears. “It appears that highly sensitive and commercial information of our members has been disclosed, despite the [Health] Ministry’s attempts to resist disclosure,” Russell Williams wrote. [Source]
Health / Medical
For the second time in a month, British Columbia’s largest health authority has been criticized over its handling of computerized patient health records. According to Privacy Commissioner Paul Fraser, the personal health information database set up by the Vancouver Coastal Health Authority lacks privacy, as it accessible to about 4,000 users. The Primary Access Regional Information System, also known by its acronym PARIS, is compiled of information about patients’ finances, social insurance numbers, diagnoses, care and doctors’ and counsellors’ notes. From the privacy perspective, Fraser informs of major deficiencies found over the course of the three year investigation, in the implementation of PARIS. It is of major concern to see far too many people having access to too much of this information compiled over the last nine years, Fraser said of the database. Various health care providers working in community programmes, mental health, addictions, public health and communicable diseases access the system. Not only does the system lack adequate security, records are stored for too long without being archived or destroyed, even when no longer required. One of the eight databases in BC containing patient information, lessons learnt from the PARIS investigation will carry over into all other electronic health databases, Fraser said. He believes learning from the mistakes identified in this information, health authorities must ensure privacy is part of the entire functional design and not added on at the end. Similar findings were reported last month by John Doyle, Auditor General, who said far too many people had access to sensitive information, which he described as being vulnerable to hackers.Fraser’s 20 recommendations for the health authority include collecting only minimal personal information, with records archived annually and with limited access to them. As well, staff should complete privacy training every year, including signing confidentiality agreements on an annual basis, he recommends. [Source]
Saskatchewan’s Information and Privacy Commissioner is warning physicians and citizens about health record storage services being offered by an Ontario company. Commissioner Gary Dickson says that although DOCUdavit Services Inc. claims to provide safe and secure storage for medical information, the company does not appear to follow provincial health privacy laws. Dickson has shared his concerns with Saskatchewan Health and the Saskatchewan Medical Association, among others. [Winnipeg Free Press] [Source]
The Health IT Policy Committee’s Strategic Planning Workgroup is debating how to balance privacy concerns with improved healthcare. Patricia Brennan of the University of Wisconsin described the group’s work so far as “very restrictive” in terms of data exchange. Don Detmer, retired president and CEO of the American Medical Informatics Association, said the workgroup “should not force privacy to be more important than health.” Dr. Steve Stack of the American Medical Association Board of Trustees, however, said a presentation by Dan Ariely gave him the perspective that for the initiative to work, “preserving our rights, liberties and freedoms is essential.” [InformationWeek] [ONCHIT DRAFT Health IT Strategic Framework:: Strategic Themes, Principles, Objectives, and Strategies]
In the wake of a recent case where several hospital employees were disciplined for sharing cell phone photographs of a shark attack victim, medical professionals are questioning whether patient photos by friends and family could trigger HIPAA violations. One issue the report raises is whether visitors with camera phones in emergency rooms or hospitals are putting those facilities at risk. The report points out that while healthcare plans and providers are responsible for their employees’ actions, the Department of Health and Human Services’ Office of Civil Rights states that in general under HIPAA, they “would not be responsible for the actions by a patient’s friends or family.” [HealthLeaders Media]
Members of the Arkansas National Guard are learning this week that their personal information may have been exposed. 35,000 guardsmen are impacted by the breach, which involves a misplaced external hard drive at Camp Joseph T. Robinson base in North Little Rock. The unencrypted drive contains information--including names and Social Security numbers--on guard personnel dating back to 1991, the report states. “This inappropriate handling of our soldiers’ personal information is an isolated incident, which is now under investigation to help ensure steps are taken to help prevent such an incident from occurring in the future,” the National Guard said in a statement. [ESecurity Planet] See also: [HSBC: Data theft incident broader than first thought]
