Privacy News Highlights

22–31 March 2010



US – New U.S. Biometrics Agency Created to Manage DoD-Wide Responsibilities

US – New Hampshire Lawmakers Reject Biometric ID Restrictions

CA – Alberta Ponders Provincial Biometric ID Cards for Homeless

CA – New BC Gov’t Powers Raise Privacy Concerns

CA – B.C. Database Would Lead To Big Brother Scenario, Privacy Group Warns

US – NAI Study Shows Value of Targeted Ads

US – CIO Council Creates Privacy Guidance

CA – Toronto Firm Launches Physician-to-Patient SMS app

UK – Scottish Gov’t Launches Paperless Health Records

US – As Health Data Goes Digital, Security Risks Grow

UK – Survey: Non-Medical Staff ‘Have Access to Health Records’

WW – It Now Takes More Clicks to Escape E-Mail Lists: Study

EU – Privacy Advisor Calls for ‘Privacy by Design’ Laws

UK – European Commission Launches New Privacy Project

UK – Compensation Should Be Paid for Personal Data Loss, Says Report

UK – ICO Announces Plan to Boost IT Expertise

IE – 46% of Irish Don’t Trust Data Protection Laws - Survey

CA – Study Ranks Riskiest Cities for Online ID Fraud

CN – Google Will Redirect Chinese Users to Uncensored Hong Kong Site

WW – Google Official Calls for Action on Web Restrictions

US – U.S. Concerned by Australian Internet Filter Plan

EU – Germany Resists EU Plans to Block Child Porn Sites

EU – EU to Revive SWIFT Talks, Set Up Tracking Program

US – FDIC Shows Banks Lost $120 Million In 3 Months to Online Banking Fraud

US – FINRA Releases Social Networking Guidance

US – Open Government Audit Finds Mixed Results for Obama Administration

US – Senators Leahy and Cornyn Introduce Bill to Reduce FOIA Delays

CA – National Gallery Officials Could Face Charges Over Deleted E-Mails

CA – Camera Ban Missed Privacy Point

US – DEA Approves Interim Electronic Prescription Rule

WW – Should Doctors Google Their Patients?

US – ECMC Breach Affects 5% of Students (3.3m) with Federal Loans

UK – Personal Data Breach Hits 9,000 Barnet Schoolchildren

US – TJX Hacker Gets 20 Years in Prison

IN – Condom e-Store Exposes Customer Data

CA – Toronto Hydro Failed to Protect Privacy, Watchdog Says

CA – Canadians May Get E-Passports in 2011; Security Experts Voice Concerns

UK – Digital Economy Bill Could Block Websites

NZ – Labour Party Rejects Three Strikes Proposal

EU – Cloud Security Weaknesses Prompt Call for Global Data Protection Law

WW – Coalition Pushes Rewrite of Online Privacy Law

US – Lawmakers to Hold Hearings on ECPA Reform

CA – Google Expanding Street View in Canada

EU – Dutch Prosecutors Stop Tapping Lawyers’ Phones

US – NYC Settles Jail Strip-Search Suit For $33 Million

WW – Revised Facebook Policy Hints at Location Tagging

CA – CIPPIC Files Statement of Concern Re: Facebook’s New Privacy Approach

US – Agencies Test Industry’s New ‘You Are Being Targeted’ Icon

UK – Scotland Yard Wants Net Cafés to Spy on Customers

US – Cavoukian on Facebook Privacy

WW – IDRC Gives UK Org $1m for Asian Privacy Network

BR – Phorm Launches Commercial Operations

WW – Microsoft Makes U-Prove Technology Available to Enable Identity with Privacy

US – FTC to Consider New Restrictions on Collecting Data from Children

US – FTC Busts Dave & Buster’s

US – Court to Hear Web ‘Free Speech’ Case

US – U.S. Said to be Eyeing Cybersecurity Ambassador Role

US – Fighting Identity Theft Not a Priority, Report Says

US – Lawmakers Ask for FTC Investigation of Google Buzz

US – Idaho House Limits Information on Driver’s Licenses

WW – Pill with Antenna Ensures Patients Take Meds

UK – Survey Shows 100% of Organizations Targeted for Data Theft

UK – Airport Worker Given Police Warning for ‘Misusing’ Body Scanner

US – TSA Plans to Double Its Use of Whole-Body Scanners

CN – “Octopus” Card Enters China, Raises Privacy Issues

US – DHS Offers Details on Privacy Controls in Its Secret Einstein 3 IDS/IPS

US – EFF to Press for New Privacy Protections Against Hidden Video Surveillance

US – Senator Inspired to Expand Wiretapping Laws to Web-Cams and Online Photos

US – Airport Device Follows Fliers’ Phones

UK – Tax Man Empowered to Open Mail Without Asking Permission

EU – German Court Strikes Blow Against EU Data-Retention Regime

SL – Slovak Manager to Sue Deutsche Telekom over Spying

UK – Police Refuse to Name Sex Offenders on the Run ‘Because of Right to Privacy’

US – Data Security Concerns Persist in IRS IT Systems

US – Survey: Federal CIOs Push Transparency, Struggle with Cyber-Security

US – Legislators, Industry Leaders Disagree on Impact of Privacy Bill, New FTC Powers

WW – New Big Brother Like Service Monitors Employee Use of Social Sites

US – NJ Court: Employee-Attorney E-Mails are Private

EU – German Commission Finds Employee Blood Tests Illegal





US – New U.S. Biometrics Agency Created to Manage DoD-Wide Responsibilities

The role of biometric information in U.S. national security is increasing, and the U.S. government has created the Biometrics Identity Management Agency (BIMA). BIMA, a component of the U.S. Army, will lead Department of Defense activities “to prioritize, integrate, and synchronize biometrics technologies and capabilities and to manage the Department of Defense’s authoritative biometrics database to support the National Security Strategy”; DoD says: “Biometrics is an important enabler that shall be fully integrated into the conduct of DoD activities to support the full range of military operations.” As of last week, the United States has a new government national security agency: the Biometrics Identity Management Agency (BIMA). It supersedes the Biometrics Task Force that was established in 2000. The Federation of American Scientists (FAS) Secrecy News reports that BIMA, although nominally a component of the U.S. Army, has Defense Department-wide responsibilities. “The Biometrics Identity Management Agency leads Department of Defense activities to prioritize, integrate, and synchronize biometrics technologies and capabilities and to manage the Department of Defense’s authoritative biometrics database to support the National Security Strategy,” according to a 23 March Order issued by Army Secretary John M. McHugh, which redesignated the previous Biometrics Task Force as the BIMA. [Homeland Security Newswire]


US – New Hampshire Lawmakers Reject Biometric ID Restrictions

The New Hampshire House of Representatives turned down a bill proposed earlier in the year that would have restricted the use of biometric IDs within the state. The New Hampshire legislature was considering a bill that would put severe restrictions on the use of biometric IDs within the state’s borders, limiting such use to employee identification. Rejection of the proposed measure was recommended by the committee that heard the bill’s testimony, and the New Hampshire House killed the proposed legislation by a vote of 267-39. The move came last week, and the result hardly shocked the bill’s co-sponsor, New Hampshire state representative Neal Kurk. “I was disappointed but not surprised. It took several years to implement our existing statutory ban on biometrics in connection with motor vehicle registrations and licenses.” But the New Hampshire lawmaker seems undaunted by this setback, espousing the “live free or die” motto the state is so famous for. “It will take several years to extend it to other areas of government in New Hampshire”, Kurk said of the effort to restrict the use of biometric IDs, “but it will happen.” Kurk went on to clarify the intent of the rejected bill, noting that it did not seek a wholesale ban on the use of biometric information for identification purposes. “Rather, it’s to allow biometrics in any area of state and local government where they make sense and do not unreasonably invade personal privacy, as determined by the legislature,” asserted Kurk. “In other words, a decision to allow biometrics in New Hampshire should be made by the legislature, not administrative officials in Concord or Washington, D.C.” [Infosecurity Magazine] See also: [Senators Unveil Yet Another Flawed Biometric National ID Card Plan: EFF] and also: [A Gathering Storm - How the UID Project Will Transform India Into a Police State]


CA – Alberta Ponders Provincial Biometric ID Cards for Homeless

Alberta is working on ways to provide ID cards to homeless people that could include biometric samples of fingerprints or facial scans. Housing Minister Jonathan Denis said his department is in discussions with Service Alberta about creating an Alberta ID card for the homeless. Service Alberta Minister Heather Klimchuk said the card would allow homeless people to more easily obtain government ID by making it possible for a social worker to vouch for their identities in the absence of other documentation. It would also allow people to list a homeless shelter as a proxy address, she said. Klimchuk said the card will likely include a photograph, adding the idea of biometrics is also being explored by the government. Fingerprint scans, a type of biometric identification, have been used at the Calgary Drop-In Centre as an entry requirement for almost a year after the shelter noticed its clients kept losing their ID cards. It also allows the centre to keep out people involved with dealing drugs or other criminal activity. The system led to a controversy at the time when a board member and Alberta’s privacy commissioner raised concerns about the creation of a database that would store the information. [Calgary Herald] See also: [AU: A big night out: drinking, dancing, fingerprinting]




CA – New BC Gov’t Powers Raise Privacy Concerns

In a move that is raising concerns about privacy implications, the British Columbia government presented an 88-page submission seeking expansion of its powers to collect and share citizens’ private information to a special committee reviewing the Freedom of Information and Protection of Privacy Act this week. The Tyee reports that the provincial government has not only proposed the collection of personal information without consent, but also the storage of such information outside of Canada. “It’s the scope of the thing,” said Vincent Gogolek of the Freedom of Information and Privacy Association. “They really are looking to change the basis of the act to remove people’s control over their own information...This is stuff you don’t want bouncing around all over the place.” [Source] [Hansard transcript (blues)] [Times Colonist: BC gov’t push to rewrite the info and privacy law] [CBC: Critics challenge B.C. privacy law proposals] and also: [Ottawa Bureaucrats: no consequence for abusing privacy laws]


CA – B.C. Database Would Lead To Big Brother Scenario, Privacy Group Warns

A government project to merge the personal information of British Columbians who use social services into a giant digital database would result in Big Brother-like scrutiny of citizens, says a provincial privacy advocate. The B.C. Freedom of Information and Privacy Association has called on the province to give more thought to the rollout of the six-year, $181-million Integrated Case Management system, suggesting it could have serious privacy ramifications. “They would know where, what you’re saying, when, how, what you’re reading, what your health is, what your family life’s been like, your educational background – basically everything,” Darrell Evans, the association’s executive director, told reporters this week. “It will be a network of different databases that amounts to complete government scrutiny of your life.” The association and the United Community Services Co-op released a two-year, 72-page study funded by the Law Foundation of British Columbia. It makes 11 recommendations to government, social service organizations and their clients on how to proceed on the proposed project. Among them, the study asks the province to refer the database to the B.C. Supreme Court to determine whether it violates privacy protections under the Constitution. It also suggests the province should immediately begin public consultations and carry out a legally required privacy-impact assessment. An official with the B.C. Ministry of Housing and Social Development said staff are reviewing the groups’ recommendations and hope to meet with their representatives. The ministry is also working with the province’s Privacy Commissioner, who has begun the assessment, a spokesman said, speaking on condition of anonymity. [Canadian Press] [FIPA Report: Culture of Care… or Culture of Surveillance?]




US – NAI Study Shows Value of Targeted Ads

The Network Advertising Initiative (NAI) has released study results that show targeted ads are more valuable than run-of-network ads. The study surveyed 12 ad networks about their 2009 ad revenues, the report states, finding that marketers paid more than twice as much for ads targeted to Web users’ behaviors than for run-of-network ads. “It’s clear that behavioral targeting has the potential to significantly elevate the value of the inventory—to the advertiser, to the publisher and to the network,” said report author Howard Beales, former head of consumer protection at the Federal Trade Commission (FTC). The NAI plans to submit the study to the FTC, which is exploring the privacy implications of behavioral targeting. [MediaPost News]




US – CIO Council Creates Privacy Guidance

The Federal Chief Information Officers Council has created a guidance document calling for privacy protections to be built into new or modified systems within the federal enterprise architecture. According to the report, the guidance would establish “Privacy Control Families” that would be based on Fair Information Practice Principles. The document has been approved by the CIO Council’s privacy committee, but awaits approval by the full council. Roanne Shaddox, a privacy specialist at the Federal Deposit Insurance Corporation, provided an overview of the initiative at a trade show in Washington, DC, yesterday. [Federal Computer Week] [v2 – June 2006] See also [US: Kundra Encouraged by Private-Sector Cloud Efforts for Government]


Electronic Records


CA – Toronto Firm Launches Physician-to-Patient SMS app

The MobiSecure app from Toronto-based Diversinet, officially launched earlier this week at the CTIA Wireless conference in Las Vegas, is currently being tested by The Blue Sky Family Health Team in North Bay, Ont. The MobiSecure SMS app is designed to let patients keep up to date on their personal health records via their mobile phone. In addition to improving the patient-physician relationship, the app also seeks to address the secure-messaging needs of the health-care industry, Diversinet said. With the app, users can receive appointment reminders, test results, prescription information, immunization records, allergy information, and other related medical data. For users involved in a medical emergency abroad, the app will be able to connect back to the patient’s medical history and information about insurance coverage. In terms of privacy and security, Diversinet said the app features strong mobile encryption and two-factor bilateral (mutual) authentication. The app will be PIN-protected for the patient, while the physician is able to confirm delivery via read confirmations. Worth keeping in mind when evaluating any such product: the SMS transport itself offers no end-to-end confidentiality (messages sit in plaintext at the carrier’s SMS centre), so any protection has to come from encryption applied by the app to the message body before it is handed to SMS. [Source]


UK – Scottish Gov’t Launches Paperless Health Records

In spite of privacy concerns and delays with a similar project in England, a £44 million electronic data system intended to make the NHS paper-free has been launched by the Scottish government. The British Medical Association in Scotland has said that while there are advantages to the electronic system, there is serious concern across the UK about confidentiality and access to online records, the report states. According to the privacy advocate group Big Brother Watch, as many as 140,000 non-medical staff can access patient files in England, and those files will become even easier to access through the new NHS database. [The Times]


US – As Health Data Goes Digital, Security Risks Grow

Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, cannot be reissued once exposed and so results in a permanent violation of privacy. It’s not so much the quantity of information that could be a problem; it’s the number of sources, the diversity of the data and the various network infrastructures on which it resides that could overwhelm the U.S. health system and pose significant risks to privacy, according to Sia Zadeh, director of business development for security software vendor Axway Inc. According to a recent report by IDC’s Health Industry Insights division, health care providers believe it will take a major security scandal to compel organizations to take security seriously. A major health care data breach is inevitable, said Dr. William Braithwaite. He wrote portions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and has since contributed to federal health care regulation. “As we build EHRs, that puts more information in place, so the risk that someone will go after that information increases,” said Braithwaite, now chief medical officer with security software vendor Anakam Inc. “If we don’t understand the threat model we’re dealing with, we’re leaving the back door open; in fact, there will be no back door because they’re already in the house.” [Source] See also: [Deborah Peel in NYT: Opinion: Do-Not-Disclose Registry Needed] and [Expert: Access Control Key to Protection of Online Medical Data] and [OIPC BC - Investigation Report F10-02 - Review of the Electronic Health Information System at Vancouver Coastal Health Authority Known As The Primary Access Regional Information System (“PARIS”)]


UK – Survey: Non-Medical Staff ‘Have Access to Health Records’

More than 100,000 non-medical staff in NHS Trusts have access to confidential patient records, according to a recent Big Brother Watch survey. “The number of non-medical personnel with access to confidential medical records leaves the system wide open for abuse,” said Big Brother Watch’s director. But a government spokesman said the NHS’s use of smartcards means that “when managed properly, it is not possible for an unauthorized member of staff to see clinical information.” The Information Commissioner’s Office (ICO) said it is vital that medical records remain private and secure. [BBC News] See also: [Should Medical Professionals Examine Their Patients’ Online Lives? Harvard Review of Psychiatry]




WW – It Now Takes More Clicks to Escape E-Mail Lists: Study

A study of 100 large online retailers has shown that five times as many now require at least three clicks to escape from e-mail marketing lists as did in 2008. The Responsys survey also indicates that the share requiring just one click to be removed from an e-mail list has dropped to three percent, down six percentage points over the same period. The report states that while retailers may not want to let their subscribers get away too easily, Chad White of Responsys recommends they let customers leave with two clicks or fewer, since the time it takes to opt out is “being measured against that one click on their report spam button.” [New York Times]


EU Developments


EU – Privacy Advisor Calls for ‘Privacy by Design’ Laws

Data protection laws should change to force people creating new technologies to design privacy features into them, the EU’s data protection advisor has said. European Data Protection Supervisor (EDPS) Peter Hustinx has told the European Commission that the law should change, and be applied to three areas of technology development as a priority: social media, RFID and targeted advertising. The EDPS has adopted an opinion and submitted it to the Commission, which is developing a ‘digital agenda’ to guide its governance of emerging and existing technologies. “Although the EU has a strong data protection regulatory framework, in many instances ICTs raise new concerns that are not accounted for within the existing framework. Further action is therefore necessary,” said the office of the EDPS in a statement. “To significantly minimise the risks and to secure users’ willingness to rely on ICTs [information and communication technologies], it is crucial to integrate, at practical level, data protection and privacy from the very inception of new ICTs,” said Hustinx. “This need for a ‘Privacy by Design’ approach should be reflected in the EU data protection legal framework at different levels of laws and policy making.” “Privacy by Design needs to be explicitly included as a general binding principle into the existing data protection legal framework,” said the EDPS statement. “This would compel its implementation by data controllers and ICT designers and manufacturers while offering more legitimacy to enforcement authorities to require its effective application in practice.” “Privacy by Design should also be fully endorsed by the forthcoming European Digital Agenda and become a binding principle in future EU policies,” it said. Hustinx said that the change was vital if users were going to learn to trust emerging information services. [Source]


UK – European Commission Launches New Privacy Project

Emerging technologies offer significant benefits but also risks to our privacy. How to deal with these risks is the subject of a new three-year project funded by the European Commission. Called PRESCIENT, the project will consider the privacy implications of emerging technologies such as new identification and surveillance technologies, biometrics, on-the-spot DNA sequencing and technologies for human enhancement. “New technologies can often be used in a way that undermines the right to privacy because they facilitate the collection, storage, processing and combination of personal data by security agencies and businesses,” says Michael Friedewald, head of the ICT research unit at the Fraunhofer Institute for Systems and Innovation Research (ISI) and co-ordinator of the project. “We have seen that with the rise of social networking websites such as Facebook, MySpace and Bebo. They have led to a dramatic increase in the amount of personal information available online, which is routinely misappropriated for identity theft or other fraudulent purposes. We know that employers also mine these sites in order to vet prospective employees. RFID and biometrics can also be used in ways invidious to our privacy.” “The use of these new technologies is changing the ways in which we understand privacy and data protection. It is not sufficient to look at privacy as only a legal or human right. We need to reconceptualise privacy in ethical, social, cultural and other dimensions and to see how these different conceptualisations impact each other and how they can be bridged. We think part of the solution is much wider use of privacy and ethical impact assessments before new technologies or projects involving personal data are undertaken.” PRESCIENT is the acronym for Privacy and Emerging Sciences and Technologies. The project aims to establish a new framework for privacy and ethical considerations arising from emerging technologies. It will identify and analyse ethical issues posed by new technologies, discuss them with interested stakeholders and, in due course, provide scientifically based recommendations to policy makers on how to address the privacy issues of emerging technologies.


UK – Compensation Should Be Paid for Personal Data Loss, Says Report

Compensation should be paid to anyone whose personal details are lost by the Government or a private company, according to a report backed by the information watchdog. Putting a price on privacy will deter organisations from losing or abusing people’s personal details, the influential think tank Demos found. The recommendation comes amid increasing concern that there has been a dramatic expansion of a “surveillance society”, which threatens to erode civil liberties. The report, Private Lives, published today, recommended that consumers affected by the misuse or illicit sale of information should be compensated. It also advocated giving consumers more say over how their data is used. More consent should be required before personal data such as medical data and banking details are released, according to the findings. Regulators should be required to name companies and government departments that mishandle information and produce a ‘Top 100 named and shamed’ list. Furthermore, the Information Commissioner’s Office should have new powers to administer fines for misuse of information. The report, commissioned by the ICO and Consumer Focus, the Government-backed watchdog, also recommended a kitemark scheme, similar to the Food Standards Agency’s hygiene rating system, to help people make better consumer decisions about how trustworthy particular organisations are. [Source] [DEMOS Report]


UK – ICO Announces Plan to Boost IT Expertise

The Information Commissioner’s Office (ICO) will be staffing its policy and strategy division with more technical experts as part of its reorganisation process. Speaking before the Home Affairs Select Committee, Information Commissioner Christopher Graham said this technical expertise will help the ICO be more forward-looking and “spot the next big thing before it becomes a huge problem.” Graham noted that while government entities have improved data protection processes, he does not expect issues around data-sharing to go away, the report states. The challenge, he said, is for the ICO to ensure “that what is proposed is proportionate, privacy friendly and thought through and complies with the Data Protection Act.” [Kable]


Facts & Stats


IE – 46% of Irish Don’t Trust Data Protection Laws - Survey

Almost half of Irish Computer Society members taking part in a recent survey said they were not confident they would be contacted should their personal information be compromised in a data breach. Unveiled at the Annual Data Protection Conference yesterday, the March 2010 survey also found that 81% of respondents said legislation should be enacted requiring organisations to notify the Data Protection Commissioner after a breach. Customers should be notified as well, 80% of respondents said. “Companies need to realize the importance of data protection in their companies and give it the time and training it deserves,” said the Irish Computer Society’s CEO. [SiliconRepublic]


CA – Study Ranks Riskiest Cities for Online ID Fraud

When it comes to online identity fraud, Burlington, Ontario, has made the top of the list for Canada’s riskiest cities. A recent study from Symantec has revealed the country’s top 10 cities most vulnerable to ID theft, the report states. While the list does include large cities, the study found that residents in wealthier suburbs had more access to computers and the Internet and were at greater risk for identity fraud. After Burlington, the remaining top 10 are Port Coquitlam, Langley and Vancouver, BC; Calgary, AB; Oakville, Markham and Toronto, ON; Kelowna, BC, and Kitchener, ON. [Edmonton Sun]




CN – Google Will Redirect Chinese Users to Uncensored Hong Kong Site

Google will stop censoring Internet search results for its Chinese users. Instead, users will be redirected to Google’s Hong Kong-based search engine. Although Google has been negotiating with the Chinese government about unfiltered search results, the government there “has been crystal clear ... that self-censorship is a non-negotiable legal requirement.” Hong Kong is an administrative region of China, but has its own economic and political systems; the search engine is therefore under Hong Kong’s jurisdiction. Google plans to keep its Chinese research and development and sales teams. [Washington Post] [Information Week] [NY Times] [Secure Computing] UPDATE: China has responded quickly to Google’s actions and is now blocking access to [link not preserved]. Google’s site also has a page showing which of its services China is blocking: [link not preserved]


WW – Google Official Calls for Action on Web Restrictions

A top Google executive this week called for new rules to put pressure on governments that filter the Internet, saying the practice was hindering international trade. Alan Davidson, director of United States public policy for Google, told a joint Congressional panel that the United States should consider withholding development aid from countries that restrict certain Web sites. [NY Times]


US – U.S. Concerned by Australian Internet Filter Plan

The United States has raised concerns with Australia about the impact of a proposed Internet filter that would place restrictions on Web content, an official said this week. The concerns of Australia’s most important security ally further undermine plans that would make Australia one of the strictest Internet regulators among the world’s democracies. [AP]


EU – Germany Resists EU Plans to Block Child Porn Sites

Germany’s justice minister is fighting EU plans to block access to child pornography sites because she doesn’t think the measures would work. She wants such sites shut down instead. The opposition Greens and SPD party agree with her. [Spiegel Online]




EU – EU to Revive SWIFT Talks, Set Up Tracking Program

The European Commission (EC) has revived negotiations on sharing banking data with the U.S. Citing data privacy concerns, the EU Parliament last month rejected the so-called SWIFT deal, which would have enabled the continued transfer of transaction data from the Belgium-based Society for Worldwide Interbank Financial Telecommunication (SWIFT) to the U.S. for use in counter-terrorism efforts. The EC adopted a mandate yesterday to begin new negotiations with the U.S. EU justice commissioner Viviane Reding said the new deal would address parliamentarians’ data privacy concerns and would require reciprocity in the sharing of data. “We would like to set up our own [terrorist financing tracking program],” Reding said. [New York Times] See also: [Foreign Policy Journal: Washington Murdered Privacy At Home And Abroad]


US – FDIC Shows Banks Lost $120 Million In 3 Months to Online Banking Fraud

FDIC Examiner Dave Nelson reported March 5 that malware on customer computers cost banks more than $40 million each month during the last full quarter for which he had data, July-September 2009. The FDIC receives confidential reports from financial institutions, from which Nelson’s estimates were generated. The attackers trick people into opening weaponized e-mails or into visiting web sites where their systems are infected, then use the stolen online-banking credentials to move money out of the victims’ accounts. Nelson said business accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses – $25 million in the 3rd quarter of 2009. Attackers target small businesses where the security controls are weak. [ComputerWorld] [Krebs on Security] [BankInfoSecurity: 22 Banking Breaches So Far in 2010 - Hacking, Insider Theft Continue to be Top Trends]


US – FINRA Releases Social Networking Guidance

The Financial Industry Regulatory Authority (FINRA) has issued guidance for financial institutions on how to develop social media policies. Regulatory Notice 10-06 covers the use of blogs and social networks. FINRA’s Social Networking Task Force collaborated on its creation. “While many firms may find that the guidance in this notice is useful when establishing their own procedures, each firm must develop policies and procedures that are best designed to ensure that the firm and its personnel comply with all applicable requirements,” the notice states. [BankInfoSecurity] See also: [Phishers Used Facebook to Penetrate Financial Firm’s Computer System]


US – Open Government Audit Finds Mixed Results for Obama Administration

Here’s a not-so-tiny tidbit of data that’s getting lost in the White House-driven public frenzy over healthcare legislation this month: the Democratic administration of Barack Obama, who denounced his presidential predecessor George W. Bush’s as the most secretive in history, is now denying more Freedom of Information Act requests than the Republican’s did. One of the exemptions allowed to deny Freedom of Information requests was used by the Obama administration 70,779 times in its first year, while the same exemption was used 47,395 times in Bush’s final budget year. An Associated Press examination of 17 major agencies’ handling of FOIA requests found denials 466,872 times, an increase of nearly 50% from the 2008 fiscal year under Bush. On March 16, to mark the annual Sunshine Week designed to promote openness in government, Obama applauded himself by issuing a statement: “As Sunshine Week begins, I want to applaud everyone who has worked to increase transparency in government and recommit my administration to be the most open and transparent ever, an effort that will strengthen our democracy and ensure the public’s trust in their government.” However, a new study out March 15 by George Washington University’s National Security Archive finds less than one-third of the 90 federal agencies that process such FOIA requests have made significant changes in their procedures since Obama’s 2009 memo. [Los Angeles Times] [Under Obama, FOIA Requests Down 11% But Rejections Up 50%] [National Security Archive FOIA Audit] See also: [Ottawa Bureaucrats: no consequence for abusing privacy laws]


US – Senators Leahy and Cornyn Introduce Bill to Reduce FOIA Delays

Senators Patrick Leahy and John Cornyn have introduced the Faster FOIA Act of 2010, S. 3111, which would establish a panel to examine agency backlogs in processing FOIA requests. Government reports reveal substantial agency delays in disclosing FOIA records. The bill came at the beginning of Sunshine Week, a national observance of the importance of open government. EPIC makes frequent use of the FOIA to obtain information about privacy issues. EPIC celebrated Sunshine Week by publishing the EPIC FOIA Gallery: 2010. [Faster FOIA Act, S. 3111] [Faster FOIA Act Press Release]


CA – National Gallery Officials Could Face Charges Over Deleted E-Mails

An investigation by the federal information commissioner has concluded there is evidence National Gallery officials broke the law in 2008 by destroying e-mails sought in an Access to Information request. And in a precedent-setting move, interim commissioner Suzanne Legault has referred the matter to the attorney general to determine if charges should be laid. Penalties include fines of up to $10,000 and two years in jail. [The Ottawa Citizen]


CA – Camera Ban Missed Privacy Point

Last week’s widely reported ruling by Judge Tim Preston that cameras will not be permitted into the Brian Sinclair inquest hinged largely on a desire to protect the privacy rights of witnesses. But what if some individual witnesses don’t have privacy concerns and actually want their testimony broadcast to the world? A group of media outlets, supported by Brian Sinclair’s family, argued that cameras should be allowed in the inquest so that as many people as possible could watch the proceedings. The Manitoba Nurses Union and the Winnipeg Regional Health Authority opposed the use of cameras. Both sides made compelling arguments before Judge Preston. But the arguments put forward by both sides were essentially one-size-fits-all scenarios. The media outlets argued that cameras should be permitted to broadcast all witnesses. The Manitoba Nurses Union and WRHA argued that cameras shouldn’t be permitted to broadcast any witnesses. Judge Preston was essentially asked to pick a side. In doing so, he recognized that “privacy has many facets ...” and that “serious and valid privacy and security concerns are at stake when the image or the words of a witness are broadcast to the world.” But through all the court arguments and public debate on this issue, the basic privacy principle of “consent” was overlooked. [Winnipeg Sun]


Health / Medical


US – DEA Approves Interim Electronic Prescription Rule

The Drug Enforcement Agency (DEA) has unveiled an interim final rule that would make it easier for physicians to e-prescribe controlled substances. The rule requires two-factor authentication as a replacement for doctors’ signatures and allows for biometric identifiers--such as fingerprints, iris scans or handprints--to be used as acceptable forms. That change aims to alleviate concerns raised by providers about in-person authorization requirements included in a 2008 notice of proposed rulemaking. [Government Health IT]


WW – Should Doctors Google Their Patients?

By now, it’s well known that almost anyone you meet - from a potential employer to a prospective date - might be searching for information about you online. But would you feel strange knowing that your doctor was Googling you? The practice appears to be widespread, according to an essay in the latest edition of the Harvard Review of Psychiatry, and it raises some thorny ethical questions for doctors, particularly those dealing with mental health. In some cases, what the authors call “patient-targeted Googling” is clearly beneficial - for example, when a patient is blogging about her suicidal thinking, or when an unconscious person comes into an emergency room with scant identification. But in other cases, the authors write, doctors are motivated by “curiosity, voyeurism and habit.” In the paper, the authors - Dr. Brendel and fellow doctors Benjamin Silverman and Brian Clinton - outline a framework that doctors, psychiatrists in particular, can use to help decide whether to conduct an Internet search on a patient. [Wall Street Journal] [Google and Facebook raise new issues for therapists and their clients]


Horror Stories


US – ECMC Breach Affects 5% of Students (3.3m) with Federal Loans

A Minnesota company that processes loans for students nationwide has reported a major theft of “personally identifiable information” involving 3.3 million students after a break-in last weekend at its Oakdale headquarters. U.S. Department of Education officials said it is believed to be one of the biggest cases of student identity theft in the nation, affecting 5% of all students with federal loans in the United States. ECMC, founded 16 years ago as Educational Credit Management Corp., said Friday that the stolen data include names, addresses, dates of birth and Social Security numbers. No bank account or other financial information was included in the data. In an e-mail Friday to several members of Congress that was obtained by the Star Tribune, company chief executive Richard Boyle said the theft occurred from a “secured location at ECMC involving portable media with ECMC student loan borrowers’ personally identifiable information.” [Minneapolis Star Tribune]


UK – Personal Data Breach Hits 9,000 Barnet Schoolchildren

Barnet Borough Council has confirmed a data breach surrounding 9,000 Year 11 students attending its schools between 2006 and 2009. The data breach occurred when a council worker experienced a domestic burglary earlier in March, resulting in the loss of encrypted computer equipment and unencrypted CD-ROMs and USB memory sticks holding the data. The breadth of the personal data lost in the breach is wide, and includes surnames, forenames, gender, date of birth, address, postcode, telephone number, ethnicity, in-care indicator, language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, and school. The council worker in question has now been suspended. [PublicTechnology]


US – TJX Hacker Gets 20 Years in Prison

Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison this week for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers. The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided. Gonzalez’s sentencing this week follows two others related to the TJX hacks. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million. Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez. On Friday, Gonzalez will be sentenced in another case involving breaches at Heartland Payment Systems — a New Jersey card-processing company — Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents. These hacks involved more than 130 million debit and credit card numbers. He faces a likely sentence of between 17 and 25 years in that case. Under the plea agreements, the sentences will be served concurrently. [Source]


IN – Condom e-Store Exposes Customer Data

An Indian Web site that sold Durex condoms has threatened legal action against the person who exposed a data breach on the site. Earlier this month, a user of the site noticed that he could view customers’ names, addresses, contact numbers and order details. The problem was fixed after the whistleblower notified all involved parties of the breach. Meanwhile, Durex says in a notice to customers on its India e-Store Web site that it has put modifications in place to “ensure that unauthorized access cannot happen again.” Durex’s parent company and a local marketing agency have jointly accused the whistleblower of downloading customer details, which he disputes. [The Register]


CA – Toronto Hydro Failed to Protect Privacy, Watchdog Says

Ontario’s privacy watchdog says Toronto Hydro Corporation must fix the “security shortcomings” that led to a breach of its e-billing system last year. According to the report from the Information and Privacy Commissioner of Ontario, two major breaches led to the privacy scare. First, an unauthorized third party obtained account numbers for all of Toronto Hydro’s 640,000 customers. Second, 179,000 of those numbers were used to create online billing accounts for customers without their consent. At the time, Toronto Hydro had no measures in place to make sure the account number was being used by the correct customer, investigator Mark Ratner wrote in his report. A customer simply had to enter his or her account number and create a user ID and password to view a bill. So instead of the intended online commerce, unauthorized parties got access to the addresses, charges, electricity use and names of 179,000 Toronto Hydro customers. [Source]
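The design flaw the Commissioner’s report describes, shown in code as an added example (not Toronto Hydro’s system or the IPC’s material): an enrollment that accepts the account number as the only proof of ownership, beside one that also requires a one-time code delivered out of band and throttles repeated attempts. Customer records, account numbers, the server key and the attempt limits are all constructed for the example.

```python
# Added example: weak e-billing enrollment (account number only) beside a
# hardened version bound to a mailed one-time code. Everything here is
# constructed for illustration; none of it is Toronto Hydro's code.
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)       # assumption: server-side HMAC secret
MAX_CODE_ATTEMPTS = 5                      # per-account lockout threshold
MAX_ENROLLMENTS_PER_SOURCE = 20            # bulk-enrollment throttle per client


def new_customer(name, postal):
    return {"name": name, "postal": postal, "enrolled": False,
            "code_mac": None, "attempts": 0, "login": None}


# Constructed sample customer records keyed by account number.
CUSTOMERS = {
    "1000001": new_customer("A. Customer", "M5V 1A1"),
    "1000002": new_customer("B. Customer", "M4C 2B2"),
    "1000003": new_customer("C. Customer", "M6K 3C3"),
}
ENROLLMENTS_BY_SOURCE = defaultdict(int)


def _hash_password(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll_weak(account_no, user_id, password):
    """The pattern the report describes: knowing the account number is the
    only proof of ownership, so any leaked number can be enrolled."""
    cust = CUSTOMERS.get(account_no)
    if cust is None or cust["enrolled"]:
        return "rejected"
    cust["enrolled"] = True
    cust["login"] = (user_id, _hash_password(password))
    return "enrolled"


def _code_mac(account_no, code):
    msg = f"{account_no}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_enrollment_code(account_no):
    """Create a one-time enrollment code for delivery out of band (e.g. printed
    on the paper bill mailed to the address on file). Only its MAC is stored."""
    cust = CUSTOMERS[account_no]
    code = secrets.token_urlsafe(9)
    cust["code_mac"] = _code_mac(account_no, code)
    cust["attempts"] = 0
    return code   # handed to the mailing process, never shown online


def enroll_strong(account_no, code, user_id, password, source):
    """Hardened enrollment: the account number alone proves nothing; the caller
    must also present the mailed code, within per-account and per-source limits."""
    cust = CUSTOMERS.get(account_no)
    if cust is None or cust["enrolled"] or cust["code_mac"] is None:
        return "rejected"
    if cust["attempts"] >= MAX_CODE_ATTEMPTS:
        return "locked"
    if ENROLLMENTS_BY_SOURCE[source] >= MAX_ENROLLMENTS_PER_SOURCE:
        return "throttled"
    cust["attempts"] += 1
    if not hmac.compare_digest(cust["code_mac"], _code_mac(account_no, code)):
        return "rejected"
    cust["enrolled"] = True
    cust["code_mac"] = None          # code is single-use
    cust["login"] = (user_id, _hash_password(password))
    ENROLLMENTS_BY_SOURCE[source] += 1
    return "enrolled"


if __name__ == "__main__":
    print(enroll_weak("1000001", "anyone", "pw"))                 # enrolled
    print(enroll_strong("1000002", "guess", "x", "pw", "c1"))     # rejected
    mailed = issue_enrollment_code("1000002")
    print(enroll_strong("1000002", mailed, "owner", "pw", "c1"))  # enrolled
```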


Identity Issues


CA – Canadians May Get E-Passports in 2011; Security Experts Voice Concerns

As early as next year, Canadians who apply for passports will receive documents with chips that contain their digital images and personal information such as name, gender, and date and place of birth. Passport Canada says the new electronic passports, known as e-passports, will increase security, provide greater protection against tampering and reduce the risk of fraud. But they’ve also raised concerns about privacy, identity theft, misidentification and the growth of government surveillance of citizens. “I am not reassured that the passport office has adequately addressed the many concerns,” said Andrew Clement, a professor in the Faculty of Information at the University of Toronto. Full assurance, he said, “would require a thorough, expert and independent assessment with public reporting of all but the necessarily confidential aspects. As far as I know, nothing close to this has been done.” Within the next couple of weeks, Passport Canada will begin a major online consultation with Canadians about its service. After the results have been analyzed, the agency will consult Canadians again — this time focusing on the introduction of the new e-passport. Only then will its cost and date of implementation be determined. Under a pilot project that started in January 2009, Passport Canada has already issued 25,000 diplomatic and special e-passports. To address concerns raised by Canada’s privacy commissioner, Passport Canada backed away last year from the idea of including fingerprints and iris scans in the e-passport. But “we continue to be very interested in this issue,” said a spokeswoman for the privacy commissioner. The commissioner’s office expects to receive an updated report on the national rollout of the e-passport in the next few weeks. It appears unlikely that the e-passport will meet major public resistance. 
In the survey done for Passport Canada last fall, 84% of respondents — after learning more about the e-passport — described their overall impression as positive. About six in 10 said they have no concerns about it, whatsoever. And there’s enthusiasm for the idea of a 10-year lifespan for passports. Still, the survey report warns that Canadians have “many questions,” about such things as the amount and security of the information on the chip, as well as practical questions related to usage. That suggests the need for “effective communications messaging” preceding or accompanying the e-passport launch, the report says. [Source] See also: [UK - A personalized government webpage for every citizen] and: [Personalised website for everyone within four years]


Intellectual Property


UK – Digital Economy Bill Could Block Websites

The controversial UK Digital Economy Bill has been further amended so that ministers could block websites that offer pirated copyright content. The new move, which is supported by both Conservatives and Labour, means it is now even more likely that the Bill will be passed into law in the wash-up process, which takes place between an election being called and parliament being dissolved. [Telegraph] [Liberal Democrats Say Digital Economy Bill Should Wait For Next Government]


NZ – Labour Party Rejects Three Strikes Proposal

New Zealand’s Labour party, currently in opposition, has stated that it would no longer support provisions for cutting off file sharer’s internet accounts. The policy is a back-flip on the party’s position on graduated response legislation in the past, which supported termination of internet access. [IT Wire]


Internet / WWW


EU – Cloud Security Weaknesses Prompt Call for Global Data Protection Law

European leaders have called for a worldwide agreement on data protection to address the data security weaknesses of cloud computing. The call was made this week before an international audience of 300 cyber law experts who had assembled at the Council of Europe to discuss the harmonisation of cybercrime regulations. Francesco Pizzetti, president of the data protection authority of Italy, warned that cloud computing had challenged the legal basis on which personal data was handled by corporations. “It is not possible to continue to guarantee the protection of citizens’ data without very strong international rules accepted by all countries around the world,” he said. Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), said the agency was examining cloud computing because of the risks it held for data security. ENISA will push for European regulation to oblige cloud providers to notify customers about security breaches, said Helmbrecht. “We need to build trust into the cloud,” he said. “If we don’t build trust into this environment, the business model will not run.” Jörg Polakiewicz, head of law reform at the Council of Europe, said both the Convention on Cybercrime and the Council of Europe’s Data Protection Convention were being updated to take account of new technologies such as cloud computing. See also: [US: Policy makers, businesses debate role of Washington in cloud computing]


WW – Coalition Pushes Rewrite of Online Privacy Law

A broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, announced a major push this week to update federal privacy laws to protect mobile and cloud computing users. They hope to convince the U.S. Congress to update a 1986 law—written in the pre-Internet era of telephone modems and the black-and-white Macintosh Plus—to sweep in location privacy and documents stored on the Web through services like Google Docs, Flickr, and Picasa. That law, the Electronic Communications Privacy Act, or ECPA, is notoriously convoluted and difficult even for judges to follow. The coalition hopes to simplify the wording while requiring police to obtain a search warrant to access private communications and the locations of mobile devices—which is not always the case today. Under current law, Internet users enjoy more privacy rights if they store data locally, a legal twist that some companies fear could slow the shift to cloud-based services unless it’s changed. “The main thing that’s broken about ECPA is that it penalizes you for using cloud computing.” The groups plan to announce four principles, buttressed by legal analyses. The principles apply only to government access to data stored by Internet and telecommunications companies and do not regulate the private sector or private litigants. First, police may obtain “communications that are not readily accessible to the public only with a search warrant.” Second, police may access “location information regarding a mobile communications device only with a warrant.” Third, additional privacy protections would be extended to legal requests for outgoing and incoming call records, which are known as pen registers and trap and trace devices. 
Fourth, police may use “subpoenas only for information related to a specified account or individual”—which would bar a subpoena to AT&T asking for information about anyone connecting to one cell site at a certain time, or prevent a subpoena to Google asking for anyone searching for “weaponized anthrax” on a specified date. (That information might still be available, however, to law enforcement officials armed with valid search warrants.) Just as the Katz decision said that the right to privacy accompanies a person no matter where he or she is, today’s coalition is proposing that the right to privacy should accompany data no matter where it is stored. “When you put your digital bits out where a third party can touch them you’re waiving your Fourth Amendment rights. It almost seems like a throwback.” [CNET News] [Digital Due Process Coalition Website] [CNET: Obama faces major online privacy test]


US – Lawmakers to Hold Hearings on ECPA Reform

The House Judiciary Committee has announced it will hold hearings this spring in consideration of reforms to the Electronic Communications Privacy Act of 1986 (ECPA). House Judiciary Committee Chairman John Conyers (D-MI) and Reps. Jerrold Nadler (D-NY) and Robert Scott (D-VA) have called for hearings on privacy reforms in the wake of a request by a coalition of industry leaders including Google, Microsoft and AT&T and privacy advocates. The group, which calls itself the Digital Due Process coalition, has asked Congress to strengthen online privacy laws to protect digital personal information from government access. “As technology moves forward,” Conyers said, “it is clearly necessary for industry, as well as all Americans, to adjust and clarify the law.” [The Washington Post]


CA – Google Expanding Street View in Canada

Google has announced it is gearing up to expand its Street View mapping to every Canadian province and territory. Google will spend the next few months photographing streets in cities and towns throughout Canada as the country joins the U.S., UK and France in having nationwide Street View. When Street View was first introduced in Canada, Privacy Commissioner Jennifer Stoddart raised concerns that the service could violate privacy laws, the report states, but Google has since added technology aimed at alleviating those concerns. Google also confirmed it will be heading back to Windsor to take new pictures after city officials complained that the existing photos were taken during a strike last summer and show unkempt streets and garbage piles in many locations. [CBC News] See also: [DE: Google ‘Street View’ car sabotaged in suspected privacy protest]


Law Enforcement


EU – Dutch Prosecutors Stop Tapping Lawyers’ Phones

For years, Dutch law enforcement officials have been listening in on conversations between lawyers and their clients. The prosecutor’s office itself now wants to put an end to the practice once and for all. Phone taps are quite common in the Netherlands. In the first half of 2009, for instance, Dutch law enforcement listened in on an average of 2,254 calls a day. The large-scale inquiry by the Dutch prosecutor’s office comes after several high-profile cases in the Netherlands were upended by judges who found the prosecution had illegally tapped suspects’ lawyers in recent years. To prevent this from happening again, the public prosecutor’s office now wants to make a clean sweep. A committee led by Arnhem’s public prosecutor has proposed some rigorous measures. For one, the prosecutor’s office should block a number of phone numbers belonging to people with whom suspects should be able to communicate in confidence. If this becomes the norm, prosecutors will no longer have to destroy recordings of such conversations after the fact; they will never have access to them at all. [Source]


US – NYC Settles Jail Strip-Search Suit For $33 Million

Two women who claimed they were forced to undergo gynecological exams and thousands of other people who said they were strip-searched in New York City jails have settled a class-action lawsuit with the city for $33 million. The suit was filed on behalf of people arrested on misdemeanor drug and weapons charges and strip-searched at Rikers Island and other jails. Other charges included jumping turnstiles, failing to pay child support, shoplifting and trespassing. “We hope in some small way these damage awards will stand for some semblance of justice for these victims,” said Richard D. Emery, lead attorney for the plaintiffs. Under the agreement, victims can receive between $1,800 and $2,900 each, depending on how many people respond. The plaintiffs who claimed they were forced into gynecological exams are entitled to $20,000 each for their injury and suffering, according to the decision, reached last week and finalized Monday. The case included people arrested, but not convicted, between July 15, 1999, and Oct. 4, 2007. The court has already ruled that the practice violated the prisoners’ constitutional rights. [Source] [New York Times] [On the Net]


WW – Revised Facebook Policy Hints at Location Tagging

Facebook has announced proposed changes dealing with location tagging and third party Web sites before they take effect. In a post on Friday, Michael Richter, Facebook’s deputy general counsel, said the changes specifically allow Facebook to collect location information and permit sharing general information about users with “pre-approved” Web sites using Facebook Platform. (Users can choose to block that sharing.) The tweaks will “make way for some exciting new products we’re contemplating,” Richter said. “Not all of these products have been finalized and many aren’t yet built at all.” Facebook users have until April 3 to comment on the proposed changes. One section of the new privacy policy talks about being able to tag Facebook friends by “place,” not just by name in photos or videos. The New York Times reported earlier this month that a location-based feature will be announced soon. Another allows “pre-approved third party Web sites and applications” that use Facebook Platform to obtain general information about you, including name, photo, friend list, and public information from your account--as long as you’re still logged into Facebook. That means “you and your friend can be connected on that Web site as well” as long as both of you have an account on that Web site, the revised privacy policy says. Other proposed changes apply to developers and third party Web sites. They’re required to “delete all data” from Facebook if a user requests, and may not transfer Facebook data to advertising networks such as AOL Advertising, Google and DoubleClick. More details may be released next month at Facebook’s F8 developer conference in San Francisco. [CNET] [ACLU: Is Facebook Unliking Privacy?]


Online Privacy


CA – CIPPIC Files Statement of Concern Re: Facebook’s New Privacy Approach

CIPPIC provided a statement to Facebook and the Privacy Commissioner highlighting its concerns with recent changes on Facebook that fail to meet the standards set out in a previous PIPEDA Report of Findings against Facebook; the statement gives Facebook a 30-day timeline to respond. In particular, CIPPIC says Facebook did not have the informed, meaningful consent of its users for the new default settings it has imposed on them; has made vast amounts of personal information available to everyone, including search engines and application developers, without the adequate, informed consent of those users; and failed to implement changes it undertook to the Commissioner to make. Facebook is asked to revert to its old privacy practices, to cease sharing information categorized as “publicly available”, and, when implementing new default privacy settings in the future, to take into account users’ previous limits on information sharing when formulating assumptions about how a user expects information to be shared. [Scribd] See also: [New software lets businesses track employee Facebook, Twitter activity] and also: [Facebook facing privacy concerns from European regulators] [Spokeo Aggregates Your Personal Information Posted Online]


US – Agencies Test Industry’s New ‘You Are Being Targeted’ Icon

Online ad agencies plan to debut a new behavioral targeting icon within weeks. The icon is the industry’s answer to the Federal Trade Commission’s assertion that companies need to better inform consumers about online tracking and opting out, the report states. The icon features an ‘i’ within a blue circle. It will appear as an overlay on Internet advertisements. Better Advertising, the start-up that will oversee the initiative, is reportedly designing a landing page that will educate users about behavioral targeting and how to opt out. [MediaPost]


UK – Scotland Yard Wants Net Cafés to Spy on Customers

Internet cafe users in the British capital may want to watch what they download. Scotland Yard is advising administrators of public web spaces to periodically poke through their customers’ files. The London-based police force says it’s more of an awareness drive than a surveillance campaign — but civil libertarians aren’t happy. Privacy activist Simon Davies says people should not have their web use monitored at Internet cafes any more than public pay phone users should have someone listening in on their calls. But Scotland Yard noted this week that several terror plotters have used Internet cafes to co-ordinate planned attacks. Posters and screen savers with the Scotland Yard logo are also being installed at cafes that sign up to the plan. [Source]


US – Cavoukian on Facebook Privacy

Ann Cavoukian, the Information and Privacy Commissioner of Ontario, spoke at the Facebook Speaker Series in Palo Alto, California last week. The title of her talk was “Privacy …It’s All About Freedom: Maximizing Control, Maintaining Freedom of Choice.” The overheads from her talk are available online.

[Source] [Presentation]


Other Jurisdictions


WW – IDRC Gives UK Org $1m for Asian Privacy Network

The Canadian International Development Research Centre (IDRC) has awarded a $1m contract to UK-based civil rights campaign group Privacy International to set up an Asian privacy network. Announcing the deal at Privacy International’s 20th anniversary celebration in London, executive director Simon Davies said the network would include Bangladesh, India, Malaysia, Pakistan, the Philippines and Thailand. It would monitor threats to citizens’ privacy and try to raise awareness of the need for privacy in an increasingly digital world, he said. The deal follows a report on privacy in Asia that Privacy International produced last November. It found “a mounting level of concern about telemarketing, the abuse of databases and financial information, identity fraud, and other privacy-related issues”. It said the situation in Iran was a case in point. “For years we recommended against surveillance schemes in democratic countries, as well as their technical standards for surveillance in telecommunications systems,” it said. “The response from governments was that they were democratic governments and so surveillance would always take place in accordance with international human rights instruments. What we are now seeing is that these technologies, devised in Europe and North America, are now part of the political arsenal of more problematic regimes, and are being abused.” Privacy International said it would feed back this information to policy-makers in other countries to warn them about the dangers of wrong decisions and of setting poor examples that would be replicated elsewhere. [Source]


BR – Phorm Launches Commercial Operations

Behavioral advertising company Phorm has partnered with five Internet service providers (ISPs) in Brazil and has secured millions in pre-booked ad revenue. Phorm’s technology harvests ISP data, allowing advertisers to tailor promotions based on Web users’ browsing activities. The company announced the deals in a notice to investors on Friday. The launch follows less successful attempts in other markets such as the U.S. and UK, where authorities have scrutinized the legality of the technology. The company has also partnered with a major Korean ISP, and CEO Kent Ertugrul said Phorm is “active in almost every other major Internet market worldwide.” [ClickZ] [Phorm Notice to Investors]


Privacy Enhancing Technologies (PETs)


WW – Microsoft Makes U-Prove Technology Available to Enable Identity with Privacy

At RSA Conference 2010, Microsoft outlined how the company continues to make progress toward its End to End Trust vision. In his keynote address, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, explained how the company’s vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity metasystem, and called for public and private organizations alike to prevent and disrupt cybercrime. Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy. The company also shared details about a new partnership with the Fraunhofer Institute for Open Communication Systems in Berlin on an interoperability prototype project integrating U-Prove and the Microsoft identity platform with the German government’s future use of electronic identity cards. As further evidence of how the company is enabling a safer, more trusted enterprise, Microsoft also today released Forefront Identity Manager 2010, a part of its Business Ready Security strategy. 
Forefront Identity Manager enables policy-based identity management across diverse environments, empowers business customers with self-service capabilities, and provides IT professionals with rich administrative tools. [Press Release] [Kim Cameron: U-Prove Minimal Disclosure availability] and [video illustrations and explanations]


Privacy (US)


US – FTC to Consider New Restrictions on Collecting Data from Children

The Federal Trade Commission (FTC) is seeking public input about protecting children’s privacy online. The commission is engaged in its second five-year review of the Children’s Online Privacy Protection Act (COPPA), which took effect in 2000. COPPA requires Web site operators to obtain parental consent before collecting or using kids’ personal information. The FTC says that changes in the online environment and “children’s increasing use of mobile technology to access the Internet” might necessitate an update to the regulations. In a Federal Register notice, the commission asks how regulations should be modified to address new platforms, the report states. [MediaPost News]


US – FTC Busts Dave & Buster’s

The entertainment operation Dave & Buster’s has agreed to settle FTC charges that the company failed to protect consumers’ information, according to an FTC press release. The commission alleged that the company failed to detect and prevent unauthorized network access and failed to “use readily available security measures to limit access to its computer networks through wireless access points,” among other failures, which enabled hackers to access 130,000 credit and debit cards. To settle the charges, the company will establish a program to protect customers’ data and subject itself to biennial audits for the next decade. [FTC Press Release]


US – Court to Hear Web ‘Free Speech’ Case

The right of a privacy advocate to publish Virginia state officials’ Social Security numbers is at the heart of a court case to begin this week, officials said. Betty “BJ” Ostergren posted the numbers, accessible to the public elsewhere, on her Web site to pressure the officials into keeping such information off government sites such as those maintained by courts. In June 2009, a federal judge ordered Virginia to cease enforcing a state law barring the dissemination of Social Security numbers, ruling the law violated Ostergren’s free-speech rights, the newspaper said. The Virginia state attorney general’s office appealed the ruling, and a U.S. Circuit Court of Appeals will hear arguments Tuesday. The ACLU, representing Ostergren, argues that her publishing of the numbers on her site for “shock value” is political speech protected by the Constitution. Virginia argues the numbers can be used in identity theft.


US – U.S. Said to be Eyeing Cybersecurity Ambassador Role

The U.S. is weighing the creation of an ambassador-level position for negotiating cybersecurity matters at the United Nations and for ensuring the country has a consistent international policy on the issue. Both the U.S. State Department and Congress are considering the creation of such a role following the recent attacks on Google and numerous other high-tech companies. The proposals include a plan to develop policies tying foreign aid to a country’s willingness and ability to fight cybercrime originating from within its borders. The impetus for the job, according to the Wall Street Journal, is coming from the Senate Foreign Relations Committee. Whoever is appointed to fill it would need to be confirmed by the Senate and would apparently report either to a top State Department official or to a panel of federal agency officials involved in cybersecurity matters. No decision has yet been made on whether the position should be mandated by law or created internally by the State Department. [IT World Canada]


US – Fighting Identity Theft Not a Priority, Report Says

Ten million Americans a year are victims of identity theft. It’s a growing problem in the United States, but fighting it doesn’t appear to be a priority, a new report says. A report by the Justice Department Inspector General released this week cites the wide-ranging costs and dangers of ID theft. Although the report has no new numbers, the financial losses are believed to be substantially higher than the $15.6 billion documented in 2005. Inspector General Glenn Fine found the effort to combat the problem, however, has lagged since the President’s Task Force on ID Theft was established in 2007. “We found that to some degree identity theft initiatives have faded as priorities,” said Fine. He said the Justice Department has not developed a coordinated plan to combat ID theft and that some recommendations of the President’s Task Force have not been addressed. No one has been appointed to oversee the efforts, the report says. [CNN] [Reuters: Justice Dept. criticized over identify theft]


US – Lawmakers Ask for FTC Investigation of Google Buzz

Eleven U.S. lawmakers have asked the U.S. Federal Trade Commission to investigate Google’s launch of its Buzz social-networking product for breaches of consumer privacy. The representatives – six Democrats and five Republicans from the House Energy and Commerce Committee – noted in their letter that Google’s roll-out of Buzz exposed private information of users of Google’s Gmail service to outsiders. [CIO]




US – Idaho House Limits Information on Driver’s Licenses

The House has approved restricting how much information the state can put on driver’s licenses amid concerns about federal efforts to improve national security. Lawmakers voted 58-10 Monday to prevent the Department of Transportation from adding a chip to driver’s licenses that would allow identity thieves to scan the cards from several feet away. The bill also bans three-dimensional photographs on identification. The Department of Transportation doesn’t plan to deploy the technology. But Athol Republican Rep. Phil Hart said he wants to make it clear Idaho won’t get involved in a federal attempt to boost license details. [Source]


WW – Pill with Antenna Ensures Patients Take Meds

If you’ve ever been plagued by temporary amnesia and forgotten whether or not you took your medication, take heart: U.S. researchers have engineered a pill that will jog your memory. The pill, designed by engineers at the University of Florida, is embedded with a tiny, non-toxic microchip and antenna that can be digested. When it’s ingested, it emits a signal that is picked up by a small electronic device carried or worn by the patient. That device, in turn, signals a cell phone or laptop, letting a patient or medical professional know the pill has been taken. “It is a way to monitor whether your patient is taking their medication in a timely manner,” said Rizwan Bashirullah, an assistant professor in electrical and computer engineering at the University of Florida. The pill has yet to be tested on humans. To date, it has been tried out on cadavers and models of humans. Scientists have also conducted experiments on the pill to see how effectively it dissolves in stomach acid. [CBC News]




UK – Survey Shows 100% of Organizations Targeted for Data Theft

In a recent survey of 115 UK executives, all reported attacks targeting corporate data within the past year and 77% reported their organizations have experienced a data breach in the past. The study, which was conducted by the Ponemon Institute and sponsored by IBM, reveals growing concern about data protection. The survey indicates that more than 27% of the respondents doubt their organizations could avoid a data breach in the next 12 months. According to the survey, data protection initiatives result in an average cost savings or revenue improvement of £11 million ($16 million), the report states. [Information Week] [IBM Press Release]


UK – Airport Worker Given Police Warning for ‘Misusing’ Body Scanner

The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 March, is believed to be the first time an airport worker has been formally disciplined for misusing the scanners. The BAA employee took a photo of his co-worker, Jo Margetson, when she inadvertently went through a scanner. “I can’t bear to think about the body scanner thing,” she told the Sun. “I’m totally traumatised. I’ve spoken to the police about it. I’m in too much of a state to go to work.” The incident is likely to reignite privacy concerns over the scanners by civil liberty groups. The Equality and Human Rights Commission last month warned that the government needed to take action to bring its policy for body-scanning passengers at UK airports within the law. The commission said it had concerns about the apparent absence of safeguards to ensure the scanners were operated in a lawful, fair and non-discriminatory manner. It raised doubts as to whether the decision to install them at all UK airports was legal. [The Guardian] See also: [UK: Children will face airport body scanners]


US – TSA Plans to Double Its Use of Whole-Body Scanners

A new report from the U.S. Government Accountability Office shows that the Transportation Security Administration plans to install more than twice as many whole-body scanners at U.S. airports as originally planned. Instead of deploying 878 units by the end of 2014, the TSA now plans to install as many as 1,800 scanners – or advanced imaging technologies – at U.S. airports. Rather than using them as an optional, secondary screening measure, the TSA’s revised strategy calls for increasing the use of the devices as a compulsory, primary screening measure “where feasible,” the report said. The GAO report called on the TSA to do a complete cost-benefit analysis of the technology to determine an optimal deployment strategy. Last week’s GAO report is the agency’s third in the last six months to touch on whole-body scanners. Like the previous reports, this one also raised questions about the effectiveness of the technology and whether a body scanner would have been able to thwart the Christmas Day bomber. The report also said the GAO is reviewing the results of operational tests of the scanners conducted by the TSA, to get a better understanding of the technology’s effectiveness. The GAO noted that the TSA has made an estimate of the life-cycle costs associated with the use of whole-body scanners but has so far not conducted a cost-benefit analysis of using the technology compared with other means, such as pat-downs, metal detectors or other practices. The TSA’s revised plan to deploy 1,800 scanners represents a twofold increase from previous plans, the report said. For fiscal 2011, the TSA has requested 3,550 additional full-time employees to operate the machines at a cost of nearly $220 million. From 2012 to 2014, the agency will likely need additional staff to operate the devices, each of which costs $170,000 and requires three full-time employees to run it. [Source]


Smart Cards


CN – “Octopus” Card Enters China, Raises Privacy Issues

Octopus Holdings Ltd, the provider of the stored-value cards widely used by Hong Kong residents to pay for everything from subway rides to McDonald’s (MCD.N) hamburgers, is extending its reach into mainland China, according to the Wall Street Journal. The Hong Kong-based company hopes Chinese citizens will soon use its cards not just for bill payments but also for functions such as birth registration and social security, uses that could raise privacy worries. Many Chinese municipalities want the citizen cards to allow medical records and benefits status to be recalled upon swiping the card. The cards would also store residential data and help a cardholder pay residential fees. The cards would also hold social security and birth registration data, a move that could help China better enforce its one-child policy and control the movement of its people, the Journal said. [WSJ]


US – DHS Offers Details on Privacy Controls in Its Secret Einstein 3 IDS/IPS

The Department of Homeland Security plans to work with a commercial Internet service provider and one federal agency to carry out a pilot test of Einstein 3, an intrusion detection and prevention system that will eventually be used to bolster federal agencies’ information security postures. DHS detailed the plans in a privacy impact statement – required for new IT systems in government – that it published last Thursday, along with some of the deepest detail yet of the partially classified system, the technology for which has largely been developed by the National Security Agency. Einstein 3 will follow up on the Einstein 2 intrusion detection system, which is currently being readied for operational deployment, and the first Einstein system, which collects network traffic data. It has been the subject of some controversy as observers have expressed privacy concerns in the media and on Capitol Hill about the government’s use of data it collects. According to the privacy impact statement, the pilot program will solidify the processes required to “manage and protect information gleaned from observing cyber intrusions” and will help DHS map out its path for implementing Einstein 3 more widely. Einstein 3 will do real-time, deep packet inspection and “threat-based decision making” on network traffic at the edge of federal agency networks. The effort will redirect agency Internet traffic to DHS cybersecurity systems, which will apply pre-defined signatures to the traffic to determine which traffic might be associated with cyber threats and how to respond. That traffic will be made available to cybersecurity analysts at the United States Computer Emergency Readiness Team for review, while the rest of the traffic won’t be retained by DHS. US-CERT will then automatically alert federal agencies of network intrusion attempts. Thus, Einstein 3 could bolster information sharing between US-CERT and federal agencies. The system will be backed up by strong privacy policy, according to the DHS. DHS will keep the data the pilot collects for as long as one year after the pilot is done, or may purge some data early, depending on US-CERT’s determination of the data’s usefulness. DHS’ test will take place over four phases: one to assess the ISP’s ability to redirect traffic, another to install the technology, a third to bring the Einstein pilot online and ramp up the tests, and a fourth to carry out an extended test and review of capabilities over a full year. The pilot will be limited to a single federal agency. However, it’s not clear when the pilot will begin. [InformationWeek] [PIA] See also: [EINSTEIN 1: Michigan Proof of Concept PIA]




US – EFF to Press for New Privacy Protections Against Hidden Video Surveillance

On Monday, March 29, at 10 a.m., the Subcommittee on Crime and Drugs of the U.S. Senate Judiciary Committee will hold a public hearing in the Philadelphia federal courthouse on whether the federal electronic privacy laws need to be updated to better regulate secret video surveillance. Senior Staff Attorney Kevin Bankston of the Electronic Frontier Foundation (EFF) will testify. Subcommittee Chairman Arlen Specter called the hearing in response to recent allegations that public schools in the Lower Merion School District in Pennsylvania have secretly used webcams on school-issued laptops to visually monitor students while they were in their homes. At Monday’s hearing, Bankston will urge Congress to update the federal wiretapping statute to protect against secret video surveillance in the same way it protects against secret eavesdropping on private conversations. Such a change to the law would clearly require the government to obtain a search warrant before engaging in secret video surveillance of private places and would protect against similar spying by non-government actors, such as stalkers, computer criminals, private schools, private employers and others. “It doesn’t make sense that federal law regulates secret eavesdropping but doesn’t equally protect us from secret video surveillance, which can be even more invasive,” said Bankston. “Just as the federal wiretapping statute protects against electronic eavesdropping, it should also protect against secret video recording, whether in the home or in any other place where people have a reasonable expectation that they are not going to be photographed.” [Source] See also: [CSIS Wants Museum Show For Cold War Spook Tools]


US – Senator Inspired to Expand Wiretapping Laws to Web-Cams and Online Photos

After a Senate subcommittee hearing on privacy and technology yesterday, Sen. Arlen Specter (D-PA) says he will introduce legislation to expand wiretapping laws to cover photo and video surveillance. At the hearing, Specter questioned technology and law experts on the implications of a Lower Merion School District incident where administrators admittedly viewed students in their homes by remotely activating the Web cams on school-issued laptops. The district said it only activated the Web cams to locate stolen laptops. “The incident raises a question as to whether the law has kept up with technology,” Specter said at the hearing. [Philadelphia Inquirer]


US – Airport Device Follows Fliers’ Phones

Today’s smartphones and PDAs could have a new use in the nation’s airports: helping passengers avoid long lines at security checkpoints. The Transportation Security Administration is looking at installing devices in airports that home in and detect personal electronic equipment. The aim is to track how long people are stuck in security lines. Information about wait times could then be posted on websites and in airports across the country. “This technology will produce valuable data that can be used in a variety of ways,” TSA spokeswoman Lauren Gaches said, noting it could help prevent checkpoint snarls. But civil-liberties experts worry that such a system enables the government to track people’s whereabouts. “It’s serious business when the government begins to get near people’s personal- communication devices,” said American Civil Liberties Union privacy expert Jay Stanley. [USA Today] See also: [U.S. aviation security pick favors Israeli model]


Telecom / TV


UK – Tax Man Empowered to Open Mail Without Asking Permission

Officers will be allowed to intercept any suspicious mail anywhere in the country and open it before it is delivered, under plans being drawn up by the Government to amend the Postal Services Act. The measure is billed as a bid to crack down on tobacco smuggling. However, an HM Revenue and Customs spokesman said the powers could be applied much more widely. Currently, Royal Mail staff have a legal right to intercept suspicious letters and parcels in mail centres and sorting offices and pass them to HM Revenue and Customs. Tax inspectors must then notify the addressee and agree a mutually acceptable time to open the letter or parcel, before deciding whether to take any enforcement action. However, the Government is now proposing to remove that legal requirement, which would allow inspectors to open suspicious post without asking permission first. Treasury documents say: “HMRC will no longer be required to notify the addressee and invite them to attend before such packets can be opened”. The new measure will be passed into law as part of the Budget over the next few weeks, and amend section 106 of the Postal Services Act 2000. Under current law, the only other enforcement officers who can open mail are border guards, who can open the post without permission at ports and airports. The change was disclosed in a Treasury document published alongside the Budget headlined “Tackling tobacco smuggling in the post”. However, an HM Revenue and Customs spokesman said the powers would be applied much more broadly. The spokesman said: “The change is mainly directed at helping to combat tobacco smuggling but the powers in s106 apply to any contraband including prohibited or restricted goods.” She declined to say how many times HM Revenue and Customs had used the existing powers in recent years. [Source] [Intercepting mail is worthy of the Stasi: Guardian]


EU – German Court Strikes Blow Against EU Data-Retention Regime

Germany’s constitutional court found a 2008 data-retention law to be unconstitutional, ruling in favour of 35,000 plaintiffs who were concerned about breaches of privacy and civil liberty rights; the law required telecommunications companies to retain all citizens’ telephone and internet data for six months. The court found that the law failed to sufficiently limit the uses of the data and ensure sufficient data encryption if the information was stolen; all data stored until now must be deleted and no more data may be held until the national law is revised. The German government is planning to draft a new law.


SL – Slovak Manager to Sue Deutsche Telekom over Spying

A Slovak Telekom employee who was one of the targets of Deutsche Telekom snooping activities in Eastern Europe plans to sue the German telecoms giant for breach of privacy, his lawyer said this week. Detectives hired by the German firm, which owns 51% of Slovak Telekom, compiled a report on the security head, Gaulieder, in 2005. The company informed Gaulieder about the surveillance in December and gave him his file, which includes details of his professional contacts and private life, the newspaper said. Gaulieder is to file the lawsuit in a German court. [Source]


UK – Police Refuse to Name Sex Offenders on the Run ‘Because of Right to Privacy’

Police are refusing to reveal the identities of sex offenders who are on the run - because it would be an invasion of their privacy. Four registered sex offenders have been on the run for as long as two years after disappearing from their homes in the North-East. But confusion over whether the wanted criminals should be identified means that just one of them has been made known to the public, sparking fury among victims’ groups. The news comes just one month after convicted rapist Peter Chapman was jailed for murdering Ashleigh Hall, 17, from Darlington, after authorities lost track of him. [The Daily Mail]


US Government Programs


US – Data Security Concerns Persist in IRS IT Systems

According to a report from the Government Accountability Office (GAO), the US Internal Revenue Service (IRS) has yet to address 69% of the information security problems the GAO identified in a report last year. Areas of concern include the use of weak passwords, failure to restrict access permissions, and failure to encrypt login data. The report also noted that the IRS lacks an effective disaster recovery procedure. [NextGov] [GovInfoSecurity] [GAO]


US – Survey: Federal CIOs Push Transparency, Struggle with Cyber-Security

Federal CIOs have increased efforts to publish data sets and utilize social media tools as part of the Obama administration’s push for transparency, but federal agencies and departments continue to struggle with cyber-security, IT infrastructure and work force issues, according to the 20th Annual Survey of Federal CIOs released Tuesday, March 23, by TechAmerica and the Grant Thornton accounting organization. The survey, titled “Transparency and Transformation Through Technology,” reveals that the shift toward a more open government has created opportunities and barriers for federal CIOs. Opportunities include improving access, collaboration and accountability; barriers include investment costs, lack of governance and a less-than-solid idea of what citizens want. But those challenges haven’t stopped CIOs from taking action. Projects such as,, and the Federal IT Dashboard represent the latest drive to provide the public with access to information. [Government Technology]


US Legislation


US – Legislators, Industry Leaders Disagree on Impact of Privacy Bill, New FTC Powers

While legislators are promising online marketers that they don’t need to worry about a new privacy bill expected to be introduced in the weeks ahead, advertising business leaders are raising concerns about that plan and new FTC powers included in a separate bill. Virginia Rep. Rick Boucher (D-VA), who is expected to introduce his privacy bill in the next few weeks, said the legislation will not deliver a crushing blow to the $25 billion online advertising industry. Meanwhile, a proposed financial reform bill aimed at cleaning up Wall Street has industry insiders worrying over expanded FTC powers to crack down on “shady advertisers” and “data abusers,” the report states. [Mediaweek]


Employment Privacy


WW – New Big Brother-Like Service Monitors Employee Use of Social Sites

A new service that monitors workers’ use of social networks may keep employees alert to the dangers of posting confidential corporate data, but it will likely also make them feel as though the eyes of their managers are constantly upon them. Teneros Inc., a Mountain View, Calif.-based messaging company, unveiled the monitoring service this week. The product, dubbed Social Sentry, helps companies keep an eye on what employees are saying on social sites like Facebook and Twitter. Matt Weil, president and CEO of Teneros, said the goal of the service is not to monitor personal conversations but to find out whether employees are disclosing sensitive corporate information, such as financial figures, personnel data or trade secrets. The creators acknowledged that some employees will feel that companies have breached their privacy. “How creepy this is or isn’t will really depend on the company wielding the tool,” said Olds. “They can make it relatively benign or very invasive. It all depends on how they use the information they gather. If they take adverse action against employees based on their off-hours social networking activities, we can be sure lawsuits will ensue. And as usual, lawyers will benefit.” Social Sentry is now in the beta test phase and is slated to be available by the end of April. [Computerworld]


US – NJ Court: Employee-Attorney E-Mails are Private

In a decision that could set new ground rules for Internet privacy in the workplace, New Jersey’s Supreme Court has ruled an employer was wrong in retrieving e-mails between a former employee and her attorney, even though they were sent from a company computer. The 7-0 ruling published this week in Stengart v. Loving Care Agency is believed to be the first of its kind to reach a state Supreme Court, attorneys involved in the case said. The case stemmed from a lawsuit Marina Stengart filed in 2008 against Loving Care, a northern New Jersey company that provides home-care nursing and health services, claiming discrimination based on gender, religion and national origin. Before Stengart left the company, she exchanged several e-mail messages with her attorney from a company-provided computer, but from her password-protected Yahoo e-mail account. Computer experts retrieved the e-mails, and Loving Care’s attorneys used them in preparing to defend the lawsuit. In court, they argued that the company’s employee manual clearly states that e-mail communications “are not to be considered private or personal to any individual employee” and that Loving Care reserved the right to “review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time.” A trial court sided with the company, but an appellate panel reversed the decision and ordered the company to turn over all copies of the e-mails and delete any record of them. In affirming the appellate decision, Supreme Court Chief Justice Stuart Rabner wrote that while a company has a right to establish policies governing computer use - and to discipline employees who violate them - even a stated policy that an employer could read an employee’s attorney-client communications would be unenforceable. “Employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy,” Rabner wrote. [Associated Press]


EU – German Commission Finds Employee Blood Tests Illegal

Stuttgart’s state privacy office has warned automotive company Daimler that it is breaking the law by testing the blood and urine of all job applicants. The privacy commission said that taking the blood of applicants broke the law because it could reveal private matters of no relevance to a future employer and would only be legal if used to avoid potential health dangers in the workplace. The commission has not imposed a fine on the company for the practice. Daimler, which had already agreed to restrict the tests to applicants for jobs where there is a health risk, has said it may challenge portions of the ruling. [Deutsche Presse-Agentur]