The Westin Bonaventure Hotel and Suites in Los Angeles is offering free credit monitoring services for customers whose payment card information may have been exposed. A letter on the Westin’s Web site alerts customers that hackers may have accessed the point-of-sale systems for the hotel’s four restaurants and its valet parking operation. Hotel officials contacted law enforcement after discovering that customer payment card information--including names, card numbers and expiration dates--may have been exposed between April and December. Concerned guests are “encouraged to review their statements from that time period,” hotel officials said. They are also encouraged to place a fraud alert on their credit files. [Computerworld]
Lawmakers working to craft a new comprehensive immigration bill have settled on a way to prevent employers from hiring illegal immigrants: a national biometric identification card all American workers would eventually be required to obtain. Under the potentially controversial plan still taking shape in the Senate, all legal U.S. workers, including citizens and immigrants, would be issued an ID card with embedded information, such as fingerprints, to tie the card to the worker. The ID card plan is one of several steps advocates of an immigration overhaul are taking to address concerns that have defeated similar bills in the past. The uphill effort to pass a bill is being led by Sens. Chuck Schumer (D., N.Y.) and Lindsey Graham (R., S.C.), who plan to meet with President Barack Obama as soon as this week to update him on their work. An administration official said the White House had no position on the biometric card. The biggest objections to the biometric cards may come from privacy advocates, who fear they would become de facto national ID cards that enable the government to track citizens. “It is fundamentally a massive invasion of people’s privacy,” said Chris Calabrese, legislative counsel for the American Civil Liberties Union. “We’re not only talking about fingerprinting every American, treating ordinary Americans like criminals in order to work. We’re also talking about a card that would quickly spread from work to voting to travel to pretty much every aspect of American life that requires identification.” Mr. Graham says he respects those concerns but disagrees. “We’ve all got Social Security cards,” he said. “They’re just easily tampered with. Make them tamper-proof. That’s all I’m saying.” [The Wall Street Journal]
LifeLock, the company that broadcast its chief executive’s Social Security number as part of its claim that it could protect anyone against identity theft, agreed this week to pay $12 million to settle charges that it misled consumers about the effectiveness of its service. The settlement, announced by the Federal Trade Commission and a group of 35 state attorneys general, requires LifeLock to refrain from making further deceptive claims and take more stringent measures to safeguard the personal information that it collects from customers. Jon Leibowitz, the chairman of the trade commission, said that “several hundred persons, at least,” who were LifeLock customers had become victims of identity fraud while using the company’s service. Customers typically paid $10 a month for the service, he said. The commission also claimed that the “fraud alerts” LifeLock placed on individuals’ credit files protected against only certain types of identity theft, mainly the opening of new accounts, which is the cause of fewer than one in five cases of identity theft. LifeLock’s customers were left vulnerable to misuse of their current accounts, the most common form of the crime. “This was a fairly egregious case of deceptive advertising from our perspective,” Mr. Leibowitz said. Lisa Madigan, the Illinois attorney general, who joined Mr. Leibowitz in announcing the action at a news conference in Chicago, said that while LifeLock did provide some legitimate services, “most of what they did, you can do on your own and you can do it free.” The biggest problem with the company’s claims, she said, was its guarantee to prevent identity theft from ever happening. “There is nothing you can do or you can purchase that is a 100% guarantee against identity theft,” Ms. Madigan said. Mr. Davis knows the truth of that. After he began broadcasting his Social Security number, dozens of attempts were made to secure credit or identification using the information. At least one attempt succeeded, when a man in Texas secured a $500 payday loan in 2007 using Mr. Davis’s Social Security number [The New York Times]
The European Parliament delivered a political blow to Hollywood and the Obama administration, voting Wednesday 663 to 13 in opposition to a proposed and secret intellectual property agreement being negotiated by the European Union, United States and a handful of others. This week’s developments concerning the Anti-Counterfeiting and Trade Agreement are substantial because the European Union’s 27 countries vastly outnumber the remaining countries negotiating the deal. [Wired] See also: [Australia comes clean on ACTA role]
Internet / WWW
Ontario is changing the school curriculum to include Internet safety lessons. The Liberal government has approved changes to the health and physical education curriculum for elementary schools to help children better protect themselves online. [CP]
From 2004 through 2009, in a policy that has gotten completely out of control, New York City police officers stopped people on the street and checked them out nearly three million times, frisking and otherwise humiliating many of them. Upward of 90% of the people stopped are completely innocent of any wrongdoing. And yet the New York Police Department is compounding this intolerable indignity by compiling an enormous and permanent computerized database of these encounters between innocent New Yorkers and the police. Police Department statistics show that 2,798,461 stops were made in that six-year period. In 2,467,150 of those instances, the people stopped had done nothing wrong. That’s 88.2% of all stops over six years. Black people were stopped during that period a staggering 1,444,559 times. Hispanics accounted for 843,817 of the stops and whites 287,218. Police Commissioner Kelly has made it clear that this monstrous database, growing by a half-million or so stops each year, is to be a permanent feature of the department’s operations. [The New York Times]
The Electronic Frontier Foundation casts doubt about the sensibility of crafting different privacy rules for sensitive information. In an FTC filing, the EFF says it sees “considerable problems with attempting to regulate sensitive information more tightly than other consumer data in the general online environment...” The comments were in response to questions the commission posed to help shape the conversation at its privacy roundtable next week in Washington, DC. The EFF authors suggest “The online consumer privacy problem is sufficiently grave that the focus should be on consumer data in general.” [MediaPost] [EFF Comments] See also: [Schneier: Want Online Privacy? Be Ready to Fight for It]
Google is facing a new lawsuit over its Buzz social networking service. The complaint, filed last week in Rhode Island, alleges “Google intentionally exceeded its authorization to access and control confidential and private information,” violating the Stored Communications Act and Electronic Communications Act. Meanwhile, the FTC has expressed interest in a recent Electronic Privacy Information Center (EPIC) complaint about Google Buzz. The complaint raises issues “that relate to consumer expectations about the collection and use of their data,” FTC Bureau of Consumer Protection Director David Vladeck wrote in a letter to EPIC, noting, “it is critical that consumers understand how their data will be used and have the opportunity to exercise meaningful control over such uses.” [InformationWeek] [Amendment to Complaint]
A homeless shelter is a person’s home, at least when it comes to privacy protections under the state and federal constitutions, the state’s highest court ruled this week. The Supreme Judicial Court ruled in the case of a juvenile who was living with his mother in a homeless shelter in March 2006. Police searched the room the juvenile occupied after the shelter director unlocked the door. The officers found a loaded Glock .40-caliber gun. The juvenile was charged with delinquency by reason of unlawful possession of a gun and ammunition, but a Juvenile Court judge ordered the evidence thrown out. Prosecutors appealed. The high court, ruling against the prosecutors, said the room where the juvenile and his mother lived was their home and they had a “reasonable expectation of privacy” in it. That expectation meant it couldn’t be searched without a warrant. “The room that the juvenile and his mother shared at the shelter was a transitional living space, but it was nonetheless their home,” the court said in a 5-2 decision written by Justice Ralph Gants. The court said the police could have searched the room if they had permission of a co-inhabitant of the home or if a landlord had a contract entitling police to seize contraband or evidence on the property. But the court said that neither of those conditions applied. In a dissenting opinion, Justice Judith Cowin argued that shelter residents did not have a reasonable expectation of privacy. “The shelter services a transient population. it makes available a temporary place to live off the streets. In return, and for obvious reasons, the shelter requires that its residents surrender a considerable degree of personal freedom,” she wrote. Looking at life at the shelter, with its numerous rules, including one allowing the shelter director to enter any room essentially at will, Cowin said, “puts to rest any premise that a resident could conceivably harbor a reasonable expectation” of privacy. [Source]
A federal judge has dismissed a class action suit against Aetna Inc. after finding that a security breach resulted in “a mere possibility of an increased risk of identity theft” and not a “credible threat of identity theft.” “At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft,” U.S. District Judge Legrome D. Davis wrote in his 14-page opinion. The case came after it was reported that personal data belonging to as many as 450,000 job applicants could have been compromised when the company’s job application site was hacked in 2009. [Law.com]
As smart meters are deployed in California, advocates are urging the state’s Public Utilities Commission (PUC) to adopt rules and regulations to protect the privacy of consumers’ energy data. Smart meters will record household electricity consumption down to the appliance level. In a joint filing, the Center for Democracy and Technology and the Electronic Frontier Foundation (EFF) urged the PUC to adopt “comprehensive privacy standards for the collection, retention, use and disclosure” of the data. The recommendations call for transparency on how data is used and restrictions on data disclosure. “We must have meaningful rules to protect this extremely sensitive information,” says EFF lawyer Lee Tien. [infoZine] [EFF Submission] [California’s smart grid initiative]
Customer loyalty card data helps supermarkets and other retailers promote products. Recently such data was used for a different gain. The U.S. Centers for Disease Control and Prevention (CDC) recently used the information to successfully pinpoint the source of a salmonella outbreak. It is the first time the CDC has used loyalty card data to aid an investigation. The centers sought patient permission before mining the data. “It was a break in the investigation for sure,” said CDC epidemiologist Casey Barton Behravesh. Some have expressed concern, however, that the breakthrough could lead to mandatory involvement in customer loyalty programs. [Associated Press]
A new report highlights a depressingly consistent drift towards ever greater control of the population using new technologies. There are few surprises in the 2010 report, entitled The Electronic Police State, issued this week. It shows Russia and the United States within a couple of points of each other when it comes to electronic policing and surveillance, North Korea just overtaking China to gain top prize, and the United Kingdom leading the rest of the West - after the US. CryptoHippie is a US-based company providing what it describes as “superior privacy enhancing technologies”. According to the report, an electronic police state is characterised by “State use of electronic technologies to record, organize, search and distribute forensic evidence against its citizens”. It continues: The two crucial facts about the information gathered under an `electronic police state are these:
1. It is criminal evidence, ready for use in a trial.
2. It is gathered universally (“preventively”) and only later organized for use in prosecutions.
States are assessed on 17 different criteria, including such varied factors as border issues, gag orders and anti-crypto laws. This year, a new weighting system has been introduced, so that certain factors contribute more heavily. The top-weighted items include: Financial Tracking, Data Storage Ability, Data Search Ability, ISP Data Retention, Cell Phone Record retention, (lack of) Police-Intel and Covert Hacking. In many ways, what is depressing is how little has changed since the last such report in 2008. Almost without exception, the raw scores for each of the 52 states surveyed has gone up (though it is not absolutely clear whether this is a side-effect of the weighting). The big winners are Taiwan, Slovenia and New Zealand - all three of which dropped by five or more places in the rankings - and the big losers would appear to be the citizens of Spain, Portugal and Bulgaria (followed closely by Italy). . [Out-Law] [The Register] [The report: The Electronic Police State] Related stories: [India plans its own net snoop system (27 Nov 2009)] [Massive net surveillance programme on schedule (18 Nov 2009)] [Election makes net snooping a pariah policy (11 Nov 2009)] [More delays for UK.gov’s net snooping programme (9 Nov 2009)] [Security boss calls for end to net anonymity (16 Oct 2009)] [Britain leads world in police state survey (1 Jun 2009)]
With the end of the Olympics, 1,000 or so Games-related surveillance cameras are being removed from Vancouver streets, sparking calls to keep them. The proponents tout the benefits to law-enforcement and public feelings of safety. The VPD is a big fan of the technology and says it was helpful in crowd control for marshalling its forces. Unfortunately, as the B.C. Civil Liberties Association keeps pointing out, the facts in this discussion are counter-intuitive – there doesn’t seem to be any significant effect on crime rates from these cameras and the cost-benefit analysis numbers are very dodgy. [Vancouver Sun]
US Government Programs
The U.S. Department of Homeland Security plans to follow in Britain’s footsteps and roll out a pricey deployment of 450 scanners to U.S. airports despite health, efficiency, and privacy concerns. Some experts say the plan is to give the perception of security, even if it doesn’t make airports much safer. Even as the U.S. Department of Homeland Security races to deploy full body scanners at airports across the U.S., significant concerns have been raised. The scanners have been shown to be ineffective at detecting dangerous low density materials like liquids, powders, or plastic weapons. In addition, some studies have linked them to potentially cancer-causing DNA damage. Perhaps most importantly, major privacy concerns remain unresolved around the scanners, which digitally disrobe passengers. Despite those problems, the DHS appears to believe that the perception of security is too important to wait for further study. It is instead beginning a mass deployment, rolling out new scanners in 11 cities including Boston, Chicago, Los Angeles, and San Diego. The DHS is defending its pricey plan, arguing that there’s no privacy risk. It says that images of passengers unclothed won’t be stored, despite the recent revelation that the scanners had the built in capability to do so. They also admit that the scanners are only efficient at detecting metal objects, but say that could be very helpful in detecting knives or metal-based guns. [Source]
Is the use of full-body scanners in airport security a breach of individual rights? Yes, according to Martin Scheinin, the UN special rapporteur on the protection of human rights. Scheinin believes the scanners are not only an excessive intrusion into individual privacy but also ineffective in preventing terrorist attacks. “The use of a full-body scanner which reveals graphic details of the human body, including the most private parts of it, very easily is a violation of human rights,” Scheinin says. He has told the UN Human Rights Council that different technology would better protect personal privacy, the report states. [The Montreal Gazette]
Proponents of a Florida House bill think it provides long-overdue protection to the privacy of crime victims. First Amendment advocates think it goes too far and would remove accountability for 911 operators and rescue responders. Crime victims themselves seem split on the issue. On Wednesday, a House panel approved Florida Bill PCB GAP 10-03, which would bar the public from hearing audio recordings of 911 calls. Only a judge could grant an exception. Furthermore, it would delay public access to the written transcripts of a 911 call for 60 days. “I think this balances privacy with accountability,” said Rep. Rob Schenck, R-Brooksville, who wrote the bill. “In speaking with many people who have made 911 calls, it’s usually a very tragic incident and they don’t want to have to hear it on the news,” he continued. “This is meant to protect their privacy.” [Source]
A Maine legislative committee voted this week to repeal the state’s Act to Prevent Predatory Marketing Practices Against Minors, citing challenges that the law is unconstitutional. A proposal for a narrower measure to ban only the collection of data for the purpose of marketing prescriptions was also withdrawn due to constitutional concerns. The 2009 law prohibits companies from gathering personal information from anyone under the age of 18 without parental consent and bans the sale or transfer of health information that identifies minors. NetChoice, a coalition of Web companies, is praising the decision, with the coalition’s legal counsel contending that legislation restricting marketing to minors “could cause grief for the state--legally and financially.” The full Maine legislature is expected to vote on the repeal within a few weeks, the report states. [MediaPost News]
The Supreme Court has agreed to referee a dispute between NASA and some of its independent contractors over required security checks, a decision that could affect how the federal government investigates the background of current and future employees. The justices agreed to hear an appeal from the space agency, which had its worker investigations at Jet Propulsion Laboratory in California blocked after the 9th U.S. Circuit Court of Appeals said the questions threatened the constitutional rights of workers. The high court’s decision in this case could throw into question the background checks routinely done on all federal government workers. 28 scientists and engineers from the Jet Propulsion Laboratory sued the federal government after NASA required them to submit to background checks. They said the agency was invading their privacy by requiring the investigations, which included probes into medical records and questioning of friends about everything from their finances to their sex lives. If the workers didn’t agree to the checks, they were to be barred from the 177-acre campus east of Los Angeles and fired. The scientists and engineers had worked for years at the labs run for NASA by the California Institute of Technology, and none of them work on top-secret projects. NASA required all employees to submit to the background checks, saying it was following a government-wide policy applying to millions of civil servants and contractors. A 2004 presidential directive ordered every government agency to step up security to their facilities and computer systems by issuing new identification badges to employees. To obtain the new cards, workers have to be fingerprinted, undergo a background check and sign a waiver allowing federal investigators access to personal information. A federal judge originally refused to stop NASA’s background checks, saying they could continue while the lawsuit made its way through the courts. He was overturned by the San Francisco-based appeals court. NASA’s forms “seeks highly personal information using an open-ended technique including asking for ‘any adverse information which ... may have a bearing on this person’s suitability for government employment,’“ the appeals court said. “There is nothing ‘narrowly tailored’ about such a broad inquisition.” [Source]
A Japanese company has created a mobile phone capable of tracking its users’ physical movements. KDDI Corporation has developed phone technology capable of deciphering precise movements such as scrubbing, sweeping and walking, for example. KDDI plans to sell the phone to managers, foremen and employment agencies, the report states. Some say it introduces an increased opportunity for abuse. “...There will surely be negative consequences when applied to employee tracking or salesforce optimization,” said the director of the International University of Japan’s mobile consumer lab. [BBC News]